T-110.5140 Network Application Frameworks and XML Summary and Conclusions 20.04.2009 Sasu Tarkoma.


T Network Application Frameworks and XML Summary and Conclusions Sasu Tarkoma

Topics Covered
- Distributed systems security
- Multi-addressing: Mobility and multi-homing
- Building applications
  - Distributed objects
  - Role of directory services
  - Mobile and wireless applications
  - XML-based presentation and RPC
- Scalability and performance issues

Interconnections
- Interconnections applicable on many levels
  - Network-level operation
    - DNS, overlay lookup, IPsec
  - Application-level operation
    - DHTs, SSL, SOAP, WS-Security
[Diagram labels: Network, Security, Directories, Objects]

Mobility and Routing

Identity/Locator split
[Diagram: protocol stack of Process, Transport, ID Layer, IP Layer, Link Layer, with the labels "identifier" and "locator"]
- New name space for IDs
  - Maybe based on DNS
  - Maybe a separate namespace
  - Maybe IP addresses are used for location
  - Good for hiding IP versions
- Communication end-points (sockets) bound to identifiers

Upper layer view
- IP connectivity problematic today
  - Broken by firewalls, NATs, mobility
  - Two versions of IP: IPv4 and IPv6
- HIP has a potential remedy
  - Restores end-to-end connectivity (NAT traversal possible but may require changes / tunnelling)
  - Adds opportunistic security
  - Handles mobility and multi-homing
  - Requires DHT based overlay (currently missing)
- Where is the network state?
  - Routers know addresses
    - Like today
  - DHT knows HITs / SIDs
    - Lease based storage
  - Middleboxes know SPIs
    - Soft state

Lessons to learn
- Hierarchical routing likely to stay
  - Addresses carry topological information
  - Efficient and well established
- Applications face changing connectivity
  - QoS varies
  - Periods of non-connectivity
- Identifiers and locators likely to split
- Mobility management is needed
- Probably changes in directory services
  - Overlays have been proposed

Summary
- Topology based routing is necessary
- Mobility causes address changes
- Address changes must be signalled end-to-end
- Mobility management needed
  - Initial rendezvous: maybe a directory service
  - Double jump problem: rendezvous needed
- Many engineering trade-offs

Distributed Hash Tables and Overlays

Overlay Networks
- Origin in Peer-to-Peer (P2P)
- Builds upon Distributed Hash Tables (DHTs)
- Easy to deploy
  - No changes to routers or TCP/IP stack
  - Typically on application layer
- Overlay properties
  - Resilience
  - Fault-tolerance
  - Scalability

Some DHT applications
- File sharing
- Web caching
- Censor-resistant data storage
- Event notification
- Naming systems
- Query and indexing
- Communication primitives
- Backup storage
- Web archive

Middleware

Examples
- Middleware
  - CORBA
  - Message-oriented Middleware
  - Event Systems & tuple spaces
  - Java Message Service
  - Java 2 Enterprise Edition (J2EE)
  - .NET
- Mobile middleware
  - WAE
  - J2ME
  - Wireless CORBA
  - FUEGO

Summary
- Middleware
  - for application development and deployment
  - for supporting heterogeneous environments
  - Main communication paradigms: RPC/RMI, asynchronous events (publish/subscribe)
  - J2EE, CORBA, ..
- Mobile middleware
  - Desktop middleware not usable on small, mobile devices
  - Special solutions are needed
  - J2ME, Wireless CORBA, ..

Web Services

Standardization
- W3C Web Services
  - XML Protocol Working Group
    - SOAP
  - Web Services Addressing Working Group
  - Web Services Choreography Working Group
  - Web Services Description Working Group
    - WSDL
- OASIS
  - E-business standards, UDDI
- WS-I (Web Service Interoperability Org.)
  - Binding profiles, ..

Web Service Architecture
- The three major roles in web services
  - Service provider
    - Provider of the WS
  - Service Requestor
    - Any consumer / client
  - Service Registry
    - Logically centralized directory of services
- A protocol stack is needed to support these roles

Web Services Protocol Stack
- Message Transport
  - Responsible for transporting messages
  - HTTP, BEEP
- XML Messaging
  - Responsible for encoding messages in common XML format
  - XML-RPC, SOAP
- Service Description
  - Responsible for describing an interface to a specific web service
  - WSDL
- Service discovery
  - Responsible for service discovery and search
  - UDDI

Web Services Security

Need for XML security
- XML document can be encrypted using SSL or IPSec
  - this cannot handle the different parts of the document
  - documents may be routed hop-by-hop
  - different entities must process different parts of the document
- SSL/TLS/IPSec provide message integrity and privacy only when the message is in transit
- We also need to encrypt and authenticate the document in arbitrary sequences and to involve multiple parties

Application-layer Security
- Identity-based security
  - Authentication and authorization information shared across security domains
- Content-based security
  - Protecting against buffer overflow and CGI-like attacks
  - Must have knowledge about the applications to which these messages are directed
- Accountability or non-repudiation
  - Need message level security
  - Maintain integrity, archived audit trails
- The standards and specifications mentioned earlier address these issues

Basic XML Security
- XML Digital Signatures (XMLDSIG)
- XML Encryption
- XML Canonicalization
- XML Key Management
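The "Need for XML security" and "Basic XML Security" slides above, as an added example that is not part of the original slides: one part of a message keeps its integrity protection while an intermediary rewrites the header and re-serializes the body, which is why canonicalization comes first. An HMAC with a shared key stands in for an XMLDSIG signature here; the `PartMac` element, the key and the sample message are constructed for illustration.

```python
import copy, hashlib, hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key"  # constructed; stands in for real key management
# Constructed sample message: a routing header plus a business payload.
MESSAGE = ('<Envelope><Header><Route hop="1"/></Header>'
           '<Body><Item qty="2" sku="A1">widget</Item></Body></Envelope>')

def canonical_bytes(elem):
    """Canonical (C14N 2.0) bytes of one element, ignoring its tail text."""
    clone = copy.copy(elem)          # shallow copy; caller's tree is untouched
    clone.tail = None
    raw = ET.tostring(clone, encoding="unicode")
    return ET.canonicalize(raw, strip_text=True).encode("utf-8")

def part_mac(elem, key):
    return hmac.new(key, canonical_bytes(elem), hashlib.sha256).hexdigest()

def sign_part(doc_xml, tag, key):
    """Sender: MAC the chosen part and carry the value in the header."""
    root = ET.fromstring(doc_xml)
    mac = ET.SubElement(root.find("Header"), "PartMac")  # hypothetical element
    mac.text = part_mac(root.find(tag), key)
    return ET.tostring(root, encoding="unicode")

def verify_part(doc_xml, tag, key):
    """Receiver: names the part it requires to be protected, then checks it."""
    root = ET.fromstring(doc_xml)
    mac, part = root.find("Header/PartMac"), root.find(tag)
    if mac is None or part is None:
        return False
    claimed = (mac.text or "").encode("utf-8")
    return hmac.compare_digest(part_mac(part, key).encode("utf-8"), claimed)

def relay(signed_xml):
    """Intermediary: updates routing info and re-serializes the body loosely."""
    out = signed_xml.replace('hop="1"', 'hop="2"')
    return out.replace('qty="2" sku="A1"', 'sku="A1"   qty="2"')

def tamper(signed_xml):
    """Constructed integrity failure: the protected part changes in transit."""
    return signed_xml.replace('qty="2"', 'qty="200"')

if __name__ == "__main__":
    signed = sign_part(MESSAGE, "Body", KEY)
    print(verify_part(relay(signed), "Body", KEY))   # header changed, body intact
    print(verify_part(tamper(signed), "Body", KEY))  # body changed
```

The receiver passes the tag it expects to be covered instead of trusting a reference inside the message, so an unprotected header cannot redirect the check to a different element.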

Summary
- Security contexts
  - Security needed within and between contexts
  - XML validation, encryption, and authentication needed between security contexts!
- WS security standard revisited
  - SOAP header carries security information (and other info as well)
  - Selective processing
- SAML
  - Statements about authorization, authentication, attributes
  - SAML & WS-Security & XACML
- Implementations available

Putting it together

With identity/locator split + overlays?
[Diagram labels: Upper layers; Overlay; Congestion; End-to-end; Routing; Overlay addresses; IP addresses; Routing paths; DNS names, custom identifiers; Host Identities; IP addresses; Routing paths; ID Layer; CONTROL; DATA]

[Diagram: three protocol stacks, labels as given on the slide]
- "Theory": WS Security, SOAP, TCP, IP
- "Practice": WS Security, SOAP, TCP4, IPv4, HTTP/TLS/sockets, TCP6, IPv6
- "Future?": WS Security, SOAP, IPv4, HTTP?/sockets, IPv6, TCP, HIPsec, HIP CTRL

Discussion
- Interesting things are happening on L7
  - Ajax, content delivery, BitTorrent, DHTs, OpenID, mashups, REST, ..
  - Web services have enabled significant business
    - Google, Amazon, ..
    - Based on custom software
  - Network layer support for applications is not perfect
    - Channel binding, end-host reachability, trust, DoS
- Incremental network evolution vs. clean slate developments
  - Control points
  - Interdomain policies and peering

Important Dates
- Exam on in T1.
- Deadline for the second assignment
- Remember course feedback
  - aute.html