T-110.5140 Network Application Frameworks and XML: Summary and Conclusions, 20.04.2009, Sasu Tarkoma


Page 1

T-110.5140 Network Application Frameworks and XML

Summary and Conclusions

20.04.2009

Sasu Tarkoma

Page 2

Topics Covered

- Distributed systems security
- Multi-addressing: mobility and multi-homing
- Building applications
  - Distributed objects
  - Role of directory services
  - Mobile and wireless applications
  - XML-based presentation and RPC
- Scalability and performance issues

Page 3

Interconnections

- Interconnections applicable on many levels
  - Network-level operation
    - DNS, overlay lookup, IPsec
  - Application-level operation
    - DHTs, SSL, SOAP, WS-Security

(Diagram labels: Network, Security, Directories, Objects)

Page 4

Mobility and Routing

Page 5

Identity/Locator split

(Layer diagram, top to bottom: Process, Transport, ID Layer, IP Layer, Link Layer. The identifier is used above the ID layer, the locator below it.)

- New name space for IDs
  - Maybe based on DNS
  - Maybe a separate namespace
- Maybe IP addresses are used for location
  - Good for hiding IP versions
- Communication end-points (sockets) bound to identifiers

Page 6

Upper layer view

- IP connectivity problematic today
  - Broken by firewalls, NATs, mobility
  - Two versions of IP: IPv4 and IPv6
- HIP has a potential remedy
  - Restores end-to-end connectivity (NAT traversal possible but may require changes / tunnelling)
  - Adds opportunistic security
  - Handles mobility and multi-homing
  - Requires DHT based overlay (currently missing)
- Where is the network state?
  - Routers know addresses (like today)
  - DHT knows HITs / SIDs (lease based storage)
  - Middleboxes know SPIs (soft state)

Page 7

Lessons to learn

- Hierarchical routing likely to stay
  - Addresses carry topological information
  - Efficient and well established
- Applications face changing connectivity
  - QoS varies, periods of non-connectivity
- Identifiers and locators likely to split
  - Mobility management is needed
  - Probably changes in directory services
  - Overlays have been proposed

Page 8

Summary

- Topology based routing is necessary
- Mobility causes address changes
  - Address changes must be signalled end-to-end
  - Mobility management needed
- Initial rendezvous: maybe a directory service
- Double jump problem: rendezvous needed
- Many engineering trade-offs
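The points on slides 5, 7 and 8 (sockets bound to identifiers, address changes signalled end-to-end, initial rendezvous through a directory, and the double jump problem) can be made concrete with a toy model. The following is an added example, not code from the lecture or from any HIP implementation: the network, the locator strings and the `rendezvous` dictionary (standing in for the DHT / directory service of the slides) are all constructed here. It shows that a single move is handled by an end-to-end update, while a double jump (both peers move at the same time) loses both updates and can only be recovered through the rendezvous lookup.

```python
# Constructed toy model of an identity/locator split (not HIP itself):
# hosts address each other by a stable identifier; the locator (an IP address,
# here just a string) changes on mobility and must be re-signalled end-to-end.

class Network:
    """Delivers a packet only if the destination locator is currently
    assigned to some host; a packet sent to a stale locator is lost."""

    def __init__(self):
        self.loc_to_host = {}

    def attach(self, host, locator):
        # A host holds one locator at a time; moving releases the old one.
        for loc, h in list(self.loc_to_host.items()):
            if h is host:
                del self.loc_to_host[loc]
        self.loc_to_host[locator] = host
        host.locator = locator

    def send(self, dst_locator, packet):
        host = self.loc_to_host.get(dst_locator)
        if host is None:
            return False                  # stale locator: packet lost
        host.receive(packet)
        return True


class Host:
    """rendezvous: optional shared dict identifier -> current locator,
    standing in for the directory service / DHT of the slides."""

    def __init__(self, ident, net, rendezvous=None):
        self.ident, self.net, self.rv = ident, net, rendezvous
        self.locator = None
        self.peers = {}     # ID-layer binding: peer identifier -> last known locator
        self.inbox = []     # (sender identifier, payload)

    def receive(self, packet):
        kind, src_id, src_loc, payload = packet
        self.peers[src_id] = src_loc      # any packet refreshes the binding
        if kind == "data":
            self.inbox.append((src_id, payload))

    def move(self, new_locator, signal=True):
        self.net.attach(self, new_locator)
        if self.rv is not None:
            self.rv[self.ident] = new_locator
        if signal:
            self.signal_peers()

    def signal_peers(self):
        """Send the new locator to every known peer (end-to-end update)."""
        for peer_loc in list(self.peers.values()):
            self.net.send(peer_loc, ("update", self.ident, self.locator, None))

    def send(self, peer_id, payload):
        packet = ("data", self.ident, self.locator, payload)
        loc = self.peers.get(peer_id)
        if loc is not None and self.net.send(loc, packet):
            return True
        # Binding stale or unknown: fall back to the rendezvous directory.
        if self.rv is not None:
            loc = self.rv.get(peer_id)
            if loc is not None and self.net.send(loc, packet):
                self.peers[peer_id] = loc
                return True
        return False


def make_pair(with_rendezvous):
    net = Network()
    rv = {} if with_rendezvous else None
    a, b = Host("A", net, rv), Host("B", net, rv)
    a.move("10.0.0.1", signal=False)
    b.move("10.0.0.2", signal=False)
    a.peers["B"] = "10.0.0.2"   # initial rendezvous (e.g. a directory lookup)
    a.send("B", "hello")        # B learns A's locator from this packet
    return a, b


def single_move(with_rendezvous=False):
    """A moves and signals B; B can still reach A by identifier."""
    a, b = make_pair(with_rendezvous)
    a.move("10.1.0.1")
    return b.send("A", "reply")


def double_jump(with_rendezvous):
    """A and B move at the same time: each update is sent to the other's old
    locator and lost, so only a rendezvous lookup can re-establish contact."""
    a, b = make_pair(with_rendezvous)
    a.move("10.1.0.1", signal=False)
    b.move("10.2.0.2", signal=False)
    a.signal_peers()
    b.signal_peers()
    return a.send("B", "after double jump")
```

`single_move()` returns True even without a directory, because the moving host still knows its peer's locator and can signal the change end-to-end. `double_jump(False)` returns False: both update packets are sent to locators that no longer exist. `double_jump(True)` returns True because the sender falls back to the rendezvous entry that the peer registered when it moved, which is exactly the "rendezvous needed" point on the slide. The model deliberately leaves out what a real protocol must add on top: authenticating the update (otherwise any party can redirect a peer's traffic) and expiring rendezvous entries (the "lease based storage" on slide 6).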

Page 9

Distributed Hash Tables and Overlays

Page 10

Overlay Networks

- Origin in Peer-to-Peer (P2P)
- Builds upon Distributed Hash Tables (DHTs)
- Easy to deploy
  - No changes to routers or TCP/IP stack
  - Typically on application layer
- Overlay properties
  - Resilience
  - Fault-tolerance
  - Scalability

Page 11

Some DHT applications

- File sharing
- Web caching
- Censor-resistant data storage
- Event notification
- Naming systems
- Query and indexing
- Communication primitives
- Backup storage
- Web archive

Page 12

Middleware

Page 13

Examples

- Middleware
  - CORBA
  - Message-oriented Middleware
  - Event Systems & tuple spaces
  - Java Message Service
  - Java 2 Enterprise Edition (J2EE)
  - .NET
- Mobile middleware
  - WAE
  - J2ME
  - Wireless CORBA
  - FUEGO

Page 14

Summary

- Middleware for application development and deployment for supporting heterogeneous environments
  - Main communication paradigms: RPC/RMI, asynchronous events (publish/subscribe)
  - J2EE, CORBA, ..
- Mobile middleware
  - Desktop middleware not usable on small, mobile devices
  - Special solutions are needed
  - J2ME, Wireless CORBA, ..

Page 15

Web Services

Page 16

Standardization

- W3C Web Services
  - XML Protocol Working Group (SOAP)
  - Web Services Addressing Working Group
  - Web Services Choreography Working Group
  - Web Services Description Working Group (WSDL)
- OASIS
  - E-business standards, UDDI
- WS-I (Web Service Interoperability Org.)
  - Binding profiles, ..

Page 17

Web Service Architecture

- The three major roles in web services
  - Service provider: provider of the WS
  - Service requestor: any consumer / client
  - Service registry: logically centralized directory of services
- A protocol stack is needed to support these roles

Page 18

Web Services Protocol Stack

- Message Transport: responsible for transporting messages (HTTP, BEEP)
- XML Messaging: responsible for encoding messages in a common XML format (XML-RPC, SOAP)
- Service Description: responsible for describing an interface to a specific web service (WSDL)
- Service Discovery: responsible for service discovery and search (UDDI)

Page 19

Web Services Security

Page 20

Need for XML security

- XML document can be encrypted using SSL or IPSec
  - this cannot handle the different parts of the document
  - documents may be routed hop-by-hop
  - different entities must process different parts of the document
- SSL/TLS/IPSec provide message integrity and privacy only when the message is in transit
- We also need to encrypt and authenticate the document in arbitrary sequences and to involve multiple parties

Page 21

Application-layer Security

- Identity-based security
  - Authentication and authorization information shared across security domains
- Content-based security
  - Protecting against buffer overflow and CGI-like attacks
  - Must have knowledge about the applications to which these messages are directed
- Accountability or non-repudiation
  - Need message level security
  - Maintain integrity, archived audit trails
- The standards and specifications mentioned earlier address these issues

Page 22

Basic XML Security

- XML Digital Signatures (XMLDSIG)
- XML Encryption
- XML Canonicalization
- XML Key Management

Page 23

Summary

- Security contexts
  - Security needed within and between contexts
  - XML validation, encryption, and authentication needed between security contexts!
- WS security standard revisited
  - SOAP header carries security information (and other info as well)
  - Selective processing
- SAML
  - Statements about authorization, authentication, attributes
- SAML & WS-Security & XACML
  - Implementations available
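Slides 20, 22 and 23 together make one argument: transport security (SSL/TLS, IPsec) protects a message only between two hops, while a document that is routed hop-by-hop and processed in parts needs integrity attached to the parts themselves, carried in the message header (XMLDSIG, canonicalization, SOAP header security blocks, selective processing). The following added example, written for this summary and not taken from the lecture or from any WS-Security library, shows the mechanism in miniature with the Python standard library: only the `<Body>` element is signed, over its canonical form, so an intermediary can rewrite the `<Header>` without invalidating the signature, while any change to the signed part is detected. Assumptions, all constructed here: the envelope layout and element names, the shared HMAC key (a stand-in for the key pair an XMLDSIG `<ds:Signature>` would use), and C14N 2.0 from `xml.etree.ElementTree.canonicalize` (Python 3.8+) in place of the Exclusive C14N that WS-Security normally references.

```python
# Constructed example of message-level integrity for one part of an XML
# message. Only <Body> is signed, over its canonical (C14N 2.0) form, so
# intermediaries may rewrite <Header> hop-by-hop without breaking the
# signature. HMAC-SHA256 with a shared key stands in for an XMLDSIG
# <ds:Signature>; the structure is the same: canonicalize, digest, verify.
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-shared-secret"   # in XMLDSIG this would be a signing key pair


def canonical(elem):
    """Canonical bytes of one element, so that equivalent serializations
    (attribute order, quoting, whitespace in tags) digest to the same value."""
    elem = copy.copy(elem)
    elem.tail = None   # tostring() would otherwise append the element's tail text
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()


def digest(elem):
    return hmac.new(KEY, canonical(elem), hashlib.sha256).hexdigest()


def sign_body(xml_text):
    """Sender: add <Signature covers="Body"> to the header."""
    root = ET.fromstring(xml_text)
    header, body = root.find("Header"), root.find("Body")
    if header is None:
        header = ET.Element("Header")
        root.insert(0, header)
    sig = ET.SubElement(header, "Signature", {"covers": "Body", "alg": "hmac-sha256"})
    sig.text = digest(body)
    return ET.tostring(root, encoding="unicode")


def verify_body(xml_text):
    """Receiver: recompute the digest of <Body> and compare in constant time."""
    root = ET.fromstring(xml_text)
    sig, body = root.find("Header/Signature"), root.find("Body")
    if sig is None or body is None or sig.get("covers") != "Body":
        return False
    return hmac.compare_digest(digest(body), sig.text or "")


def add_routing_hop(xml_text, hop):
    """Intermediary: rewrites the header (adds a <Via>), leaves <Body> alone."""
    root = ET.fromstring(xml_text)
    ET.SubElement(root.find("Header"), "Via").text = hop
    return ET.tostring(root, encoding="unicode")


def tamper_amount(xml_text, new_amount):
    """An intermediary that alters the signed part; verification must fail."""
    root = ET.fromstring(xml_text)
    root.find("Body/Order/Amount").text = new_amount
    return ET.tostring(root, encoding="unicode")


# Constructed sample message, shaped like a SOAP envelope without namespaces.
MESSAGE = (
    "<Envelope><Header><To>urn:example:bank</To></Header>"
    "<Body><Order><Account>ACC-1</Account><Amount>100</Amount></Order></Body>"
    "</Envelope>"
)


def demo():
    signed = sign_body(MESSAGE)
    routed = add_routing_hop(add_routing_hop(signed, "gw1.example"), "gw2.example")
    return {
        "signed_ok": verify_body(signed),
        "routed_ok": verify_body(routed),            # header changed, body intact
        "tampered_ok": verify_body(tamper_amount(routed, "100000")),
        "unsigned_ok": verify_body(MESSAGE),
    }
```

`demo()` returns `signed_ok` and `routed_ok` as True and `tampered_ok` and `unsigned_ok` as False: two header rewrites by intermediaries leave the signature valid, a change to the signed order does not, and a message with no signature block is rejected rather than accepted by default. Real XMLDSIG adds what this sketch omits: a `<ds:Reference URI="#id">` to name the signed part, the transforms and canonicalization method recorded inside the signature so the verifier applies the same ones, and a public-key signature so that the receiver can verify without holding the sender's secret, which is what makes the non-repudiation requirement of slide 21 achievable.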

Page 24

Putting it together

Page 25

With identity/locator split + overlays?

(Layer diagram. Layer labels: Upper layers, Overlay, Congestion, End-to-end, Routing, ID Layer. One column of name spaces: overlay addresses, IP addresses, routing paths. A second column: DNS names, custom identifiers, host identities, IP addresses, routing paths. Plane labels: CONTROL, DATA.)

Page 26

(Three protocol stacks, listed top to bottom)

”Theory”: WS Security / SOAP / TCP / IP

”Practice”: WS Security / SOAP / HTTP/TLS/sockets / TCP4, TCP6 / IPv4, IPv6

”Future?”: WS Security / SOAP / HTTP?/sockets / TCP / HIPsec, HIPCTRL / IPv4, IPv6

Page 27

Discussion

- Interesting things are happening on L7
  - Ajax, content delivery, BitTorrent, DHTs, OpenID, mashups, REST, ..
- Web services have enabled significant business
  - Google, Amazon, ..
  - Based on custom software
- Network layer support for applications is not perfect
  - Channel binding, end-host reachability, trust, DoS
- Incremental network evolution vs. clean slate developments
  - Control points
  - Interdomain policies and peering

Page 28

Important Dates

- Exam on 12.5. 9-12 in T1.
- Deadline for the second assignment 15.5.
- Remember course feedback: http://www.cs.hut.fi/Opinnot/Palaute/kurssipalaute.html