The Design and Implementation of a SSL Proxy for Content Switch
Thesis Proposal
by
Ganesh Kumar Godavari
Department of Computer Science
Univ. of Colorado at Colorado Springs
9/26/2001
Godavari Thesis Proposal SSL Proxy
1
What is an SSL Proxy?
Where is SSL in the OSI Network Layer Model?
[Diagram: SSL sits above TCP in the protocol stack]
IXP12EB Setup in Lab
The board includes an Intel IXP1200 network processor,
running the VxWorks real-time embedded OS,
with the WindRiver IDE.
The SSL proxy will be developed on this network processor.
Goal of my Thesis
• Goal: Design an efficient SSL proxy that can
– Handle multiple SSL requests
– Handle session reusability
– Handle keep-alive sessions
and understand the porting issues to VxWorks on the IXP12EB.
• HTTPS is very slow compared to HTTP, so designing and
implementing an efficient proxy will be challenging.
• The SSL proxy will make routing decisions based on a set of
user-defined rules and on the IP address, TCP port number, URL,
HTTP headers, and the values of XML tags of the requests.
• Deliverables
– Design documentation for the SSL proxy.
– Source code for implementing the SSL proxy on Linux and
the IXP12EB.
– Working prototypes and their performance analysis.
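The routing rules described above operate on the request only after the proxy has terminated TLS, so the content switch sees the plaintext client IP, port, URL, headers and XML body. The following Python program is an added example, not code from the proposal: it parses a decrypted HTTP request and applies an ordered rule table that matches on each of the five attributes listed on the slide. The rule names, backend pool names, the sample requests and the XML tag used are all constructed for illustration.

```python
"""Rule-based content switching over a decrypted HTTPS request (added example).

The proxy terminates TLS, parses the plaintext HTTP request and picks a
backend from a first-match-wins rule table keyed on client IP, TCP port,
URL, HTTP headers and XML tag values. Rule table, backend names and sample
requests below are constructed for illustration, not taken from the proposal.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    client_ip: str
    dst_port: int
    method: str
    url: str
    headers: dict
    body: bytes


def parse_http_request(raw: bytes, client_ip: str, dst_port: int) -> Request:
    """Parse the plaintext HTTP request the proxy sees after TLS termination."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Body length is taken from Content-Length only; chunked bodies are not handled.
    length = int(headers.get("content-length", "0"))
    return Request(client_ip, dst_port, method, url, headers, body[:length])


def xml_tag_value(body: bytes, tag: str) -> Optional[str]:
    """Return the text of the first element named `tag`, or None if the body is not XML.

    Rule matching on untrusted XML should use a hardened parser (e.g. defusedxml)
    in production; the standard library parser is used here to keep the example
    self-contained.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag == tag:
        return root.text
    elem = root.find(f".//{tag}")
    return elem.text if elem is not None else None


@dataclass
class Rule:
    name: str
    backend: str
    client_net: Optional[str] = None          # CIDR the client IP must fall in
    dst_port: Optional[int] = None            # TCP port the client connected to
    url_pattern: Optional[str] = None         # regex anchored at the start of the URL
    header: Optional[tuple] = None            # (header name, exact expected value)
    xml_tag: Optional[tuple] = None           # (tag name, exact expected text)

    def matches(self, req: Request) -> bool:
        """Every configured attribute must match; unset attributes are wildcards."""
        if self.client_net and ipaddress.ip_address(req.client_ip) not in ipaddress.ip_network(self.client_net):
            return False
        if self.dst_port is not None and req.dst_port != self.dst_port:
            return False
        if self.url_pattern and not re.match(self.url_pattern, req.url):
            return False
        if self.header:
            name, value = self.header
            if req.headers.get(name.lower()) != value:
                return False
        if self.xml_tag:
            tag, value = self.xml_tag
            if xml_tag_value(req.body, tag) != value:
                return False
        return True


def select_backend(rules, req: Request, default: str = "web-pool") -> str:
    """First matching rule wins, so rules are ordered from most to least specific."""
    for rule in rules:
        if rule.matches(req):
            return rule.backend
    return default


# Constructed rule table: hypothetical pool names, not from the proposal.
RULES = [
    Rule("admin-from-lan", "admin-pool", client_net="10.0.0.0/8", url_pattern=r"^/admin/"),
    Rule("gold-orders", "order-pool-gold", xml_tag=("priority", "gold")),
    Rule("images", "static-pool", url_pattern=r"^/images/"),
    Rule("msie-browsers", "legacy-pool", header=("User-Agent", "Mozilla/4.0 (compatible; MSIE 5.5)")),
]

# Constructed sample request body and framing.
ORDER_BODY = b"<order><priority>gold</priority><item>12</item></order>"
SAMPLE_ORDER = (
    b"POST /order HTTP/1.1\r\nHost: shop.example\r\nContent-Type: text/xml\r\n"
    b"Content-Length: " + str(len(ORDER_BODY)).encode() + b"\r\n\r\n" + ORDER_BODY
)

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_ORDER, "192.0.2.10", 443)
    print(select_backend(RULES, req))  # order-pool-gold
```

Because the first match wins, the restrictive rule (admin paths only from the 10.0.0.0/8 network) is placed ahead of the broad ones; a request for `/admin/` from any other client falls through every rule and lands on the default pool rather than the admin pool, which is the behaviour a content switch in front of an admin interface should have.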
Thesis Plan
Work done to date
– Designed a concurrent SSL proxy using OpenSSL and dynamic
forking in Linux for handling multiple SSL requests
– Studied and analyzed how session reusability can be achieved
Next 2 weeks
– Study and analyze how keep-alive sessions can be maintained
– Study and analyze how to achieve preforking
– Compare the performance of the preforking and dynamic forking
versions
Next 2 weeks
– Port OpenSSL to VxWorks
– Compare networking support between Linux and VxWorks
Next 3 weeks
– Port the SSL proxy to the IXP network processor
– Compare performance of the SSL proxy on Linux and the IXP12EB
Questions/Comments?