T-110.455 Network Application Frameworks and XML Web Services

T-110.5140 Network Application Frameworks and XML
Summary and Conclusions
22.04.2008
Sasu Tarkoma

Topics Covered
- Distributed systems security
- Multi-addressing: mobility and multihoming
- Building applications
  - Distributed objects
  - Role of directory services
  - Mobile and wireless applications
  - XML-based presentation and RPC
  - Scalability and performance issues

Interconnections
(Figure: the four course themes Network, Security, Objects and Directories, drawn as interconnected.)
- Interconnections applicable on many levels
- Network-level operation
  - DNS, overlay lookup, IPsec
- Application-level operation
  - DHTs, SSL, SOAP, WS-Security

Mobility and Routing

Identity/Locator split
- New name space for IDs
  - Maybe based on DNS
  - Maybe a separate namespace
  - Maybe IP addresses are used for location
  - Good for hiding IP versions
- Communication endpoints (sockets) bound to identifiers
(Figure, upper layer view: Process, Transport, ID Layer, IP Layer, Link Layer; the transport layer is bound to the identifier, the IP layer works on the locator.)


- IP connectivity problematic today
  - Broken by firewalls, NATs, mobility
  - Two versions of IP: IPv4 and IPv6
- HIP has a potential remedy
  - Restores end-to-end connectivity (NAT traversal possible but may require changes / tunnelling)
  - Adds opportunistic security
  - Handles mobility and multi-homing
  - Requires DHT based overlay (currently missing)

Where is the network state?
- Routers know addresses
  - Like today
- DHT knows HITs / SIDs
  - Lease based storage
- Middleboxes know SPIs
  - Soft state

Lessons to learn
- Hierarchical routing likely to stay
  - Addresses carry topological information
  - Efficient and well established
- Applications face changing connectivity
  - QoS varies
  - Periods of non-connectivity
- Identifiers and locators likely to split
- Mobility management is needed
- Probably changes in directory services
  - Overlays have been proposed

Summary
- Topology based routing is necessary
- Mobility causes address changes
- Address changes must be signalled end-to-end
- Mobility management needed
  - Initial rendezvous: maybe a directory service
  - Double jump problem: rendezvous needed
  - Many engineering trade-offs

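The slides place identifier-to-locator bindings in a DHT as lease-based soft state and note that a moving host must signal its new address end-to-end and that a rendezvous point is needed when both peers move at once (the double jump). The following is an added example, not part of the lecture material, of a rendezvous directory with exactly those properties: bindings lapse unless refreshed, a host signals a move by re-registering, and two hosts that move simultaneously still find each other through the directory. Host identifiers (`hid-a`, `hid-b`, `hid-c`), locators, the lease length and the `FakeClock` are constructed for the example.

```python
"""Added example (not from the lecture slides): a rendezvous directory holding
identifier-to-locator bindings as lease-based soft state.  All identifiers,
locators and lease lengths are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple


@dataclass
class Binding:
    locators: Tuple[str, ...]
    expires_at: float          # absolute time on the directory's clock


class FakeClock:
    """Deterministic clock so the lease logic can be exercised offline."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RendezvousDirectory:
    def __init__(self, lease_seconds: float, clock) -> None:
        self.lease_seconds = lease_seconds
        self.clock = clock
        self._bindings: Dict[str, Binding] = {}

    def register(self, host_id: str, locators: Sequence[str]) -> float:
        """Create or refresh a binding; returns the time at which it lapses.
        Assumption: the caller has already proved it owns host_id (HIP would
        verify a signature with the key the host identity is derived from)."""
        expires_at = self.clock() + self.lease_seconds
        self._bindings[host_id] = Binding(tuple(locators), expires_at)
        return expires_at

    def lookup(self, host_id: str) -> Optional[Tuple[str, ...]]:
        """Current locators, or None when unknown or when the lease lapsed.
        Lapsed entries are dropped on the spot: soft state cleans itself up
        after a host that silently disappeared."""
        binding = self._bindings.get(host_id)
        if binding is None:
            return None
        if binding.expires_at <= self.clock():
            del self._bindings[host_id]
            return None
        return binding.locators

    def live_bindings(self) -> int:
        """Number of bindings whose lease has not lapsed yet."""
        now = self.clock()
        return sum(1 for b in self._bindings.values() if b.expires_at > now)


class MobileHost:
    """A host that keeps its identifier while its locator changes."""
    def __init__(self, host_id: str, locator: str, directory: RendezvousDirectory) -> None:
        self.host_id = host_id
        self.locator = locator
        self.directory = directory
        self.directory.register(host_id, [locator])

    def move(self, new_locator: str) -> None:
        """Address change: signal it by refreshing the rendezvous binding."""
        self.locator = new_locator
        self.directory.register(self.host_id, [new_locator])

    def resolve(self, peer_id: str) -> Optional[Tuple[str, ...]]:
        return self.directory.lookup(peer_id)


def double_jump(clock: FakeClock):
    """Both peers move at once, so neither can reach the other's old locator;
    each learns the new one through the directory.  Returns what A learns
    about B and what B learns about A."""
    directory = RendezvousDirectory(lease_seconds=30.0, clock=clock)
    a = MobileHost("hid-a", "192.0.2.10", directory)      # constructed values
    b = MobileHost("hid-b", "198.51.100.20", directory)
    a.move("192.0.2.77")
    b.move("198.51.100.99")
    return a.resolve("hid-b"), b.resolve("hid-a")


def lease_lapse(clock: FakeClock):
    """A host that stops refreshing drops out of the directory by itself."""
    directory = RendezvousDirectory(lease_seconds=30.0, clock=clock)
    directory.register("hid-c", ["203.0.113.5"])
    clock.advance(29.0)
    before = directory.lookup("hid-c")     # still within the lease
    clock.advance(2.0)
    after = directory.lookup("hid-c")      # lease ran out, binding is gone
    return before, after


if __name__ == "__main__":
    print(double_jump(FakeClock()))
    print(lease_lapse(FakeClock()))
```

The register call deliberately takes ownership on trust, which is the one thing a real rendezvous service cannot do: whoever can write a binding can redirect every peer of that identifier. HIP host identity tags are derived from public keys precisely so that a location update can be signed and checked against the identifier itself; a directory built on this sketch needs that check before the lease logic matters.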
Distributed Hash Tables and Overlays

Overlay Networks
- Origin in Peer-to-Peer (P2P)
- Builds upon Distributed Hash Tables (DHTs)
- Easy to deploy
  - No changes to routers or TCP/IP stack
  - Typically on application layer
- Overlay properties
  - Resilience
  - Fault-tolerance
  - Scalability

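The resilience, fault tolerance and scalability the slide attributes to overlays come from the way a DHT assigns keys to nodes. The following is an added example, not from the lecture or any particular DHT implementation, of the consistent-hashing ring that Chord-style DHTs build on: nodes and keys are hashed onto one identifier space, a key is owned by the first node clockwise from its hash, and when a node fails only the keys it owned move to its successor. The ring is truncated to 32 bits and the node names and keys are constructed sample values.

```python
"""Added example (not from the lecture slides): a minimal consistent-hashing
ring of the kind DHT overlays build on.  Node names and keys are constructed."""
import bisect
import hashlib
from typing import Dict, Iterable, List

RING_BYTES = 4   # 32-bit ring for readability; Chord uses the full 160-bit SHA-1 output


def ring_position(name: str) -> int:
    """Position of a node or key on the ring: SHA-1 of the name, truncated."""
    digest = hashlib.sha1(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:RING_BYTES], "big")


class Ring:
    def __init__(self) -> None:
        self._positions: List[int] = []      # sorted node positions
        self._node_at: Dict[int, str] = {}   # position -> node name

    def join(self, node: str) -> None:
        pos = ring_position(node)
        if pos in self._node_at:
            raise ValueError(f"position collision for {node!r}")
        bisect.insort(self._positions, pos)
        self._node_at[pos] = node

    def leave(self, node: str) -> None:
        """Node failure or departure: its keys fall to its successor."""
        pos = ring_position(node)
        self._positions.remove(pos)
        del self._node_at[pos]

    def successor(self, key: str) -> str:
        """Owner of key: the first node at or after hash(key), wrapping around."""
        if not self._positions:
            raise LookupError("empty ring")
        i = bisect.bisect_left(self._positions, ring_position(key))
        if i == len(self._positions):
            i = 0
        return self._node_at[self._positions[i]]

    def replicas(self, key: str, count: int) -> List[str]:
        """The owner plus the next count-1 nodes clockwise, the usual replica set."""
        if not self._positions:
            raise LookupError("empty ring")
        n = len(self._positions)
        i = bisect.bisect_left(self._positions, ring_position(key))
        return [self._node_at[self._positions[(i + j) % n]] for j in range(min(count, n))]

    def owners(self, keys: Iterable[str]) -> Dict[str, str]:
        return {k: self.successor(k) for k in keys}


def keys_moved_by_failure(ring: Ring, failed: str, keys: List[str]) -> Dict[str, str]:
    """Keys whose owner changes when `failed` leaves, mapped to the new owner.
    With consistent hashing only the failed node's own keys move, which is
    what gives the overlay its fault tolerance and lets it grow node by node."""
    before = ring.owners(keys)
    ring.leave(failed)
    after = ring.owners(keys)
    return {k: after[k] for k in keys if before[k] != after[k]}


def build_sample_ring(node_count: int = 8) -> Ring:
    ring = Ring()
    for i in range(node_count):
        ring.join(f"node-{i}")     # constructed node names
    return ring


if __name__ == "__main__":
    ring = build_sample_ring()
    sample_keys = [f"key-{i}" for i in range(200)]
    print("replicas of key-1:", ring.replicas("key-1", 3))
    moved = keys_moved_by_failure(ring, "node-3", sample_keys)
    print(f"{len(moved)} of {len(sample_keys)} keys moved after node-3 failed")
```

Because responsibility for a key is decided purely by ring position, a deployment has to stop nodes from picking their own position; deriving the node identifier from something the node cannot choose freely (a certified identity, for instance) is the usual mitigation, and it is the same trust question the Discussion slide raises for overlays in general.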
Some DHT applications
- File sharing
- Web caching
- Censor-resistant data storage
- Event notification
- Naming systems
- Query and indexing
- Communication primitives
- Backup storage
- Web archive
- Middleware

Examples
- Middleware
  - CORBA
  - Message-oriented Middleware
  - Event Systems & tuple spaces
  - Java Message Service
  - Java 2 Enterprise Edition (J2EE)
  - .NET
- Mobile middleware
  - WAE
  - J2ME
  - Wireless CORBA
  - FUEGO

Summary
- Middleware
  - for application development and deployment
  - for supporting heterogeneous environments
  - Main communication paradigms: RPC/RMI, asynchronous events (publish/subscribe)
  - J2EE, CORBA, ..
- Mobile middleware
  - Desktop middleware not usable on small, mobile devices
  - Special solutions are needed
  - J2ME, Wireless CORBA, ..

Web Services

Standardization
- W3C Web Services
  - XML Protocol Working Group
    - SOAP
  - Web Services Addressing Working Group
  - Web Services Choreography Working Group
  - Web Services Description Working Group
    - WSDL
- OASIS
  - E-business standards, UDDI
- WS-I (Web Service Interoperability Org.)
  - Binding profiles, ..

Web Service Architecture
- The three major roles in web services
  - Service provider: provider of the WS
  - Service requestor: any consumer / client
  - Service registry: logically centralized directory of services
- A protocol stack is needed to support these roles

Web Services Protocol Stack
- Message Transport
  - Responsible for transporting messages
  - HTTP, BEEP
- XML Messaging
  - Responsible for encoding messages in common XML format
  - XML-RPC, SOAP
- Service Description
  - Responsible for describing an interface to a specific web service
  - WSDL
- Service discovery
  - Responsible for service discovery and search
  - UDDI

Web Services Security

Need for XML security
- XML document can be encrypted using SSL or IPSec
  - This cannot handle the different parts of the document
  - Documents may be routed hop-by-hop
  - Different entities must process different parts of the document
  - SSL/TLS/IPSec provide message integrity and privacy only when the message is in transit
  - We also need to encrypt and authenticate the document in arbitrary sequences and to involve multiple parties

Application-layer Security
- Identity-based security
  - Authentication and authorization information shared across security domains
  - Need message level security
- Content-based security
  - Protecting against buffer overflow and CGI-like attacks
  - Must have knowledge about the applications to which these messages are directed
- Accountability or non-repudiation
  - Maintain integrity, archived audit trails
- The standards and specifications mentioned earlier address these issues

Basic XML Security
- XML Digital Signatures (XMLDSIG)
- XML Encryption
- XML Canonicalization
- XML Key Management

Summary
- Security contexts
  - Security needed within and between contexts
  - XML validation, encryption, and authentication needed between security contexts!
- WS security standard revisited
  - SOAP header carries security information (and other info as well)
  - Selective processing
- SAML
  - Statements about authorization, authentication, attributes
  - SAML & WS-Security & XACML
  - Implementations available

Putting it together
With identity/locator split + overlays?
(Figure: a layered view with a control plane and a data plane. Control-plane names per layer: upper layers use DNS names and custom identifiers, the overlay uses overlay addresses, the ID layer uses host identities, the IP layer uses IP addresses. Data-plane labels: end-to-end, congestion, routing, routing paths. Three protocol stacks side by side, labelled "Theory", "Practice" and "Future?": Theory is WS Security / SOAP / HTTP/TLS/sockets / TCP / IP; Practice is WS Security / SOAP over TCP4/IPv4 and TCP6/IPv6; Future? is WS Security / SOAP / HTTP?/sockets / TCP / HIP control with HIPsec / IPv4 or IPv6.)

Discussion
- Interesting things are happening on L7
  - Ajax, content delivery, BitTorrent, DHTs, OpenID, mashups, REST, ..
- Web services have enabled significant business
  - Google, Amazon, ..
  - Based on custom software
- Network layer support for applications is not perfect
  - Channel binding, end-host reachability, trust, DoS
- Incremental network evolution vs. clean slate developments
  - Control points
  - Interdomain policies and peering

Important Dates
- Exam on 9.5. 9-12 in T1.
- Deadline for the second assignment 12.5.
- Remember course feedback: http://www.cs.hut.fi/Opinnot/Palaute/kurssipalaute.html