T-110.5140 Network Application Frameworks and XML
Summary and Conclusions
20.04.2009
Sasu Tarkoma
Topics Covered
- Distributed systems security
- Multi-addressing: mobility and multi-homing
- Building applications
- Distributed objects
- Role of directory services
- Mobile and wireless applications
- XML-based presentation and RPC
- Scalability and performance issues
Interconnections
- Interconnections are applicable on many levels
  - Network-level operation: DNS, overlay lookup, IPsec
  - Application-level operation: DHTs, SSL, SOAP, WS-Security
(Figure: the four areas the course interconnects: Network, Security, Directories, Objects)
Mobility and Routing
Identity/Locator split
(Figure: layer stack Process, Transport, ID Layer, IP Layer, Link Layer; the upper layer view above the ID layer uses an identifier, the layers below it use a locator)
- New name space for IDs
  - Maybe based on DNS
  - Maybe a separate namespace
  - Maybe IP addresses are used for location
  - Good for hiding IP versions
- Communication end-points (sockets) bound to identifiers
- IP connectivity problematic today
  - Broken by firewalls, NATs, mobility
  - Two versions of IP: IPv4 and IPv6
- HIP has a potential remedy
  - Restores end-to-end connectivity (NAT traversal possible but may require changes / tunnelling)
  - Adds opportunistic security
  - Handles mobility and multi-homing
  - Requires DHT based overlay (currently missing)
Where is the network state?
- Routers know addresses: like today
- DHT knows HITs / SIDs: lease based storage
- Middleboxes know SPIs: soft state
Lessons to learn
- Hierarchical routing likely to stay
  - Addresses carry topological information
  - Efficient and well established
- Applications face changing connectivity
  - QoS varies, periods of non-connectivity
- Identifiers and locators likely to split
  - Mobility management is needed
  - Probably changes in directory services
- Overlays have been proposed
Summary
- Topology based routing is necessary
- Mobility causes address changes
  - Address changes must be signalled end-to-end
  - Mobility management needed
- Initial rendezvous: maybe a directory service
- Double jump problem: rendezvous needed
- Many engineering trade-offs
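The network-state split above (routers hold addresses, the DHT holds lease-based identity state) and the single-move versus double-jump cases of this summary, as an added simulation that is not code from the lecture or from any HIP implementation; the identities, locators, lease length and the dict standing in for the network are all constructed:

```python
"""Constructed simulation of the identity/locator split summarized above (not
HIP code): sockets bind to host identities, a rendezvous directory plays the DHT
role with lease-based ID->locator state, single moves are signalled end-to-end,
and a double jump falls back to the rendezvous."""

class Rendezvous:
    # DHT stand-in: identity -> (locator, lease expiry). Soft state: entries are
    # never deleted, they simply stop resolving once the lease has run out.
    def __init__(self, lease=30):
        self.lease, self.db = lease, {}
    def register(self, hid, locator, now):
        self.db[hid] = (locator, now + self.lease)
    def lookup(self, hid, now):
        loc, exp = self.db.get(hid, (None, 0))
        return loc if exp > now else None

class Host:
    def __init__(self, hid, locator, rv, net, now):
        self.hid, self.rv, self.net, self.locator = hid, rv, net, None
        self.peers = {}                   # socket state: peer identity -> locator
        self.arrive(locator, now)
    def connect(self, peer_hid, now):     # initial rendezvous via the directory
        self.peers[peer_hid] = self.rv.lookup(peer_hid, now)
    def leave(self):
        self.net.pop(self.locator, None)  # old address no longer reaches us
    def arrive(self, locator, now):
        self.locator, self.net[locator] = locator, self
        self.rv.register(self.hid, locator, now)       # refresh our lease
        for peer, loc in self.peers.items():           # end-to-end readdressing
            h = self.net.get(loc)
            if h is not None and h.hid == peer:        # update only arrives if
                h.peers[self.hid] = locator            # the peer is still there
    def send(self, peer_hid, now):
        # Locator a packet reaches; re-resolve via rendezvous on a stale cache.
        loc = self.peers.get(peer_hid)
        h = self.net.get(loc)
        if h is None or h.hid != peer_hid:
            loc = self.peers[peer_hid] = self.rv.lookup(peer_hid, now)
        return loc

def scenario():
    net, rv = {}, Rendezvous(lease=30)   # net: locator -> host currently there
    a = Host("HIT-A", "10.0.0.1", rv, net, now=0)
    b = Host("HIT-B", "10.0.0.2", rv, net, now=0)
    a.connect("HIT-B", 0); b.connect("HIT-A", 0)
    a.leave(); a.arrive("10.0.1.1", now=5)           # single move: B is told
    after_single = b.peers["HIT-A"]
    a.leave(); b.leave()                             # double jump: both updates
    a.arrive("10.0.2.1", now=10); b.arrive("10.0.2.2", now=10)  # hit stale addresses
    stale, recovered = a.peers["HIT-B"], a.send("HIT-B", now=12)  # rendezvous fixes it
    return after_single, stale, recovered, rv.lookup("HIT-A", now=100)  # lease expired
```

The last value shows the soft-state side: once nobody refreshes the lease the identity simply stops resolving, no explicit deregistration is needed.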
Distributed Hash Tables and Overlays
Overlay Networks
- Origin in Peer-to-Peer (P2P)
- Builds upon Distributed Hash Tables (DHTs)
- Easy to deploy
  - No changes to routers or TCP/IP stack
  - Typically on application layer
- Overlay properties: resilience, fault-tolerance, scalability
Some DHT applications
- File sharing
- Web caching
- Censor-resistant data storage
- Event notification
- Naming systems
- Query and indexing
- Communication primitives
- Backup storage
- Web archive
Middleware
Examples
- Middleware: CORBA, message-oriented middleware, event systems & tuple spaces, Java Message Service, Java 2 Enterprise Edition (J2EE), .NET
- Mobile middleware: WAE, J2ME, Wireless CORBA, FUEGO
Summary
- Middleware for application development and deployment, supporting heterogeneous environments
  - Main communication paradigms: RPC/RMI, asynchronous events (publish/subscribe)
  - J2EE, CORBA, ..
- Mobile middleware
  - Desktop middleware not usable on small, mobile devices
  - Special solutions are needed: J2ME, Wireless CORBA, ..
Web Services
Standardization
- W3C
  - Web Services XML Protocol Working Group: SOAP
  - Web Services Addressing Working Group
  - Web Services Choreography Working Group
  - Web Services Description Working Group: WSDL
- OASIS
  - E-business standards, UDDI
- WS-I (Web Service Interoperability Org.)
  - Binding profiles, ..
Web Service Architecture
- The three major roles in web services
  - Service provider: provider of the WS
  - Service requestor: any consumer / client
  - Service registry: logically centralized directory of services
- A protocol stack is needed to support these roles
Web Services Protocol Stack
- Message transport: responsible for transporting messages (HTTP, BEEP)
- XML messaging: responsible for encoding messages in a common XML format (XML-RPC, SOAP)
- Service description: responsible for describing an interface to a specific web service (WSDL)
- Service discovery: responsible for service discovery and search (UDDI)
Web Services Security
Need for XML security
- An XML document can be encrypted using SSL or IPsec, but this cannot handle the different parts of the document
  - Documents may be routed hop-by-hop
  - Different entities must process different parts of the document
- SSL/TLS/IPsec provide message integrity and privacy only when the message is in transit
- We also need to encrypt and authenticate the document in arbitrary sequences and to involve multiple parties
Application-layer Security
- Identity-based security
  - Authentication and authorization information shared across security domains
- Content-based security
  - Protecting against buffer overflow and CGI-like attacks
  - Must have knowledge about the applications to which these messages are directed
- Accountability or non-repudiation
  - Need message level security
  - Maintain integrity, archived audit trails
- The standards and specifications mentioned earlier address these issues
Basic XML Security
- XML Digital Signatures (XMLDSIG)
- XML Encryption
- XML Canonicalization
- XML Key Management
Summary
- Security contexts
  - Security needed within and between contexts
  - XML validation, encryption, and authentication needed between security contexts!
- WS security standard revisited
  - SOAP header carries security information (and other info as well)
  - Selective processing
- SAML
  - Statements about authorization, authentication, attributes
- SAML & WS-Security & XACML implementations available
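The hop-by-hop problem from the "Need for XML security" slide and the canonicalization and signature building blocks of basic XML security, as an added illustration that is not code from the lecture or from any WS-Security toolkit: HMAC-SHA256 stands in for a real XMLDSIG signature, the envelope and key are constructed samples, and the standard library's C14N 2.0 replaces XMLDSIG's canonicalization algorithms.

```python
"""Message-level protection of one part of a SOAP document (constructed example,
not from the lecture). A TLS/IPsec channel only covers bytes between two hops;
a signature over a canonicalized Body element survives an intermediary that
rewrites other parts. HMAC-SHA256 stands in for XMLDSIG's signature algorithms
(assumption made to keep the example self-contained)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP)

# Constructed sample message: a routing header block and an order in the Body.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}">
<soap:Header><route hops="0"/></soap:Header>
<soap:Body><order id="42"><qty>10</qty></order></soap:Body>
</soap:Envelope>"""

def canonical(elem):
    # Canonical XML (C14N 2.0 as implemented by the standard library) yields
    # identical bytes for equivalent trees, so a re-serializing hop does not
    # break the signature; XMLDSIG canonicalizes for the same reason.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def sign_body(root, key):
    body = root.find(f"{{{SOAP}}}Body")
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()

def verify_body(root, key, sig):
    return hmac.compare_digest(sign_body(root, key), sig)

def intermediary(root):
    # A hop-by-hop actor edits its own header block and leaves the Body alone.
    route = root.find(f"{{{SOAP}}}Header/route")
    route.set("hops", str(int(route.get("hops")) + 1))
    return root

def relay(xml_text, key, tamper=False):
    """Requester signs the Body, a hop edits the header and re-serializes the
    message, and the provider verifies the Body signature. Returns True when
    the Body is intact at the provider."""
    root = ET.fromstring(xml_text)
    sig = sign_body(root, key)
    wire = ET.tostring(intermediary(root))
    at_provider = ET.fromstring(wire)
    if tamper:  # a hop that alters the order itself is caught
        at_provider.find(".//order/qty").text = "1000"
    return verify_body(at_provider, key, sig)
```

A transport-level channel cannot express this: it protects the whole byte stream to the next hop only, so the provider could not tell an honest header edit from a changed order once the message has left that hop.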
Putting it together
With identity/locator split + overlays?
(Figure: upper layers sit on an ID layer above routing. Control plane: overlay, congestion, end-to-end, routing. Data plane: overlay addresses, IP addresses, routing paths. Naming at each level: DNS names and custom identifiers, host identities, IP addresses, routing paths. Three protocol stacks are compared. "Theory": WS Security / SOAP / TCP / IP. "Practice": WS Security / SOAP / HTTP/TLS/sockets / TCP4 over IPv4 and TCP6 over IPv6. "Future?": WS Security / SOAP / HTTP?/sockets / TCP / HIPsec and HIPCTRL over IPv4 and IPv6.)
Discussion
- Interesting things are happening on L7: Ajax, content delivery, BitTorrent, DHTs, OpenID, mashups, REST, ..
- Web services have enabled significant business: Google, Amazon, ..
  - Based on custom software
- Network layer support for applications is not perfect
  - Channel binding, end-host reachability, trust, DoS
  - Incremental network evolution vs. clean slate developments
  - Control points
  - Interdomain policies and peering
Important Dates
- Exam on 12.5. 9-12 in T1.
- Deadline for the second assignment 15.5.
- Remember course feedback: http://www.cs.hut.fi/Opinnot/Palaute/kurssipalaute.html