Operating Systems and Networks
Network Lecture 12: Application Layer
Adrian Perrig, Network Security Group, ETH Zürich

Where we are in the Course
• Starting the Application Layer!
  – Builds distributed “network services” (DNS, Web) on Transport services
[Figure: protocol stack: Application, Transport, Network, Link, Physical]
Recall
• Application layer protocols are often part of an “app”
  – But don’t need a GUI, e.g., DNS
[Figure: HTTP app at user level; TCP/IP inside the OS; 802.11 on the NIC]
Recall (2)
• Application layer messages are often split over multiple packets
  – Or may be aggregated in a packet…
[Figure: one HTTP message carried across several 802.11 / IP / TCP packets]

Application Communication Needs
• Vary widely with app; must build on Transport services

  Application   Needs                                                         Transport
  DNS           Short, reliable request/reply exchanges                       UDP
  Web           Series of variable length, reliable request/reply exchanges   TCP
  Skype         Real-time (unreliable) stream delivery                        UDP
  (DNS row annotation: Message reliability!)
  (See Book for more)
OSI Session/Presentation Layers
• Remember this? Two relevant concepts…
  – Application: Provides functions needed by users
  – Presentation: Converts different data representations
  – Session: Multiple sessions between same src-dst
  – Transport: Provides end-to-end delivery
  – Network: Sends packets over multiple links
  – Link: Sends frames of information
  – Physical: Sends bits as signals
• But consider part of the application, not strictly layered!
Session Concept
• A session is a series of related network interactions in support of an application task
  – Often informal, not explicit
• Examples:
  – Web page fetches multiple images
  – Skype call involves audio, video, chat

Presentation Concept
• Apps need to identify the type of content, and encode it for transfer
  – These are Presentation functions
• Examples:
  – Media (MIME) types, e.g., image/jpeg, identify the type of content
  – Transfer encodings, e.g., gzip, identify content encoding
  – Application headers are often simple and readable versus packed for efficiency
Topics
• This lecture:
  – Evolving Internet applications
  – DNS (Domain Name System)
  – HTTP (HyperText Transfer Protocol)
  – Web proxies and caching
  – Content Distribution Networks
  – Peer-to-peer (BitTorrent)
• Real-time applications (VoIP) – See Book

Evolution of Internet Applications
• Always changing, and growing…
[Figure: traffic timeline 1970–2010: File Transfer (FTP), Email (SMTP), News (NNTP), Telnet, Secure Shell (ssh), Web (HTTP), Web (CDNs), P2P (BitTorrent), Web (Video), ???]

Evolution of Internet Applications (2)
• For a peek at the state of the Internet:
  – Akamai’s State of the Internet Report (quarterly)
  – Cisco’s Visual Networking Index
  – Mary Meeker’s Internet Report
• Robust Internet growth, esp. video, wireless and mobile
  – Most traffic is video, will be 90% of Internet in a few years
  – Wireless traffic will soon overtake wired traffic
  – Mobile traffic is still a small portion (15%) of overall
  – Growing attack traffic from China, also U.S. and Russia
Domain Name System (DNS) (§7.1.1-7.1.3)
• The DNS (Domain Name System)
  – Human-readable host names, and more
  – Part 1: the distributed namespace
[Figure: a host asks the network “www.uw.edu?” and gets back 128.94.155.135]

Names and Addresses
• Names: higher-level (user-understandable) resource identifiers
• Addresses: lower-level resource locators
  – Multiple levels, e.g., full name → email → IP address → Ethernet address
• Resolution (or lookup): mapping a name to an address
[Figure: Directory lookup. Name, e.g. “Andy Tanenbaum,” or “flits.cs.vu.nl” → Address, e.g. “Vrije Universiteit, Amsterdam” or IPv4 “130.30.27.38”]
Before the DNS – HOSTS.TXT
• Directory was a file HOSTS.TXT regularly retrieved for all hosts from a central machine at the NIC (Network Information Center)
• Names were initially flat, became hierarchical (e.g., lcs.mit.edu) ~1985
• Neither manageable nor efficient as the ARPANET grew…

DNS
• A naming service to map between host names and their IP addresses (and more)
  – www.uwa.edu.au → 130.95.128.140
• Goals
  – Easy to manage (especially with multiple parties)
  – Efficient (good performance, few resources)
• Approach
  – Distributed directory based on a hierarchical namespace
  – Automated protocol to tie pieces together

TLDs (Top-Level Domains)
• Run by ICANN (Internet Corp. for Assigned Names and Numbers)
  – Starting in ‘98; naming is financial, political, and international
• 22+ generic TLDs
  – Initially .com, .edu, .gov, .mil, .org, .net
  – Added .aero, .info, .museum, etc. from ’01 through .xxx in ’11
  – Different TLDs have different usage policies
• ~250 country code TLDs
  – Two letters, e.g., “.au”, plus international characters since 2010
  – Widely commercialized, e.g., .tv (Tuvalu)
  – Many domain hacks, e.g., instagr.am (Armenia), goo.gl (Greenland)
DNS Zones (2)
• Zones are the basis for distribution
  – EDU Registrar administers .edu
  – UW administers washington.edu
  – CS&E administers cs.washington.edu
• Each zone has a nameserver to contact for information about it
  – Zone must include contacts for delegations, e.g., .edu knows nameserver for washington.edu

DNS Resource Records
• A zone is comprised of DNS resource records that provide information about its domain names

  Type    Meaning
  SOA     Start of authority, has main zone parameters
  A       IPv4 address of a host
  AAAA    (“quad A”) IPv6 address of a host
  CNAME   Canonical name for an alias
  MX      Mail exchanger for the domain
  NS      Nameserver of domain or delegated subdomain
DNS Resolution
• DNS protocol lets a host resolve any host name (domain) to IP address
• If unknown, can start with the root nameserver and work down zones
• Let’s see an example first…

Iterative vs. Recursive Queries
• Recursive query
  – Nameserver completes resolution and returns the final answer
  – E.g., flits → local nameserver
• Iterative query
  – Nameserver returns the answer or who to contact next for the answer
  – E.g., local nameserver → all others

Iterative vs. Recursive Queries (2)
• Recursive query
  – Lets server offload client burden (simple resolver) for manageability
  – Lets server cache over a pool of clients for better performance
• Iterative query
  – Lets server “file and forget”
  – Easy to build high load servers
Caching
• Resolution latency should be low
  – Adds delay to web browsing
• Cache query/responses to answer future queries immediately
  – Including partial (iterative) answers
  – Responses carry a TTL for caching
[Figure: nameserver with a cache; query out, response back]

Caching (2)
• flits.cs.vu.nl now resolves eng.washington.edu
  – And previous resolutions cut out most of the process
[Figure: 1: query from flits to the local nameserver (for cs.vu.nl), whose cache says “I know the server for washington.edu!”; 2: query to the UW nameserver (for washington.edu); 3: eng.washington.edu answer back to the local nameserver; 4: eng.washington.edu answer to flits]
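The iterative walk from the root down the zones, and the cache that lets the second lookup skip most of it, as an added example in Python (not the lecture's code). The zone data, server names (root, edu-server, uw-server), TTLs and the two addresses under washington.edu are constructed for the example; a simulated clock is passed in so TTL expiry can be observed. The local nameserver answers its client recursively but queries the other servers iteratively, caching both final answers and partial (referral) answers.

```python
"""Toy iterative resolver with a TTL cache (added example, not the lecture's
code).  Zone contents, server names, TTLs and addresses are constructed."""

# Constructed authoritative data: server -> {(name, type): (ttl, value)}.
# An NS record for a zone the server delegates is returned as a referral.
SERVERS = {
    "root":       {("edu.", "NS"): (172800, "edu-server")},
    "edu-server": {("washington.edu.", "NS"): (86400, "uw-server")},
    "uw-server":  {("eng.washington.edu.", "A"): (300, "128.95.155.135"),
                   ("www.washington.edu.", "A"): (300, "128.95.155.134")},
}

def authoritative_answer(server, qname, qtype):
    """Iterative reply from one server: the answer if it has it, else a
    referral (NS record) for the most specific zone it delegates that
    contains qname, else None."""
    zone = SERVERS[server]
    if (qname, qtype) in zone:
        ttl, value = zone[(qname, qtype)]
        return ("answer", qname, qtype, ttl, value)
    labels = qname.split(".")
    for i in range(1, len(labels)):            # longest suffix first
        suffix = ".".join(labels[i:])
        if (suffix, "NS") in zone:
            ttl, ns = zone[(suffix, "NS")]
            return ("referral", suffix, "NS", ttl, ns)
    return None

class LocalNameserver:
    """Recursive toward its clients, iterative toward everyone else."""
    def __init__(self):
        self.cache = {}            # (name, type) -> (expires_at, value)
        self.queries_sent = 0      # total queries to other servers

    def cached(self, name, qtype, now):
        entry = self.cache.get((name, qtype))
        if entry and entry[0] > now:
            return entry[1]
        self.cache.pop((name, qtype), None)    # expired or absent
        return None

    def resolve(self, qname, now, qtype="A"):
        """Return (value, number of queries this resolution needed)."""
        hit = self.cached(qname, qtype, now)
        if hit is not None:
            return hit, 0
        # Start at the most specific zone whose nameserver is still cached,
        # falling back to the root.  This is the "partial answer" reuse.
        labels = qname.split(".")
        server = "root"
        for i in range(1, len(labels)):
            ns = self.cached(".".join(labels[i:]), "NS", now)
            if ns:
                server = ns
                break
        sent = 0
        while True:
            reply = authoritative_answer(server, qname, qtype)
            sent += 1
            self.queries_sent += 1
            if reply is None:
                raise LookupError(qname)
            kind, name, rtype, ttl, value = reply
            self.cache[(name, rtype)] = (now + ttl, value)   # honour the TTL
            if kind == "answer":
                return value, sent
            server = value                                   # follow referral

if __name__ == "__main__":
    ns = LocalNameserver()
    print(ns.resolve("eng.washington.edu.", now=0))      # 3 queries: root, edu, uw
    print(ns.resolve("www.washington.edu.", now=10))     # 1 query: uw only
```

With the washington.edu referral cached, the second name under that zone costs one query instead of three; once that referral's TTL has passed but the .edu referral has not, resolution restarts at the .edu server rather than at the root.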
Local Nameservers
• Local nameservers typically run by IT (enterprise, ISP)
  – But may be your host or AP
  – Or alternatives e.g., Google public DNS
• Clients need to be able to contact their local nameservers
  – Typically configured via DHCP

Root Nameservers
• Root (dot) is served by 13 server names
  – a.root-servers.net to m.root-servers.net
  – All nameservers need root IP addresses
  – Handled via configuration file (named.ca)
• There are >250 distributed server instances
  – Highly reachable, reliable service
  – Most servers are reached by IP anycast (Multiple locations advertise the same IP! Routes take the client to the closest one. See §5.2.9)
  – Servers are IPv4 and IPv6 reachable

Root Server Deployment
[Figure: world map of root server instances. Source: http://www.root-servers.org. Snapshot on 27.02.12. Does not represent current deployment.]
DNS Protocol
• Query and response messages
  – Built on UDP messages, port 53
  – ARQ for reliability; server is stateless!
  – Messages linked by a 16-bit ID field
[Figure: client sends Query with ID=0x1234; server returns Response with ID=0x1234; time runs downward]

DNS Protocol (2)
• Service reliability via replicas
  – Run multiple nameservers for domain
  – Return the list; clients use one answer
  – Helps distribute load too
[Figure: “NS for uw.edu?” answered with A, B, C; client may use A, B or C]

DNS Protocol (3)
• Security is a major issue
  – Compromise redirects to wrong site!
  – Not part of initial protocols..
• DNSSEC (DNS Security Extensions)
  – Long under development, now partially deployed
(Um, security??)
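The query/response exchange on the DNS Protocol slide and the resource-record types from the table, as an added Python example (not the lecture's code). It builds the wire-format query a host would send on UDP port 53, constructs a reply the way a server would (same 16-bit ID, echoed question, A records using a name-compression pointer), and parses it. The names and addresses are the slides' own (www.uw.edu, 128.94.155.135); the reply bytes are constructed here. On the security point of DNS Protocol (3): the parser refuses a reply whose ID does not match, which is the only linkage the original protocol gives a client, and it bounds compression-pointer hops so a malformed message cannot make it loop; authenticity of the records themselves is what DNSSEC, not the ID, is for.

```python
"""Minimal DNS query builder and response parser (added example; not the
lecture's code).  All byte strings here are constructed by hand."""
import os
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 28: "AAAA"}

def encode_name(name):
    """'www.uw.edu' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=None):
    """Standard query with RD=1; returns (txid, message bytes)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off, max_hops=8):
    """Decode a possibly compressed name at msg[off]; returns (name, next offset).
    Pointer hops are bounded so a looping pointer raises instead of hanging."""
    labels, jumped, next_off, hops = [], False, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                next_off = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (next_off if jumped else off)

def parse_response(msg, expected_id):
    """Parse a response; reject it unless it carries the ID of our query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:                       # A: four address bytes
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                # NS / CNAME: a (compressible) name
            value, _ = decode_name(msg, off - rdlen)
        else:
            value = rdata.hex()
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"rcode": flags & 0xF, "records": records}

def build_response(query, answers):
    """Constructed server reply: same ID, echoed question, one A record per
    (ip, ttl), each naming the owner via a pointer to offset 12 (the question)."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = b""
    for ip, ttl in answers:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)
        body += bytes(int(x) for x in ip.split("."))
    return header + question + body

if __name__ == "__main__":
    txid, q = build_query("www.uw.edu")
    r = build_response(q, [("128.94.155.135", 300)])
    print(parse_response(r, txid))
```

Sending `q` over a UDP socket to a nameserver and feeding the reply to `parse_response` is the whole client side; the server keeps no state between the two messages, which is why the client has to resend if no reply arrives.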
HTTP, the HyperText Transfer Protocol (§7.3.1-7.3.4)
• HTTP (HyperText Transfer Protocol)
  – Basis for fetching Web pages
[Figure: browser sends a request across the network to a server]

Sir Tim Berners-Lee (1955–)
• Inventor of the Web
  – Dominant Internet app since mid 90s
  – He now directs the W3C
• Developed Web at CERN in ‘89
  – Browser, server and first HTTP
  – Popularized via Mosaic (‘93), Netscape
  – First WWW conference in ’94…
[Photo. Source: By Paul Clarke, CC-BY-2.0, via Wikimedia Commons]
Web Protocol Context
• HTTP is a request/response protocol for fetching Web resources
  – Runs on TCP, typically port 80
  – Part of browser/server app
[Figure: browser (HTTP over TCP/IP over 802.11) sends an HTTP request; server (HTTP over TCP/IP over 802.11) returns the response]

Fetching a Web page with HTTP
• Start with the page URL:
  http://de.wikipedia.org/wiki/Chuchichäschtli
  (Protocol: http; Server: de.wikipedia.org; Page on server: /wiki/Chuchichäschtli)
• Steps:
  – Resolve the server to IP address (DNS)
  – Set up TCP connection to the server
  – Send HTTP request for the page
  – (Await HTTP response for the page)
  – Execute/fetch embedded resources/render
  – Clean up any idle TCP connections

Static vs Dynamic Web pages
• Static web page is content of a file, e.g., image
• Dynamic web page is the result of program execution
  – Javascript on client, PHP on server, or both
Evolution of HTTP
• Consider security (SSL/TLS for HTTPS) later
[Figure: timeline 1990–2010: HTTP 0.9; 1.0 developed, RFC 1945; SSL 2.0; Cookies, RFC 2068, 2109; 1.1 developed (persistent connections), RFC 2616; RFC 2965; proliferation of content types and browser/server scripting technologies; SPDY (HTTP 2.0)]
HTTP Protocol
• Originally a simple protocol, with many options added over time
  – Text-based commands, headers
• Try it yourself:
  – As a “browser” fetching a URL
  – Run “telnet www.scion-architecture.net 80”
  – Type “GET / HTTP/1.1” followed by “Host: www.scion-architecture.net” followed by a blank line
  – Server will return HTTP response with the page contents (or other info)

HTTP Get Result
$ telnet www.scion-architecture.net 80
Trying 129.132.85.42...
Connected to scion-architecture.net.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.scion-architecture.net

HTTP/1.1 200 OK
Date: Wed, 01 Jun 2016 21:04:24 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

3565
<!DOCTYPE HTML>
<html>...
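The telnet exercise above done in code, as an added Python example (not the lecture's code): build the same GET request (HTTP/1.1 requires the Host header and a blank line ends the request) and parse the response, including the chunked transfer encoding the session shows, where the `3565` line is the hexadecimal size of the first chunk. The `SAMPLE` response bytes are constructed to mirror that session's status line and headers with a shortened body; `fetch` performs the request over a real socket and is only called when you run the file.

```python
"""Build an HTTP/1.1 GET and parse a (chunked) response.  Added example, not
the lecture's code; SAMPLE is a constructed response modelled on the
telnet session above."""
import socket

def build_get(host, path="/"):
    """HTTP/1.1 request: method line, Host header, blank line terminator."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")

def decode_chunked(data):
    """Each chunk is '<hex size>[;ext]\\r\\n<bytes>\\r\\n'; size 0 ends the body."""
    body = bytearray()
    pos = 0
    while True:
        end = data.index(b"\r\n", pos)            # ValueError if truncated
        size = int(data[pos:end].split(b";")[0].strip(), 16)
        pos = end + 2
        if size == 0:
            return bytes(body)
        if len(data) < pos + size + 2:
            raise ValueError("truncated chunk")
        body += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += size + 2

def parse_response(raw):
    """Return (status code, headers dict with lower-case names, body bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, _, remainder = lines[0].partition(" ")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("bad status line")
    status = int(remainder.split(" ", 1)[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(rest)
    else:
        length = int(headers.get("content-length", "0"))
        if len(rest) < length:
            raise ValueError("truncated body")
        body = rest[:length]
    return status, headers, body

def fetch(host, port=80, path="/"):
    """The telnet exercise over a socket: send the request, read until close."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(build_get(host, path))
        parts = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            parts.append(data)
    return parse_response(b"".join(parts))

# Constructed response modelled on the session above (body shortened).
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Wed, 01 Jun 2016 21:04:24 GMT\r\n"
          b"Server: Apache/2.2.15 (Red Hat)\r\n"
          b"Transfer-Encoding: chunked\r\n"
          b"Content-Type: text/html; charset=UTF-8\r\n"
          b"\r\n"
          b"f\r\n<!DOCTYPE HTML>\r\n"      # 0xf = 15 bytes
          b"6\r\n<html>\r\n"               # 6 bytes
          b"0\r\n\r\n")                    # last chunk

if __name__ == "__main__":
    print(parse_response(SAMPLE))
    # print(fetch("www.scion-architecture.net"))   # needs network access
```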
HTTP Protocol (2)
• Commands used in the request

  Method    Description
  GET       Read a Web page (fetch page)
  HEAD      Read a Web page's header
  POST      Append to a Web page (upload data)
  PUT       Store a Web page
  DELETE    Remove the Web page
  TRACE     Echo the incoming request
  CONNECT   Connect through a proxy
  OPTIONS   Query options for a page

HTTP Protocol (3)
• Codes returned with the response

  Code   Meaning        Examples
  1xx    Information    100 = server agrees to handle client's request
  2xx    Success        200 = request succeeded; 204 = no content present
  3xx    Redirection    301 = page moved; 304 = cached page still valid
  4xx    Client error   403 = forbidden page; 404 = page not found
  5xx    Server error   500 = internal server error; 503 = try again later

HTTP Protocol (4)
• Many header fields specify capabilities and content
  – E.g., Content-Type: text/html, Cookie: lect=12-1-http

  Function                                 Example Headers
  Browser capabilities (client → server)   User-Agent, Accept, Accept-Charset, Accept-Encoding, Accept-Language
  Caching related (mixed directions)       If-Modified-Since, If-None-Match, Date, Last-Modified, Expires, Cache-Control, ETag
  Browser context (client → server)        Cookie, Referer, Authorization, Host
  Content delivery (server → client)       Content-Encoding, Content-Length, Content-Type, Content-Language, Content-Range, Set-Cookie
PLT (Page Load Time)
• PLT is the key measure of web performance
  – From click until user sees page
  – Small increases in PLT decrease sales
• PLT depends on many factors
  – Structure of page/content
  – HTTP (and TCP!) protocol
  – Network RTT and bandwidth

Early Performance (1)
• HTTP/1.0 uses one TCP connection to fetch each web resource
  – Made HTTP very easy to build
  – But gave fairly poor PLT…

Early Performance (2)
• Many reasons why PLT is larger than necessary
  – Sequential request/responses, even when to different servers
  – Multiple TCP connection setups to the same server
  – Multiple TCP slow-start phases
• Network is not used effectively
  – Worse with many small resources/page

Ways to Decrease PLT
1. Reduce content size for transfer
   – Smaller images, gzip
2. Change HTTP to make better use of available bandwidth (e.g., avoid TCP slow start)
3. Change HTTP to avoid repeated transfers of the same content
   – Caching, and proxies
4. Move content closer to client
   – CDNs [later]

Parallel Connections
• One simple way to reduce PLT
  – Browser runs multiple (8, say) HTTP instances in parallel
  – Server is unchanged; already handles concurrent requests for many clients
• How does this help?
  – Single HTTP wasn’t using network much…
  – So parallel connections aren’t slowed much
  – Pulls in completion time of last fetch
Persistent Connections
• Parallel connections compete with each other for network resources
  – 1 parallel client ≈ 8 sequential clients?
  – Exacerbates network bursts, and loss
• Persistent connection alternative
  – Make 1 TCP connection to 1 server
  – Use it for multiple HTTP requests

Persistent Connections (2)
[Figure: timelines comparing one request per connection, sequential requests per connection, and pipelined requests per connection]

Persistent Connections (3)
• Widely used as part of HTTP/1.1
  – Supports optional pipelining
  – PLT benefits depending on page structure, but easy on network
• Issues with persistent connections
  – How long to keep TCP connection?
  – Can it be slower? (Yes. But why?)
HTTP Caching and Proxies (§7.3.4, §7.5.2)
• HTTP caching and proxies
  – Enabling content reuse
[Figure: clients behind a proxy cache talking to a server]

Web Caching
• Users often revisit web pages
  – Big win from reusing local copy!
  – This is caching
• Key question:
  – When is it OK to reuse local copy?
[Figure: local copies held in a cache between the client and the server across the network]

Web Caching (2)
• Locally determine if copy is still valid
  – Based on expiry information such as “Expires” header from server
  – Or use a heuristic to guess (cacheable, freshly valid, not modified recently)
  – Content is then available right away
[Figure: cache answers locally without contacting the server]

Web Caching (3)
• Revalidate copy with remote server
  – Based on timestamp of copy such as “Last-Modified” header from server
  – Or based on content such as “ETag” header from server: Entity Tag, computed by server as a unique object identifier
  – Content is available after 1 RTT
[Figure: cache revalidates with the server across the network]
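The two decisions on the Web Caching (2) and (3) slides, as one added Python example (not the lecture's code): first decide locally whether the copy is still fresh (Cache-Control max-age, then Expires, then a heuristic based on how long ago the object was last modified), and only if it is not, revalidate with a conditional request that carries If-None-Match (ETag) or If-Modified-Since (Last-Modified) and costs one round trip. The origin server, its ETags, dates and bodies are constructed; the 10% heuristic fraction is an assumption of this example, not a value from the slides; a clock is passed in so the behaviour is deterministic.

```python
"""Freshness check and conditional revalidation for a web cache (added
example, not the lecture's code).  Dates, ETags and the origin are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

def http_date(dt):
    return format_datetime(dt, usegmt=True)      # e.g. Wed, 01 Jun 2016 21:04:24 GMT

def parse_date(s):
    return parsedate_to_datetime(s)

class CachedResponse:
    def __init__(self, body, headers, stored_at):
        self.body, self.headers, self.stored_at = body, dict(headers), stored_at

def is_fresh(entry, now):
    """Web Caching (2): decide locally.  Cache-Control max-age wins, then
    Expires, then a heuristic: reuse for 10% of the age since Last-Modified
    (constructed fraction).  Anything else is treated as stale."""
    for directive in entry.headers.get("Cache-Control", "").split(","):
        directive = directive.strip()
        if directive in ("no-store", "no-cache"):
            return False
        if directive.startswith("max-age="):
            return now - entry.stored_at < timedelta(seconds=int(directive[8:]))
    if "Expires" in entry.headers:
        return now < parse_date(entry.headers["Expires"])
    if "Last-Modified" in entry.headers:
        age_when_stored = entry.stored_at - parse_date(entry.headers["Last-Modified"])
        return now - entry.stored_at < age_when_stored / 10
    return False

def conditional_headers(entry):
    """Web Caching (3): validators for the revalidation request."""
    h = {}
    if "ETag" in entry.headers:
        h["If-None-Match"] = entry.headers["ETag"]
    if "Last-Modified" in entry.headers:
        h["If-Modified-Since"] = entry.headers["Last-Modified"]
    return h

def origin_server(req, current_etag, current_lm, current_body, now):
    """Constructed origin: 304 if the client's validator still matches, else 200."""
    if "If-None-Match" in req:
        unchanged = req["If-None-Match"] == current_etag     # content-based check
    elif "If-Modified-Since" in req:
        unchanged = parse_date(req["If-Modified-Since"]) >= current_lm
    else:
        unchanged = False
    if unchanged:
        return 304, {"Date": http_date(now), "ETag": current_etag}, b""
    return 200, {"Date": http_date(now), "ETag": current_etag,
                 "Last-Modified": http_date(current_lm)}, current_body

def fetch(cache, url, now, server):
    """Return (body, how) with how in {'fresh', 'revalidated', 'fetched'}."""
    entry = cache.get(url)
    if entry and is_fresh(entry, now):
        return entry.body, "fresh"                  # 0 RTT
    req = conditional_headers(entry) if entry else {}
    status, headers, body = server(req, now)        # 1 RTT
    if status == 304 and entry:
        entry.headers.update(headers)               # refresh validators
        entry.stored_at = now
        return entry.body, "revalidated"
    cache[url] = CachedResponse(body, headers, now)
    return body, "fetched"

if __name__ == "__main__":
    t0 = datetime(2016, 6, 1, 21, 4, 24, tzinfo=timezone.utc)
    state = {"etag": '"v1"', "lm": t0 - timedelta(days=10), "body": b"<html>v1</html>"}
    srv = lambda req, now: origin_server(req, state["etag"], state["lm"], state["body"], now)
    cache = {}
    for t in (t0, t0 + timedelta(hours=12), t0 + timedelta(days=2)):
        print(t, fetch(cache, "/", t, srv)[1])      # fetched, fresh, revalidated
```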
Web Proxies
• Place intermediary between pool of clients and external web servers
• Proxy caching
  – Clients benefit from larger, shared cache (other clients may have already accessed content)
  – Benefits limited by secure/dynamic per-client content, as well as “long tail” data access pattern
  – Enables application of organizational access policies
CDNs (Content Delivery Networks) (§7.5.3)
• CDNs (Content Delivery Networks)
  – Efficient distribution of popular content; faster delivery for clients
[Figure: content replicas serving consumers]

Context
• As the web took off in the 90s, traffic volumes grew and grew. This:
  1. Concentrated load on popular servers
  2. Led to congested networks and need to provision more bandwidth
  3. Gave a poor user experience
• Idea:
  – Place popular content near clients
  – Helps with all three issues above

Before CDNs
• Sending content from the source to 4 users takes 4 x 3 = 12 “network hops” in the example
[Figure: source reaching each of 4 users over 3 hops]

After CDNs (2)
• Benefits assuming popular content:
  – Reduces server, network load
  – Improves user experience (PLT)
[Figure: source feeds a replica, which serves the nearby users]
Popularity of Content
• Zipf’s Law: few popular items, many unpopular ones (“heavy tail” of probability distribution); both matter
[Figure: Zipf popularity (kth item is 1/k) against rank. Source: Wikipedia. Photo: George Zipf (1902-1950)]
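What the 1/k law means for a cache or replica, as an added Python example (not the lecture's code). `head_share` computes exactly what fraction of requests the `top` most popular items attract under Zipf(s); `simulate_hit_rate` draws a request stream from that law (fixed seed, constructed item count) and runs it through an LRU cache. The item counts, cache sizes and seed are constructed for illustration. The example goes slightly beyond the slide by taking the exponent s as a parameter; the slide's 1/k is s = 1.

```python
"""Zipf popularity and its effect on caching (added example, not the
lecture's code).  Item counts, cache sizes and the seed are constructed."""
import random

def zipf_probabilities(n, s=1.0):
    """P(rank k) proportional to 1/k**s for k = 1..n; the slide's law is s = 1."""
    weights = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def head_share(n, top, s=1.0):
    """Fraction of all requests that go to the `top` most popular of n items."""
    return sum(zipf_probabilities(n, s)[:top])

def simulate_hit_rate(n, cache_size, requests, seed=12, s=1.0):
    """Hit rate of an LRU cache holding `cache_size` of n items when the
    request stream follows Zipf(s).  Small caches still hit often because
    the head is so concentrated; the tail keeps the rate well below 1."""
    rng = random.Random(seed)
    stream = rng.choices(range(1, n + 1), weights=zipf_probabilities(n, s), k=requests)
    cache = []                         # least recently used at the front
    hits = 0
    for item in stream:
        if item in cache:
            hits += 1
            cache.remove(item)         # move to most-recent position below
        elif len(cache) >= cache_size:
            cache.pop(0)               # evict least recently used
        cache.append(item)
    return hits / requests

if __name__ == "__main__":
    n = 10_000
    print("top 1%% of items get %.0f%% of requests" % (100 * head_share(n, 100)))
    print("top 10%% of items get %.0f%% of requests" % (100 * head_share(n, 1000)))
    for size in (100, 1000):
        print("LRU cache of %d: hit rate %.2f" % (size, simulate_hit_rate(n, size, 20_000)))
```

With 10,000 items, the top 100 (1%) draw roughly half of all requests, which is why a replica of modest size pays off; the other half is spread over the tail, which is the "long tail" limit on proxy caching mentioned later and the reason both ends of the distribution matter.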
How to place content near clients?
• Use browser and proxy caches
  – Helps, but limited to one client or clients in one organization
• Want to place replicas across the Internet for use by all nearby clients
  – Done by clever use of DNS

Content Delivery Network (2)
• DNS resolution of site gives answer depending on client
  – Direct each client to the nearest replica (using IP geolocation)
[Figure: consumers resolving the site name and being directed to different replicas]

Business Model
• Clever model pioneered by Akamai
  – Placing site replica at an ISP is win-win
  – Improves site experience and reduces bandwidth usage of ISP
[Figure: replica inside the ISP serving its users]

The Future of HTTP
• The Future of HTTP
  – How will we make the web faster?
  – A brief look at some approaches
[Figure: browser request across the network]
Modern Web Pages
• Waterfall diagram shows progression of page load
[Figure: webpagetest tool for http://coursera.org (Firefox, 5/1 Mbps, from VA, 3/1/13)]

Modern Web Pages (2)
[Figure: same waterfall, annotated “Yikes! - 23 requests - 1 Mb data - 2.6 secs”]
• Waterfall and PLT depend on many factors
  – Very different for different browsers
  – Very different for repeat page views
  – Depends on local computation as well as network

Modern Web Pages (3)
[Figure: waterfall annotated “Yay! (Network used well)”]

Recent work to reduce PLT
• Pages grow ever more complex!
  – Larger, more dynamic, and secure
  – How will we reduce PLT?
1. Better use of the network
   – HTTP/2 effort based on SPDY
2. Better content structures
   – mod_pagespeed server extension

SPDY (“speedy”)
• A set of HTTP improvements
  – Multiplexed (parallel) HTTP requests on one TCP connection
  – Client priorities for parallel requests
  – Compressed HTTP headers
  – Server push of resources
• Now being tested and improved
  – Default in Chrome, Firefox
  – Basis for HTTP/2

mod_pagespeed
• Observation:
  – The way pages are written affects how quickly they load
  – Many books on best practices for page authors and developers
• Key idea:
  – Have server re-write (compile) pages to help them load quickly!
  – Apache mod_pagespeed is an example

mod_pagespeed (2)
• Apache server extension
  – Software installed with web server
  – Rewrites pages “on the fly” with rules based on best practices
• Example rewrite rules:
  – Minify Javascript
  – Flatten multi-level CSS files
  – Resize images for client
  – …and much more (100s of specific rules)
Peer-to-Peer Content Delivery (BitTorrent) (§7.5.4)
• Peer-to-peer content delivery
  – Runs without dedicated infrastructure
  – BitTorrent as an example
[Figure: peers exchanging content with each other]

Context
• Delivery with client/server CDNs:
  – Efficient, scales up for popular content
  – Reliable, managed for good service
• …but some disadvantages too:
  – Need for dedicated infrastructure
  – Centralized control/oversight

P2P (Peer-to-Peer)
• Goal is delivery without dedicated infrastructure or centralized control
  – Still efficient at scale, and reliable
• Key idea is to have participants (or peers) help each other
  – Initially Napster ‘99 for music (gone)
  – Now BitTorrent ‘01 onwards (popular!)

P2P Challenges
• No servers on which to rely
  – Communication must be peer-to-peer and self-organizing, not client-server
  – Leads to several issues at scale…
[Figure: peers with no server]

P2P Challenges (2)
1. Limited capabilities
   – How can one peer deliver content to all other peers?
2. Participation incentives
   – Why would peers help each other?
3. Decentralization
   – How will peers find content?

Overcoming Limited Capabilities
• Peer can send content to all other peers using a distribution tree
  – Typically done with replicas over time
  – Self-scaling capacity (more nodes → more capacity)
[Figure: distribution tree rooted at the source]

Providing Participation Incentives
• Peers play two roles:
  – Download() to help themselves, and upload() to help others
[Figure: peers downloading from and uploading to each other, starting at the source]

Providing Participation Incentives (2)
• Couple the two roles:
  – I’ll upload for you if you upload for me
  – Encourages cooperation
[Figure: paired upload/download between peers]

Enabling Decentralization
• Peer must learn where to get content
  – Use DHTs (Distributed Hash Tables)
• DHTs are fully-decentralized, efficient algorithms for a distributed index
  – Index is spread across all peers
  – Index lists peers to contact for content
  – Any peer can look up the index
  – Started as academic work in 2001
BitTorrent
• Main P2P system in use today
  – Developed by Cohen in ‘01
  – Very rapid growth, large transfers
  – Big fraction of Internet traffic
  – Used for legal and copyrighted content
• Delivers data using “torrents”:
  – Transfers files in pieces for parallelism
  – Notable for treatment of incentives
  – Tracker or decentralized index (DHT)
[Photo: Bram Cohen (1975–). By Jacob Appelbaum, CC-BY-SA-2.0, from Wikimedia Commons]

BitTorrent Protocol
• Steps to download a torrent:
  1. Start with torrent description
  2. Contact tracker to join and get list of peers (with at least seed peer)
     Or, use DHT index for peers
  3. Trade pieces with different peers
  4. Favor peers that upload to you rapidly; “choke” peers that don’t by slowing your upload to them

BitTorrent Protocol (5)
• DHT index (spread over peers) is fully decentralized
[Figure: DHT index spread across many peers]
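The distributed index described on the Enabling Decentralization slide and used as BitTorrent's decentralized peer index, as an added Python example (not the lecture's or BitTorrent's code). It is a Chord-style ring: peers and content keys are hashed onto a 2^24-position ring, the entry for a content key lives at the first peer clockwise from it, and any peer can reach that entry from its own successor and finger tables in O(log N) hops without a central server. Peer names, the ring size and the content key are constructed; only the constructor has a global view (to build the tables), lookups use each peer's local tables alone.

```python
"""Toy Chord-style DHT index (added example, not the lecture's or BitTorrent's
code).  Peer names, ring size and content keys are constructed."""
import hashlib

M = 24                                     # ring has 2**M positions

def ring_id(s):
    """Ring position: first 3 bytes of SHA-1 of a peer name or content key."""
    return int.from_bytes(hashlib.sha1(s.encode()).digest()[:3], "big")

def in_range(x, a, b):
    """True if x lies in the clockwise interval (a, b]; (a, a] is the whole ring."""
    if a < b:
        return a < x <= b
    return x > a or x <= b                 # interval wraps past position 0

class Peer:
    def __init__(self, name):
        self.name, self.id = name, ring_id(name)
        self.store = {}                    # key id -> names of peers holding the content
        self.successor = self
        self.fingers = []                  # fingers[k] = successor of (id + 2**k)

class DHT:
    def __init__(self, names):
        self.peers = sorted((Peer(n) for n in names), key=lambda p: p.id)
        if len({p.id for p in self.peers}) != len(self.peers):
            raise ValueError("two constructed names collide on the ring")
        self.by_name = {p.name: p for p in self.peers}
        n = len(self.peers)
        for i, p in enumerate(self.peers):          # global view, setup only
            p.successor = self.peers[(i + 1) % n]
            p.fingers = [self.successor_of((p.id + (1 << k)) % (1 << M)) for k in range(M)]

    def successor_of(self, x):
        """First peer at or clockwise after position x (global view)."""
        for p in self.peers:
            if p.id >= x:
                return p
        return self.peers[0]

    def lookup(self, start, key_id):
        """Route from peer `start` to the peer responsible for key_id using
        only each hop's local tables; returns (responsible peer, hops)."""
        node, hops = start, 0
        while True:
            if key_id == node.id:
                return node, hops
            if in_range(key_id, node.id, node.successor.id):
                return node.successor, hops + 1
            nxt = node.successor
            for f in reversed(node.fingers):        # closest preceding finger
                if f is not node and in_range(f.id, node.id, key_id):
                    nxt = f
                    break
            node, hops = nxt, hops + 1              # each hop at least halves the distance

    def announce(self, from_name, content, holder_name):
        """Any peer can add 'holder has content' to the index."""
        key = ring_id(content)
        node, hops = self.lookup(self.by_name[from_name], key)
        node.store.setdefault(key, []).append(holder_name)
        return node.name, hops

    def find(self, from_name, content):
        """Any peer can ask who holds content; returns (holders, hops)."""
        key = ring_id(content)
        node, hops = self.lookup(self.by_name[from_name], key)
        return list(node.store.get(key, [])), hops

if __name__ == "__main__":
    dht = DHT([f"peer{i}" for i in range(64)])
    print(dht.announce("peer3", "example-content-key", "peer3"))
    print(dht.find("peer40", "example-content-key"))
```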