
Articles

http://www.informit.com/articles/printerfriendly.aspx?p=169578

By Matthew Syme, Philip Goldie
Date: Mar 5, 2004
Sample Chapter is provided courtesy of Prentice Hall Professional.

In this chapter, we'll move further up the OSI Seven Layer Model and take an in-depth look at the workings of some of the Application layer protocols that are most commonly used in content switching. These include TCP-based services such as HTTP, UDP services like DNS, and applications that use a combination of TCP and UDP, such as the Real Time Streaming Protocol (RTSP). Finally, we'll look at how these types of applications can be secured using Secure Sockets Layer (SSL).

HyperText Transfer Protocol (HTTP)
The HyperText Transfer Protocol, or HTTP, must be the most widely used Application layer protocol in the world today. It forms the basis of what most people understand the Internet to be: the World Wide Web. Its purpose is to provide a lightweight protocol for the retrieval of HyperText Markup Language (HTML) and other documents from Web sites throughout the Internet. Each time you open a Web browser to surf the Internet, you are using HTTP over TCP/IP.

HTTP was first ratified in the early 1990s and has been through three main iterations:

HTTP/0.9: A simplistic first implementation of the protocol that only supported the option to get a Web page.
HTTP/1.0: Ratified by the IETF as RFC 1945 in 1996. This version added many supplemental data fields, known as headers, to the specification. This allowed for other information passing between the client and server, alongside the request and consequent page.
HTTP/1.1: Defined in RFC 2068 by the IETF, version 1.1 implemented a number of improvements over and above the 1.0 specification. One of the main improvements of 1.1 over 1.0 was the implementation of techniques such as persistent TCP connections, pipelining, and cache control to improve performance within HTTP-based applications.

Most browsers these days offer support for both 1.0 and 1.1 implementations, with new browsers using 1.1 as a default but supporting the ability to fall back to earlier versions if required. One thing the RFC definitions are clear to point out is that all implementations of the HTTP protocol should be backward compatible. That is to say that a browser implementing the HTTP/1.1 specification should be capable of receiving a 1.0 response from a server. Conversely, a 1.1 implementation on the server side should also be capable of responding to requests from a 1.0 browser.

It is well outside the bounds of this book to cover the HTTP protocols in huge detail, so let's concentrate on those elements most relevant to content switching.

Basic HTTP Page Retrieval
Let's start at the beginning and see how a basic browser retrieves a Web page from a Web server. The first important point to note is that a Web page is typically made up of many dozens of objects, ranging from the HTML base through to the images that are present on the page. The HTML can be thought of as the template for the page overall, instructing the browser on the layout of the text, font sizes and colors, background color of the page, and which other images need to be retrieved to make up the page.

Think of the process, taking place in the following order:

1. Client sends a request for the required page to the Web server.
2. The server analyzes the request and sends back an acknowledgment to the client along with the HTML code required to make the page.
3. The client will begin interpreting the HTML and building the page.
4. The client, in subsequent requests, will retrieve any embedded objects, such as images or other multimedia sources.

2/22/2012 10:43 PM


Once all elements of the page have been retrieved, the client browser will display the completed Web page. The order and timing of the process described previously depends largely on which implementation of HTTP is used, 1.0 or 1.1, although all browsers work in this way of request and response.

HTTP Methods
HTTP does not only offer a mechanism for the client to receive data from the server, but also other communication types such as the passing of data from the client to the server. Such mechanisms are known within the HTTP specifications as a method. Table 3-1 shows the supported method types in HTTP/1.0 and 1.1.

Table 3-1. The HTTP Method Headers in HTTP/1.0 and HTTP/1.1

METHOD    DESCRIPTION
GET       Retrieve the information specified.
HEAD      Identical to the GET request, but the server must not return any page content other than the HTTP headers.
POST      Allows the client to submit information to the server, used for submitting information from a form, etc.
PUT       Allows the client to place an item on the server in the location specified.
DELETE    Allows the client to delete the item specified in the request.
TRACE     Allows the client to see the request it made to the server. This acts as a loopback in effect.
OPTIONS   Allows the client to determine the communications options available on the server.

In terms of general Web browsing, the GET and POST methods are by far the most commonly used. For a browser to build a standard Web page, the GET method is used to retrieve each object individually, whereas for transactional Web sites implementing shopping cart-style applications, the POST method will also be used.

The HTTP URL
The URL is the most important piece of information that the client browser includes in any GET request. The URL is defined as being a combination of the host where the site is located, the scheme used to retrieve the page, and the full path and filename. Optionally, the URL may include information such as the TCP port number to be used or a unique reference point within a larger page. Figure 3-1 shows the breakdown of an example URL.


Figure 3-1. An example URL and its components.

The URI is also commonly used when referencing the location of documents within HTTP. The formal definition of the difference between a URL and a URI is simple: A URI is a URL without the scheme defined.

Persistent Connections in HTTP
One of the other major differences in operation between HTTP/1.0 and HTTP/1.1 is the handling of TCP connections required to retrieve a full Web page. Given that a client will typically have to retrieve multiple objects to make up a single Web page, it is often inefficient to open and close TCP sessions repeatedly when retrieving objects from the same server. To improve the overall performance of HTTP in this instance, the protocol defines the Connection: header that communicates to the server whether the TCP session should be closed or remain open once the object has been retrieved. The Connection: header has two options:

Connection: Closed: The default for HTTP/1.0
Connection: Keep-Alive: The default for HTTP/1.1

The Closed state indicates that the server should close the TCP connection once the request has been fulfilled. The Keep-Alive state indicates that the server should keep the TCP connection open after the request has been fulfilled. Along with an obvious performance increase from removing the need to open and close TCP connections, the Keep-Alive state also allows the implementation of pipelining. Pipelining allows a client to send multiple HTTP GET requests over the same TCP connection without needing to wait for individual responses after each. Figure 3-2 shows the difference in these connection types.

Figure 3-2. The difference in TCP handling between HTTP/1.0 and HTTP/1.1.

The final piece in the puzzle of interaction between client and server is in opening multiple TCP connections. We've already seen that a client can open a persistent TCP connection to the server and pipeline HTTP requests. To further improve performance of the HTTP operation, many browsers will open several simultaneous connections. Figure 3-3 gives examples of pipelining and multiple connections.

Figure 3-3. Implementing pipelining and multiple connections as performance mechanisms.

Other HTTP Headers
The HTTP protocol includes definitions for dozens of headers that can be included in the client-to-server and server-to-client requests and responses. We will not attempt to list and describe all those available here; for a full description, the RFCs for HTTP/1.0 and HTTP/1.1 offer a better source. The RFCs define a series of standard headers, which can be complemented by adding user-defined headers from either the client or server side.

As headers are ASCII readable text in every HTTP request and response pair, they can prove very useful in the implementation of content switching. Let's look at some of the HTTP headers most commonly used in content switching.

The "Accept:" Header
The client browser uses the "Accept:" header to indicate to the server which content and media types can be accepted. Examples of the "Accept:" header include:


Accept: */*                                 Accept anything
Accept: text/plain; text/html               Accept plain text and HTML
Accept: text/html; image/jpeg; image/bmp    Accept HTML and JPEG and bitmap images

The "Accept:" header is useful in the context of content switching to be able to determine the capabilities of a particular client. If the client browser cannot accept images, for example, the request can be directed to a server optimized to deliver text-only versions of the Web pages.

The "Host:" Header
One of the main problems in the original HTTP/1.0 specification was that a user's request as typed into the browser (e.g., http://www.foocorp.com/index.html) would not contain the host (www.foocorp.com) element in the GET request sent to the server. This represents a problem if virtual hosting is used within a Web server farm, where the server is potentially hosting multiple Web sites and needs to use this host information to determine which path and page the user is requesting.

Within the HTTP/1.1 specification, and subsequently in many new HTTP/1.0 browsers, support was added for the "Host:" header. This allows the user's requested URL, typed into the browser, to be converted into a GET request containing the full path and filename along with the host from which the content is being fetched. The following is an example of translating a full URL into its component parts.

URL : http://www.foocorp.com/directory/somewhere/page.html
GET /directory/somewhere/page.html HTTP/1.0\r\n
Host: www.foocorp.com

The "Host:" header has many uses within content switching, examples of which are shown in Chapter 6, Content-Aware Server Load Balancing.
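As an added example (not code from the chapter), the translation above done in code: the URL is split into the components of Figure 3-1, turned into the GET request line plus Host header, and the Host header is then read back out of the raw request the way a content switch routing to virtual hosts would. The function names are ours; the URL is the chapter's own example.

```python
"""Added example (not from the chapter): URL -> GET request with Host header,
and Host extraction from a raw request. Function names are our own."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_url(url):
    """Break a URL into the components of Figure 3-1: scheme, host,
    optional port, path (with query) and optional fragment."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or incomplete URL: %r" % url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        # An empty path is still sent as "/" on the request line.
        "path": (parts.path or "/") + ("?" + parts.query if parts.query else ""),
        "fragment": parts.fragment,  # a reference point within the page; never sent
    }


def build_get_request(url, version="1.1", user_agent=None):
    """Return the raw GET request for `url` as text with CRLF line endings,
    Host header included, ending with the blank line that closes the headers."""
    c = split_url(url)
    host = c["host"]
    # A non-default port travels in the Host header, e.g. Host: www.foocorp.com:8080
    if c["port"] != DEFAULT_PORTS[c["scheme"]]:
        host = "%s:%d" % (host, c["port"])
    lines = ["GET %s HTTP/%s" % (c["path"], version), "Host: " + host]
    if user_agent:
        lines.append("User-Agent: " + user_agent)
    return "\r\n".join(lines) + "\r\n\r\n"


def host_from_request(raw):
    """What a content switch does: pull the Host header out of a raw request
    so it can be routed to the right virtual host. Returns None for an
    HTTP/1.0-style request that carries no Host header."""
    head, _, _ = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return None
```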

The "User-Agent:" Header
The "User-Agent:" header indicates to the server the type of browser being used by the client. The "User-Agent:" header is useful in the context of content switching as it can be used to determine the browser type used by the client and direct the request to a resource offering content optimized for such a browser. The following is an example of the "User-Agent:" header.

User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0; Windows NT 5.0)

Cookies: The HTTP State Management Mechanism
As we'll see in later chapters, one of the biggest challenges in HTTP environments, whether content switched or not, is maintaining some form of client-side state that enables Web servers and intermediary devices to recognize the client session and understand the current status of the user session. This issue was tackled in RFC 2109, which defined the use of the Set-Cookie and Cookie HTTP headers used to set and use the cookies, respectively. In HTTP, cookies take the form of a small piece of text information that is implanted into the user's browser either permanently or temporarily. The term cookie is commonly used in computing to describe an opaque piece of information held during a session and, unfortunately, seems to have no more interesting origin than that. Once the back-end server has implanted the cookie into the user's browser, the information can be used for a number of different applications ranging from content personalization, user session persistence for online shopping, and the collection of demographic and statistical information on Web site usage.

The server issuing a Set-Cookie header in any HTTP response can post a cookie to the client at any time during an HTTP session. This Set-Cookie header has the following syntax:
Set-Cookie: <name>=<value>; expires=<date>; path=<path>; domain=<domain>; secure


The name and value fields are the only ones that are mandatory when issuing a cookie. As the name suggests, these define the name of the cookie and its value, such as UserID=Phil, for example. The expires field identifies, down to the second, the date and time on which a cookie will expire and be deleted from the client computer. The path and domain fields indicate the domain, such as www.foocorp.com, and the URL, such as /home/brochures/, for which the cookie should be used. Both of these options can effectively be wildcarded by specifying foocorp.com to match www.foocorp.com and intranet.foocorp.com, for example. Finally, the secure field indicates to the client that the cookie should only be used when a secure connection (SSL-secured HTTP or HTTPS) is used between the client and server. Figure 3-4 shows the interaction between a client and server as two different cookies are inserted and used.

Figure 3-4. The interaction between a client and a server when two different cookies are implanted and used.

The following code shows the HTTP responses from the server in more detail. Note that the second cookie includes the Path field, which will limit the use of the cookie to URLs requested by the user that include the string /docs.

Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: UserID=Phil
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n

Hypertext Transfer Protocol
HTTP/1.1 200 OK\r\n
Set-Cookie: UserType=Gold; Path=/docs
Connection: Keep-Alive\r\n
Content-Type: text/html\r\n
\r\n

The mechanism that governs whether a cookie is permanent (i.e., stored on the hard disk of the user's machine) or temporary (i.e., removed once the user closes the browser application) is the Expires field in the Set-Cookie header. If the server does not issue an Expires directive when implanting the cookie, it is considered temporary, whereas if the Expires directive is used, then the cookie will be stored on the client machine until the expiry date has passed.

Cookies are by far one of the most useful additions made to the HTTP specifications, and as we'll see in later chapters can be used in conjunction with content switching to enable a whole host of new experience-enhancing services.
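As an added example (not code from the chapter), a minimal cookie jar that applies the Set-Cookie rules just described: name and value mandatory, Expires deciding between a temporary and a permanent cookie, domain suffix and path scoping, and secure restricting the cookie to HTTPS. Function names are ours; the default path rule (directory of the URL that set the cookie) is taken from RFC 2109, and the two cookies in the test are the ones from the responses above.

```python
"""Added example (not from the chapter): parse Set-Cookie and decide which
cookies a client sends for a given URL. Function names are our own."""
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone
from urllib.parse import urlsplit


def parse_set_cookie(header_value, request_host, request_path="/"):
    """Parse one Set-Cookie value into a dict. A missing domain defaults to the
    host that set the cookie; a missing path defaults to the directory of the
    request URL (RFC 2109 behaviour)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie header")
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie needs name=value: %r" % header_value)
    cookie = {
        "name": name.strip(), "value": value.strip(), "expires": None,
        "domain": request_host.lower(),
        "path": request_path.rsplit("/", 1)[0] or "/",
        "secure": False,
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val.strip())
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def is_persistent(cookie):
    """No Expires means the cookie lives only until the browser closes."""
    return cookie["expires"] is not None


def domain_matches(cookie_domain, host):
    """foocorp.com matches www.foocorp.com and intranet.foocorp.com."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(cookie_path, request_path):
    """Path=/docs covers /docs and anything below it, but not /docsearch."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar, url, now=None):
    """Return the Cookie header value the client should send for url, or None."""
    now = now or datetime.now(timezone.utc)
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path or "/"
    chosen = []
    for c in jar:
        if c["expires"] is not None and c["expires"] <= now:
            continue  # expired: the client would already have deleted it
        if not domain_matches(c["domain"], host) or not path_matches(c["path"], path):
            continue
        if c["secure"] and u.scheme != "https":
            continue  # secure cookies travel only over SSL-secured HTTP
        chosen.append("%s=%s" % (c["name"], c["value"]))
    return "; ".join(chosen) or None
```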

HTTP Further Reading
It is outside the scope of this book to cover the HTTP protocol in its entirety; the RFC for HTTP/1.1 alone is over 160 pages. For more in-depth detail on the protocol, it's worth looking at the following RFCs:

RFC 1945 Hypertext Transfer Protocol HTTP/1.0
RFC 2068 Hypertext Transfer Protocol HTTP/1.1
RFC 2109 HTTP State Management Mechanism

File Transfer Protocol (FTP)
In Internet terms, the File Transfer Protocol, or FTP, has been around for a long time. First defined in RFC 172, written in June 1971, the protocol has been through several changes through to the current specification, which is defined in RFC 959. Again, while it's not the purpose of this book to describe every detail about FTP, it's worth looking at its basic operation to get a better understanding of how content switching can improve performance and reliability in FTP environments.

FTP Basics
FTP exists primarily for the transfer of data between two endpoints. The RFC itself actually states that two of the objectives of the protocol are to "promote the sharing of files" and "transfer data reliably and efficiently." FTP differs from HTTP fundamentally as it is an application made up of two distinct TCP connections:


Control connection: This TCP-based connection is used to provide a communications channel for the delivery of commands and replies. This is effectively the mechanism that enables the user to tell the server which file is being requested, which directory it is in, and so forth.

Data connection: The second TCP-based connection is used for the actual transfer of user data. Once the Control connection has been used to exchange information on which file is required, the Data connection is used to transfer the file between the client and server.

Using these two communication connections, two distinct modes of operation determine in which direction the connections are established: Active mode and Passive mode.

Active Mode FTP
Within an Active FTP session, the Control connection is established from the client to the server, with the Data connection established back from the server to the client. In order to do this, the client issues a PORT command to the server that contains the IP address and source and destination TCP ports that should be used during the Data connection. Figure 3-5 shows the life cycle of an Active FTP session.

Figure 3-5. An active FTP session example.

As we can see from Figure 3-5, once the user has logged on with a valid username and password, the very first "data" that is passed (in this case, a directory listing) is carried using a separate data channel. The format for communicating the IP and TCP information of the data channel is as follows:


PORT [Octet 1],[Octet 2],[Octet 3],[Octet 4], [TCP Port 8 Bytes],[TCP Port 8 Bytes]

Therefore, in the preceding example, the PORT command of PORT 10,10,10,10,15,199 equates to IP address 10.10.10.10 and TCP port 4039 [(15 * 256) + 199].

In some instances, Active FTP can be considered a security risk, mainly because there is often little control over the contents of the PORT command. Under normal usage, this information should be the IP address and listening TCP port of the client waiting for the Data connection. When used maliciously, however, the client could issue PORT commands with IP addresses and TCP ports of other machines, either within the same network as the server or remotely. Many Application layer firewalls and proxies, or firewalls with support for FTP command parsing, can be used to reduce the effectiveness of such attacks. One alternative is to implement the second method of FTP: Passive mode FTP.

Passive Mode FTP
Passive mode FTP works similarly to Active mode FTP with one major exception: both the Control and Data connections within a Passive mode FTP session are established from the client to the server. To implement this, rather than use the PORT command, Passive mode FTP implements the PASV command, which instructs the server that it should listen for the incoming Data connection. Figure 3-6 shows the Passive mode FTP in more detail.

Figure 3-6. A Passive FTP session example.

In Figure 3-6, we can see that rather than the client dictating the parameters of the Data connection, it simply requests this information from the server. Similarly to the PORT command in Active mode, the server's RESPONSE to the PASV request from the client can be interpreted as follows:


RESPONSE 227 (10,10,10,10,41,38)

which means open from client to server on IP address 10.10.10.10 and TCP port 10534 [(41 * 256) + 38].
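As an added example (not code from the chapter), the PORT and 227 arithmetic above in code, together with the check an FTP-aware firewall or proxy applies to Active mode: the address in a PORT command has to be the client that owns the Control connection, and the port must not be a privileged one. Function names are ours; the values are the chapter's.

```python
"""Added example (not from the chapter): decode FTP PORT commands and 227
PASV replies, and validate PORT the way an FTP-parsing firewall does.
Function names are our own."""
import re

# Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2: four address octets
# followed by the high and low byte of the TCP port.
_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_host_port(text):
    """'10,10,10,10,15,199' -> ('10.10.10.10', 15 * 256 + 199). Rejects values
    over 255, which an attacker-controlled PORT could otherwise smuggle in."""
    m = _SIX_NUMBERS.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 sequence in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def parse_port_command(line):
    """Active mode: 'PORT 10,10,10,10,15,199' -> ('10.10.10.10', 4039)."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    return decode_host_port(args)


def parse_pasv_reply(line):
    """Passive mode: '227 ... (10,10,10,10,41,38)' -> ('10.10.10.10', 10534)."""
    if not line.strip().startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return decode_host_port(line)


def port_command_allowed(line, control_peer_ip, min_port=1024):
    """The Active Mode section's mitigation: accept a PORT command only if it
    points back at the control connection's peer and at an unprivileged port,
    so the server cannot be made to open data connections to third parties."""
    try:
        ip, port = parse_port_command(line)
    except ValueError:
        return False
    return ip == control_peer_ip and port >= min_port
```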

FTP Further Reading


For further information on the detailed workings of FTP, it's worth looking at RFC 959.

Real Time Streaming Protocol (RTSP)
In the modern Internet, applications are required to deliver value. One of the biggest conundrums in recent years has been the battle to actually make the Internet a viable platform for making money. As we'll see throughout the course of this book, one of the biggest drivers for delivering on the "Gold Rush" promise of Internet technologies is content. Making content attractive to end consumers to the point where they are willing to pay is a big challenge and one that has been aided by the delivery of Application layer protocols such as RTSP, which enables the delivery of real-time video and audio in variable qualities. The other Application layer protocols we've looked at so far in this chapter work in a request/response manner, whereby the client asks for some piece of content, the content is delivered using TCP or UDP, and then the client application can display the content to the user. While these mechanisms are suitable for a large number of applications in the Internet, there also exists a requirement to deliver content, be it images, audio, video, or a combination of all three, in real time. Imagine if a user were to try to watch a full-screen video file of a one-hour movie using HTTP or FTP as the Application layer protocol. The movie file might be several hundred megabytes, if not several gigabytes, in size. Even with modern broadband services deliverable to the home, this type of large file size does not fit well in the "download then play" model we saw previously.

RTSP uses a combination of reliable transmission over TCP (used for control) and best-efforts delivery over UDP (used for content) to stream content to users. By this, we mean that the file delivery can start and the client-side application can begin displaying the audio and video content before the complete file has arrived. In terms of our one-hour movie example, this means that the client can request a movie file and watch a "live" feed similar to how one would watch a TV. Along with this "on demand" type service, RTSP also enables the delivery of live broadcast content that would not be possible with traditional download-and-play type mechanisms.

The Components of RTSP Delivery
During our look at RTSP, we'll use the term to describe a number of protocols that work together in delivering content to the user.

RTSP
RTSP is the control protocol for the delivery of multimedia content across IP networks. It is based typically on TCP for reliable delivery and has a very similar operation and syntax to HTTP. RTSP is used by the client application to communicate to the server information such as the media file being requested, the type of application the client is using, the mechanism of delivery of the file (unicast or multicast, UDP or TCP), and other important control information commands such as DESCRIBE, SETUP, and PLAY. The actual multimedia content is not typically delivered over the RTSP connection(s), although it can be interleaved if required. RTSP is analogous to the remote control of the streaming protocols.

Real Time Transport Protocol (RTP)
RTP is the protocol used for the actual transport and delivery of the real-time audio and video data. As the delivery of the actual data for audio and video is typically delay sensitive, the lighter-weight UDP protocol is used as the Layer 4 delivery mechanism, although TCP might also be used in environments that suffer higher packet loss. The RTP flow when delivering the content is unidirectional from the server to the client. One interesting part of the RTP operation is that the source port used by the server when sending the UDP data is always even, although it is dynamically assigned. The destination port (i.e., the UDP port on which the client is listening) is chosen by the client and communicated over the RTSP control connection.

Real Time Control Protocol (RTCP)
RTCP is a complementary protocol to RTP and is a bidirectional UDP-based mechanism to allow the client to communicate stream quality information back to the object server. The RTCP UDP communication always uses the next UDP source port up from that used by the RTP stream, and consequently is always odd. Figure 3-7 shows how the three protocols work together.

Figure 3-7. The three main application protocols used in real-time streaming.


RTSP Operation
The RTSP protocol is very similar in structure, and specifically syntax, to HTTP. Both use the same URL structure to describe an object, with RTSP using the rtsp:// scheme rather than the http://. RTSP, however, introduces a number of additional headers (such as DESCRIBE, SETUP, and PLAY) and also allows data transport out of band and over a different protocol, such as RTP described earlier. The best way to understand how the components described previously work together to deliver an audio/video stream is to look at an example. The basic steps involved in the process are as follows:

1. The client establishes a TCP connection to the server, typically on TCP port 554, the well-known port for RTSP.
2. The client will then commence issuing a series of RTSP header commands that have a similar format to HTTP, each of which is acknowledged by the server. Within these RTSP commands, the client will describe to the server details of the session requirements, such as the version of RTSP it supports, the transport to be used for the data flow, and any associated UDP or TCP port information. This information is passed using the DESCRIBE and SETUP headers and is augmented on the server response with a Session ID that the client, and any transitory proxy devices, can use to identify the stream in further exchanges.
3. Once the negotiation of transport parameters has been completed, the client will issue a PLAY command to instruct the server to commence delivery of the RTP data stream.
4. Once the client decides to close the stream, a TEARDOWN command is issued along with the Session ID instructing the server to cease the RTP delivery associated with that ID.

Example RTSP with UDP-Based RTP Delivery
Let's consider an example interaction where the client and server will use a combination of TCP-based RTSP and UDP-based RTP and RTCP to deliver and view a video stream. In the first step, the client will establish a TCP connection to port 554 on the server and issue an OPTIONS command showing the protocol version used for the session. The server acknowledges this with a 200 OK message, similar to HTTP.

C->S  OPTIONS rtsp://video.foocorp.com:554 RTSP/1.0
      Cseq: 1

S->C  RTSP/1.0 200 OK
      Cseq: 1

Next, the client issues a DESCRIBE command that indicates to the server the URL of the media file being requested. The server responds with another 200 OK acknowledgment and includes a full media description of the content, which is presented in either Session Description Protocol (SDP) or Multimedia and Hypermedia Experts Group (MHEG) format.

C->S  DESCRIBE rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
      Cseq: 2

S->C  RTSP/1.0 200 OK
      Cseq: 2
      Content-Type: application/sdp
      Content-Length: 210

      <SDP Data...>

In the third stage of the RTSP negotiation, the client issues a SETUP command that identifies to the server the transport mechanisms, in order of preference, the client wants to use. We won't list all of the available transport options here (the RFC obviously contains an exhaustive list), but we'll see the client request RTP over UDP on ports 5067 and 5068 for the data transport. The server responds with confirmation of the RTP over UDP transport mechanism and the client-side ports and includes the unique Session ID and server port information.

C->S  SETUP rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
      Cseq: 3
      Transport: rtp/udp;unicast;client_port=5067-5068

S->C  RTSP/1.0 200 OK
      Cseq: 3
      Session: 12345678
      Transport: rtp/udp;client_port=5067-5068;server_port=6023-6024

Finally, the client is now ready to commence the receipt of the data stream and issues a PLAY command. This simply contains the URL and Session ID previously provided by the server. The server acknowledges this PLAY command, and the RTP stream from the server to client will begin.


C->S  PLAY rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
      Cseq: 4
      Session: 12345678

S->C  RTSP/1.0 200 OK
      Cseq: 4

Once the client decides that the stream can be stopped, a TEARDOWN command is issued over the RTSP connection referenced only by the Session ID. The server again acknowledges this and the RTP delivery will cease.

C->S  TEARDOWN rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
      Cseq: 5
      Session: 12345678

S->C  RTSP/1.0 200 OK
      Cseq: 5

Figure 3-8 shows this example in a simplified graphic form.

Figure 3-8. An example of RTSP in action with the video and audio data being delivered over a separate UDP-based RTP stream.

Other Options for Data Delivery
In certain scenarios, the best-effort, dynamic port methods of UDP-based RTP, as described previously, are not suitable. Some environments might consider the allocation of dynamic source and destination UDP ports through firewalls to be something they can live happily without. Moreover, just the nature of the Layer 1 and Layer 2 transport mechanisms underlying the data delivery might not be suited to non-guaranteed UDP traffic. In either instance, RTSP allows for the negotiation of the RTP delivery of the media data to be interleaved into the existing TCP connection.

When interleaving, the client-to-server SETUP command has the following format:

C->S  SETUP rtsp://video.foocorp.com:554/streams/example.rm RTSP/1.0
      Cseq: 3
      Transport: rtp/avp/tcp; interleaved=0-1

The changeover in the preceding example is in the transport description. First, the transport mechanisms have changed to show that the RTP delivery must be over TCP rather than UDP. Second, the addition of the interleaved option shows that the RTP data should be interleaved and use channel identifiers 0 and 1: 0 will be used for the RTP data and 1 will be used for the RTCP messages. To confirm the transport setup, the server will respond with confirmation and a Session ID as before:

S->C  RTSP/1.0 200 OK
      Cseq: 3
      Session: 12345678
      Transport: rtp/avp/tcp; interleaved=0-1

The RTP and RTCP data can now be transmitted over the existing RTSP TCP connection with the server using the 0 and 1 identifiers to represent the relevant channel.

One further delivery option for RTP and RTCP under RTSP is to wrap the delivery of all media streaming components inside traditional HTTP frame formats. This removes most barriers presented when using streaming media through firewalled environments, as even the most stringent administrator will typically allow HTTP traffic to traverse perimeter security. While HTTP and RTSP interleaved delivery of the streamed media data will make the content available to the widest possible audience, when you consider the overhead of wrapping all RTP data inside either an existing TCP stream or, worse still, inside HTTP, it is the least efficient method for delivery. To enable the streaming media client browser to cope with the different options described previously, most offer the client users the ability to configure their preferred delivery mechanism or mechanisms, and the timeout that should be imposed in failing between them. What you will see from a client perspective is that the client application will first request that the stream be delivered using RTP in UDP, and if the stream does not arrive within x seconds (as it is potentially being blocked by an intermediate firewall), it will fail back to using RTP interleaved in the existing RTSP connection.
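As an added example (not code from the chapter), a parser for the RTSP replies shown in the UDP-based exchange and in the interleaved variant above: it validates a SETUP reply the way a client or an RTSP-aware proxy would (CSeq must echo the request, a Session ID must be present) and decodes the Transport header in both forms, client_port/server_port for RTP over UDP and interleaved=0-1 for RTP in the RTSP TCP connection. The even-RTP/odd-RTCP convention from the RTP and RTCP sections is reported as a warning rather than a rejection. Function names are ours; the replies in the test are the chapter's.

```python
"""Added example (not from the chapter): parse RTSP responses and Transport
headers for UDP and interleaved-TCP delivery. Function names are our own."""
import re


def parse_rtsp_response(raw):
    """Split 'RTSP/1.0 200 OK\\r\\nCseq: 3\\r\\n...\\r\\n\\r\\n<body>' into
    version, status, reason, headers (names lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"RTSP/(\d\.\d) (\d{3}) ?(.*)", lines[0])
    if not m:
        raise ValueError("bad RTSP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"version": m.group(1), "status": int(m.group(2)),
            "reason": m.group(3), "headers": headers, "body": body}


def _pair(spec):
    """'5067-5068' -> (5067, 5068); a single number is used for both."""
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi)) if hi else (int(lo), int(lo))


def parse_transport(value):
    """Decode 'rtp/udp;unicast;client_port=5067-5068;server_port=6023-6024'
    or 'rtp/avp/tcp; interleaved=0-1' into a dict."""
    fields = [f.strip() for f in value.split(";")]
    spec = fields[0].lower()
    t = {"protocol": spec,
         "mode": "tcp-interleaved" if spec.endswith("/tcp") else "udp",
         "unicast": "unicast" in [f.lower() for f in fields[1:]]}
    for f in fields[1:]:
        key, _, val = f.partition("=")
        key = key.strip().lower()
        if key == "client_port":
            t["client_rtp"], t["client_rtcp"] = _pair(val)
        elif key == "server_port":
            t["server_rtp"], t["server_rtcp"] = _pair(val)
        elif key == "interleaved":  # channel ids inside the RTSP TCP stream
            t["rtp_channel"], t["rtcp_channel"] = _pair(val)
    return t


def check_setup_reply(raw, expected_cseq):
    """Validate a SETUP reply: 200, CSeq echoes the request, Session and
    Transport present. Returns None if not acceptable, otherwise the session,
    the decoded transport and any warnings about the UDP port convention."""
    r = parse_rtsp_response(raw)
    h = r["headers"]
    if r["status"] != 200 or h.get("cseq") != str(expected_cseq):
        return None
    if "session" not in h or "transport" not in h:
        return None
    t = parse_transport(h["transport"])
    warnings = []
    if t["mode"] == "udp":
        for side in ("client", "server"):
            rtp, rtcp = t.get(side + "_rtp"), t.get(side + "_rtcp")
            if rtp is None:
                warnings.append("no %s_port in Transport" % side)
            elif rtp % 2 or rtcp != rtp + 1:
                warnings.append("%s RTP port %d should be even with RTCP on %d"
                                % (side, rtp, rtp + 1))
    return {"session": h["session"], "transport": t, "warnings": warnings}
```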

RTSP and RTP Further Reading


For further information on the RTSP and RTP protocols, RFCs 2326 and 1889, respectively, are a good source.

Secure Sockets Layer (SSL)
The final protocol we'll look at in this chapter is neither a Layer 4 transport protocol nor an Application layer protocol, but one that sits between these layers to provide security services to many modern Internet applications. Secure Sockets Layer, or SSL, has been one of the major forces in Internet security technology since its inception by Netscape Communications, and continues to be included in all major browsers. This has enabled Web application developers to deliver secure content and services using traditional HTTP servers with few changes required in terms of the setup of the basic server or restructuring of the HTML content. The other major advantage of the integration of SSL into all major browsers is its transparency to the user. SSL typically gets used without the knowledge of the client, other than the appearance of a small padlock in the corner of the browser window, thus meaning that no additional level of expertise is required to use Internet applications with this security. Figure 3-9 shows a browser that is currently using SSL.

Figure 3-9. A Web browser will typically use SSL when instructed by the Web site with little or no input required by the user. The use of SSL can be seen by the inclusion of a small padlock in the browser.

While the most common implementation of SSL is within Web browsers, creating the application protocol hybrid known as HTTPS, it should be remembered that it is a transparent protocol available to any TCP/IP-based application. Along with HTTPS, other common SSL-secured protocols include SMTPS and TelnetS.

The Need for Application Security
The need for security within Internet applications is clear: the Internet is still a public network with little or no security infrastructure designed to protect all users. Imagine using the online services of your favorite bank. Passing important data such as your bank account number, password, and balance across the Internet using only HTTP represents a huge personal security risk, as the data is potentially visible to any device sitting between your browser and the bank's Web site. SSL can be used very effectively to hide all of the application data as it traverses the Internet to prevent anybody snooping the connection from reading personal data, a process referred to as encryption.

The second important feature provided by SSL for Internet applications is authentication; in other words, the ability for the client to be able to distinguish the Web site as valid. Imagine in our previous bank example if another rogue site were to masquerade as the bank's Web site. This might allow the rogue site to intercept the personal and banking details of thousands of customers, not a welcome situation. SSL provides mechanisms to implement authentication as a way for each side to identify itself to the other.

The final security element that is provided by SSL is tamper detection. Imagine finally that someone were to sit between the client and the bank's Web site and change certain pieces of data as they pass back and forth. This would give the opportunity to alter key personal and banking data and potentially set up fraudulent transactions. SSL provides mechanisms for each side to ensure that the Application layer data being sent and received has not changed in any way as it traverses the Internet.

For the Internet to continue to grow, not only in size, but also as a credible medium for business and commerce, it must be able to provide mechanisms such as SSL as a way to guarantee security.

Fitting SSL into the Seven Layer Model
In the concepts of the OSI Seven Layer Model as we saw in Chapter 2, Understanding Layer 2, 3, and 4 Protocols, SSL sits between the Application layer and the Transport layer, traditionally seen as part of the Presentation layer. This means that the use of SSL is selectively performed by each application rather than as a whole with encryption based in IPSec. This gives the client machine the ability to run secure services for certain applications only, while remaining impartial to the underlying Layer 3 and 4 services below. In comparison, IPSec, for example, can operate in a tunneling mode, which means that all traffic flowing to or from a particular address or range of addresses is encrypted right down to the IP layer. Within SSL, only the Application layer data is encrypted. Figure 3-10 shows the presence of SSL in the OSI model.

Figure 3-10. Where SSL sits in the OSI model in comparison to IPSec.


Encryp onandCryptography
Theprocess ofencryp onanddecryp onfundamentallymeanstotakesomesourcedata,transformittoastatewhereitcannotberead byanyoneelse,andthentransformitbacktoits originalstate,thus renderingitreadableoncemore.This approachrequires theuseof twoimportantelements:theCryptographicAlgorithm,orcipher,andakey.Acipheris amathema calformulaorfunc onthatisapplied eithertotheoriginaldata(toencrypt)ortothetransformeddata(todecrypt).Onethingalways remains true,howeverthecipherused toencryptthedatamustalsobeusedtodecryptattheotherend.Toenablethis commonalityinanetworksuchas theInternetwhere thereareenormous numbersofpoten alclientserverconnec oncombina ons,aseries ofstandardciphers havebeendevelopedover mesuchas DataEncryp onStandard(DES)andRC4. Astheseciphers arewellknown,theyrelyonthesecondelementtointroducesomeformofrandomfactortotheprocess,knownas a key.Theuseofakey,orseriesofkeys,gives theciphertheabilitytoencryptthedatainsuchawaysoas nottobedecryptedeasily.Ifyou weretoencryptasimplesentenceusinganalgorithmthatis widelyknown,itwouldbearela velysimpletasktorunthedatathroughthe samealgorithmandarriveattheanswer.Theuseofakeymeans thatinordertodecryptthedata,therecipientmustknowboththe appropriateciphertouseandthekeyusedtoencryptthedataoriginally. Thiscombina onofcipherandkeyforms thebasicpremiseofmoderncryptography:Decryp onwiththeknownkeyis simple,but decryp onwithoutthekeyis extremelydicultandinmostcasescomputa onallyimpossible.SSLuses acombina onoftwobasic encryp ontechniques,symmetrickeyencryp onandpublickeyencryp on.

Symmetric Key Encryption
With symmetric key encryption, both sides use the same key value to perform both the encryption and the decryption. Figure 3-11 shows a simple graphical representation of symmetric key encryption.

Figure 3-11. With symmetric key encryption, both the encryption and decryption use the same key.

Symmetric key encryption has a number of advantages and disadvantages. First, performing this type of encryption and decryption is computationally inexpensive, which means that the performance of applications using symmetric keys is generally better. On the downside, if the shared key is compromised on either side, the security of the encryption between the parties is broken. Moreover, the process of sharing a single shared key between two sides wanting to use symmetric key encryption can be cumbersome. Imagine two Internet-based users wishing to communicate: they must first share a key before they can encrypt and transmit data. This in itself is a major headache, as the key cannot simply be sent in clear text over the Internet for fear of being captured. SSL uses symmetric key encryption for bulk encryption, that is, the encryption of all Application layer data, but it employs a very clever technique to arrive at a common shared key: public key or asymmetric key encryption.

Public Key or Asymmetric Key Encryption
As its name suggests, public key or asymmetric key encryption uses two different keys to perform encryption and decryption, respectively. These keys are known as the public and private keys and are mathematically linked to one another. The mathematics of public key encryption are different from those in symmetric key encryption, as any data encrypted using the public key cannot be easily decrypted using the public key, and similarly with the private key. For public key encryption to work correctly, the client must encrypt using the public key and the server must decrypt using the private key. As a result, the security of the public key is largely irrelevant, and it is commonly available. In SSL terms, the public key is carried in a certificate; more on that later. The security of the private key, however, is of utmost importance, and typically the private key will never leave the server for which it was generated, for fear of compromising the security of the key pair. Therefore, in summary, if you encrypt with the widely available public key, the resulting data can only be decrypted using the corresponding private key. Figure 3-12 shows a simple representation of public key encryption.

Figure 3-12. In asymmetric key or public key encryption, any data encrypted using the easily available public key can only be decrypted using the corresponding private key.

This approach affords public key encryption a couple of key advantages. First, the combination of corresponding, mathematically linked keys means that once the data has been encrypted, it can only be decrypted by the holder of the private key. Second, as the public key can be transmitted in clear text to the intended receiver, it is well suited to large-scale, public networks such as the Internet. The main downside of public key encryption is that it is computationally expensive, thus rendering it unsuitable for situations in which large volumes of data must be encrypted. Above all, the security of the private key is paramount; if it is lost or compromised, the entire premise on which the process is built is broken.

SSL: Combining Symmetric and Asymmetric Encryption
Therefore, on the one hand we have a symmetric encryption mechanism that is computationally cheap but does not scale well to large numbers of users, and on the other we have a computationally expensive algorithm which does scale well due to its concept of public keys. The answer in terms of SSL is to use a combination of both of these mechanisms to achieve the result we're looking for. The aim of combining the two methods is to allow for encrypted access from anywhere by anyone. The process uses asymmetric encryption to initialize the connection, and then uses symmetric encryption to provide a secure communication channel for the duration of the conversation.

When communications begin, the client creates a random number whose length is determined by the encryption strength required. This large random number will effectively form the shared secret key for the symmetric encryption that will be used to exchange application data. The client encrypts this random number with the server's public key and sends the encrypted version to the server. The asymmetric encryption at this stage ensures that only the private key can decrypt the data. Once decrypted, this random number is used as the symmetric key for the duration of the conversation, as each party now holds a common key. The beauty of this process is that the actual secret keys (the random numbers) never traverse the connection in clear form, thus minimizing the chance of their being intercepted. Figure 3-13 shows this combination of symmetric and public key encryption as used by SSL.

Figure 3-13. SSL uses a combination of public key encryption to exchange the symmetric key and symmetric encryption to encrypt the bulk application data.
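The exchange just described, as an added example that is not from the book: a Go program (standard library only) in which the server owns an RSA key pair, the client generates a random 256-bit number and encrypts it under the server's public key, the server recovers it with its private key, and both sides then use that number as the key for AES-GCM bulk encryption of application data. RSA-OAEP and AES-GCM are the concrete algorithms chosen for this illustration; the book does not name them, and the function and type names are assumptions of this example. The block also checks the two failure modes the text implies: a different private key cannot recover the number, and a record altered in transit is rejected rather than decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// GenerateServerKeyPair plays the server, which owns a private key whose
// public half is published (in SSL, inside the server certificate).
func GenerateServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientKeyExchange is the client's step: create a random number (here 32
// bytes, a 256-bit key) and encrypt it under the server's public key so that
// only the holder of the private key can recover it. RSA-OAEP is the padding
// scheme chosen for this illustration (assumption, not the book's).
func ClientKeyExchange(serverPub *rsa.PublicKey) (clearKey, encryptedKey []byte, err error) {
	clearKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, clearKey); err != nil {
		return nil, nil, err
	}
	encryptedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, clearKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return clearKey, encryptedKey, nil
}

// ServerRecoverKey is the server's step: decrypt the random number with the
// private key. Any other private key fails the OAEP check and returns an error.
func ServerRecoverKey(serverPriv *rsa.PrivateKey, encryptedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, encryptedKey, nil)
}

// BulkCipher is the symmetric side of the session: AES-256-GCM keyed with the
// exchanged random number, used by both parties for the application data.
type BulkCipher struct{ aead cipher.AEAD }

// NewBulkCipher derives the same bulk cipher on whichever side holds the key.
func NewBulkCipher(key []byte) (*BulkCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &BulkCipher{aead: aead}, nil
}

// Seal encrypts and authenticates one record; the random nonce is prepended.
func (b *BulkCipher) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return b.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record produced by Seal and rejects any modification to it.
func (b *BulkCipher) Open(record []byte) ([]byte, error) {
	n := b.aead.NonceSize()
	if len(record) < n {
		return nil, errors.New("record too short")
	}
	return b.aead.Open(nil, record[:n], record[n:], nil)
}

func main() {
	serverPriv, err := GenerateServerKeyPair()
	if err != nil {
		panic(err)
	}
	clientKey, encKey, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	serverKey, err := ServerRecoverKey(serverPriv, encKey)
	if err != nil {
		panic(err)
	}
	client, _ := NewBulkCipher(clientKey)
	server, _ := NewBulkCipher(serverKey)
	record, _ := client.Seal([]byte("GET /index.html HTTP/1.1")) // constructed sample request
	plain, err := server.Open(record)
	fmt.Printf("encrypted key: %d bytes; server read %q (err=%v)\n", len(encKey), plain, err)
}
```

SSL itself wraps this idea in a handshake with its own message authentication; the block shows only the key-transport step and the bulk cipher that follows it, which is the part the paragraph above describes.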

Encryption Algorithms
There are many encryption algorithms in use, and each provides a different level of encryption, depending on the degree of security required. Earlier algorithms used 40-bit keys, which with today's computing power can typically be cracked within a few hours. The longer the key, the harder it is to crack. All algorithms work in conjunction with a secret key to create the encryption. In the case of SSL, this secret key is the randomly generated number. Common encryption algorithms used today are DES, 3DES, and AES.

Certificates
Now that we've seen the importance of passing the public key within SSL, let's look at the mechanism used to undertake this. Certificates are used in SSL to perform two key functions: first, they provide a level of authentication, potentially for both sides, and second, they provide a standard format in which to pass the public key to the requester. Certificates are like digital passports that can authenticate an organization to a user on connection to its site. Two types of certificates can be used: a server certificate and a client certificate. In a typical SSL environment, only the server certificate is used. This is so that the server (or site) can authenticate who it is on the initial client request and pass the public key. Remember, it is the client that initiates the connection and asks for the certificate to be sent. This allows an organization to publish its services, and even though the users cannot see where they are going (e.g., there is no storefront or actual physical structure), they know they have connected to the site based on the server certificate issued.

While we agree that this could be spoofed in theory, one has to question the rationality of this. It requires that the private key be retrieved, DNS entries for that site be hijacked or updated to the new address, and all of this needs to happen without the existing site becoming aware of it. This is highly unlikely in an age where security is a number one agenda item, and a highly active site would be immediately aware of a site failure or attack. In addition, a user must actually make a credit card payment to this fraudulent site. If this did happen, it would have to be to a site that is not well monitored and actively trading, and therefore very rarely visited, which in turn makes the exercise superfluous, as no huge revenue or loss of reputation would be achieved by the hacker.

Typically, the receipt of a server certificate is all that is required to begin a secure connection with a site. In some cases, the site also wants to ensure that the users are who they say they are. This is certainly a requirement in business-to-business transactions where companies want to be able to control access to their site, especially when access to sensitive information or large sums of money are involved.
Client certificates are used to provide client-side authentication. These certificates, normally derived from the server certificate, are loaded onto the user's machine, and on connection, the server will request the certificate to be sent to it to authenticate the user. As each certificate will have a unique identifier, this can be used to track access. Should connectivity no longer be permitted or required, then this unique identifier can also be used to revoke access to the specific site.


Having the ability to provide client and server authentication builds a very compelling case for SSL deployment. Figure 3-14 is an example of what a certificate looks like, followed by the associated private key. Certificates such as these can be easily copied and pasted into a security appliance. Note that the private key shown in the figure is itself passphrase-protected, as its Proc-Type and DEK-Info headers indicate; the passphrase is needed before the key can be used.

Certificate Authorities
Certificate authorities (CAs) are like the passport control of the SSL world. They confirm that a site is what it says it is, as they have signed the certificate. Many organizations act as CAs and sign certificates on behalf of sites. These organizations are often seen as respected businesses or, in some cases, quasi-government type departments such as a post office or telecommunications provider. The largest ones around today are dedicated to providing a certificate signing function, such as Verisign, Entrust, and Thawte. By default, Web browsers have a list of accepted CAs, which is checked when a site is accessed. If the CA is not present, the browser will display a message asking if this certificate should be accepted. Adding or deleting CAs can be done by users within their favorite browser. Certificates have the ability to be chained. This means that a certificate can be trusted if it has a link or chain back to the original issuer whom you trust. This method is transparent to the user and is handled by the SSL protocol.

Figure 3-14. Sample of a public certificate and private key. As you can see, it is merely clear text and can be easily copied.

-----BEGIN CERTIFICATE-----
IFtTCCBR6gAwIBAgIEN0sJFTANBgkqhkiG9w0BAQQFADCBwzELMAkGA1UEB
VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnV
ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1U
LmVudHJ1c3QubmV0L0NQUyBpbmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAs
THChjKSAxOTk5IEVudHJ1c3QubmV0IExpbWl0ZWQxOjA4BgNVBAMTVudHJ1c3QubmV0IFNlY3Vy
ZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkDjAMBgNVBAMTBUNSTDEyMCygKqAohiZ
odHR3QubmV0
L0NSTC9zZXJ2ZXIxLmNybDAfBgNVHSMEGDAWgBTwF2ITVT2z/woAa/tQhJfz7WLQGjAdBgNVHQ4
EFgQU3Rc4WmXyFuApzKBZCUyzwqoO6jkwCQYDVR0TBAgkqhkiG9n0HQQAEDDAKGwRWNC4wAwIDq
DANBgkqhkiG9w0BAQQFAAOBgQBbSMGk6BtJ7g6UzC4hL1nJZYQldua3ot6K7EstAu6pBiE0DhAG
JKm0tCrS16h
KGMpIDE5OTkgRW50cnVzdC5uZXQffffltaXRlZDE6MDgGA1UEAxMxRW50cn
ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0
MDgxNjA4MjdaFw0wMjAxMDgxNjM4MjdaMH4xCzAJBgNVBAYTAlNFMRIwEAY
EwlTdG9ja2hvbG0xEjAQBgNVBAcTCVN0b2NraG9sbTEUMBIGA1UEChMLQmx
aWwgQUIxFDASBgNVBAsTC0RldmVsb3BtZW50MRswGQYDVQQDExJ2aXAyYS5
dGFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALctVjRkmPJ
FsI/oo1Xh0yJqyC/Vl2tWS3ujM8lSqCA9afq8cqfcRN5cWcelix5oEbaz5e
GdtLVWqBHw09As3w1AyZsdiSUpdOFNdjPhv9IC9S13y7zCzr0SyS/u7l1c4
c3QubmV0L2NwczCBwAYIKwYBBQUHAgIwgbMwEhYLRW50cnVzdC5uZXQwAwI
9TsMAFHBudxPK58IPkKUSpdxZvg7AgMBAAGjggL4MIIC9DCCAQcGA1UdIAS
/DCB+QYJKoZIhvZ9B0sCMIHrMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LnEVudHJ1c3QubmV0IE
NQUyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlLiBUayBjb250YWlucyBsaW1pdGF0aW9ucyBvb
iB3YXJyYW50aWVzIGFuZCBsaWFi
aWxpdGllcy4gIENvcHlyaWdodCAoYykgMTk5OSBFbnRydXN0Lm5ldCAgd3d
dHJ1c3QubmV0L2NwczALBgNVHQ8EBAMCBaAwKwYDVR0QBCQwIoAPMjAwMTA
NjM4MjdagQ8yMDAxMDkyMTA0MzgyN1owEQYJYIZIAYb4QgEBBAQDAgZAMBM
JQQMMAoGCCsGAQUFBwMBMIIBHQYDVR0fBIIBFDCCARAwgd+ggdyggdmkgdY
CzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtFbnRy5ldDE7MDkGA1UECxMyd3d3
/wWqspaKSNsWfqc0AWFfgKznJJmnxsyThudodg5iTM1Nfr93aD2P/3qPMxSSEm/T/
uOKBaLPLVd3dmjPc/0v1AU48dc0hgx6VhqX98poLiHJAHg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9BCDFA41DAC78C8D

+AsRro1zm2vlV0deB0kw9geWpMJoLOz67sdb8+8E2Pal5hZC1asZapwHGXOAgqeQfUb6VZKy+2H
zjz8Nw6I3xcAyi7xnF1YYRJxlz7sA+5ACBSAYvZGZRXF7jyTXomIITrwPt40V9uGldjFmwAd6e1
k1qxKi2T6qtzdVeYZhz27+njtMkDa1PVdJWbcLFyLMRZAUp5Ubu8mIUgkReyMSPMdn6bjmf7hKE
3jbT/REnICiDcLe3SZzXes8mckUOOV++dBD+orBxeU8dkB59ivWE/WlAP4cf1wOPS/
B1yzFsHqlbyqlvtfxjF472vU4V0JLOe0RQ5NyVqw09N/NHrgBHce6JgwEHfmgfRr/
P2RFYvwhs1wUvKVgOOK8KxHdRgNMGshFWMOGmrWV82dO0pywC25Xlq1GiC6vglwHxvzfSr4pnYv
5VcgDzfkvsYJCVpTiWYiS522Svb0Ln3Gyx55JgIdlaMVhZUCmdbRqH6KFoWyr0Ud+++6PbI+HWb
VPBpifrqyj3LDnuPTRTDkwy7WlzggXXY1TbdO8XY7KrhgpcBpN4amILANhcZG/
-----END RSA PRIVATE KEY-----

SSL in Action


Let's see the combination of cipher suites, keys, algorithms, and certificates in action as we run through an example SSL session. When enabling SSL on services on your server, you will first need to create a private and public key pair and a corresponding certificate. This process is automatically initiated on most Web servers and will result in the creation of what is known as a certificate signing request, or CSR. This CSR, containing the public key, should be forwarded to the chosen CA for signing and, once completed, imported back into the Web server. A point to note here is that the private key must stay private; if it were available, someone could easily masquerade as your site, because the public key is just that, public. With the private and public key pair, all encrypted traffic can be decrypted. But let's get back to the CSR. The CSR needs to be sent to a CA, who will sign it and return it to you for you to validate your domain name. We must point out here that a certificate is tied to a domain name and not an IP address. This domain name needs to be resolved to the address of the server in order to work. Once complete, the Web site can be ready for use, and all that is required is that the servers have the SSL service running.

Now we are ready to begin the actual SSL setup as illustrated in Figure 3-15. Let's look at the steps in more detail, remembering that certain message types within the SSL protocol are used to determine specific requests:

1. Once the client has established a TCP session on port 443 with the server, the client sends a client hello message. This client hello includes information such as the cipher suites that it supports.
2. The server selects the cipher suite from the list presented and responds with a server hello indicating to the client the ciphers it deems suitable. The client and the server have now agreed on a cipher suite to use.
3. The server then issues the client a copy of its certificate (remember that this certificate also contains the public key). Optionally, the server may request a copy of the client's certificate if client-side authentication is required.
4. Next, the server sends a server hello done message to tell the client it has completed the first phase of the session setup. As there is no key yet, this process is carried out in clear text.
5. The client now generates a random number, encrypts it with the server's public key, and sends the server the client key. This process is known as the client key exchange. This is the symmetric key that will be used for the duration of the symmetric encryption session. Communication from here on is encrypted.
6. The client now sends a change cipher spec message to the server to say it will now begin using the negotiated cipher suite (determined in step 2) for the duration of the session.
7. Once this is done, the client sends a finished message to the server to say that it is ready.
8. The server, in turn, sends a change cipher spec message to the client using the agreed information. The server also sends out a finished message on completion.
9. A secure encrypted tunnel is now set up, and communication can begin using the symmetric encryption details negotiated.

Figure 3-15. SSL session setup is a computationally intensive process that we need to offload to increase network performance.

One key piece of information in this exchange, which we will see has relevance in content switching in later chapters, is the SSL Session ID. This is a random identifier agreed by both sides when first initiating the SSL session to the server, and it is used to uniquely identify the tunnel they have established. One option available to the client during the negotiation process described previously is to reuse a set of agreed ciphers and keys by including the Session ID in the client hello it sends to the server. Provided that the server is configured to allow this type of session reuse, it will skip the need to swap the symmetric key and thus bypass the big number arithmetic needed, in turn speeding up the process. The SSL Session ID can be read in clear text, as it is not passed encrypted between client and server.
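To tie together the certificate and key material of Figure 3-14, the CA signing described under Certificate Authorities, the session setup steps above, and the session reuse just discussed, here is an added example in Go (standard library only; it is not the book's code). It creates a self-signed root CA, has that CA sign a server certificate for the constructed host name www.example.test, prints the certificate in PEM form, and then runs TLS 1.2 handshakes over an in-memory pipe with the client trusting only that root. TLS 1.2 is pinned because its message flow matches the nine steps listed above; Go reuses sessions through session tickets rather than a server-side Session ID cache, but the effect on the second handshake (no new key exchange, DidResume set) is the same. All function and type names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Identity is a certificate plus its private key, PEM-encoded as in Figure 3-14.
type Identity struct {
	CertPEM, KeyPEM []byte
	cert            *x509.Certificate
	key             *rsa.PrivateKey
}

// issue generates an RSA key pair and a certificate for it: self-signed when issuer
// is nil (our stand-in root CA), otherwise signed by issuer, as a CA signs a site's CSR.
func issue(tmpl *x509.Certificate, issuer *Identity) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return &Identity{CertPEM: certPEM, KeyPEM: keyPEM, cert: cert, key: key}, nil
}

// NewCA builds a self-signed root: the "passport control" the client will trust.
func NewCA(name string) (*Identity, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// IssueServerCert has the CA sign a certificate for host; it is tied to the domain
// name (the SAN), not to an IP address.
func IssueServerCert(ca *Identity, host string) (*Identity, error) {
	return issue(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// NewPeers gives the server its certificate and key, and the client a trust store
// holding only trustedRoot. TLS 1.2 is pinned so the flow matches the steps above;
// reuse the same two configs for later handshakes to allow session reuse.
func NewPeers(server, trustedRoot *Identity, host string) (*tls.Config, *tls.Config, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot.cert)
	kp := tls.Certificate{Certificate: [][]byte{server.cert.Raw}, PrivateKey: server.key}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{kp}, MinVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{
		RootCAs: roots, ServerName: host,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // enables session reuse
	}
	return srvCfg, cliCfg, nil
}

// Handshake runs one session setup over an in-memory pipe and returns what the
// client negotiated (version, cipher suite, whether the session was resumed).
func Handshake(srvCfg, cliCfg *tls.Config) (tls.ConnectionState, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	srv, cli := tls.Server(sConn, srvCfg), tls.Client(cConn, cliCfg)
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), <-srvErr
}

func main() {
	ca, _ := NewCA("Example Root CA")
	site, _ := IssueServerCert(ca, "www.example.test") // constructed host name
	srvCfg, cliCfg, _ := NewPeers(site, ca, "www.example.test")
	st, err := Handshake(srvCfg, cliCfg)
	fmt.Printf("%sversion=%#x suite=%#x resumed=%v err=%v\n", site.CertPEM, st.Version, st.CipherSuite, st.DidResume, err)
}
```

Calling Handshake a second time with the same two configs completes without a new key exchange and reports DidResume as true. Swapping a different CA into the client's trust store makes the handshake fail at the certificate step with an unknown authority error; that is the same check a browser performs against its list of accepted CAs.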

SSL Summary
SSL is a standards-based encryption and authentication mechanism widely used within the Internet today. While by far the most common implementations use HTTP as the Application layer protocol, SSL can be used to secure other applications. As we'll see in later chapters, the inclusion of SSL as a security mechanism for modern Web sites creates yet another part of the puzzle of content switching.

Summary


As with our coverage of Layer 2, 3, and 4 protocols, there are many other more detailed books covering the Application layer protocols we saw in this chapter. Hopefully, however, this chapter has served to give a better understanding of the ways in which TCP, UDP, and IP can be combined to provide application services, all optionally wrapped in SSL for greater security. Equipped with this understanding, we can begin to understand the concepts of content switching and put the techniques to use to solve many of the scalability problems of modern IP networks.
2012 Pearson Education, Inc. All rights reserved. 800 East 96th Street, Indianapolis, Indiana 46240
