websockets everywhere: the future transport protocol for everything (almost)

Post on 11-May-2015

DESCRIPTION

WebSockets couple the performance and flexibility of TCP with the reach of HTTP. Prediction: WebSockets will replace simple TCP as the preferred underlying protocol. To see how WebSockets are used in a popular HTML5-based remote access solution, visit the following URL: http://j.mp/1luquBQ

TRANSCRIPT

WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Dan Shappir

CTO at Ericom Software

@DanShappir

blog: ericomguy.blogspot.com

Six-time BriForum speaker

Remember DCOM?

● Microsoft Distributed COM, circa 1996
● General purpose communication layer for client / server
● UDP-based, using ports 1024-5000
● COM succeeded; DCOM failed

Can you guess why?

Network Security Realities

● Firewalls/proxies dislike UDP
● Firewalls/proxies often dislike TCP
● Firewalls/proxies like HTTP (80) and HTTPS (443)
  o But dislike most any other port

Stateful Inspection means that just tunneling through ports 80 and 443 isn’t enough

Make Apps Look Like Websites

Use HTTP / HTTPS as an applicative transport

Example: RD Gateway (tunnels RDP through HTTPS)

● Web Services
● XML and SOAP
● RESTful APIs
● JSON
● AJAX

HTTP Was Designed For Docs Not Apps

● Built on TCP Sockets but ...
● Request / Response architecture
  o Only client can send Requests
  o Server can only Respond to Requests
  o Can’t send another Request before Response
● Header on every Request / Response
  o Up to 8KB each

Various Workarounds

COMET
● Persistent connections (HTTP 1.1)
● Polling
● Long Polling
● Chunked Response
● Multiple channels
● Pipelining
● Two-way HTTP

Problems With Workarounds

● Hacks: error prone
● Complicated
● Compatibility issues
● Headers overhead
  o Especially if contains cookies

Need a Better Solution

Flexibility of Sockets + reach of Web (HTTP)

WebSockets - Sockets for the Web

● Part of HTML5: W3C API and IETF Protocol
● Full-duplex, bidirectional communication
● Unsecured (TCP) and secured (SSL) modes
● Traverses firewalls, proxies and routers
● Text (UTF-8) and binary data
● Ping/Pong messages for keep-alive
● Share ports 80 and 443 with HTTP/HTTPS

WebSocket Connection Process

1. Client opens new TCP connection to Server
2. Optional SSL (TLS) handshake
3. Client sends HTTP GET Request
4. Server sends HTTP Response
5. Magic: Client & Server communicate using WebSocket packets

WebSocket Request

GET /blaze HTTP/1.1
Host: an.ericom.com
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Key: oY+dTudispTU+nqsq5XXVw==
Sec-WebSocket-Version: 13
Sec-WebSocket-Protocol: ericom|accessnow.3
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits, x-webkit-deflate-frame
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Origin: http://127.0.0.1

WebSocket Response

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: kgTM0bjagqwcNTJaj/VZZZZCJ5Q=
Sec-WebSocket-Protocol: ericom|accessnow.3
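
The server-side checks behind the request and response above, as an added example for Node.js (not part of the original slides or of Ericom's code). The names acceptFor, checkUpgrade and the policy object are hypothetical; the GUID and the SHA-1/base64 rule for Sec-WebSocket-Accept come from RFC 6455.

```javascript
const nodeCrypto = require("crypto");

// Fixed GUID from RFC 6455; the server appends it to the client's key.
const WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";

// Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)).
function acceptFor(key) {
  return nodeCrypto.createHash("sha1").update(key + WS_GUID).digest("base64");
}

// Split a comma-separated header value into trimmed tokens.
const tokens = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// headers: request headers keyed by lower-case name (assumed shape).
// policy: hypothetical server settings { origins: [...], protocols: [...] }.
function checkUpgrade(headers, policy) {
  const has = (name, want) =>
    tokens(headers[name]).some((t) => t.toLowerCase() === want);
  if (!has("upgrade", "websocket") || !has("connection", "upgrade")) {
    return { status: 400, reason: "not a WebSocket upgrade" };
  }
  if (headers["sec-websocket-version"] !== "13") {
    return { status: 426, reason: "unsupported version" };
  }
  const key = headers["sec-websocket-key"] || "";
  if (Buffer.from(key, "base64").length !== 16) {
    return { status: 400, reason: "key must be 16 bytes, base64-encoded" };
  }
  // The handshake carries the browser's cookies, so the Origin allow-list is
  // what keeps an unrelated page from opening an authenticated socket.
  if (!policy.origins.includes(headers["origin"])) {
    return { status: 403, reason: "origin not allowed" };
  }
  const out = { Upgrade: "websocket", Connection: "Upgrade",
                "Sec-WebSocket-Accept": acceptFor(key) };
  const chosen = tokens(headers["sec-websocket-protocol"])
    .find((p) => policy.protocols.includes(p));
  if (chosen) out["Sec-WebSocket-Protocol"] = chosen;
  return { status: 101, headers: out };
}

// Constructed input: the request from the slide, as a header map.
const slideRequest = {
  upgrade: "websocket", connection: "Upgrade",
  "sec-websocket-key": "oY+dTudispTU+nqsq5XXVw==",
  "sec-websocket-version": "13", origin: "http://127.0.0.1",
  "sec-websocket-protocol": "ericom|accessnow.3",
};
```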

Packet Oriented Protocol

● After handshake, protocol is sequence of packets
● Packets comprised of header + payload
● Several packet types
● Peers receive full data packets payload
  o Not partial packets / bytes
  o Not control packets

WebSocket Packet

Minimally framed: small header + payload

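 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-------+-+-------------+-------------------------------+
|F|R|R|R| opcode|M| payload len |     extended payload len      |
|I|S|S|S|  (4)  |A|     (7)     |            (16/64)            |
|N|V|V|V|       |S|             |                               |
| |1|2|3|       |K|             |                               |
+-+-+-+-+-------+-+-------------+ - - - - - - - - - - - - - - - +
|            extended payload len continued (16/64)             |
+ - - - - - - - - - - - - - - - +-------------------------------+
|                               |      masking key (0/32)       |
+-------------------------------+-------------------------------+
|     masking key continued     |          payload ...          |
+---------------------------------------------------------------+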

Packet Opcodes (Types)

0 - continuation frame
1 - text frame (UTF-8)
2 - binary frame
3-7 - reserved (data)
8 - connection close
9 - ping
10 - pong
11-15 - reserved (control)
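
A parser for the packet header and opcodes described above, as an added example (not from the original slides). parseFrame and its options are hypothetical names; it assumes no extension was negotiated, so set RSV bits are rejected, and it applies the RFC 6455 rules that client frames are masked and control frames are unfragmented with at most 125 payload bytes.

```javascript
// Opcode names from the slide; 3-7 and 11-15 are reserved.
const OPCODES = { 0: "continuation", 1: "text", 2: "binary",
                  8: "close", 9: "ping", 10: "pong" };

// Parse one frame from a Uint8Array. Returns null if more bytes are needed,
// throws on frames a receiver must reject.
function parseFrame(buf, { fromClient = false, maxPayload = 1 << 20 } = {}) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const rsv = buf[0] & 0x70;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let len = buf[1] & 0x7f;
  let pos = 2;
  if (rsv !== 0) throw new Error("RSV bits set but no extension negotiated");
  if (!(opcode in OPCODES)) throw new Error("reserved opcode " + opcode);
  if (opcode >= 8 && (!fin || len > 125)) throw new Error("bad control frame");
  if (fromClient && !masked) throw new Error("client frames must be masked");
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  if (len === 126) {
    if (buf.length < 4) return null;
    len = view.getUint16(2); pos = 4;
  } else if (len === 127) {
    if (buf.length < 10) return null;
    const big = view.getBigUint64(2);
    if (big > BigInt(maxPayload)) throw new Error("payload too large");
    len = Number(big); pos = 10;
  }
  if (len > maxPayload) throw new Error("payload too large");
  const need = pos + (masked ? 4 : 0) + len;
  if (buf.length < need) return null;
  let payload = buf.slice(need - len, need);
  if (masked) {
    const key = buf.subarray(pos, pos + 4);
    payload = payload.map((b, i) => b ^ key[i % 4]);
  }
  return { fin, type: OPCODES[opcode], masked, payload, consumed: need };
}

// Constructed samples: "Hello" as an unmasked and a masked text frame.
const UNMASKED = Uint8Array.of(0x81, 0x05, 0x48, 0x65, 0x6c, 0x6c, 0x6f);
const MASKED = Uint8Array.of(0x81, 0x85, 0x37, 0xfa, 0x21, 0x3d,
                             0x7f, 0x9f, 0x4d, 0x51, 0x58);
```

The maxPayload limit is checked before any buffering decision, so a 64-bit length field cannot make the receiver wait for or allocate an arbitrarily large payload.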

WebSockets vs HTTP Bandwidth

Simple JavaScript Example

var ws = new WebSocket("ws://...");
ws.onopen = function () {
    ws.send("hello");
};
ws.onmessage = function (event) {
    console.log(event.data);
};

Growing Support

● Browsers
  o Everybody!
● Webservers
  o Most everybody!
● Firewalls
  o Often just works
● SSL VPN
  o Juniper, Cisco, CheckPoint, …

Benefits of SSL VPNs over VPNs

For Web protocols: HTTP and WebSockets

● No client-side installation
● No client-side configuration
● Any client device

WebSockets For Native Apps

● .NET (4.5) WCF support
● Java EE (JSR-356)
● C/C++ - several Open Source implementations
● PHP - Ratchet
● Node.js - multiple libraries

WebSockets Extensions

Utilizing Sec-WebSocket-Extensions in Request/Response Headers:
1. Compression (deflate)
2. Multiplexing

What If It Doesn’t Connect?

● Use standard ports: 80, 443
  o Or standard alternate ports: 8080, 8443, 8008
● Use SSL, with proper certificates
● Upgrade SSL VPN, Firewall, …
● Disable anti-virus
  o Or exception, or disable packet inspection
● Fallback to HTTP / HTTPS

Future Protocol For Everything?

No, primarily when UDP is required
● Streaming Video or Video Conferencing
● Remote access over bad connections (“Framehawk” scenario)

The Future, Future Protocol

● For UDP: WebRTC with data-channels
  o Use WebSockets as fallback
● For TCP: WebSockets
  o Use HTTP / HTTPS as fallback
● HTTP / HTTPS for RESTful APIs

Summary

WebSockets couple the performance and flexibility of TCP with the reach of HTTP

Prediction: WebSockets will replace simple TCP as preferred underlying protocol

Existing protocols wrapped in WebSockets
