T-110.455 Network Application Frameworks and XML Web Services
T-110.5140 Network Application Frameworks and XML
Summary and Conclusions
22.04.2008
Sasu Tarkoma
Topics Covered
Distributed systems security
Multi-addressing: Mobility and multihoming
Building applications
Distributed objects
Role of directory services
Mobile and wireless applications
XML-based presentation and RPC
Scalability and performance issues
Interconnections
Network
Security
Objects
Directories
Interconnections applicable on many levels
Network-level operation
DNS, overlay lookup, IPsec
Application-level operation
DHTs, SSL, SOAP, WS-Security
Mobility and Routing
Identity/Locator split
New name space for IDs
Maybe based on DNS
Maybe a separate namespace
Maybe IP addresses are used for location
Good for hiding IP versions
Communication endpoints (sockets) bound to identifiers
[Figure: layer stack, upper layer view. The process and transport layers are bound to the identifier at the ID layer; the IP and link layers below use the locator]
IP connectivity problematic today
Broken by firewalls, NATs, mobility
Two versions of IP: IPv4 and IPv6
HIP has a potential remedy
Restores end-to-end connectivity (NAT traversal possible but may require changes / tunnelling)
Adds opportunistic security
Handles mobility and multi-homing
Requires DHT based overlay (currently missing)
Where is the network state?
Routers know addresses: like today
DHT knows HITs / SIDs: lease based storage
Middleboxes know SPIs: soft state
Lessons to learn
Hierarchical routing likely to stay
Addresses carry topological information
Efficient and well established
Applications face changing connectivity
QoS varies
Periods of non-connectivity
Identifiers and locators likely to split
Probably changes in directory services
Mobility management is needed
Overlays have been proposed
Summary
Topology based routing is necessary
Mobility causes address changes
Address changes must be signalled end-to-end
Mobility management needed
Initial rendezvous: maybe a directory service
Double jump problem: rendezvous needed
Many engineering trade-offs
Distributed Hash Tables and
Overlays
Overlay Networks
Origin in Peer-to-Peer (P2P)
Builds upon Distributed Hash Tables (DHTs)
Easy to deploy
No changes to routers or TCP/IP stack
Typically on application layer
Overlay properties
Resilience
Fault-tolerance
Scalability
Some DHT applications
File sharing
Web caching
Censor-resistant data storage
Event notification
Naming systems
Query and indexing
Communication primitives
Backup storage
Web archive
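The slides on "Where is the network state?" (DHT knows HITs / SIDs, lease based storage, soft state) and this DHT section describe a lookup overlay that maps identifiers to locators. The following added example, written for this summary and not part of the lecture material, is a toy Chord-style ring: node names and keys are hashed onto a 32-bit identifier space, each key lives on its successor node, and every entry carries a lease so that a mapping disappears unless the host refreshes it. The HIT-like key, node names and locator addresses are constructed; the ring, lease length and SHA-1 hashing are choices of this example, not the protocol of any real DHT or of HIP.

```python
import bisect
import hashlib

RING_BITS = 32  # constructed: small identifier space for the toy ring


def ring_id(value):
    """Hash a node name or key onto the ring (SHA-1 truncated to RING_BITS)."""
    digest = hashlib.sha1(value.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (1 << RING_BITS)


class LeaseDHT:
    """Toy DHT: each key is stored on its successor node; entries carry a lease."""

    def __init__(self, lease_seconds=30.0):
        self.ring = []       # sorted node ids
        self.names = {}      # node id -> node name
        self.store = {}      # node id -> {key: (value, expiry_time)}
        self.lease_seconds = lease_seconds

    def successor(self, key_id):
        """First node id >= key_id, wrapping around the ring."""
        if not self.ring:
            raise LookupError("empty overlay")
        i = bisect.bisect_left(self.ring, key_id)
        return self.ring[i % len(self.ring)]

    def join(self, name):
        """Add a node and migrate the keys that now fall under its responsibility."""
        nid = ring_id(name)
        bisect.insort(self.ring, nid)
        self.names[nid] = name
        self.store[nid] = {}
        old = self.successor(nid + 1)  # the next node clockwise
        if old != nid:
            for key in list(self.store[old]):
                if self.successor(ring_id(key)) == nid:
                    self.store[nid][key] = self.store[old].pop(key)
        return name

    def leave(self, name):
        """Node failure: its entries are lost, nothing is handed over (soft state)."""
        nid = ring_id(name)
        self.ring.remove(nid)
        del self.names[nid]
        del self.store[nid]

    def put(self, key, value, now):
        """Register/refresh a mapping; the lease starts at `now`. Returns owner name."""
        nid = self.successor(ring_id(key))
        self.store[nid][key] = (value, now + self.lease_seconds)
        return self.names[nid]

    def get(self, key, now):
        """Look up a mapping; expired entries are dropped and read as missing."""
        nid = self.successor(ring_id(key))
        entry = self.store[nid].get(key)
        if entry is None:
            return None
        value, expiry = entry
        if now > expiry:
            del self.store[nid][key]
            return None
        return value


def demo():
    """Mobility update, lease expiry, node join and node failure on the toy ring."""
    dht = LeaseDHT(lease_seconds=30.0)
    for node in ("node-a", "node-b", "node-c"):
        dht.join(node)
    hit = "HIT:2001:10::1"          # constructed identifier (a HIT-like key)
    out = {}
    dht.put(hit, "192.0.2.10", now=0.0)
    dht.join("node-d")              # join after the put: keys migrate if needed
    out["initial"] = dht.get(hit, now=10.0)
    dht.put(hit, "198.51.100.7", now=10.0)   # host moved: refresh with new locator
    out["after_move"] = dht.get(hit, now=15.0)
    out["expired"] = dht.get(hit, now=50.0)  # 40 s without refresh > 30 s lease
    owner = dht.put(hit, "198.51.100.7", now=50.0)
    dht.leave(owner)                          # responsible node fails
    out["after_failure"] = dht.get(hit, now=51.0)
    dht.put(hit, "198.51.100.7", now=52.0)    # next refresh restores the state
    out["after_refresh"] = dht.get(hit, now=53.0)
    out["nodes_left"] = len(dht.ring)
    return out


if __name__ == "__main__":
    print(demo())
```

The point the slides make is visible in `demo()`: the mapping survives a node join because keys are migrated, but it does not survive a node failure or a missed refresh; the host's periodic re-registration, not the overlay, is what keeps the identifier-to-locator state alive.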
Middleware
Examples
Middleware
CORBA
Message-oriented Middleware
Event Systems & tuple spaces
Java Message Service
Java 2 Enterprise Edition (J2EE)
.NET
Mobile middleware
WAE
J2ME
Wireless CORBA
FUEGO
Summary
Middleware
for application development and deployment
for supporting heterogeneous environments
Main communication paradigms: RPC/RMI,
asynchronous events (publish/subscribe)
J2EE, CORBA, ..
Mobile middleware
Desktop middleware not usable on small, mobile devices
Special solutions are needed
J2ME, Wireless CORBA, ..
Web Services
Standardization
W3C Web Services
XML Protocol Working Group
Web Services Addressing Working Group
Web Services Choreography Working Group
Web Services Description Working Group
WSDL
OASIS
SOAP
E-business standards, UDDI
WS-I (Web Service Interoperability Org.)
Binding profiles,..
Web Service Architecture
The three major roles in web services
Service provider: provider of the WS
Service requestor: any consumer / client
Service registry: logically centralized directory of services
A protocol stack is needed to support these roles
Web Services Protocol Stack
Service discovery: responsible for service discovery and search
UDDI
Service description: responsible for describing an interface to a specific web service
WSDL
XML messaging: responsible for encoding messages in common XML format
XML-RPC, SOAP
Message transport: responsible for transporting messages
HTTP, BEEP
Web Services Security
Need for XML security
XML document can be encrypted using SSL or IPSec
this cannot handle the different parts of the document
documents may be routed hop-by-hop
different entities must process different parts of the document
SSL/TLS/IPSec provide message integrity and privacy only when the message is in transit
We also need to encrypt and authenticate the document in arbitrary sequences and to involve multiple parties
Application-layer Security
Identity-based security
Content-based security
Protecting against buffer overflow and CGI-like attacks
Must have knowledge about the applications to which these messages are directed
Accountability or non-repudiation
Authentication and authorization information shared across security domains
Need message level security
Maintain integrity, archived audit trails
The standards and specifications mentioned earlier address these issues
Basic XML Security
XML Digital Signatures (XMLDSIG)
XML Encryption
XML Canonicalization
XML Key Management
Summary
Security contexts
Security needed within and between contexts
XML validation, encryption, and authentication needed between security contexts!
WS security standard revisited
SOAP header carries security information (and other info as well)
Selective processing
SAML
Statements about authorization, authentication, attributes
SAML & WS-Security & XACML
Implementations available
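The "Need for XML security" slide argues that transport security protects a message only in transit and cannot cover different parts of a document processed by different parties, and the summary above notes that WS-Security carries security information in the SOAP header and allows selective processing. The following added example, not from the lecture or any WS-Security implementation, builds a SOAP 1.1 envelope (this also illustrates the XML messaging layer of the protocol stack slide) and protects only the Body: a simplified canonical form of the Body is authenticated with an HMAC placed in the `wsse:Security` header. A hop-by-hop intermediary can rewrite a routing header without invalidating the check, while any change to the Body does. The SOAP and wsse namespace URIs are the real ones; the application, routing and signature namespaces, the order data, the shared key and the canonicalization routine are constructed for this example. HMAC with a shared key stands in for the public-key `ds:Signature` of XMLDSIG so that the code runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")  # WS-Security header namespace
EX = "urn:example:shop"                    # constructed application namespace
ROUTE = "urn:example:routing"              # constructed hop-by-hop routing header
SIG = "urn:example:simplified-signature"   # constructed stand-in for XMLDSIG ds:Signature

for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("ex", EX), ("rt", ROUTE), ("sig", SIG)):
    ET.register_namespace(prefix, uri)


def q(ns, local):
    """Clark-notation qualified name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def canonical(elem):
    """Simplified canonical form (stand-in for XML C14N): sorted attributes,
    whitespace-stripped text, no namespace prefixes, children in order."""
    attrs = "".join(' %s="%s"' % (k, v) for k, v in sorted(elem.attrib.items()))
    text = (elem.text or "").strip()
    inner = "".join(canonical(child) for child in elem)
    return "<%s%s>%s%s</%s>" % (elem.tag, attrs, text, inner, elem.tag)


def build_envelope(order_id, amount, next_hop):
    """SOAP envelope with a routing header, an empty Security header and a Body."""
    env = ET.Element(q(SOAP, "Envelope"))
    header = ET.SubElement(env, q(SOAP, "Header"))
    ET.SubElement(header, q(ROUTE, "NextHop")).text = next_hop
    ET.SubElement(header, q(WSSE, "Security"))
    body = ET.SubElement(env, q(SOAP, "Body"), {"id": "body-1"})
    order = ET.SubElement(body, q(EX, "PlaceOrder"))
    ET.SubElement(order, q(EX, "OrderId")).text = order_id
    ET.SubElement(order, q(EX, "Amount")).text = str(amount)
    return env


def body_mac(env, key):
    """HMAC-SHA256 over the canonical Body only: headers stay free to change."""
    body = env.find(q(SOAP, "Body"))
    return hmac.new(key, canonical(body).encode("utf-8"), hashlib.sha256).digest()


def sign_body(env, key):
    """Put the Body authenticator into the wsse:Security header."""
    security = env.find("./%s/%s" % (q(SOAP, "Header"), q(WSSE, "Security")))
    sig = ET.SubElement(security, q(SIG, "Signature"), {"ref": "#body-1", "alg": "hmac-sha256"})
    sig.text = base64.b64encode(body_mac(env, key)).decode("ascii")
    return env


def verify_body(env, key):
    """Recompute the Body authenticator and compare in constant time."""
    path = "./%s/%s/%s" % (q(SOAP, "Header"), q(WSSE, "Security"), q(SIG, "Signature"))
    sig = env.find(path)
    if sig is None or not sig.text:
        return False
    return hmac.compare_digest(base64.b64decode(sig.text), body_mac(env, key))


def set_next_hop(env, hop):
    """What a legitimate intermediary does: rewrite the routing header."""
    env.find("./%s/%s" % (q(SOAP, "Header"), q(ROUTE, "NextHop"))).text = hop


def set_amount(env, amount):
    """A modification of protected content (should be detected)."""
    env.find(".//%s" % q(EX, "Amount")).text = str(amount)


def roundtrip(env):
    """Serialize and parse again, as happens at every hop."""
    return ET.fromstring(ET.tostring(env))


def demo():
    key = b"constructed-shared-key-for-demo"
    env = sign_body(build_envelope("A-1001", 250, "gateway.example"), key)
    out = {"fresh": verify_body(env, key)}
    env = roundtrip(env)
    out["after_serialization"] = verify_body(env, key)
    set_next_hop(env, "orders.example")       # intermediary changes a header
    out["after_reroute"] = verify_body(env, key)
    set_amount(env, 25000)                    # Body altered in flight
    out["after_body_tamper"] = verify_body(env, key)
    other = roundtrip(sign_body(build_envelope("A-1002", 5, "x"), key))
    out["wrong_key"] = verify_body(other, b"other-key")
    return out


if __name__ == "__main__":
    print(demo())
```

The canonicalization step is what makes the check survive re-serialization at each hop: attribute order and whitespace may change on the wire, so the authenticator must be computed over a normalized form, which is exactly why the slides list XML Canonicalization next to XML Digital Signatures.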
Putting it together
With identity/locator split + overlays?
[Figure: layered view with a control plane and a data plane. Control: upper layers use DNS names and custom identifiers; the overlay uses overlay addresses; end-to-end (congestion control) uses host identities at the ID layer; routing uses IP addresses. Data: IP addresses and routing paths]
[Figure: three protocol stacks. "Theory": WS Security / SOAP / HTTP/TLS/sockets / TCP / IP. "Practice": WS Security / SOAP / TCP4 over IPv4 and TCP6 over IPv6. "Future?": WS Security / SOAP / HTTP?/sockets / TCP / HIP control and HIPsec / IPv4 and IPv6]
Discussion
Interesting things are happening on L7
Ajax, content delivery, BitTorrent, DHTs, OpenID, mashups, REST, ..
Web services have enabled significant business
Google, Amazon, ..
Based on custom software
Network layer support for applications is not perfect
Channel binding, end-host reachability, trust, DoS
Incremental network evolution vs. clean slate developments
Control points
Interdomain policies and peering
Important Dates
Exam on 9.5. 9-12 in T1.
Deadline for the second assignment 12.5.
Remember course feedback
http://www.cs.hut.fi/Opinnot/Palaute/kurssipalaute.html