App Layer Protocols
7/30/2019 App Layer Protocols
1/15
By Matthew Syme, Philip Goldie
Date: Mar 5, 2004
Sample Chapter is provided courtesy of Prentice Hall Professional.
In this chapter, we'll move further up the OSI Seven Layer Model and take an in-depth look at the workings of some of the Application layer protocols that are most commonly used in content switching. These include TCP-based services such as HTTP, UDP services like DNS, and applications that use a combination of TCP and UDP, such as the Real Time Streaming Protocol (RTSP). Finally, we'll look at how these types of applications can be secured using Secure Sockets Layer (SSL).
HyperText Transfer Protocol (HTTP)
The HyperText Transfer Protocol, or HTTP, must be the most widely used Application layer protocol in the world today. It forms the basis of what most people understand the Internet to be: the World Wide Web. Its purpose is to provide a lightweight protocol for the retrieval of HyperText Markup Language (HTML) and other documents from Web sites throughout the Internet. Each time you open a Web browser to surf the Internet, you are using HTTP over TCP/IP.
HTTP was first ratified in the early 1990s and has been through three main iterations:
HTTP/0.9: A simplistic first implementation of the protocol that only supported the option to get a Web page.
HTTP/1.0: Ratified by the IETF as RFC 1945 in 1996. This version added many supplemental data fields, known as headers, to the specification. This allowed other information to pass between the client and server, alongside the request and the consequent page.
HTTP/1.1: Defined in RFC 2068 by the IETF, version 1.1 implemented a number of improvements over and above the 1.0 specification. One of the main improvements of 1.1 over 1.0 was the implementation of techniques such as persistent TCP connections, pipelining, and cache control to improve performance within HTTP-based applications.
Most browsers these days offer support for both the 1.0 and 1.1 implementations, with newer browsers using 1.1 as a default but supporting the ability to fall back to earlier versions if required. One thing the RFC definitions are clear to point out is that all implementations of the HTTP protocol should be backward compatible. That is to say that a browser implementing the HTTP/1.1 specification should be capable of receiving a 1.0 response from a server. Conversely, a 1.1 implementation on the server side should also be capable of responding to requests from a 1.0 browser.
It is well outside the bounds of this book to cover the HTTP protocols in huge detail, so let's concentrate on those elements most relevant to content switching.
Basic HTTP Page Retrieval
Let's start at the beginning and see how a basic browser retrieves a Web page from a Web server. The first important point to note is that a Web page is typically made up of many dozens of objects, ranging from the HTML base through to the images that are present on the page. The HTML can be thought of as the template for the page overall, instructing the browser on the layout of the text, font sizes and colors, background color of the page, and which other images need to be retrieved to make up the page.
Think of the process as taking place in the following order:
1. The client sends a request for the required page to the Web server.
2. The server analyzes the request and sends back an acknowledgment to the client along with the HTML code required to make the page.
3. The client begins interpreting the HTML and building the page.
4. The client, in subsequent requests, retrieves any embedded objects, such as images or other multimedia sources.
Once all elements of the page have been retrieved, the client browser will display the completed Web page. The order and timing of the process described previously depends largely on which implementation of HTTP is used, 1.0 or 1.1, although all browsers work in this way of request and response.
HTTP Methods
HTTP does not only offer a mechanism for the client to receive data from the server, but also other communication types such as the passing of data from the client to the server. Such mechanisms are known within the HTTP specifications as a method. Table 3-1 shows the supported method types in HTTP/1.0 and 1.1.
Table 3-1. The HTTP Method Headers in HTTP/1.0 and HTTP/1.1
METHOD    DESCRIPTION
GET       Retrieve the information specified.
HEAD      Identical to the GET request, but the server must not return any page content other than the HTTP headers.
POST      Allows the client to submit information to the server; used for submitting information from a form, etc.
PUT       Allows the client to place an item on the server in the location specified.
DELETE    Allows the client to delete the item specified in the request.
TRACE     Allows the client to see the request it made to the server. This acts as a loopback in effect.
OPTIONS   Allows the client to determine the communications options available on the server.
In terms of general Web browsing, the GET and POST methods are by far the most commonly used. For a browser to build a standard Web page, the GET method is used to retrieve each object individually, whereas for transactional Web sites implementing shopping-cart-style applications, the POST method will also be used.
The HTTP URL
The URL is the most important piece of information that the client browser includes in any GET request. The URL is defined as a combination of the host where the site is located, the scheme used to retrieve the page, and the full path and filename. Optionally, the URL may include information such as the TCP port number to be used or a unique reference point within a larger page. Figure 3-1 shows the breakdown of an example URL.
Figure 3-1. An example URL and its components.
The URI is also commonly used when referencing the location of documents within HTTP. The formal definition of the difference between a URL and a URI is simple: A URI is a URL without the scheme defined.
Persistent Connections in HTTP
One of the other major differences in operation between HTTP/1.0 and HTTP/1.1 is the handling of the TCP connections required to retrieve a full Web page. Given that a client will typically have to retrieve multiple objects to make up a single Web page, it is often inefficient to open and close TCP sessions repeatedly when retrieving objects from the same server. To improve the overall performance of HTTP in this instance, the protocol defines the Connection: header, which communicates to the server whether the TCP session should be closed or remain open once the object has been retrieved. The Connection: header has two options:
Connection: Closed: The default for HTTP/1.0
Connection: Keep-Alive: The default for HTTP/1.1
The Closed state indicates that the server should close the TCP connection once the request has been fulfilled. The Keep-Alive state indicates that the server should keep the TCP connection open after the request has been fulfilled. Along with an obvious performance increase from removing the need to open and close TCP connections, the Keep-Alive state also allows the implementation of pipelining. Pipelining allows a client to send multiple HTTP GET requests over the same TCP connection without needing to wait for individual responses after each. Figure 3-2 shows the difference in these connection types.
Figure 3-2. The difference in TCP handling between HTTP/1.0 and HTTP/1.1.
The final piece in the puzzle of interaction between client and server is in opening multiple TCP connections. We've already seen that a client can open a persistent TCP connection to the server and pipeline HTTP requests. To further improve performance of the HTTP operation, many browsers will open several simultaneous connections. Figure 3-3 gives examples of pipelining and multiple connections.
Figure 3-3. Implementing pipelining and multiple connections as performance mechanisms.
Other HTTP Headers
The HTTP protocol includes definitions for dozens of headers that can be included in the client-to-server and server-to-client requests and responses. We will not attempt to list and describe all those available here; for a full description, the RFCs for HTTP/1.0 and HTTP/1.1 offer a better source. The RFCs define a series of standard headers, which can be complemented by adding user-defined headers from either the client or server side.
As headers are ASCII readable text in every HTTP request and response pair, they can prove very useful in the implementation of content switching. Let's look at some of the HTTP headers most commonly used in content switching.
The "Accept:" Header
The client browser uses the "Accept:" header to indicate to the server which content and media types can be accepted. Examples of the "Accept:" header include:
Accept: */*                                Accept anything
Accept: text/plain, text/html              Accept plain text and HTML
Accept: text/html, image/jpeg, image/bmp   Accept HTML and JPEG and bitmap images
The "Accept:" header is useful in the context of content switching to be able to determine the capabilities of a particular client. If the client browser cannot accept images, for example, the request can be directed to a server optimized to deliver text-only versions of the Web pages.
The "Host:" Header
One of the main problems in the original HTTP/1.0 specification was that a user's request as typed into the browser (e.g., http://www.foocorp.com/index.html) would not contain the host (www.foocorp.com) element in the GET request sent to the server. This represents a problem if virtual hosting is used within a Web server farm, where the server is potentially hosting multiple Web sites and needs to use this host information to determine which path and page the user is requesting.
Within the HTTP/1.1 specification, and subsequently in many newer HTTP/1.0 browsers, support was added for the "Host:" header. This allows the user's requested URL, typed into the browser, to be converted into a GET request containing the full path and filename along with the host from which the content is being fetched. The following is an example of translating a full URL into its component parts.
URL: http://www.foocorp.com/directory/somewhere/page.html
GET /directory/somewhere/page.html HTTP/1.0\r\nHost: www.foocorp.com
The "Host:" header has many uses within content switching, examples of which are shown in Chapter 6, Content-Aware Server Load Balancing.
The "User-Agent:" Header
The "User-Agent:" header indicates to the server the type of browser being used by the client. The "User-Agent:" header is useful in the context of content switching as it can be used to determine the browser type used by the client and direct the request to a resource offering content optimized for such a browser. The following is an example of the "User-Agent:" header.
User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0; Windows NT 5.0)
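As an added example (not code from the book), the following Python parses a raw HTTP request the way a content switch sees it and applies the Host, Accept and User-Agent decisions described above; the back-end pool names and the routing rules are hypothetical.

```python
"""Parse a raw HTTP request and make content-switching decisions on its headers.

Added example, not code from the book. The header semantics follow the
chapter; the back-end pool names and the routing rules are hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict[str, str] = field(default_factory=dict)

    def header(self, name: str, default: str = "") -> str:
        return self.headers.get(name.lower(), default)

    @property
    def keep_alive(self) -> bool:
        # HTTP/1.1 keeps the TCP connection open unless the client sends
        # "Connection: close" (the RFC token); HTTP/1.0 closes unless the
        # client asks for "Connection: Keep-Alive".
        conn = self.header("connection").lower()
        if self.version == "HTTP/1.1":
            return conn != "close"
        return conn == "keep-alive"

    def accepts(self, media_type: str) -> bool:
        # Accept lists media ranges separated by commas; parameters after ";"
        # (such as q=0.5) are ignored here. A missing Accept means anything.
        main, _, sub = media_type.partition("/")
        for item in self.header("accept", "*/*").split(","):
            rng = item.split(";", 1)[0].strip().lower()
            r_main, _, r_sub = rng.partition("/")
            if rng == "*/*" or (r_main == main and r_sub in ("*", sub)):
                return True
        return False


def parse_request(raw: bytes) -> HttpRequest:
    """Split the request line and the CRLF-terminated header lines."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    req = HttpRequest(method, target, version)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        req.headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in req.headers:
        raise ValueError("HTTP/1.1 request without a Host: header")
    return req


def choose_pool(req: HttpRequest) -> str:
    """Pick a back-end pool from Host, Accept and User-Agent (hypothetical rules)."""
    host = req.header("host").split(":")[0].lower()   # drop any :port
    if host == "intranet.foocorp.com":
        return "intranet-pool"
    if not req.accepts("image/jpeg"):
        return "text-only-pool"          # client cannot take images
    if "MSIE" in req.header("user-agent"):
        return "ie-optimized-pool"
    return "default-pool"


# Constructed sample request, as a browser from the chapter might send it.
SAMPLE = (b"GET /directory/somewhere/page.html HTTP/1.1\r\n"
          b"Host: www.foocorp.com\r\n"
          b"Accept: text/html, image/jpeg, image/bmp\r\n"
          b"User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0; Windows NT 5.0)\r\n"
          b"\r\n")

if __name__ == "__main__":
    r = parse_request(SAMPLE)
    print(r.method, r.target, r.version, "keep-alive" if r.keep_alive else "close")
    print("route to:", choose_pool(r))
```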
Cookies: The HTTP State Management Mechanism
As we'll see in later chapters, one of the biggest challenges in HTTP environments, whether content switched or not, is maintaining some form of client-side state that enables Web servers and intermediary devices to recognize the client session and understand the current status of the user session. This issue was tackled in RFC 2109, which defined the use of the Set-Cookie and Cookie HTTP headers, used to set and use the cookies, respectively. In HTTP, cookies take the form of a small piece of text information that is implanted into the user's browser either permanently or temporarily. The term cookie is commonly used in computing to describe an opaque piece of information held during a session and, unfortunately, seems to have no more interesting origin than that. Once the back-end server has implanted the cookie into the user's browser, the information can be used for a number of different applications ranging from content personalization, to user session persistence for online shopping, to the collection of demographic and statistical information on Web site usage.
The server, by issuing a Set-Cookie header in any HTTP response, can post a cookie to the client at any time during an HTTP session. The Set-Cookie header has the following syntax:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN; secure
The name and value fields are the only ones that are mandatory when issuing a cookie. As the names suggest, these define the name of the cookie and its value, such as UserID=Phil, for example. The expires field identifies, down to the second, the date and time on which a cookie will expire and be deleted from the client computer. The path and domain fields indicate the domain, such as www.foocorp.com, and the URL, such as /home/brochures/, for which the cookie should be used. Both of these options can effectively be wildcarded by specifying foocorp.com to match www.foocorp.com and intranet.foocorp.com, for example. Finally, the secure field indicates to the client that the cookie should only be used when a secure connection (SSL-secured HTTP, or HTTPS) is used between the client and server. Figure 3-4 shows the interaction between a client and server as two different cookies are inserted and used.
Figure 3-4. The interaction between a client and a server when two different cookies are implanted and used.
The following code shows the HTTP responses from the server in more detail. Note that the second cookie includes the Path field, which will limit the use of the cookie to URLs requested by the user that include the string /docs.
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: UserID=Phil\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: UserType=Gold; Path=/docs\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n
The mechanism that governs whether a cookie is permanent (i.e., stored on the hard disk of the user's machine) or temporary (i.e., removed once the user closes the browser application) is the Expires field in the Set-Cookie header. If the server does not issue an Expires directive when implanting the cookie, it is considered temporary, whereas if the Expires directive is used, then the cookie will be stored on the client machine until the expiry date has passed.
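To tie the Set-Cookie fields together, here is an added example (not the book's code) of the browser-side logic: it parses Set-Cookie headers, decides from Expires whether a cookie is permanent, and returns only the cookies whose domain, path and secure scope match a given request. The third cookie, the request URLs and the clock value are constructed for the example.

```python
"""Browser-side handling of cookies set with the Set-Cookie header.

Added example, not code from the book. It follows the rules in the text:
name=value is mandatory, Expires makes a cookie permanent, Path and Domain
scope where it is returned, and Secure limits it to HTTPS requests.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                       # host or domain the cookie applies to
    host_only: bool = True            # True when the server sent no domain= field
    path: str = "/"
    expires: datetime | None = None   # None: temporary, gone when the browser closes
    secure: bool = False

    @property
    def permanent(self) -> bool:
        return self.expires is not None


def parse_set_cookie(header_value: str, setting_host: str) -> Cookie:
    """Parse 'NAME=VALUE; expires=...; path=...; domain=...; secure'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie requires name=value")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=setting_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie.expires = parsedate_to_datetime(val)
        elif key == "path" and val:
            cookie.path = val
        elif key == "domain" and val:
            cookie.domain, cookie.host_only = val.lstrip(".").lower(), False
        elif key == "secure":
            cookie.secure = True
    return cookie


def domain_matches(cookie: Cookie, host: str) -> bool:
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    # domain=foocorp.com covers www.foocorp.com and intranet.foocorp.com
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie: Cookie, path: str) -> bool:
    # Path=/docs covers /docs and /docs/manual.html but not /docsarchive
    prefix = cookie.path.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def cookie_header(jar: list[Cookie], host: str, path: str, https: bool,
                  now: datetime) -> str:
    """Build the Cookie: header value a browser sends for one request."""
    sent = []
    for c in jar:
        if c.expires is not None and c.expires <= now:
            continue                     # expired: the browser discards it
        if c.secure and not https:
            continue                     # only over SSL-secured HTTP
        if domain_matches(c, host) and path_matches(c, path):
            sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


# Constructed inputs: the two cookies from the responses above, plus one that
# uses the optional expires, domain and secure fields.
SETTING_HOST = "www.foocorp.com"
JAR = [
    parse_set_cookie("UserID=Phil", SETTING_HOST),
    parse_set_cookie("UserType=Gold; Path=/docs", SETTING_HOST),
    parse_set_cookie("Pref=Blue; expires=Fri, 05 Mar 2004 12:00:00 GMT; "
                     "domain=foocorp.com; secure", SETTING_HOST),
]
NOW = datetime(2004, 3, 5, 9, 0, tzinfo=timezone.utc)   # constructed clock

if __name__ == "__main__":
    print(cookie_header(JAR, "www.foocorp.com", "/home/brochures/", False, NOW))
    print(cookie_header(JAR, "www.foocorp.com", "/docs/manual.html", False, NOW))
    print(cookie_header(JAR, "intranet.foocorp.com", "/", True, NOW))
```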
Cookies are by far one of the most useful additions made to the HTTP specifications, and as we'll see in later chapters can be used in conjunction with content switching to enable a whole host of new experience-enhancing services.
HTTP Further Reading
It is outside the scope of this book to cover the HTTP protocol in its entirety; the RFC for HTTP/1.1 alone is over 160 pages. For more in-depth detail on the protocol, it's worth looking at the following RFCs:
RFC 1945 Hypertext Transfer Protocol HTTP/1.0
RFC 2068 Hypertext Transfer Protocol HTTP/1.1
RFC 2109 HTTP State Management Mechanism
File Transfer Protocol (FTP)
In Internet terms, the File Transfer Protocol, or FTP, has been around for a long time. First defined in RFC 172, written in June 1971, the protocol has been through several changes through to the current specification, which is defined in RFC 959. Again, while it's not the purpose of this book to describe every detail about FTP, it's worth looking at its basic operation to get a better understanding of how content switching can improve performance and reliability in FTP environments.
FTP Basics
FTP exists primarily for the transfer of data between two endpoints. The RFC itself actually states that two of the objectives of the protocol are to "promote the sharing of files" and "transfer data reliably and efficiently." FTP differs from HTTP fundamentally as it is an application made up of two distinct TCP connections:
Control connection: This TCP-based connection is used to provide a communications channel for the delivery of commands and replies. This is effectively the mechanism that enables the user to tell the server which file is being requested, which directory it is in, and so forth.
Data connection: The second TCP-based connection is used for the actual transfer of user data. Once the Control connection has been used to exchange information on which file is required, the Data connection is used to transfer the file between the client and server.
Using these two communication connections, two distinct modes of operation determine in which direction the connections are established: Active mode and Passive mode.
Active Mode FTP
Within an Active FTP session, the Control connection is established from the client to the server, with the Data connection established back from the server to the client. In order to do this, the client issues a PORT command to the server that contains the IP address and source and destination TCP ports that should be used during the Data connection. Figure 3-5 shows the life cycle of an Active FTP session.
Figure 3-5. An Active FTP session example.
As we can see from Figure 3-5, once the user has logged on with a valid username and password, the very first "data" that is passed, in this case a directory listing, is carried using a separate data channel. The format for communicating the IP and TCP information of the data channel is as follows:
PORT [Octet1],[Octet2],[Octet3],[Octet4],[TCP Port high 8 bits],[TCP Port low 8 bits]
Therefore, in the preceding example, the PORT command of PORT 10,10,10,10,15,199 equates to IP address 10.10.10.10 and TCP port 4039 (15 x 256 + 199).
In some instances, Active FTP can be considered a security risk, mainly because there is often little control over the contents of the PORT command. Under normal usage, this information should be the IP address and listening TCP port of the client waiting for the Data connection. When used maliciously, however, the client could issue PORT commands with IP addresses and TCP ports of other machines, either within the same network as the server or remotely. Many Application layer firewalls and proxies, or firewalls with support for FTP command parsing, can be used to reduce the effectiveness of such attacks. One alternative is to implement the second method of FTP: Passive mode FTP.
Passive Mode FTP
Passive mode FTP works similarly to Active mode FTP with one major exception: both the Control and Data connections within a Passive mode FTP session are established from the client to the server. To implement this, rather than use the PORT command, Passive mode FTP implements the PASV command, which instructs the server that it should listen for the incoming Data connection. Figure 3-6 shows Passive mode FTP in more detail.
Figure 3-6. A Passive FTP session example.
In Figure 3-6, we can see that rather than the client dictating the parameters of the Data connection, it simply requests this information from the server. Similarly to the PORT command in Active mode, the server's RESPONSE to the PASV request from the client can be interpreted as follows:
RESPONSE 227 (10,10,10,10,41,38)
which means open from client to server on IP address 10.10.10.10 and TCP port 10534 (41 x 256 + 38).
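As an added example (not from the book), the following Python encodes and decodes the h1,h2,h3,h4,p1,p2 form shared by the PORT command and the 227 reply, and performs the check that an FTP-aware firewall or proxy applies to a PORT command: the address must be that of the client on the control connection. The privileged-port rule is an assumption of the example.

```python
"""Encode, decode and validate the address tuples in FTP PORT and 227 replies.

Added example, not the book's code. It applies the chapter's arithmetic
(port = p1 * 256 + p2) and adds the check an FTP-aware firewall or proxy
makes on a PORT command: the data connection must go back to the client
that owns the control connection. The privileged-port rule is an assumption.
"""
from __future__ import annotations
import ipaddress
import re

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def encode_hostport(ip: str, port: int) -> str:
    """'10.10.10.10', 4039 -> '10,10,10,10,15,199' (port as high byte, low byte)."""
    if not 0 <= port <= 65535:
        raise ValueError("TCP port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_hostport(text: str) -> tuple[str, int]:
    """Find h1,h2,h3,h4,p1,p2 in a PORT command or 227 reply and return (ip, port)."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("tuple element larger than one byte")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def check_port_command(line: str, control_peer_ip: str) -> tuple[str, int]:
    """Validate a client's PORT command the way an FTP-aware firewall would."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(line)
    if ip != control_peer_ip:
        # PORT naming a third host is the misuse the text describes; refuse it.
        raise ValueError(f"PORT address {ip} is not the control peer {control_peer_ip}")
    if port < 1024:
        raise ValueError(f"PORT to privileged port {port} refused")
    return ip, port


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply")
    return decode_hostport(line)


if __name__ == "__main__":
    print(decode_hostport("PORT 10,10,10,10,15,199"))    # ('10.10.10.10', 4039)
    print(parse_pasv_reply("227 (10,10,10,10,41,38)"))   # ('10.10.10.10', 10534)
    print(check_port_command("PORT 10,10,10,10,15,199", "10.10.10.10"))
```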
FTP Further Reading
For further information on the detailed workings of FTP, it's worth looking at RFC 959.
Real Time Streaming Protocol (RTSP)
In the modern Internet, applications are required to deliver value. One of the biggest conundrums in recent years has been the battle to actually make the Internet a viable platform for making money. As we'll see throughout the course of this book, one of the biggest drivers for delivering on the "Gold Rush" promise of Internet technologies is content. Making content attractive to end consumers to the point where they are willing to pay is a big challenge, and one that has been aided by the delivery of Application layer protocols such as RTSP, which enables the delivery of real-time video and audio in variable qualities. The other Application layer protocols we've looked at so far in this chapter work in a request/response manner, whereby the client asks for some piece of content, the content is delivered using TCP or UDP, and then the client application can display the content to the user. While these mechanisms are suitable for a large number of applications in the Internet, there also exists a requirement to deliver content, be it images, audio, video, or a combination of all three, in real time. Imagine if a user were to try to watch a full-screen video file of a one-hour movie using HTTP or FTP as the Application layer protocol. The movie file might be several hundred megabytes, if not several gigabytes, in size. Even with modern broadband services deliverable to the home, this type of large file size does not fit well in the "download then play" model we saw previously.
RTSP uses a combination of reliable transmission over TCP (used for control) and best-efforts delivery over UDP (used for content) to stream content to users. By this, we mean that the file delivery can start and the client-side application can begin displaying the audio and video content before the complete file has arrived. In terms of our one-hour movie example, this means that the client can request a movie file and watch a "live" feed similar to how one would watch a TV. Along with this "on demand" type service, RTSP also enables the delivery of live broadcast content that would not be possible with traditional download-and-play type mechanisms.
The Components of RTSP Delivery
During our look at RTSP, we'll use the term to describe a number of protocols that work together in delivering content to the user.
RTSP
RTSP is the control protocol for the delivery of multimedia content across IP networks. It is based typically on TCP for reliable delivery and has a very similar operation and syntax to HTTP. RTSP is used by the client application to communicate to the server information such as the media file being requested, the type of application the client is using, the mechanism of delivery of the file (unicast or multicast, UDP or TCP), and other important control information commands such as DESCRIBE, SETUP, and PLAY. The actual multimedia content is not typically delivered over the RTSP connection(s), although it can be interleaved if required. RTSP is analogous to the remote control of the streaming protocols.
Real Time Transport Protocol (RTP)
RTP is the protocol used for the actual transport and delivery of the real-time audio and video data. As the delivery of the actual data for audio and video is typically delay sensitive, the lighter-weight UDP protocol is used as the Layer 4 delivery mechanism, although TCP might also be used in environments that suffer higher packet loss. The RTP flow when delivering the content is unidirectional from the server to the client. One interesting part of the RTP operation is that the source port used by the server when sending the UDP data is always even, although it is dynamically assigned. The destination port (i.e., the UDP port on which the client is listening) is chosen by the client and communicated over the RTSP control connection.
Real Time Control Protocol (RTCP)
RTCP is a complementary protocol to RTP and is a bidirectional UDP-based mechanism to allow the client to communicate stream quality information back to the object server. The RTCP UDP communication always uses the next UDP source port up from that used by the RTP stream, and consequently is always odd. Figure 3-7 shows how the three protocols work together.
Figure 3-7. The three main application protocols used in real-time streaming.
RTSP Operation
The RTSP protocol is very similar in structure, and specifically in syntax, to HTTP. Both use the same URL structure to describe an object, with RTSP using the rtsp:// scheme rather than http://. RTSP, however, introduces a number of additional headers (such as DESCRIBE, SETUP, and PLAY) and also allows data transport out of band and over a different protocol, such as RTP, described earlier. The best way to understand how the components described previously work together to deliver an audio/video stream is to look at an example. The basic steps involved in the process are as follows:
1. The client establishes a TCP connection to the server, typically on TCP port 554, the well-known port for RTSP.
2. The client will then commence issuing a series of RTSP header commands that have a similar format to HTTP, each of which is acknowledged by the server. Within these RTSP commands, the client will describe to the server details of the session requirements, such as the version of RTSP it supports, the transport to be used for the data flow, and any associated UDP or TCP port information. This information is passed using the DESCRIBE and SETUP headers and is augmented on the server response with a Session ID that the client, and any transitory proxy devices, can use to identify the stream in further exchanges.
3. Once the negotiation of transport parameters has been completed, the client will issue a PLAY command to instruct the server to commence delivery of the RTP data stream.
4. Once the client decides to close the stream, a TEARDOWN command is issued along with the Session ID, instructing the server to cease the RTP delivery associated with that ID.
Example RTSP with UDP-Based RTP Delivery
Let's consider an example interaction where the client and server will use a combination of TCP-based RTSP and UDP-based RTP and RTCP to deliver and view a video stream. In the first step, the client will establish a TCP connection to port 554 on the server and issue an OPTIONS command showing the protocol version used for the session. The server acknowledges this with a 200 OK message, similar to HTTP.
C->S OPTIONS rtsp://video.foocorp.com:554 RTSP/1.0
     CSeq: 1
S->C RTSP/1.0 200 OK
     CSeq: 1
Next, the client issues a DESCRIBE command that indicates to the server the URL of the media file being requested. The server responds with another 200 OK acknowledgment and includes a full media description of the content, which is presented in either Session Description Protocol (SDP) or Multimedia and Hypermedia Experts Group (MHEG) format.
C->S DESCRIBE rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 2
S->C RTSP/1.0 200 OK
     CSeq: 2
     Content-Type: application/sdp
     Content-Length: 210
In the third stage of the RTSP negotiation, the client issues a SETUP command that identifies to the server the transport mechanisms, in order of preference, the client wants to use. We won't list all of the available transport options here (the RFC obviously contains an exhaustive list), but we'll see the client request RTP over UDP on ports 5067 and 5068 for the data transport. The server responds with confirmation of the RTP over UDP transport mechanism and the client-side ports, and includes the unique Session ID and server port information.
C->S SETUP rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 3
     Transport: rtp/udp;unicast;client_port=5067-5068
S->C RTSP/1.0 200 OK
     CSeq: 3
     Session: 12345678
     Transport: rtp/udp;client_port=5067-5068;server_port=6023-6024
Finally, the client is now ready to commence the receipt of the data stream and issues a PLAY command. This simply contains the URL and Session ID previously provided by the server. The server acknowledges this PLAY command, and the RTP stream from the server to the client will begin.
C->S PLAY rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 4
     Session: 12345678
S->C RTSP/1.0 200 OK
     CSeq: 4
Once the client decides that the stream can be stopped, a TEARDOWN command is issued over the RTSP connection, referenced only by the Session ID. The server again acknowledges this and the RTP delivery will cease.
C->S TEARDOWN rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 5
     Session: 12345678
S->C RTSP/1.0 200 OK
     CSeq: 5
Figure 3-8 shows this example in a simplified graphic form.
Figure 3-8. An example of RTSP in action with the video and audio data being delivered over a separate UDP-based RTP stream.
Other Options for Data Delivery
In certain scenarios, the best-effort, dynamic-port methods of UDP-based RTP, as described previously, are not suitable. Some environments might consider the allocation of dynamic source and destination UDP ports through firewalls to be something they can live happily without. Moreover, just the nature of the Layer 1 and Layer 2 transport mechanisms underlying the data delivery might not be suited to non-guaranteed UDP traffic. In either instance, RTSP allows for the negotiation of the RTP delivery of the media data to be interleaved into the existing TCP connection.
When interleaving, the client-to-server SETUP command has the following format:
C->S SETUP rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 3
     Transport: rtp/avp/tcp;interleaved=0-1
The changeover in the preceding example is in the transport description. First, the transport mechanism has changed to show that the RTP delivery must be over TCP rather than UDP. Second, the addition of the interleaved option shows that the RTP data should be interleaved and use channel identifiers 0 and 1: 0 will be used for the RTP data and 1 will be used for the RTCP messages. To confirm the transport setup, the server will respond with confirmation and a Session ID as before:
S->C RTSP/1.0 200 OK
     CSeq: 3
     Session: 12345678
     Transport: rtp/avp/tcp;interleaved=0-1
The RTP and RTCP data can now be transmitted over the existing RTSP TCP connection with the server using the 0 and 1 identifiers to represent the relevant channel.
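The following added example (not code from the book) shows the server side of the SETUP negotiation for both transports above, RTP over UDP with a client_port pair and RTP interleaved over the RTSP TCP connection; the session id, the first free server port and the even-RTP/odd-RTCP port allocation (taken from the chapter's description of RTP and RTCP) are assumptions of the example.

```python
"""Server-side handling of the RTSP SETUP Transport negotiation.

Added example, not code from the book. It parses the client's Transport
header for the two cases shown in the text (RTP over UDP with client_port,
and RTP interleaved over the RTSP TCP connection) and builds the 200 OK
reply. The session id, the first free server port and the even/odd port rule
for RTP/RTCP are the example's assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Transport:
    profile: str                                # e.g. "rtp/udp" or "rtp/avp/tcp"
    unicast: bool = False
    client_port: tuple[int, int] | None = None  # client's RTP-RTCP port pair
    server_port: tuple[int, int] | None = None  # server's RTP-RTCP port pair
    interleaved: tuple[int, int] | None = None  # channel ids on the TCP connection

    def __str__(self) -> str:
        parts = [self.profile]
        if self.interleaved is not None:
            parts.append("interleaved=%d-%d" % self.interleaved)
            return ";".join(parts)
        if self.unicast:
            parts.append("unicast")
        if self.client_port is not None:
            parts.append("client_port=%d-%d" % self.client_port)
        if self.server_port is not None:
            parts.append("server_port=%d-%d" % self.server_port)
        return ";".join(parts)


def _port_pair(text: str) -> tuple[int, int]:
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_transport(value: str) -> Transport:
    """Parse 'rtp/udp;unicast;client_port=5067-5068' or 'rtp/avp/tcp;interleaved=0-1'."""
    items = [f.strip() for f in value.split(";") if f.strip()]
    if not items:
        raise ValueError("empty Transport header")
    t = Transport(profile=items[0].lower())
    for item in items[1:]:
        key, _, val = item.partition("=")
        key = key.lower()
        if key == "unicast":
            t.unicast = True
        elif key == "client_port":
            t.client_port = _port_pair(val)
        elif key == "interleaved":
            t.interleaved = _port_pair(val)
    return t


def allocate_server_ports(first_free: int) -> tuple[int, int]:
    """RTP on an even port, RTCP on the next (odd) port, as the chapter describes."""
    rtp = first_free if first_free % 2 == 0 else first_free + 1
    return rtp, rtp + 1


def setup_reply(cseq: int, client_transport: str, session_id: str,
                first_free_port: int) -> str:
    """Build the server's 200 OK to a SETUP request carrying client_transport."""
    t = parse_transport(client_transport)
    if t.interleaved is not None:
        # Interleaved delivery rides the RTSP TCP connection itself, so the
        # profile must name TCP and no UDP ports are allocated.
        if not t.profile.endswith("/tcp"):
            raise ValueError("interleaved delivery requires a TCP transport")
    else:
        if t.client_port is None:
            raise ValueError("UDP delivery requires client_port")
        t.server_port = allocate_server_ports(first_free_port)
    return ("RTSP/1.0 200 OK\r\n"
            f"CSeq: {cseq}\r\n"
            f"Session: {session_id}\r\n"
            f"Transport: {t}\r\n\r\n")


if __name__ == "__main__":
    print(setup_reply(3, "rtp/udp;unicast;client_port=5067-5068", "12345678", 6023))
    print(setup_reply(3, "rtp/avp/tcp;interleaved=0-1", "12345678", 6023))
```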
One further delivery option for RTP and RTCP under RTSP is to wrap the delivery of all media streaming components inside traditional HTTP frame formats. This removes most barriers presented when using streaming media through firewalled environments, as even the most stringent administrator will typically allow HTTP traffic to traverse perimeter security. While HTTP and RTSP interleaved delivery of the streamed media data will make the content available to the widest possible audience, when you consider the overhead of wrapping all RTP data inside either an existing TCP stream or, worse still, inside HTTP, it is the least efficient method for delivery. To enable the streaming media client browser to cope with the different options described previously, most offer the client users the ability to configure their preferred delivery mechanism or mechanisms, and the timeout that should be imposed in failing between them. What you will see from a client perspective is that the client application will first request that the stream be delivered using RTP in UDP, and if the stream does not arrive within x seconds (as it is potentially being blocked by an intermediate firewall), it will fail back to using RTP interleaved in the existing RTSP connection.
RTSP and RTP Further Reading
For further information on the RTSP and RTP protocols, RFCs 2326 and 1889, respectively, are a good source.
Secure Sockets Layer (SSL)
The final protocol we'll look at in this chapter is neither a Layer 4 transport protocol nor an Application layer protocol, but one that sits between these layers to provide security services to many modern Internet applications. Secure Sockets Layer, or SSL, has been one of the major forces in Internet security technology since its inception by Netscape Communications, and continues to be included in all major browsers. This has enabled Web application developers to deliver secure content and services using traditional HTTP servers with few changes required in terms of the setup of the basic server or restructuring of the HTML content. The other major advantage of the integration of SSL into all major browsers is its transparency to the user. SSL typically gets used without the knowledge of the client, other than the appearance of a small padlock in the corner of the browser window, thus meaning that no additional level of expertise is required to use Internet applications with this security. Figure 3-9 shows a browser that is currently using SSL.
Figure 3-9. A Web browser will typically use SSL when instructed by the Web site with little or no input required by the user. The use of SSL can be seen by the inclusion of a small padlock in the browser.
While the most common implementation of SSL is within Web browsers, creating the application protocol hybrid known as HTTPS, it should be remembered that it is a transparent protocol available to any TCP/IP-based application. Along with HTTPS, other common SSL-secured protocols include SMTPS and TelnetS.
The Need for Application Security
The need for security within Internet applications is clear: the Internet is still a public network with little or no security infrastructure designed to protect all users. Imagine using the online services of your favorite bank. Passing important data such as your bank account number, password, and balance across the Internet using only HTTP represents a huge personal security risk, as the data is potentially visible to any device sitting between your browser and the bank's Web site. SSL can be used very effectively to hide all of the application data as it traverses the Internet, to prevent anybody snooping the connection from reading personal data, a process referred to as encryption.
The second important feature provided by SSL for Internet applications is authentication; in other words, the ability for the client to be able to distinguish the Web site as valid. Imagine in our previous bank example if another rogue site were to masquerade as the bank's Web site. This might allow the rogue site to intercept the personal and banking details of thousands of customers, not a welcome situation. SSL provides mechanisms to implement authentication as a way for each side to identify itself to the other.
The final security element that is provided by SSL is tamper detection. Imagine finally that someone were to sit between the client and the bank's Web site and change certain pieces of data as they pass back and forth. This would give the opportunity to alter key personal and banking data and potentially set up fraudulent transactions. SSL provides mechanisms for each side to ensure that the Application layer data being sent and received has not changed in any way as it traverses the Internet.
For the Internet to continue to grow, not only in size, but also as a credible medium for business and commerce, it must be able to provide mechanisms such as SSL as a way to guarantee security.
Fitting SSL into the Seven Layer Model
In the concepts of the OSI Seven Layer Model as we saw in Chapter 2, Understanding Layer 2, 3, and 4 Protocols, SSL sits between the Application layer and the Transport layer, traditionally seen as part of the Presentation layer. This means that the use of SSL is selectively performed by each application rather than as a whole, as with IPSec-based encryption. This gives the client machine the ability to run secure services for certain applications only, while remaining impartial to the underlying Layer 3 and 4 services below. In comparison, IPSec, for example, can operate in a tunneling mode, which means that all traffic flowing to or from a particular address or range of addresses is encrypted right down to the IP layer. Within SSL, only the Application layer data is encrypted. Figure 3-10 shows the presence of SSL in the OSI model.
Figure 3-10. Where SSL sits in the OSI model in comparison to IPSec.
EncryponandCryptography
Theprocessofencryponanddecryponfundamentallymeanstotakesomesourcedata,transformittoastatewhereitcannotberead
byanyoneelse,andthentransformitbacktoitsoriginalstate,thusrenderingitreadableoncemore.Thisapproachrequirestheuseof
twoimportantelements:theCryptographicAlgorithm,orcipher,andakey.Acipherisamathemacalformulaorfunconthatisapplied
eithertotheoriginaldata(toencrypt)ortothetransformeddata(todecrypt).Onethingalwaysremainstrue,howeverthecipherused
toencryptthedatamustalsobeusedtodecryptattheotherend.ToenablethiscommonalityinanetworksuchastheInternetwhere
thereareenormousnumbersofpotenalclientserverconneconcombinaons,aseriesofstandardciphershavebeendevelopedover
mesuchasDataEncryponStandard(DES)andRC4.
As these ciphers are well known, they rely on the second element to introduce some form of random factor to the process, known as a key. The use of a key, or series of keys, gives the cipher the ability to encrypt the data in such a way that it cannot be decrypted easily. If you were to encrypt a simple sentence using an algorithm that is widely known, it would be a relatively simple task to run the data through the same algorithm and arrive at the answer. The use of a key means that in order to decrypt the data, the recipient must know both the appropriate cipher to use and the key used to encrypt the data originally.
This combination of cipher and key forms the basic premise of modern cryptography: decryption with the known key is simple, but decryption without the key is extremely difficult and in most cases computationally impossible. SSL uses a combination of two basic encryption techniques, symmetric key encryption and public key encryption.
Symmetric Key Encryption
With symmetric key encryption, both sides use the same key value to perform both the encryption and decryption. Figure 3-11 shows a simple graphical representation of symmetric key encryption.
Figure 3-11. With symmetric key encryption, both the encryption and decryption use the same key.
Symmetric key encryption has a number of advantages and disadvantages. First, performing this type of encryption and decryption is computationally inexpensive, which means that the performance of applications using symmetric keys is generally better. On the downside, if the shared key is compromised on either side, the security of the encryption between the parties is broken. Moreover, the process of sharing a single shared key between two sides wanting to use symmetric key encryption can be cumbersome. Imagine two Internet-based users wishing to communicate: they must first share a key to use before they can encrypt and transmit data. This in itself is a major headache, as the key cannot simply be sent in clear text over the Internet for fear of being captured. SSL uses symmetric key encryption for bulk encryption (that is, the encryption of all Application layer data), but it employs a very clever technique to arrive at a common shared key: public key, or asymmetric key, encryption.
Public Key or Asymmetric Key Encryption
As its name suggests, public key or asymmetric key encryption uses two different keys to perform encryption and decryption, respectively. These keys are known as the public and private keys and are mathematically linked. The mathematics of public key encryption are different from those in symmetric key encryption, as any data encrypted using the public key cannot be easily decrypted using the public key, and similarly with the private key. For public key encryption to work correctly, the client must encrypt using the public key and the server must decrypt using the private key. As a result, the security of the public key is largely irrelevant and it is commonly available. In SSL terms, the public key is carried in a certificate (more on that later). The security of the private key, however, is of utmost importance, and typically the private key will never leave the server for which it was generated, for fear of compromising the security of the key pair. Therefore, in summary, if you encrypt with the widely available public key, the resulting data can only be decrypted using the corresponding private key. Figure 3-12 shows a simple representation of public key encryption.
Figure 3-12. In asymmetric key or public key encryption, any data encrypted using the easily available public key can only be decrypted using the corresponding private key.
This approach affords public key encryption a couple of key advantages. First, the combination of corresponding, mathematically linked keys means that once the data has been encrypted, it can only be decrypted by the holder of the private key. Second, as the public key can be transmitted in clear text to the intended receiver, it is well suited to large-scale, public networks such as the Internet. The main downside of public key encryption is that it is computationally expensive, thus rendering it unsuitable for situations in which large volumes are required. Above all, the security of the private key is paramount; if it is lost or compromised, the entire premise on which the process is built is broken.
SSL: Combining Symmetric and Asymmetric Encryption
Therefore, on the one hand we have a symmetric encryption mechanism that is computationally cheap but does not scale well to large numbers of users, and on the other, we have a computationally expensive algorithm which does scale well due to its concept of public keys. The answer in terms of SSL is to use a combination of both of these mechanisms to achieve the result we're looking for. The aim of combining the two methods is to allow for encrypted access from anywhere by anyone. The process uses asymmetric encryption to initialize the connection, and then uses symmetric encryption to provide a secure communication channel for the duration of the conversation.
When communications begin, the client creates a random number whose length is determined by the encryption strength required. This large random number will effectively form the shared private key for the symmetric encryption that will be used to exchange application data. The client encrypts this random number with the public key and sends the encrypted version of it to the server. The asymmetric encryption at this stage ensures that only the private key can decrypt the data. Once decrypted, this random number is now used as the symmetric key for the duration of the conversation, as each party has successfully shared a common key. The beauty of this process is that the actual private keys (random numbers) never traverse the connection in clear form, thus minimizing the chance of being intercepted. Figure 3-13 shows this combination of symmetric and public key encryption as used by SSL.
Figure 3-13. SSL uses a combination of public key encryption to exchange the symmetric key and symmetric encryption to encrypt the bulk application data.
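The exchange just described, as an added example that is not from the book: textbook RSA with two constructed 31-bit primes stands in for the server's public/private key pair, and an HMAC-SHA256 keystream stands in for the bulk cipher. Both are illustrations of the mechanism, not real SSL cipher suites or real-world key sizes; what matters is that the client's random number crosses the wire only in public-key-encrypted form.

```python
"""Hybrid key exchange in the style the text describes for SSL.  Added
example, not from the book: textbook RSA with two constructed 31-bit primes
stands in for the server's key pair and an HMAC-SHA256 keystream stands in
for the bulk cipher.  Both illustrate the mechanism; neither is real-world
strength or a real SSL cipher suite."""
import hashlib, hmac, secrets

P, Q = 2147483647, 2147483629   # constructed demo primes (2^31-1 and the prime below it)
E = 65537

def rsa_keygen(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: the only thing that undoes pow(m, e, n)
    return (n, e), (n, d)

def rsa_wrap(public_key, m):
    """Client side: encrypt the random number with the widely available public key."""
    n, e = public_key
    if not 0 < m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def rsa_unwrap(private_key, c):
    """Server side: only the holder of the private key recovers m."""
    n, d = private_key
    return pow(c, d, n)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric bulk cipher stand-in: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts, as with any symmetric key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hmac.new(key, off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)

def ssl_style_exchange(app_data: bytes) -> dict:
    public_key, private_key = rsa_keygen()          # server's pair; public half sits in its certificate
    n = public_key[0]
    client_random = secrets.randbelow(n - 2) + 1    # client picks the future symmetric key
    wire_key = rsa_wrap(public_key, client_random)  # the only form that crosses the network
    server_random = rsa_unwrap(private_key, wire_key)
    assert server_random == client_random           # both ends now hold the same secret
    sym_key = hashlib.sha256(client_random.to_bytes(8, "big")).digest()
    ciphertext = stream_xor(sym_key, app_data)      # bulk Application layer data
    return {"wire_key": wire_key, "plaintext_on_wire": wire_key == client_random,
            "ciphertext": ciphertext, "recovered": stream_xor(sym_key, ciphertext)}
```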
Encryption Algorithms
There are many encryption algorithms in use, and each provides a different level of encryption, depending on the degree of security required. Earlier algorithms used keys 40 bits in length, but with today's computing power these can typically be cracked within a few hours. The longer the key, the harder the encryption is to crack. All algorithms work in conjunction with a secret key to create the encryption. In the case of SSL, this secret key is the randomly generated number. Common encryption algorithms used today are DES, 3DES, and AES.
Certificates
Now that we've seen the importance of passing the public key within SSL, let's look at the mechanism used to undertake this. Certificates are used in SSL to perform two key functions: first, they provide a level of authentication, potentially for both sides, and second, they provide a standard format in which to pass the public key to the requester. Certificates are like digital passports that can authenticate an organization to a user on connection to its site. Two types of certificates can be used: a server certificate and a client certificate. In a typical SSL environment, only the server certificate is used. This is so that the server (or site) can authenticate who they are on the initial client request and pass the public key. Remember, it is the client that initiates the connection and asks for the certificate to be sent. This allows an organization to publish its services, and even though the users cannot see where they are going (e.g., there is no storefront or actual physical structure), they know they have connected to the site based on the server certificate issued. While we agree that this could be spoofed in theory, one has to question the rationality of this. It requires that the private key be retrieved, DNS entries to that site be hijacked or updated to the new address, and all of this needs to happen without the existing site becoming aware of it. This is highly unlikely in an age where security is a number one agenda item, and a highly active site would be immediately aware of a site failure or attack. In addition, a user must actually make a credit card payment to this fraudulent site. If this did happen, it would have to be to a site that is not well monitored and actively trading, and therefore very rarely visited, which in turn makes the exercise superfluous, as no huge revenue or loss of reputation would be achieved by the hacker.
Typically, the receipt of a server certificate is all that is required to begin a secure connection with a site. In some cases, the site also wants to ensure that the users are who they say they are. This is certainly a requirement in business-to-business transactions, where companies want to be able to control access to their site, especially when access to sensitive information or large sums of money is involved.
Client certificates are used to provide client-side authentication. These certificates, normally derived from the server certificate, are loaded onto the user's machine, and on connection, the server will request the certificate to be sent to it to authenticate the user. As each certificate will have a unique identifier, this can be used to track access. Should connectivity no longer be permitted or required, then this unique identifier can also be used to revoke access to the specific site.
Having the ability to provide client and server authentication builds a very compelling case for SSL deployment. Figure 3-14 is an example of what a certificate looks like, followed by the associated private key. Certificates such as these can be easily copied and pasted into a security appliance.
Certificate Authorities
Certificate authorities (CAs) are like the passport control of the SSL world. They confirm that a site is what it says it is, as they have signed the certificate. Many organizations act as CAs and sign certificates on behalf of sites. These organizations are often seen as respected businesses or, in some cases, quasi-government-type departments such as a post office or telecommunications provider. The largest ones around today are dedicated to providing a certificate signing function, such as Verisign, Entrust, and Thawte. By default, Web browsers have a list of accepted CAs, which is checked when a site is accessed. If the CA is not present, the browser will display a message asking if this certificate should be accepted. Adding or deleting CAs can be done by users within their favorite browser. Certificates have the ability to be chained. This means that a certificate can be trusted if it has a link or chain back to the original issuer whom you trust. This method is transparent to the user and is handled by the SSL protocol.
Figure 3-14. Sample of a public certificate and private key (a PEM-encoded CERTIFICATE block followed by a DES-EDE3-CBC encrypted RSA PRIVATE KEY block). As you can see, it is merely clear text and can be easily copied.
SSL in Action
Let's see the combination of cipher suites, keys, algorithms, and certificates in action as we run through an example SSL session.
When enabling SSL on services on your server, you will first need to create a private and public key pair and corresponding certificate. This process is automatically initiated on most Web servers and will result in the creation of what is known as a certificate signing request, or CSR. This CSR, containing the public key, should be forwarded to the chosen CA for signing and, once completed, imported back into the Web server. A point to note here is that the private key must stay private; if it were available, someone could easily masquerade as your site, because the public key is just that, public. With the private and public key pair, all encrypted traffic can be decrypted. But let's get back to the CSR. The CSR needs to be sent to a CA, who will sign it and return it to you for you to validate your domain name. We must point out here that a certificate is tied to a domain name and not an IP address. This domain name needs to be resolved to the address of the server in order to work. Once complete, the Web site can be ready for use, and all that is required is that the servers have the SSL service running.
Now we are ready to begin the actual SSL setup, as illustrated in Figure 3-15. Let's look at the steps in more detail, remembering that certain message types within the SSL protocol are used to determine specific requests:
1. Once the client has established a TCP session on port 443 with the server, the client sends a client hello message. This client hello includes information such as the cipher suites that it supports.
2. The server selects the cipher suite from the list presented and responds with a server hello indicating to the client the ciphers it deems suitable. The client and the server have now agreed on a cipher suite to use.
3. The server then issues the client a copy of its certificate (remember that this certificate also contains the public key). Optionally, the server may request a copy of the client's certificate if client-side authentication is required.
4. Next, the server sends a server hello done message to tell the client it has completed the first phase of the session setup. As there is no key yet, this process is carried out in clear text.
5. The client now generates a random number, encrypts it with the server's public key, and sends the server the client key. This process is known as the client key exchange. This is the symmetric key that will be used for the duration of the symmetric encryption session. Communication from here on is encrypted.
6. The client now sends a change cipher spec message to the server to say it will now begin using the negotiated cipher suite (determined in step 2) for the duration of the session.
7. Once this is done, the client sends a finished message to the server to say that it is ready.
8. The server, in turn, sends a change cipher spec message to the client using the agreed information. The server also sends out a finished message on completion.
9. A secure encrypted tunnel is now set up, and communication can begin using the symmetric encryption details negotiated.
Figure 3-15. SSL session setup is a computationally intensive process that we need to offload to increase network performance.
One key piece of information in this exchange, which we will see has relevance in content switching in later chapters, is the SSL Session ID. This is a random identifier agreed by both sides when first initiating the SSL session to the server and is used to uniquely identify the tunnel they have established. One option that is held by the client during the negotiation process described previously is to reuse a set of agreed ciphers and keys by including the Session ID in the client hello it sends to the server. Provided that the server is configured to allow this type of session reuse, it will skip the need to swap the symmetric key and thus bypass the big number arithmetic needed, in turn speeding up the process. The SSL Session ID can be read in clear text, as it is not passed encrypted between client and server.
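Step 1 of the handshake and the Session ID passage above both concern fields that cross the wire before any key exists. As an added example that is not from the book, the following passive decoder reads a client hello record and reports the offered cipher suites, the protocol version and the Session ID (a non-empty Session ID is the client asking to resume), which is what a content switch or monitoring probe can see without any key material; the SAMPLE record is constructed, not captured.

```python
"""Passive decoder for the first SSL/TLS handshake message, the client hello.
Added example, not from the book: it pulls out the fields the text discusses,
the offered cipher suites and the Session ID, which travel in clear text
because no key exists yet.  SAMPLE is a constructed record, not a capture."""
import struct

HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
SUITE_NAMES = {                       # three well-known suite identifiers
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def parse_client_hello(record: bytes) -> dict:
    # Record layer header: content type, version, length of the fragment.
    content_type, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:]
    if content_type != HANDSHAKE or rec_len != len(body):
        raise ValueError("not a single complete handshake record")
    # Handshake header: message type and a 24-bit length.
    if body[0] != CLIENT_HELLO or int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("not a complete client hello")
    p = 4
    (version,) = struct.unpack("!H", body[p:p + 2]); p += 2
    client_random, p = body[p:p + 32], p + 32
    sid_len = body[p]; p += 1
    session_id, p = body[p:p + sid_len], p + sid_len
    (cs_len,) = struct.unpack("!H", body[p:p + 2]); p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    return {
        "record_version": VERSIONS.get(rec_version, hex(rec_version)),
        "client_version": VERSIONS.get(version, hex(version)),
        "client_random": client_random.hex(),
        "session_id": session_id.hex(),
        "resumption_attempt": sid_len > 0,   # non-empty Session ID asks the server to reuse keys
        "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites],
    }

def build_client_hello(version: int, session_id: bytes, suites: list) -> bytes:
    """Assemble a constructed client hello record for testing (not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32)          # all-zero random, for readability
    hello += bytes([len(session_id)]) + session_id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                                   # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs

# Constructed sample: a TLS 1.0 client offering three suites and asking to resume session a1b2c3d4.
SAMPLE = build_client_hello(0x0301, bytes.fromhex("a1b2c3d4"), [0x0035, 0x002f, 0x000a])

if __name__ == "__main__":
    for field, value in parse_client_hello(SAMPLE).items():
        print(f"{field}: {value}")
```

Because everything the decoder reads is unencrypted, the same logic lets a monitoring point flag clients still offering SSLv3 or 3DES-only suites, and lets a content switch key persistence on the Session ID as the later chapters describe.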
SSL Summary
SSL is a standards-based encryption and authentication mechanism widely used within the Internet today. While by far the most common implementations use HTTP as the Application layer protocol, SSL can be used to secure other applications. As we'll see in later chapters, the inclusion of SSL as a security mechanism for modern Web sites creates yet another part of the puzzle of content switching.
Summary
As with our coverage of Layer 2, 3, and 4 protocols, there are many other more detailed books covering the Application layer protocols we saw in this chapter. Hopefully, however, this chapter has served to give a better understanding of the ways in which TCP, UDP, and IP can be combined to provide application services, all optionally wrapped in SSL for greater security. Equipped with this understanding, we can begin to understand the concepts of content switching and put the techniques to use to solve many of the scalability problems of modern IP networks.
© 2012 Pearson Education, Inc. All rights reserved.
800 East 96th Street, Indianapolis, Indiana 46240