WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Upload: ericom-software

Post on 11-May-2015

DESCRIPTION

WebSockets couples the performance and flexibility of TCP with the reach of HTTP. Prediction: WebSockets will replace simple TCP as the preferred underlying protocol. To see how WebSockets are used in a popular HTML5-based remote access solution, visit the following URL: http://j.mp/1luquBQ

TRANSCRIPT

Page 1: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Page 2: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Dan Shappir

CTO at Ericom Software

@DanShappir

blog: ericomguy.blogspot.com

Six-time BriForum speaker

Page 3: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Remember DCOM?

● Microsoft Distributed COM, circa 1996
● General purpose communication layer for client / server
● UDP-based, using ports 1024-5000
● COM succeeded; DCOM failed

Can you guess why?

Page 4: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Network Security Realities

● Firewalls/proxies dislike UDP
● Firewalls/proxies often dislike TCP
● Firewalls/proxies like HTTP (80) and HTTPS (443)
    o But dislike most any other port

Stateful Inspection means that just tunneling through ports 80 and 443 isn’t enough

Page 5: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Make Apps Look Like Websites

Use HTTP / HTTPS as an applicative transport
Example: RD Gateway (tunnels RDP through HTTPS)

● Web Services
● XML and SOAP
● RESTful APIs
● JSON
● AJAX

Page 6: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

HTTP Was Designed For Docs Not Apps

● Built on TCP Sockets but ...
● Request / Response architecture
    o Only client can send Requests
    o Server can only Respond to Requests
    o Can’t send another Request before Response
● Header on every Request / Response
    o Up to 8KB each

Page 7: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Various Workarounds

COMET
● Persistent connections (HTTP 1.1)
● Polling
● Long Polling
● Chunked Response
● Multiple channels
● Pipelining
● Two-way HTTP

Page 8: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Problems With Workarounds

● Hacks: error prone
● Complicated
● Compatibility issues
● Headers overhead
    o Especially if they contain cookies

Page 9: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Need a Better Solution

Flexibility of Sockets + reach of Web (HTTP)

Page 10: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSockets - Sockets for the Web

● Part of HTML5: W3C API and IETF Protocol
● Full-duplex, bidirectional communication
● Unsecured (TCP) and secured (SSL) modes
● Traverses firewalls, proxies and routers
● Text (UTF-8) and binary data
● Ping/Pong messages for keep-alive
● Share ports 80 and 443 with HTTP/HTTPS

Page 11: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSocket Connection Process

1. Client opens new TCP connection to Server
2. Optional SSL (TLS) handshake
3. Client sends HTTP GET Request
4. Server sends HTTP Response
5. Magic: Client & Server communicate using WebSocket packets

Page 12: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSocket Request

GET /blaze HTTP/1.1
Host: an.ericom.com
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Key: oY+dTudispTU+nqsq5XXVw==
Sec-WebSocket-Version: 13
Sec-WebSocket-Protocol: ericom|accessnow.3
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits, x-webkit-deflate-frame
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36
Origin: http://127.0.0.1

Page 16: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSocket Response

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-WebSocket-Accept: kgTM0bjagqwcNTJaj/VZZZZCJ5Q=
Sec-WebSocket-Protocol: ericom|accessnow.3
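An added example, not from the original slides or from Ericom's code: a server-side check of the upgrade request shown above, which validates the headers, applies an Origin allowlist, and derives Sec-WebSocket-Accept from Sec-WebSocket-Key as RFC 6455 defines it. The function names and the allowlist are assumptions, and the sample request is constructed from the slide's headers.

```python
import base64
import binascii
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed string from RFC 6455

# Constructed sample: the slide's request, reduced to the headers checked here.
SAMPLE_REQUEST = (
    "GET /blaze HTTP/1.1\r\nHost: an.ericom.com\r\n"
    "Connection: Upgrade\r\nUpgrade: websocket\r\n"
    "Sec-WebSocket-Key: oY+dTudispTU+nqsq5XXVw==\r\n"
    "Sec-WebSocket-Version: 13\r\nOrigin: http://127.0.0.1\r\n\r\n"
)

def accept_for(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_upgrade(raw_request, allowed_origins):
    """Return (101, accept value) or (error status, reason)."""
    lines = raw_request.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return 400, "handshake must be an HTTP/1.1 GET"
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return 400, "missing Upgrade: websocket"
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return 400, "missing Connection: Upgrade"
    if headers.get("sec-websocket-version") != "13":
        return 426, "unsupported WebSocket version"
    key = headers.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, "key must decode to 16 bytes"
    except (binascii.Error, ValueError):
        return 400, "key is not valid base64"
    # Browsers attach cookies to the handshake, so an authenticated endpoint
    # must reject origins it does not trust (hypothetical allowlist).
    if headers.get("origin") not in allowed_origins:
        return 403, "origin not allowed"
    return 101, accept_for(key)
```

The Accept value only proves that the server understood the WebSocket handshake; it authenticates neither side, so access control has to come from TLS, session credentials and the Origin check.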

Page 20: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Packet Oriented Protocol

● After handshake, protocol is sequence of packets
● Packets comprised of header + payload
● Several packet types
● Peers receive full data packets payload
    o Not partial packets / bytes
    o Not control packets

Page 21: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSocket Packet

Minimally framed: small header + payload

Header fields in wire order, laid out over 32-bit rows (bit positions 0-31; widths in bits in parentheses):

FIN
RSV1
RSV2
RSV3
opcode (4)
MASK
payload len (7)
extended payload len (16/64)
extended payload len continued (16/64)
masking key (0/32)
masking key continued
payload ...

Page 22: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Packet Opcodes (Types)

0 - continuation frame
1 - text frame (UTF-8)
2 - binary frame
3-7 - reserved (data)
8 - connection close
9 - ping
10 - pong
11-15 - reserved (control)
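An added example, not from the original slides: a parser for the frame layout and opcodes above that rejects reserved opcodes, unmasked client frames, oversized or fragmented control frames, and payload lengths over a receiver-chosen cap. The function name, the `from_client` flag and the 1 MiB default cap are assumptions; it assumes no extension was negotiated (permessage-deflate, seen in the request slide, would use RSV1), and the sample frame is constructed.

```python
import struct

OPCODES = {0: "continuation", 1: "text", 2: "binary",
           8: "close", 9: "ping", 10: "pong"}

def parse_frame(buf, from_client=True, max_payload=1 << 20):
    """Return (frame, bytes_consumed), None if incomplete; ValueError if invalid."""
    if len(buf) < 2:
        return None
    fin, rsv, opcode = buf[0] >> 7, (buf[0] >> 4) & 0x07, buf[0] & 0x0F
    masked, length = buf[1] >> 7, buf[1] & 0x7F
    if rsv:
        raise ValueError("RSV bit set without a negotiated extension")
    if opcode not in OPCODES:
        raise ValueError("reserved opcode %d" % opcode)
    if opcode >= 8 and (not fin or length > 125):
        raise ValueError("control frame fragmented or over 125 bytes")
    if from_client and not masked:
        raise ValueError("client-to-server frame must be masked")
    pos = 2
    if length in (126, 127):  # 16-bit or 64-bit extended length follows
        size, fmt = (2, "!H") if length == 126 else (8, "!Q")
        if len(buf) < pos + size:
            return None
        (length,) = struct.unpack_from(fmt, buf, pos)
        pos += size
    # Enforce the cap before waiting for the payload, so a peer cannot
    # make the receiver buffer whatever length it announces.
    if length > max_payload:
        raise ValueError("payload length exceeds limit")
    key = b""
    if masked:
        if len(buf) < pos + 4:
            return None
        key = buf[pos:pos + 4]
        pos += 4
    if len(buf) < pos + length:
        return None
    payload = bytes(buf[pos:pos + length])
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    frame = {"fin": bool(fin), "opcode": OPCODES[opcode], "payload": payload}
    return frame, pos + length

# Constructed sample: a masked text frame carrying "Hello".
SAMPLE_FRAME = bytes.fromhex("818537fa213d7f9f4d5158")
```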

Page 23: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSockets vs HTTP Bandwidth

Page 24: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Simple JavaScript Example

var ws = new WebSocket("ws://...");
ws.onopen = function () {
    ws.send("hello");
};
ws.onmessage = function (event) {
    console.log(event.data);
};

Page 25: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Growing Support

● Browsers
    o Everybody!
● Webservers
    o Most everybody!
● Firewalls
    o Often just works
● SSL VPN
    o Juniper, Cisco, CheckPoint, …

Page 26: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Benefits of SSL VPNs over VPNs

For Web protocols: HTTP and WebSockets

● No client-side installation
● No client-side configuration
● Any client device

Page 27: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSockets For Native Apps

● .NET (4.5) WCF support
● Java EE (JSR-356)
● C/C++ - several Open Source implementations
● PHP - Ratchet
● Node.js - multiple libraries

Page 28: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

WebSockets Extensions

Utilizing Sec-WebSocket-Extensions in Request/Response Headers:
1. Compression (deflate)
2. Multiplexing

Page 29: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

What If It Doesn’t Connect?

● Use standard ports: 80, 443
    o Or standard alternate ports: 8080, 8443, 8008
● Use SSL, with proper certificates
● Upgrade SSL VPN, Firewall, …
● Disable anti-virus
    o Or add an exception, or disable packet inspection
● Fallback to HTTP / HTTPS

Page 30: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Future Protocol For Everything?

No. The exceptions are primarily cases where UDP is required:
● Streaming Video or Video Conferencing
● Remote access over bad connections (“Framehawk” scenario)

Page 31: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

The Future, Future Protocol

● For UDP: WebRTC with data-channels
    o Use WebSockets as fallback
● For TCP: WebSockets
    o Use HTTP / HTTPS as fallback
● HTTP / HTTPS for RESTful APIs

Page 32: WebSockets Everywhere: the Future Transport Protocol for Everything (Almost)

Summary

WebSockets couple the performance and flexibility of TCP with the reach of HTTP

Prediction: WebSockets will replace simple TCP as preferred underlying protocol

Existing protocols wrapped in WebSockets