App Layer Protocols


7/30/2019 App Layer Protocols 1/15

By Matthew Syme, Philip Goldie

Date: Mar 5, 2004

Sample Chapter is provided courtesy of Prentice Hall Professional.


In this chapter, we'll move further up the OSI Seven Layer Model and take an in-depth look at the workings of some of the Application layer protocols that are most commonly used in content switching. These include TCP-based services such as HTTP, UDP services like DNS, and applications that use a combination of TCP and UDP, such as the Real Time Streaming Protocol (RTSP). Finally, we'll look at how these types of applications can be secured using Secure Sockets Layer (SSL).

Hypertext Transfer Protocol (HTTP)

The Hypertext Transfer Protocol, or HTTP, must be the most widely used Application layer protocol in the world today. It forms the basis of what most people understand the Internet to be: the World Wide Web. Its purpose is to provide a lightweight protocol for the retrieval of Hypertext Markup Language (HTML) and other documents from Web sites throughout the Internet. Each time you open a Web browser to surf the Internet, you are using HTTP over TCP/IP.

HTTP was first ratified in the early 1990s and has been through three main iterations:

HTTP/0.9: A simplistic first implementation of the protocol that only supported the option to get a Web page.

HTTP/1.0: Ratified by the IETF as RFC 1945 in 1996. This version added many supplemental data fields, known as headers, to the specification. This allowed other information to be passed between the client and server alongside the request and the consequent page.

HTTP/1.1: Defined in RFC 2068 by the IETF, version 1.1 implemented a number of improvements over and above the 1.0 specification. One of the main improvements of 1.1 over 1.0 was the implementation of techniques such as persistent TCP connections, pipelining, and cache control to improve performance within HTTP-based applications.

Most browsers these days offer support for both 1.0 and 1.1 implementations, with newer browsers using 1.1 as a default but supporting the ability to fall back to earlier versions if required. One thing the RFC definitions are clear to point out is that all implementations of the HTTP protocol should be backward compatible. That is to say that a browser implementing the HTTP/1.1 specification should be capable of receiving a 1.0 response from a server. Conversely, a 1.1 implementation on the server side should also be capable of responding to requests from a 1.0 browser.

It is well outside the bounds of this book to cover the HTTP protocols in huge detail, so let's concentrate on those elements most relevant to content switching.

Basic HTTP Page Retrieval

Let's start at the beginning and see how a basic browser retrieves a Web page from a Web server. The first important point to note is that a Web page is typically made up of many dozens of objects, ranging from the HTML base through to the images that are present on the page. The HTML can be thought of as the template for the page overall, instructing the browser on the layout of the text, font sizes and colors, background color of the page, and which other images need to be retrieved to make up the page.

Think of the process taking place in the following order:

1. The client sends a request for the required page to the Web server.

2. The server analyzes the request and sends back a response status (such as 200 OK) to the client along with the HTML code required to make the page.

3. The client will begin interpreting the HTML and building the page.

4. The client, in subsequent requests, will retrieve any embedded objects, such as images or other multimedia sources.


Once all elements of the page have been retrieved, the client browser will display the completed Web page. The order and timing of the process described previously depends largely on which implementation of HTTP is used, 1.0 or 1.1, although all browsers work in this way of request and response.

HTTP Methods

HTTP does not only offer a mechanism for the client to receive data from the server, but also other communication types such as the passing of data from the client to the server. Such mechanisms are known within the HTTP specifications as methods. Table 3-1 shows the method types supported in HTTP/1.0 and 1.1.

Table 3-1. The HTTP Methods in HTTP/1.0 and HTTP/1.1

METHOD   DESCRIPTION                                                              HTTP/1.0   HTTP/1.1

GET      Retrieve the information specified.                                      Yes        Yes

HEAD     Identical to the GET request, but the server must not return any page
         content other than the HTTP headers.                                     Yes        Yes

POST     Allows the client to submit information to the server; used for
         submitting information from a form, etc.                                 Yes        Yes

PUT      Allows the client to place an item on the server in the location
         specified.                                                               Appendix   Yes

DELETE   Allows the client to delete the item specified in the request.          Appendix   Yes

TRACE    Allows the client to see the request it made to the server. This acts
         as a loopback in effect.                                                 No         Yes

OPTIONS  Allows the client to determine the communications options available
         on the server.                                                           No         Yes

(RFC 1945 defines only GET, HEAD, and POST in its main body; PUT and DELETE appear in its "Additional Features" appendix. TRACE and OPTIONS were introduced with HTTP/1.1.)

In terms of general Web browsing, the GET and POST methods are by far the most commonly used. For a browser to build a standard Web page, the GET method is used to retrieve each object individually, whereas for transactional Web sites implementing shopping cart-style applications, the POST method will also be used. From a security standpoint, a server should accept only the methods an application actually needs: PUT and DELETE modify content on the server, and TRACE echoes the request (including any Cookie header) back to the client, so production servers normally disable all three.

The HTTP URL

The URL is the most important piece of information that the client browser includes in any GET request. The URL is defined as being a combination of the host where the site is located, the scheme used to retrieve the page, and the full path and filename. Optionally, the URL may include information such as the TCP port number to be used or a unique reference point within a larger page. Figure 3-1 shows the breakdown of an example URL.


Figure 3-1. An example URL and its components.

The term URI is also commonly used when referencing the location of documents within HTTP. The relationship between the two is simple: a URL is a URI that also tells the client how to locate the resource, through its scheme and host. What an HTTP client actually places in the request line is the path and filename portion alone (for example, /directory/somewhere/page.html), which the RFCs call the Request-URI; the scheme is implied by the connection and the host is carried separately, as we'll see under the "Host:" header.

Persistent Connections in HTTP

One of the other major differences in operation between HTTP/1.0 and HTTP/1.1 is the handling of the TCP connections required to retrieve a full Web page. Given that a client will typically have to retrieve multiple objects to make up a single Web page, it is often inefficient to open and close TCP sessions repeatedly when retrieving objects from the same server. To improve the overall performance of HTTP in this instance, the protocol defines the Connection: header that communicates to the server whether the TCP session should be closed or remain open once the object has been retrieved. The Connection: header has two relevant values:

Connection: close: The default behavior for HTTP/1.0, where the connection is closed after each response.

Connection: Keep-Alive: The HTTP/1.0 extension that asks for a persistent connection. HTTP/1.1 connections are persistent by default, so a 1.1 peer sends Connection: close only when it wants the connection to end.

The close value indicates that the server should close the TCP connection once the request has been fulfilled. The Keep-Alive value indicates that the server should keep the TCP connection open after the request has been fulfilled. Along with an obvious performance increase from removing the need to open and close TCP connections, a persistent connection also allows the implementation of pipelining. Pipelining allows a client to send multiple HTTP GET requests over the same TCP connection without needing to wait for individual responses after each; the server must return the responses in the same order in which the requests were sent, and both sides rely on each response being framed exactly (by Content-Length or chunked encoding) so that the next response can be found. Figure 3-2 shows the difference in these connection types.

Figure 3-2. The difference in TCP handling between HTTP/1.0 and HTTP/1.1.

The final piece in the puzzle of interaction between client and server is in opening multiple TCP connections. We've already seen that a client can open a persistent TCP connection to the server and pipeline HTTP requests. To further improve performance of the HTTP operation, many browsers will open several simultaneous connections. Figure 3-3 gives examples of pipelining and multiple connections.

Figure 3-3. Implementing pipelining and multiple connections as performance mechanisms.
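To make the framing concrete, here is an added example (not code from the original chapter) in Python. It writes two pipelined GET requests onto one persistent HTTP/1.1 connection the way a client would, and then splits the server's back-to-back responses using Content-Length. The host name and the sample response bytes are constructed for illustration, not captured from a real server.

```python
"""Added example: HTTP/1.1 pipelining and response framing on one TCP stream."""


def build_pipelined_requests(host, paths, keep_alive=True):
    """Build several GET requests back to back, as a pipelining client
    would write them onto one TCP connection (bytes, CRLF terminated)."""
    out = []
    for i, path in enumerate(paths):
        last = i == len(paths) - 1
        headers = [f"GET {path} HTTP/1.1", f"Host: {host}"]
        # HTTP/1.1 is persistent by default; only the final request needs
        # to say so if the client wants the server to close afterwards.
        if last and not keep_alive:
            headers.append("Connection: close")
        out.append("\r\n".join(headers) + "\r\n\r\n")
    return "".join(out).encode("ascii")


def split_responses(stream):
    """Split a byte stream holding consecutive HTTP responses.

    Returns a list of (status_code, headers_dict, body_bytes). Responses
    are framed by Content-Length; because pipelined responses come back
    in request order, the caller can pair them with its requests. A wrong
    Content-Length would desynchronise every later response, so the
    parser raises instead of guessing.
    """
    responses = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("incomplete response headers")
        head = stream[pos:end].decode("iso-8859-1")
        status_line, *header_lines = head.split("\r\n")
        code = int(status_line.split(" ", 2)[1])
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "content-length" not in headers:
            raise ValueError("cannot frame response without Content-Length")
        length = int(headers["content-length"])
        body_start = end + 4
        body = stream[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body")
        responses.append((code, headers, body))
        pos = body_start + length
        # A server that answered Connection: close will send nothing more.
        if headers.get("connection", "").lower() == "close":
            break
    return responses


# Constructed sample: what a server might write back for two pipelined
# GETs (an HTML page, then an image). Not captured traffic.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 15\r\n\r\n"
    b"<html>hi</html>"
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 4\r\n"
    b"Connection: close\r\n\r\n"
    b"\xff\xd8\xff\xd9"
)
```

The parser deliberately refuses a response without Content-Length: on a persistent connection there is no end-of-stream to delimit the body, so a reader that guesses where one response ends will attribute the wrong bytes to the next request.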

    OtherHTTPHeaders

    TheHTTPprotocolincludesdefinionsfordozensofheadersthatcanbeincludedintheclienttoserverandservertoclientrequests and

    responses. Wewillnotaempttolistanddescribeallthoseavailablehere;forafulldescripon,theRFCforHTTP/1.0andHTTP/1.1offers

    abeersource.TheRFCsdefineaseriesofstandardheaders,whichcanbecomplementedbyaddinguserdefinedheadersfromeither

    theclientorserverside.

    AsheadersareASCII readabletextineveryHTTPrequestandresponsepair,theycanproveveryusefulintheimplementaonofcontent

    switching.Let'slookatsomeoftheHTTPheadersmostcommonlyusedincontentswitching.

The "Accept:" Header

The client browser uses the "Accept:" header to indicate to the server which content and media types can be accepted. Examples of the "Accept:" header include:


Accept: */*                                Accept anything

Accept: text/plain, text/html              Accept plain text and HTML

Accept: text/html, image/jpeg, image/bmp   Accept HTML and JPEG and bitmap images

(Media ranges in Accept: are separated by commas; a semicolon introduces parameters of a single range, such as text/html;q=0.8.)

The "Accept:" header is useful in the context of content switching to be able to determine the capabilities of a particular client. If the client browser cannot accept images, for example, the request can be directed to a server optimized to deliver text-only versions of the Web pages.

The "Host:" Header

One of the main problems in the original HTTP/1.0 specification was that a user's request as typed into the browser (e.g., http://www.foocorp.com/index.html) would not contain the host (www.foocorp.com) element in the GET request sent to the server. This represents a problem if virtual hosting is used within a Web server farm, where the server is potentially hosting multiple Web sites and needs to use this host information to determine which path and page the user is requesting.

Within the HTTP/1.1 specification, and subsequently in many newer HTTP/1.0 browsers, support was added for the "Host:" header (HTTP/1.1 makes it mandatory: a 1.1 server must reject a 1.1 request that lacks it with a 400 Bad Request). This allows the user's requested URL, typed into the browser, to be converted into a GET request containing the full path and filename along with the host from which the content is being fetched. The following is an example of translating a full URL into its component parts.

URL: http://www.foocorp.com/directory/somewhere/page.html

GET /directory/somewhere/page.html HTTP/1.0\r\nHost: www.foocorp.com

The "Host:" header has many uses within content switching, examples of which are shown in Chapter 6, Content-Aware Server Load Balancing.

The "User-Agent:" Header

The "User-Agent:" header indicates to the server the type of browser being used by the client. The "User-Agent:" header is useful in the context of content switching as it can be used to determine the browser type used by the client and direct the request to a resource offering content optimized for such a browser. The following is an example of the "User-Agent:" header.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
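The three headers above are exactly what a content switch keys on. The following is an added example (not code from the original chapter) in Python that parses a request and chooses a back-end pool from Host:, Accept: and User-Agent:. The pool names and the two sample requests are invented for illustration; because these headers are client-supplied, the parser rejects malformed input rather than guessing.

```python
"""Added example: header parsing and pool selection for a content switch."""


def parse_request(raw):
    """Return (method, request_uri, version, headers) from a raw request.
    Header names are lower-cased. The request line is not trusted to be
    well formed, so anything malformed raises rather than being guessed."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # HTTP/1.1 requires Host; a 1.1 server must answer 400 without it.
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return method, uri, version, headers


def parse_accept(value):
    """Parse an Accept: header into {media_range: q}. Media ranges are
    separated by commas; a ';' introduces parameters such as q=0.5."""
    accepted = {}
    for item in value.split(","):
        media, *params = (p.strip() for p in item.split(";"))
        q = 1.0
        for p in params:
            if p.startswith("q="):
                q = float(p[2:])
        if media:
            accepted[media] = q
    return accepted


def accepts_images(accept_header):
    """True if the client will take any image type with q > 0."""
    acc = parse_accept(accept_header)
    return any(q > 0 for m, q in acc.items()
               if m == "*/*" or m.startswith("image/"))


def select_pool(raw_request):
    """Choose a back-end pool (names invented): virtual host first, then
    client capability, then browser type."""
    method, uri, version, h = parse_request(raw_request)
    host = h.get("host", "").split(":")[0].lower()   # drop any :port
    ua = h.get("user-agent", "")
    if host == "intranet.foocorp.com":
        return "intranet-pool"
    if not accepts_images(h.get("accept", "*/*")):
        return "text-only-pool"
    if "MSIE" in ua:
        return "www-pool-ie"
    return "www-pool"


# Constructed sample requests (not captured traffic).
REQ_BROWSER = ("GET /directory/somewhere/page.html HTTP/1.1\r\n"
               "Host: www.foocorp.com\r\n"
               "Accept: text/html, image/jpeg;q=0.8, */*;q=0.1\r\n"
               "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n\r\n")
REQ_TEXT_ONLY = ("GET /index.html HTTP/1.0\r\n"
                 "Host: www.foocorp.com\r\n"
                 "Accept: text/plain, text/html\r\n\r\n")
```

Routing on User-Agent is a convenience, not a control: the string is freely chosen by the client, so nothing security-relevant (access to the intranet pool, for instance) should depend on it.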

Cookies: The HTTP State Management Mechanism

As we'll see in later chapters, one of the biggest challenges in HTTP environments, whether content switched or not, is maintaining some form of client-side state that enables Web servers and intermediary devices to recognize the client session and understand the current status of the user session. This issue was tackled in RFC 2109, which defined the use of the Set-Cookie and Cookie HTTP headers, used to set and use the cookies, respectively. In HTTP, cookies take the form of a small piece of text information that is implanted into the user's browser either permanently or temporarily. The term cookie is commonly used in computing to describe an opaque piece of information held during a session and, unfortunately, seems to have no more interesting origin than that. Once the back-end server has implanted the cookie into the user's browser, the information can be used for a number of different applications ranging from content personalization, user session persistence for online shopping, and the collection of demographic and statistical information on Web site usage.

The server, by issuing a Set-Cookie header in any HTTP response, can post a cookie to the client at any time during an HTTP session. The Set-Cookie header has the following syntax:

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure


The NAME and VALUE fields are the only ones that are mandatory when issuing a cookie. As the names suggest, these define the name of the cookie and its value, such as UserID=Phil, for example. The expires field identifies, down to the second, the date and time on which a cookie will expire and be deleted from the client computer. The domain and path fields indicate the domain, such as www.foocorp.com, and the URL path prefix, such as /home/brochures/, for which the cookie should be used. The domain can effectively be wildcarded across a site's hosts by specifying foocorp.com to match www.foocorp.com and intranet.foocorp.com, for example, and the path matches every URL beneath the prefix given. Finally, the secure field indicates to the client that the cookie should only be sent when a secure connection (SSL-secured HTTP, or HTTPS) is used between the client and server; without it, a cookie set over HTTPS will also be sent over plain HTTP, where anyone on the path can read it. Figure 3-4 shows the interaction between a client and server as two different cookies are inserted and used.

Figure 3-4. The interaction between a client and a server when two different cookies are implanted and used.

The following shows the HTTP responses from the server in more detail. Note that the second cookie includes the Path field, which will limit the use of the cookie to URLs requested by the user whose path begins with /docs.

HTTP/1.1 200 OK\r\n
Set-Cookie: UserID=Phil\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n\r\n

HTTP/1.1 200 OK\r\n
Set-Cookie: UserType=Gold; Path=/docs\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n\r\n

The mechanism that governs whether a cookie is permanent (i.e., stored on the hard disk of the user's machine) or temporary (i.e., removed once the user closes the browser application) is the Expires field in the Set-Cookie header. If the server does not issue an Expires directive when implanting the cookie, it is considered temporary, whereas if the Expires directive is used, then the cookie will be stored on the client machine until the expiry date has passed.
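As an added example (not part of the original chapter), the following Python models the client side of this mechanism: it parses Set-Cookie values, classifies cookies as session or persistent from the expires attribute, and decides which cookies accompany a request using the domain, path, secure and expires rules described above. The two cookies are the chapter's own; the Session cookie, its expiry date and the clock value are invented for the example.

```python
"""Added example: a minimal cookie store applying expires/path/domain/secure."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"   # the Netscape/RFC 2109 date form


def parse_set_cookie(header_value, request_host, request_path):
    """Turn one Set-Cookie value into a dict. A missing path or domain
    defaults to the request that set the cookie; a missing expires means
    the cookie lives only for the browser session."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "domain": request_host.lower(),
              "path": request_path.rsplit("/", 1)[0] or "/",
              "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "expires":
            when = datetime.strptime(val.strip(), EXPIRES_FMT)
            cookie["expires"] = when.replace(tzinfo=timezone.utc)
        elif key == "domain":
            cookie["domain"] = val.strip().lower().lstrip(".")
        elif key == "path":
            cookie["path"] = val.strip()
    return cookie


def is_persistent(cookie):
    """Persistent (written to disk) if and only if the server gave expires."""
    return cookie["expires"] is not None


def domain_matches(cookie_domain, host):
    """foocorp.com matches foocorp.com, www.foocorp.com, intranet.foocorp.com."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_for_request(jar, url, now):
    """Build the Cookie header value for a request, honouring every attribute."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    chosen = []
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue                      # expired: treat as deleted
        if not domain_matches(c["domain"], host):
            continue
        if not path.startswith(c["path"]):
            continue                      # Path= is a prefix match
        if c["secure"] and u.scheme != "https":
            continue                      # never send a Secure cookie over HTTP
        chosen.append(c)
    return "; ".join(f"{c['name']}={c['value']}" for c in chosen)


# Constructed store: the chapter's two cookies plus an invented Secure,
# domain-wide, expiring session cookie. NOW is an invented clock value.
NOW = datetime(2004, 3, 5, 12, 0, 0, tzinfo=timezone.utc)
JAR = [
    parse_set_cookie("UserID=Phil", "www.foocorp.com", "/index.html"),
    parse_set_cookie("UserType=Gold; Path=/docs", "www.foocorp.com", "/index.html"),
    parse_set_cookie("Session=abc123; Domain=foocorp.com; Secure; "
                     "expires=Fri, 05-Mar-2004 18:00:00 GMT",
                     "www.foocorp.com", "/login"),
]
```

The secure check is the one that matters most for a session cookie: a cookie that carries the user's login but lacks the secure attribute will be sent on the first plain-HTTP request to the same site, and a content switch that terminates SSL needs to preserve the attribute when it rewrites or inserts cookies.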

Cookies are by far one of the most useful additions made to the HTTP specifications, and as we'll see in later chapters can be used in conjunction with content switching to enable a whole host of new experience-enhancing services.

HTTP Further Reading

It is outside the scope of this book to cover the HTTP protocol in its entirety; the RFC for HTTP/1.1 alone is over 160 pages. For more in-depth detail on the protocol, it's worth looking at the following RFCs:

RFC 1945: Hypertext Transfer Protocol, HTTP/1.0

RFC 2068: Hypertext Transfer Protocol, HTTP/1.1 (since superseded by RFC 2616 and then the RFC 7230 series)

RFC 2109: HTTP State Management Mechanism (since superseded by RFC 6265)

File Transfer Protocol (FTP)

In Internet terms, the File Transfer Protocol, or FTP, has been around for a long time. Specified as early as RFC 172, written in June 1971, the protocol has been through several changes through to the current specification, which is defined in RFC 959. Again, while it's not the purpose of this book to describe every detail about FTP, it's worth looking at its basic operation to get a better understanding of how content switching can improve performance and reliability in FTP environments.

FTP Basics

FTP exists primarily for the transfer of data between two endpoints. The RFC itself actually states that two of the objectives of the protocol are to "promote the sharing of files" and "transfer data reliably and efficiently." FTP differs from HTTP fundamentally as it is an application made up of two distinct TCP connections:


Control connection: This TCP-based connection (to server port 21) is used to provide a communications channel for the delivery of commands and replies. This is effectively the mechanism that enables the user to tell the server which file is being requested, which directory it is in, and so forth. Note that everything on the control connection, including the username and password, travels in clear text; RFC 959 defines no encryption.

Data connection: The second TCP-based connection is used for the actual transfer of user data. Once the Control connection has been used to exchange information on which file is required, the Data connection is used to transfer the file between the client and server.

Using these two communication connections, two distinct modes of operation determine in which direction the connections are established: Active mode and Passive mode.

Active Mode FTP

Within an Active FTP session, the Control connection is established from the client to the server, with the Data connection established back from the server (from its port 20) to the client. In order to do this, the client issues a PORT command to the server that contains the IP address and the TCP port on which it is listening for the Data connection. Figure 3-5 shows the life cycle of an Active FTP session.

Figure 3-5. An Active FTP session example.

As we can see from Figure 3-5, once the user has logged on with a valid username and password, the very first "data" that is passed, in this case a directory listing, is carried using a separate data channel. The format for communicating the IP and TCP information of the data channel is as follows:

PORT [Octet 1],[Octet 2],[Octet 3],[Octet 4],[TCP Port high byte],[TCP Port low byte]

Therefore, in the preceding example, the PORT command of PORT 10,10,10,10,15,199 equates to IP address 10.10.10.10 and TCP port 4039 [15 x 256 + 199].

In some instances, Active FTP can be considered a security risk, mainly because there is often little control over the contents of the PORT command. Under normal usage, this information should be the IP address and listening TCP port of the client waiting for the Data connection. When used maliciously, however, the client could issue PORT commands with IP addresses and TCP ports of other machines, either within the same network as the server or remotely, turning the FTP server into a relay that opens connections (and delivers data) to a third party; this is known as the FTP bounce attack. Many Application layer firewalls and proxies, or firewalls with support for FTP command parsing, can be used to reduce the effectiveness of such attacks, and most FTP servers can be configured to refuse a PORT whose address differs from that of the control connection. One alternative is to implement the second method of FTP: Passive mode FTP.

Passive Mode FTP

Passive mode FTP works similarly to Active mode FTP with one major exception: both the Control and Data connections within a Passive mode FTP session are established from the client to the server. To implement this, rather than use the PORT command, Passive mode FTP uses the PASV command, which instructs the server that it should listen for the incoming Data connection. Figure 3-6 shows Passive mode FTP in more detail.

Figure 3-6. A Passive FTP session example.

In Figure 3-6, we can see that rather than the client dictating the parameters of the Data connection, it simply requests this information from the server. Similarly to the PORT command in Active mode, the server's response to the PASV request from the client can be interpreted as follows:

RESPONSE 227 (10,10,10,10,41,38)

which means open from client to server on IP address 10.10.10.10 and TCP port 10534 [41 x 256 + 38].
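The following added example (not code from the original chapter) encodes and decodes the PORT command and the 227 reply to PASV using the p1 x 256 + p2 rule above, and applies the check an FTP-aware firewall or server makes against the bounce attack: the address in PORT must be the peer address of the control connection, and the port must not be a privileged one. The addresses are the ones used in the chapter's examples.

```python
"""Added example: FTP PORT/PASV host-port encoding and the bounce check."""
import re
from ipaddress import ip_address

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Parse 'h1,h2,h3,h4,p1,p2' (from PORT or a 227 reply) into (ip, port).
    The port is p1 * 256 + p2: 15,199 -> 4039 and 41,38 -> 10534."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host-port in {text!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def encode_port_command(ip, port):
    """Build the PORT command a client sends in Active mode."""
    if not 0 < port < 65536:
        raise ValueError("bad port")
    octets = ip.split(".")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def port_command_is_safe(command, control_peer_ip, min_port=1024):
    """Accept an Active-mode PORT only if it asks the server to connect back
    to the host that issued it, on an unprivileged port. A PORT naming a
    third host would make the server a relay (FTP bounce); one naming a
    low port could be aimed at a well-known service."""
    ip, port = decode_hostport(command)
    return ip_address(ip) == ip_address(control_peer_ip) and port >= min_port


def parse_pasv_reply(reply):
    """Extract (ip, port) from a '227 Entering Passive Mode (h,h,h,h,p,p)'
    reply; any other reply code means passive mode was refused."""
    if not reply.startswith("227"):
        raise ValueError(f"PASV refused: {reply!r}")
    return decode_hostport(reply)
```

A passive client should apply a mirror-image check to the 227 reply: if the address it announces is not the server it connected to, the client is being told to open a data connection somewhere else (some servers behind NAT do announce a private address, which is why many clients ignore the address and reuse the control connection's peer).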

FTP Further Reading


For further information on the detailed workings of FTP, it's worth looking at RFC 959.

Real Time Streaming Protocol (RTSP)

In the modern Internet, applications are required to deliver value. One of the biggest conundrums in recent years has been the battle to actually make the Internet a viable platform for making money. As we'll see throughout the course of this book, one of the biggest drivers for delivering on the "Gold Rush" promise of Internet technologies is content. Making content attractive to end consumers to the point where they are willing to pay is a big challenge, and one that has been aided by the delivery of Application layer protocols such as RTSP, which enables the delivery of real-time video and audio in variable qualities. The other Application layer protocols we've looked at so far in this chapter work in a request/response manner, whereby the client asks for some piece of content, the content is delivered using TCP or UDP, and then the client application can display the content to the user. While these mechanisms are suitable for a large number of applications in the Internet, there also exists a requirement to deliver content, be it images, audio, video, or a combination of all three, in real time. Imagine if a user were to try to watch a full-screen video file of a one-hour movie using HTTP or FTP as the Application layer protocol. The movie file might be several hundred megabytes, if not several gigabytes, in size. Even with modern broadband services deliverable to the home, this type of large file size does not fit well in the "download then play" model we saw previously.

RTSP uses a combination of reliable transmission over TCP (used for control) and best-effort delivery over UDP (used for content) to stream content to users. By this, we mean that the file delivery can start and the client-side application can begin displaying the audio and video content before the complete file has arrived. In terms of our one-hour movie example, this means that the client can request a movie file and watch a "live" feed similar to how one would watch TV. Along with this "on demand" type of service, RTSP also enables the delivery of live broadcast content that would not be possible with traditional download-and-play mechanisms.

The Components of RTSP Delivery

During our look at RTSP, we'll use the term to describe a number of protocols that work together in delivering content to the user.

    RTSP

RTSP is the control protocol for the delivery of multimedia content across IP networks. It is typically based on TCP for reliable delivery and has a very similar operation and syntax to HTTP. RTSP is used by the client application to communicate to the server information such as the media file being requested, the type of application the client is using, the mechanism of delivery of the file (unicast or multicast, UDP or TCP), and other important control information, through commands (methods) such as DESCRIBE, SETUP, and PLAY. The actual multimedia content is not typically delivered over the RTSP connection(s), although it can be interleaved if required. RTSP is analogous to the remote control of the streaming protocols.

Real Time Transport Protocol (RTP)

RTP is the protocol used for the actual transport and delivery of the real-time audio and video data. As the delivery of the actual data for audio and video is typically delay sensitive, the lighter-weight UDP protocol is used as the Layer 4 delivery mechanism, although TCP might also be used in environments that suffer higher packet loss. The RTP flow when delivering the content is unidirectional from the server to the client. One interesting part of the RTP operation is that the source port used by the server when sending the UDP data is, by convention, always even, although it is dynamically assigned. The destination port (i.e., the UDP port on which the client is listening) is chosen by the client and communicated over the RTSP control connection.

Real Time Control Protocol (RTCP)

RTCP is a complementary protocol to RTP and is a bidirectional UDP-based mechanism to allow the client to communicate stream quality information back to the object server. The RTCP UDP communication always uses the next UDP port up from that used by the RTP stream, and consequently is always odd. Figure 3-7 shows how the three protocols work together.

Figure 3-7. The three main application protocols used in real-time streaming.


RTSP Operation

The RTSP protocol is very similar in structure, and specifically in syntax, to HTTP. Both use the same URL structure to describe an object, with RTSP using the rtsp:// scheme rather than http://. RTSP, however, introduces a number of additional methods (such as DESCRIBE, SETUP, and PLAY) and also allows data transport out of band and over a different protocol, such as RTP, described earlier. The best way to understand how the components described previously work together to deliver an audio/video stream is to look at an example. The basic steps involved in the process are as follows:

1. The client establishes a TCP connection to the server, typically on TCP port 554, the well-known port for RTSP.

2. The client will then commence issuing a series of RTSP commands that have a similar format to HTTP, each of which is acknowledged by the server. Within these RTSP commands, the client will describe to the server details of the session requirements, such as the version of RTSP it supports, the transport to be used for the data flow, and any associated UDP or TCP port information. This information is passed using the DESCRIBE and SETUP methods and is augmented in the server response with a Session ID that the client, and any transitory proxy devices, can use to identify the stream in further exchanges.

3. Once the negotiation of transport parameters has been completed, the client will issue a PLAY command to instruct the server to commence delivery of the RTP data stream.

4. Once the client decides to close the stream, a TEARDOWN command is issued along with the Session ID, instructing the server to cease the RTP delivery associated with that ID.

Since the Session ID is the only thing that ties a PLAY or TEARDOWN to a particular stream, RFC 2326 requires it to be at least eight octets long and recommends that it be chosen randomly, so that a third party cannot guess it and control or tear down someone else's session.

Example RTSP with UDP-Based RTP Delivery

Let's consider an example interaction where the client and server will use a combination of TCP-based RTSP and UDP-based RTP and RTCP to deliver and view a video stream. In the first step, the client will establish a TCP connection to port 554 on the server and issue an OPTIONS command showing the protocol version used for the session. The server acknowledges this with a 200 OK message, similar to HTTP.

C->S OPTIONS rtsp://video.foocorp.com:554 RTSP/1.0
     CSeq: 1

S->C RTSP/1.0 200 OK
     CSeq: 1

Next, the client issues a DESCRIBE command that indicates to the server the URL of the media file being requested. The server responds with another 200 OK acknowledgment and includes a full media description of the content, which is presented in either Session Description Protocol (SDP) or Multimedia and Hypermedia Experts Group (MHEG) format.

C->S DESCRIBE rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 2

S->C RTSP/1.0 200 OK
     CSeq: 2
     Content-Type: application/sdp
     Content-Length: 210

In the third stage of the RTSP negotiation, the client issues a SETUP command that identifies to the server the transport mechanisms, in order of preference, the client wants to use. We won't list all of the available transport options here (the RFC obviously contains an exhaustive list), but we'll see the client request RTP over UDP on ports 5067 and 5068 for the data transport (RTP/AVP is the RTP audio/video profile, whose default lower-layer transport is UDP). The server responds with confirmation of the RTP-over-UDP transport mechanism and the client-side ports, and includes the unique Session ID and server port information.

C->S SETUP rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 3
     Transport: RTP/AVP;unicast;client_port=5067-5068

S->C RTSP/1.0 200 OK
     CSeq: 3
     Session: 12345678
     Transport: RTP/AVP;unicast;client_port=5067-5068;server_port=6023-6024

Finally, the client is now ready to commence the receipt of the data stream and issues a PLAY command. This simply contains the URL and the Session ID previously provided by the server. The server acknowledges this PLAY command, and the RTP stream from the server to the client will begin.


C->S PLAY rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 4
     Session: 12345678

S->C RTSP/1.0 200 OK
     CSeq: 4

Once the client decides that the stream can be stopped, a TEARDOWN command is issued over the RTSP connection, referenced only by the Session ID. The server again acknowledges this and the RTP delivery will cease.

C->S TEARDOWN rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 5
     Session: 12345678

S->C RTSP/1.0 200 OK
     CSeq: 5

Figure 3-8 shows this example in a simplified graphic form.

Figure 3-8. An example of RTSP in action with the video and audio data being delivered over a separate UDP-based RTP stream.

Other Options for Data Delivery

In certain scenarios, the best-effort, dynamic-port methods of UDP-based RTP, as described previously, are not suitable. Some environments might consider the allocation of dynamic source and destination UDP ports through firewalls to be something they can live happily without. Moreover, just the nature of the Layer 1 and Layer 2 transport mechanisms underlying the data delivery might not be suited to non-guaranteed UDP traffic. In either instance, RTSP allows for the negotiation of the RTP delivery of the media data to be interleaved into the existing TCP connection.

When interleaving, the client-to-server SETUP command has the following format:

C->S SETUP rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
     CSeq: 3
     Transport: RTP/AVP/TCP;interleaved=0-1

The change in the preceding example is in the transport description. First, the transport mechanism has changed to show that the RTP delivery must be over TCP rather than UDP. Second, the addition of the interleaved option shows that the RTP data should be interleaved and use channel identifiers 0 and 1: 0 will be used for the RTP data and 1 will be used for the RTCP messages. To confirm the transport setup, the server will respond with confirmation and a Session ID as before:

S->C RTSP/1.0 200 OK
     CSeq: 3
     Session: 12345678
     Transport: RTP/AVP/TCP;interleaved=0-1

The RTP and RTCP data can now be transmitted over the existing RTSP TCP connection, with the server using the 0 and 1 identifiers to represent the relevant channel. Each interleaved block is prefixed by a dollar sign ($), a one-byte channel identifier, and a two-byte length in network byte order, so the receiver can tell media frames apart from RTSP replies arriving on the same connection.
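The following added example (not code from the original chapter) implements the client side of the exchange shown in this section and the previous one: it builds RTSP requests with a CSeq and Session header, parses the server's Transport header for both the UDP and the interleaved case, and de-multiplexes interleaved frames from the TCP stream using the $/channel/length framing. The server reply and the interleaved bytes are constructed for illustration.

```python
"""Added example: RTSP request building, Transport parsing, interleaving."""
import struct

URL = "rtsp://video.foocorp.com:554/streams/example.rm"


def build_request(method, url, cseq, extra=None):
    """One RTSP request; CSeq must increase and Session is echoed once known."""
    lines = [f"{method} {url} RTSP/1.0", f"CSeq: {cseq}"]
    for name, value in (extra or {}).items():
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_transport(value):
    """Parse 'RTP/AVP;unicast;client_port=5067-5068;server_port=6023-6024'
    or 'RTP/AVP/TCP;interleaved=0-1' into a dict. Port pairs become
    (rtp, rtcp) tuples; RTCP is the odd port one above RTP."""
    spec, *params = [p.strip() for p in value.split(";")]
    proto = spec.upper().split("/")
    t = {"profile": "/".join(proto[:2]),
         "lower": proto[2] if len(proto) > 2 else "UDP",   # UDP is the default
         "unicast": "unicast" in params or "multicast" not in params}
    for p in params:
        key, _, val = p.partition("=")
        if key in ("client_port", "server_port", "interleaved"):
            lo, _, hi = val.partition("-")
            lo = int(lo)
            hi = int(hi) if hi else lo + 1
            t[key] = (lo, hi)
    if t["lower"] == "TCP" and "interleaved" not in t:
        raise ValueError("TCP transport without interleaved channels")
    return t


def split_interleaved(stream):
    """Return ([(channel, payload), ...], leftover) for the '$' frames in an
    RTSP TCP stream. Only complete frames are returned; a missing '$' means
    the stream is desynchronised, so the parser stops rather than guesses."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        if stream[pos] != 0x24:          # '$'
            raise ValueError(f"expected '$' at offset {pos}")
        channel, length = struct.unpack("!BH", stream[pos + 1:pos + 4])
        if pos + 4 + length > len(stream):
            break                        # partial frame: wait for more bytes
        frames.append((channel, stream[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return frames, stream[pos:]


def session_from_reply(reply):
    """Pull the Session ID out of the SETUP response; the same value must
    accompany PLAY and TEARDOWN (a server may append ';timeout=...')."""
    for line in reply.split("\r\n"):
        if line.lower().startswith("session:"):
            return line.split(":", 1)[1].strip().split(";")[0]
    raise ValueError("no Session header in reply")


# Constructed server reply and interleaved bytes (not captured traffic):
# channel 0 carries RTP, channel 1 RTCP, and the last frame is incomplete.
SETUP_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 12345678\r\n"
               "Transport: RTP/AVP/TCP;interleaved=0-1\r\n\r\n")
INTERLEAVED = b"$\x00\x00\x03RTP" + b"$\x01\x00\x04RTCP" + b"$\x00\x00\x05RT"
```

A receiver that handles both plain RTSP replies and interleaved frames on one connection must look at the first byte of each message: 0x24 means a media frame with a binary length prefix, anything else is a text reply terminated by a blank line. Treating a '$' frame as text (or vice versa) desynchronises the stream, which is why the splitter raises instead of resynchronising silently.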

One further delivery option for RTP and RTCP under RTSP is to wrap the delivery of all media streaming components inside traditional HTTP frame formats. This removes most barriers presented when using streaming media through firewalled environments, as even the most stringent administrator will typically allow HTTP traffic to traverse perimeter security. While HTTP and RTSP interleaved delivery of the streamed media data will make the content available to the widest possible audience, when you consider the overhead of wrapping all RTP data inside either an existing TCP stream or, worse still, inside HTTP, it is the least efficient method for delivery. To enable the streaming media client to cope with the different options described previously, most offer the client users the ability to configure their preferred delivery mechanism or mechanisms, and the timeout that should be imposed in failing between them. What you will see from a client perspective is that the client application will first request that the stream be delivered using RTP in UDP, and if the stream does not arrive within x seconds (as it is potentially being blocked by an intermediate firewall), it will fall back to using RTP interleaved in the existing RTSP connection.

RTSP and RTP Further Reading


For further information on the RTSP and RTP protocols, RFCs 2326 and 1889, respectively, are a good source (RFC 1889 has since been obsoleted by RFC 3550, and RTSP 2.0 is defined in RFC 7826).

Secure Sockets Layer (SSL)

The final protocol we'll look at in this chapter is neither a Layer 4 transport protocol nor an Application layer protocol, but one that sits between these layers to provide security services to many modern Internet applications. Secure Sockets Layer, or SSL, has been one of the major forces in Internet security technology since its inception by Netscape Communications, and continues to be included in all major browsers. (Its standardized successor is Transport Layer Security, TLS; SSL 2.0 and 3.0 themselves have since been deprecated by RFC 6176 and RFC 7568, although the name SSL persists in everyday use.) This has enabled Web application developers to deliver secure content and services using traditional HTTP servers with few changes required in terms of the setup of the basic server or restructuring of the HTML content. The other major advantage of the integration of SSL into all major browsers is its transparency to the user. SSL typically gets used without the knowledge of the client, other than the appearance of a small padlock in the corner of the browser window, thus meaning that no additional level of expertise is required to use Internet applications with this security. Figure 3-9 shows a browser that is currently using SSL.

Figure 3-9. A Web browser will typically use SSL when instructed by the Web site with little or no input required by the user. The use of SSL can be seen by the inclusion of a small padlock in the browser.

While the most common implementation of SSL is within Web browsers, creating the application protocol hybrid known as HTTPS, it should be remembered that it is a transparent protocol available to any TCP/IP-based application. Along with HTTPS, other common SSL-secured protocols include SMTPS and TelnetS.

The Need for Application Security

The need for security within Internet applications is clear: the Internet is still a public network with little or no security infrastructure designed to protect all users. Imagine using the online services of your favorite bank. Passing important data such as your bank account number, password, and balance across the Internet using only HTTP represents a huge personal security risk, as the data is potentially visible to any device sitting between your browser and the bank's Web site. SSL can be used very effectively to hide all of the application data as it traverses the Internet, to prevent anybody snooping on the connection from reading personal data, a process referred to as encryption.

The second important feature provided by SSL for Internet applications is authentication; in other words, the ability for the client to be able to distinguish the Web site as valid. Imagine in our previous bank example if another rogue site were to masquerade as the bank's Web site. This might allow the rogue site to intercept the personal and banking details of thousands of customers, not a welcome situation. SSL provides mechanisms to implement authentication as a way for each side to identify itself to the other (in practice, the server presents a certificate that the client validates; client certificates are optional and far less common).

The final security element that is provided by SSL is tamper detection. Imagine finally that someone were to sit between the client and the bank's Web site and change certain pieces of data as they pass back and forth. This would give the opportunity to alter key personal and banking data and potentially set up fraudulent transactions. SSL provides mechanisms for each side to ensure that the Application layer data being sent and received has not changed in any way as it traverses the Internet.

For the Internet to continue to grow, not only in size, but also as a credible medium for business and commerce, it must be able to provide mechanisms such as SSL as a way to guarantee security.

Fitting SSL into the Seven Layer Model

In the concepts of the OSI Seven Layer Model as we saw in Chapter 2, Understanding Layer 2, 3, and 4 Protocols, SSL sits between the Application layer and the Transport layer, traditionally seen as part of the Presentation layer. This means that the use of SSL is selectively performed by each application rather than as a whole with encryption based in IPSec. This gives the client machine the ability to run secure services for certain applications only, while remaining impartial to the underlying Layer 3 and 4 services below. In comparison, IPSec, for example, can operate in a tunneling mode, which means that all traffic flowing to or from a particular address or range of addresses is encrypted right down to the IP layer. Within SSL, only the Application layer data is encrypted. Figure 3-10 shows the presence of SSL in the OSI model.

Figure 3-10. Where SSL sits in the OSI model in comparison to IPSec.


Encryption and Cryptography

The process of encryption and decryption fundamentally means to take some source data, transform it to a state where it cannot be read by anyone else, and then transform it back to its original state, thus rendering it readable once more. This approach requires the use of two important elements: the Cryptographic Algorithm, or cipher, and a key. A cipher is a mathematical formula or function that is applied either to the original data (to encrypt) or to the transformed data (to decrypt). One thing always remains true, however: the cipher used to encrypt the data must also be used to decrypt at the other end. To enable this commonality in a network such as the Internet, where there are enormous numbers of potential client-server connection combinations, a series of standard ciphers have been developed over time, such as Data Encryption Standard (DES) and RC4.

As these ciphers are well known, they rely on the second element to introduce some form of random factor to the process, known as a key. The use of a key, or series of keys, gives the cipher the ability to encrypt the data in such a way so as not to be decrypted easily. If you were to encrypt a simple sentence using an algorithm that is widely known, it would be a relatively simple task to run the data through the same algorithm and arrive at the answer. The use of a key means that in order to decrypt the data, the recipient must know both the appropriate cipher to use and the key used to encrypt the data originally.

This combination of cipher and key forms the basic premise of modern cryptography: decryption with the known key is simple, but decryption without the key is extremely difficult and in most cases computationally impossible. SSL uses a combination of two basic encryption techniques, symmetric key encryption and public key encryption.

Symmetric Key Encryption

With symmetric key encryption, both sides use the same key value to perform both the encryption and decryption. Figure 3-11 shows a simple graphical representation of symmetric key encryption.

Figure 3-11. With symmetric key encryption, both the encryption and decryption use the same key.

Symmetric key encryption has a number of advantages and disadvantages. First, performing this type of encryption and decryption is computationally inexpensive, which means that the performance of applications using symmetric keys is generally better. On the downside, if the shared key is compromised on either side, the security of the encryption between the parties is broken. Moreover, the process of sharing a single shared key between two sides wanting to use symmetric key encryption can be cumbersome. Imagine two Internet-based users wishing to communicate: they must first share a key to use before they can encrypt and transmit data. This in itself is a major headache, as the key cannot just be simply sent in clear text over the Internet for fear of being captured. SSL uses symmetric key encryption for bulk encryption (that is, the encryption of all Application layer data), but it employs a very clever technique to arrive at a common shared key: public key or asymmetric key encryption.

Public Key or Asymmetric Key Encryption

As its name suggests, public key or asymmetric key encryption uses two different keys to perform encryption and decryption, respectively. These keys are known as the public and private keys and are mathematically linked. The mathematics of public key encryption are different from those in symmetric key encryption, as any data encrypted using the public key cannot be easily decrypted using the public key, and similarly with the private key. For public key encryption to work correctly, the client must encrypt using the public key and the server must decrypt using the private key. As a result, the security of the public key is largely irrelevant and it is commonly available. In SSL terms, the public key is carried in a certificate; more on that later. The security of the private key, however, is of utmost importance, and typically, the private key will never leave the server for which it was generated for fear of compromising the security of the key pair. Therefore, in summary, if you encrypt with the widely available public key, the resulting data can only be decrypted using the corresponding private key. Figure 3-12 shows a simple representation of public key encryption.

Figure 3-12. In asymmetric key or public key encryption, any data encrypted using the easily available public key can only be decrypted using the corresponding private key.

This approach affords private key encryption a couple of key advantages. First, the combination of corresponding, mathematically linked keys means that once the data has been encrypted, it can only be decrypted by the holder of the private key. Second, as the public key can be transmitted in clear text to the intended receiver, it is well suited to large-scale, public networks such as the Internet. The main downside of public key encryption is that it is computationally expensive, thus rendering it unsuitable for situations in which large volumes are required. Above all, the security of the private key is paramount; if it is lost or compromised, the entire premise on which the process is built is broken.

SSL: Combining Symmetric and Asymmetric Encryption

Therefore, on the one hand we have a symmetric encryption mechanism that is computationally cheap but does not scale well to large numbers of users, and on the other, we have a computationally expensive algorithm which does scale well due to its concept of public keys. The answer in terms of SSL is to use a combination of both of these mechanisms to achieve the result we're looking for. The aim of combining the two methods is to allow for encrypted access from anywhere by anyone. The process uses asymmetric encryption to initialize the connection, and then uses symmetric encryption to provide a secure communication channel for the duration of the conversation.

When communications begin, the client creates a random number whose length is determined by the encryption strength required. This large random number will effectively form the shared private key for the symmetric encryption that will be used to exchange application data. The client encrypts this random number with the public key and sends the encrypted version of this to the server. The asymmetric encryption at this stage ensures that only the private key can decrypt the data. Once decrypted, this random number is now used as the symmetric key for the duration of the conversation, as each party has successfully shared a common key. The beauty of this process is that the actual private keys (random numbers) never actually traverse the connection in clear form, thus minimizing the chance of being intercepted. Figure 3-13 shows this combination of symmetric and public key encryption as used by SSL.

Figure 3-13. SSL uses a combination of public key encryption to exchange the symmetric key and symmetric encryption to encrypt the bulk application data.
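The key exchange just described (and step 5 of the session walk-through later in this chapter), as an added Go example that is not the book's code: the client wraps a random 32-byte secret under the server's public key (RSA-OAEP here, standing in for the SSL-era RSA key exchange), the server unwraps it with its private key, and both sides then protect records with AES-GCM, whose authentication tag also supplies the tamper detection described earlier. The 2048-bit key size, the cipher choices, and the sample record are assumptions of the example.

```go
package main // Added example, not the book's code: RSA-OAEP key transport plus AES-GCM bulk encryption.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ClientKeyExchange (client side): pick a random secret whose length sets the symmetric
// strength (32 bytes = AES-256) and encrypt it under the server's public key.
func ClientKeyExchange(pub *rsa.PublicKey) (secret, encrypted []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	return secret, encrypted, err
}

// ServerRecoverSecret (server side): only the private key can unwrap the secret, which
// therefore never crosses the wire in clear form.
func ServerRecoverSecret(priv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encrypted, nil)
}

// Session is the symmetric channel both sides run after the exchange; the GCM tag
// supplies the tamper detection the text attributes to SSL.
type Session struct{ aead cipher.AEAD }

func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Session{aead}, err
}

// Seal encrypts one application-data record as nonce || ciphertext || tag.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and verifies a record; any altered byte makes it fail.
func (s *Session) Open(record []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record too short")
	}
	return s.aead.Open(nil, record[:n], record[n:], nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // server key pair; the public half goes in the certificate
	secret, enc, _ := ClientKeyExchange(&priv.PublicKey)
	recovered, _ := ServerRecoverSecret(priv, enc)
	client, _ := NewSession(secret)
	server, _ := NewSession(recovered)
	rec, _ := client.Seal([]byte("balance=1234")) // constructed sample record
	fmt.Println(server.Open(rec))                   // recovered plaintext bytes and a nil error
}
```

Current TLS versions no longer transport the symmetric key under the server's public key in this way; they derive it from an ephemeral Diffie-Hellman exchange, so that a later compromise of the private key cannot unlock recorded traffic.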

Encryption Algorithms

There are many encryption algorithms used, and each provides different levels of encryption, depending on the degree of security required. Earlier algorithms used keys 40 bits in length, but with today's computing power these can typically be cracked within a few hours. The longer the key length, the harder they are to crack. All algorithms work in conjunction with a secret key to create the encryption. In the case of SSL, this secret key is the randomly generated number. Common encryption algorithms used today are DES, 3DES, and AES.

Certificates

Now that we've seen the importance of passing the public key within SSL, let's look at the mechanism used to undertake this. Certificates are used in SSL to perform two key functions: first, they provide a level of authentication, potentially for both sides, and second, they provide a standard format in which to pass the public key to the requester. Certificates are like digital passports that can authenticate an organization to a user on connection to its site. Two types of certificates can be used: a server certificate and a client certificate. In a typical SSL environment, only the server certificate is used. This is so that the server (or site) can authenticate who they are on the initial client request and pass the public key. Remember, it is the client that initiates the connection and asks for the certificate to be sent. This allows an organization to publish its services, and even though the users cannot see where they are going (e.g., there is no storefront, or actual physical structure), they know they have connected to the site based on the server certificate issued. While we agree that this could be spoofed in theory, one has to question the rationality of this. It requires that the private key be retrieved, DNS entries to that site be hijacked, or updated to the new address, and all of this needs to happen without the existing site becoming aware of it. This is highly unlikely in an age where security is a number one agenda item, and a highly active site would be immediately aware of a site failure or attack. In addition, a user must actually make a credit card payment to this fraudulent site. If this did happen, it would have to be to a site that is not well monitored and actively trading, and therefore very rarely visited, which in turn makes the exercise superfluous as no huge revenue or loss of reputation would be achieved by the hacker. Typically, the receipt of a server certificate is all that is required to begin a secure connection with a site. In some cases, the site also wants to ensure that the users are who they say they are. This is certainly a requirement in business-to-business transactions where companies want to be able to control access to their site, especially when access to sensitive information or large sums of money are involved.

Client certificates are used to provide client-side authentication. These certificates, normally derived from the server certificate, are loaded onto the user's machine, and on connection, the server will request the certificate to be sent to it to authenticate the user. As each certificate will have a unique identifier, this can be used to track access. Should connectivity no longer be permitted or required, then this unique identifier can also be used to revoke access to the specific site.


Having the ability to provide client and server authentication builds a very compelling case for SSL deployment. Figure 3-14 is an example of what a certificate looks like, followed by the associated private key.

Certificates such as these can be easily copied and pasted into a security appliance.

Certificate Authorities

Certificate authorities (CAs) are like the passport control of the SSL world. They confirm that a site is what it says it is, as they have signed the certificate. Many organizations act as CAs and sign certificates on behalf of sites. These organizations are often seen as respected businesses or in some cases quasi-government type departments such as a post office or telecommunications provider. The largest ones around today are dedicated to providing a certificate signing function, such as Verisign, Entrust, and Thawte. By default, Web browsers have a list of accepted CAs, which is checked when a site is accessed. If the CA is not present, the browser will display a message asking if this certificate should be accepted. Adding or deleting CAs can be done by users within their favorite browser. Certificates have the ability to be chained. This means that a certificate can be trusted if it has a link or chain back to the original issuer whom you trust. This method is transparent to the user and is handled by the SSL protocol.

Figure 3-14. Sample of a public certificate and private key. As you can see, it is merely clear text and can be easily copied.

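The checks a browser applies to a server certificate, as an added Go example that is not the book's code: a private CA (the passport office) issues a certificate tied to a DNS name, and Accept only passes when the chain reaches a CA in the accepted list and the name matches the site the user asked for. The CA name, the host name www.example.com, and the one-day validity period are assumptions of the example.

```go
package main // Added example, not the book's code: a private CA, a chained server certificate, and the browser-side checks.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with the signer's key (self-signed when parent is nil) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates the CA (the passport office) and a server certificate for host that chains back to it.
func BuildChain(host string) (ca, server *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the server; only its public half is certified
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"}, // assumed CA name
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, nil, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the domain name the certificate is tied to (not an IP address)
		NotBefore:    now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server, err = issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	return ca, server, err
}

// Accept mirrors the browser: the chain must end at a CA in the accepted list and the name must match the site requested.
func Accept(server *x509.Certificate, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, srv, _ := BuildChain("www.example.com") // assumed host name
	fmt.Println("trusted CA, right name:", Accept(srv, []*x509.Certificate{ca}, "www.example.com"))
	fmt.Println("right name, unknown CA:", Accept(srv, nil, "www.example.com"))
	fmt.Println("trusted CA, wrong name:", Accept(srv, []*x509.Certificate{ca}, "www.example.net"))
}
```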

SSL in Action


Let's see the combination of cipher suites, keys, algorithms, and certificates in action as we run through an example SSL session.

When enabling SSL on services on your server, you will first need to create a private and public key pair and corresponding certificate. This process is automatically initiated on most Web servers and will result in the creation of what is known as a certificate signing request, or CSR. This CSR, containing the public key, should be forwarded to the chosen CA for signing, and once completed, imported back into the Web server. A point to note here is that the private key must stay private; if it were available, someone could easily masquerade as your site because the public key is just that, public. With the private and public key pair, all encrypted traffic can be decrypted. But let's get back to the CSR. The CSR needs to be sent to a CA, who will sign it and return it to you for you to validate your domain name. We must point out here that a certificate is tied to a domain name and not an IP address. This domain name needs to be resolved to the address of the server in order to work. Once complete, the Web site can be ready for use, and all that is required is that the servers have the SSL service running.

Now we are ready to begin the actual SSL setup as illustrated in Figure 3-15. Let's look at the steps in more detail, remembering that certain message types within the SSL protocol are used to determine specific requests:

1. Once the client has established a TCP session on port 443 with the server, the client sends a client hello message. This client hello includes information such as the cipher suites that it supports.

2. The server selects the cipher suite from the list presented and responds with a server hello indicating to the client the ciphers it deems suitable. The client and the server have now agreed on a cipher suite to use.

3. The server then issues the client a copy of its certificate (remember that this certificate also contains the public key). Optionally, the server may request a copy of the client's certificate if client-side authentication is required.

4. Next, the server sends a server hello done message to tell the client it has completed the first phase of the session setup. As there is no key yet, this process is carried out in clear text.

5. The client now generates a random number, encrypts it with the server's public key, and sends the server the client key. This process is known as the client key exchange. This is the symmetric key that will be used for the duration of the symmetric encryption session. Communication from here on is encrypted.

6. The client now sends a change cipher spec message to the server to say it will now begin using the negotiated cipher suite (determined in step 2) for the duration of the session.

7. Once this is done, the client sends a finished message to the server to say that it is ready.

8. The server, in turn, sends a change cipher spec message to the client using the agreed information. The server also sends out a finished message on completion.

9. A secure encrypted tunnel is now set up, and communication can begin using the symmetric encryption details negotiated.

Figure 3-15. SSL session setup is a computationally intensive process that we need to offload to increase network performance.

One key piece of information in this exchange, which we will see has relevance in content switching in later chapters, is the SSL Session ID. This is a random identifier agreed by both sides when first initiating the SSL session to the server and is used to uniquely identify the tunnel they have established. One option that is held by the client during the negotiation process described previously is to reuse a set of agreed ciphers and keys by including the Session ID in the client hello it sends to the server. Provided that the server is configured to allow this type of session reuse, it will skip the need to swap the symmetric key and thus bypass the big number arithmetic needed, in turn speeding up the process. The SSL Session ID can be read in clear text, as it is not passed encrypted between client and server.

SSL Summary

SSL is a standards-based encryption and authentication mechanism widely used within the Internet today. While by far the most common implementations use HTTP as the Application layer protocol, SSL can be used to secure other applications. As we'll see in later chapters, the inclusion of SSL as a security mechanism for modern Web sites creates yet another part of the puzzle of content switching.

Summary


As with our coverage of Layer 2, 3, and 4 protocols, there are many other more detailed books covering the Application layer protocols we saw in this chapter. Hopefully, however, this chapter has served to give a better understanding of the ways in which TCP, UDP, and IP can be combined to provide application services, all optionally wrapped in SSL for greater security. Equipped with this understanding, we can begin to understand the concepts of content switching and put the techniques to use to solve many of the scalability problems of modern IP networks.

© 2012 Pearson Education, Inc. All rights reserved.

800 East 96th Street, Indianapolis, Indiana 46240
