your app lives on the network - networking for web developers

Upload: wim-godden

Post on 12-Apr-2017


Wim Godden, Cu.be Solutions, @wimgtr

Your app lives on a network : Networking for web developers

Who am I ?

Wim Godden (@wimgtr)

Where I'm from

My town

Belgium the traffic

Who am I ?

Wim Godden (@wimgtr)

Founder of Cu.be Solutions (http://cu.be)

Open Source developer since 1997

Developer of PHPCompatibility, OpenX, Nginx SLIC, ...

Speaker at PHP and Open Source conferences

Who are you ?

Developers ?

System engineers ?

Network engineers ?

Do you know how the Internet works ?

We're web developers, not network engineers !

Know enough to build new stuff

Know enough to maintain existing code

What if...

Customer

Support Desk

Developers

Do you know these ?

TCP

UDP

IP

DNS

BGP

MAC address

IPv4

IPv6

SYN

ACK

Source port

Destination port

Default gateway

Routing table

Basics : OSI model

Layer 1 - Physical : wires, network card, wireless interface

Layer 2 - Data Link : data protocol (ethernet, ...)

Layer 3 - Network : IP addressing

Layer 4 - Transport : TCP, UDP, ports, ...

Layer 5 - Session : TLS, L2TP, SOCKS, PPTP, ...

Layer 6 - Presentation : serialization, data translation

Layer 7 - Application : HTTP, DNS, SMTP, ...

Basics : packets

Physical cable or wireless : 01011010111010

Basics : packets

Part 1 : Ethernet frame

Destination MAC (6 bytes) | Source MAC (6 bytes) | Type (2 bytes) | Payload (46-1500 bytes) | CRC (4 bytes)

Part 2 : IPv4 header (min. 160 bytes)

Bit columns : 0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31

Bit 0   : Version | Header length | DSCP | ECN | Total length
Bit 32  : Identification | Flags | Fragment Offset
Bit 64  : Time To Live | Protocol | Header Checksum
Bit 96  : Source IP Address
Bit 128 : Destination IP Address
Bit 160 : Options (if required)
          < Contents of the packet >

Part 3 : TCP/UDP header and data

Basics : TCP packet

Bit columns : 0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31

Bit 0   : Source port | Destination port
Bit 32  : Sequence number
Bit 64  : Acknowledgment number
Bit 96  : Data offset | Flags | Window size
Bit 128 : Checksum | Urgent pointer
Bit 160 : Options (if required)
          < Contents of the packet >

Sending on a local network

Each system has a MAC address, assigned by the manufacturer

Can be overwritten (for VM or failover)

Same physical network : send the packet to the MAC address

Switch knows MAC address(es) of devices and forwards traffic

Layer 2

Sending IP traffic on local network

Requires IP addresses

Where to send ? We need to know the MAC address

Uses ARP (Address Resolution Protocol) for lookup

Stores the IP-to-MAC relation in the ARP table

What's local ? Same IP subnet

OK, what's a subnet ?

Layer 3

16:58:56.933019 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.15 tell 192.168.0.12, length 28
16:58:56.938019 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.15 is-at 00:50:56:8b:6a:b7, length 46

IP adressing (IPv4)

IPv4 addressing = CIDR notation

xxx.xxx.xxx.xxx where 0
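What the CIDR notation means in bits, worked through as an added example (not code from the slides): the prefix length becomes a netmask, the masked address is the subnet, and "same subnet" is simply "same bits under the mask", which is the test a host applies before deciding between ARP and the default gateway. The addresses used are constructed sample values.

```python
# Added example (not from the slides): CIDR arithmetic with plain integers so
# the bit operations behind "xxx.xxx.xxx.xxx/n" are visible. Sample addresses
# below are constructed for the example.

def ip_to_int(ip: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | octet
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int: four 8-bit fields, most significant first."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str) -> tuple[int, int, int]:
    """Return (network, netmask, prefix_len) as integers for 'a.b.c.d/n'."""
    ip_text, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    # /n means the top n bits are fixed: build a mask with n leading ones.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ip_to_int(ip_text) & mask, mask, prefix


def describe(cidr: str) -> dict:
    """Network, netmask, broadcast and host count for a CIDR block."""
    network, mask, prefix = parse_cidr(cidr)
    addresses = 1 << (32 - prefix)
    return {
        "network": int_to_ip(network),
        "netmask": int_to_ip(mask),
        "broadcast": int_to_ip(network | (~mask & 0xFFFFFFFF)),
        "addresses": addresses,
        # /31 and /32 have no separate network and broadcast addresses
        "usable_hosts": addresses - 2 if prefix <= 30 else addresses,
    }


def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """The slide's "what's local?" test: identical bits under the netmask."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    print(describe("192.168.0.15/24"))
    print(same_subnet("192.168.0.15", "192.168.0.12", 24))  # local: resolve via ARP
    print(same_subnet("192.168.0.15", "194.50.97.38", 24))  # remote: send to the gateway
```

A host with 192.168.0.15/24 therefore ARPs for 192.168.0.12 directly but hands a packet for 194.50.97.38 to its default gateway, which is exactly the split between the Layer 2 and Layer 3 slides above.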

TCP/UDP ports

TCP header (bit columns 0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31) :

Bit 0   : Source port | Destination port
Bit 32  : Sequence number
Bit 64  : Acknowledgment number
Bit 96  : Data offset | Flags | Window size
Bit 128 : Checksum | Urgent pointer
Bit 160 : Options (if required)
          < Contents of the packet >

UDP header (same bit columns) :

Bit 0   : Source port | Destination port
Bit 32  : Length | Checksum
          < Contents of the packet >

Source and Destination ports

Destination port : defined by the service

HTTP : TCP port 80

HTTPS : TCP port 443

DNS : UDP port 53

Source port : for identification of a connection

Client -> Server (diagram) : source port 5000 -> destination port 80, source port 5001 -> destination port 80, source port 5002 -> destination port 80 (three connections to the same service, told apart by their source port)

See active connections with source/destination ports : netstat -n

Fetching a website

Need to fetch http://cu.be

TCP doesn't know what cu.be is, it needs an IP address

Looks up IP address through DNS

Open a socket

Connect to IP address on port 80

Send HTTP request over the connection

Get data back

Get images, CSS, javascript over the same connection

Close the connection

Show the webpage
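The fetch steps above and the source/destination port slides, carried out with raw sockets as an added example (not code from the slides). To run offline it talks to a throw-away HTTP responder on 127.0.0.1 started in a thread; the server, its port (chosen by the OS) and the response body are constructed for the example. Resolution goes through getaddrinfo(), which would perform the DNS lookup for a real hostname.

```python
# Added example (not from the slides): "fetching a website" step by step with
# sockets, against a constructed local HTTP server so it runs offline.
import socket
import threading


def serve_once(listener: socket.socket) -> None:
    """Constructed responder: one request, one fixed response, then close."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:     # read until end of request headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        body = b"<html>hello from the example server</html>"
        conn.sendall(
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Connection: close\r\n\r\n" + body
        )


def start_server() -> tuple[socket.socket, int]:
    """Listen on 127.0.0.1 on an OS-chosen port; serve one request in a thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=serve_once, args=(listener,), daemon=True).start()
    return listener, listener.getsockname()[1]


def fetch(host: str, port: int, path: str = "/") -> dict:
    """The slide's steps: resolve, open socket, connect, send, receive, close."""
    # 1. TCP needs an IP address, not a name: getaddrinfo() resolves it.
    family, socktype, proto, _, addr = socket.getaddrinfo(
        host, port, socket.AF_INET, socket.SOCK_STREAM)[0]
    # 2. Open a socket and 3. connect to the IP address on the destination port.
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(5)
        sock.connect(addr)
        # The kernel picked the source port; with the destination port and the
        # two IP addresses it identifies this one connection (see netstat -n).
        _src_ip, src_port = sock.getsockname()
        # 4. Send the HTTP request over the connection.
        request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Connection: close\r\n\r\n").encode()
        sock.sendall(request)
        # 5. Get data back: recv() hands us a byte stream, not packets.
        response = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:                      # peer closed: end of response
                break
            response += chunk
    # 6. The with-block closed the connection; split status line from body.
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode()
    return {"status": status_line, "body": body.decode(),
            "source_port": src_port, "destination_port": port}


if __name__ == "__main__":
    listener, port = start_server()
    try:
        print(fetch("127.0.0.1", port))
    finally:
        listener.close()
```

Running it prints the status line and body plus the ephemeral source port the kernel assigned; repeat the call and the destination port stays the same while the source port changes, which is what the three-connections slide above shows.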

DNS lookups

Through a DNS server

Authoritative : in charge of the domain name

Recursive : asks the authoritative server, then caches for a while

Cache time is defined by the TTL

Usually you will use a recursive server (owned by your provider)

Lookup sequence (diagram) :

Client -> Recursive DNS server : IP for cu.be ?
Recursive DNS server -> Root DNS server : IP for cu.be ?
Root DNS server -> Recursive DNS server : Ask the .be DNS server
Recursive DNS server -> .be DNS server : IP for cu.be ?
.be DNS server -> Recursive DNS server : Ask the cu.be DNS server
Recursive DNS server -> cu.be DNS server : IP for cu.be ?
cu.be DNS server -> Recursive DNS server : 194.50.97.38
Recursive DNS server -> Client : 194.50.97.38

DNS lookups

Actual lookups depend on type of DNS record

DNS holds lots of things :

A record = IP addresses

CNAME records = aliases for A records

MX records = mail servers

NS records = DNS servers

TXT = various stuff (anti-spam mostly)

2 tools to debug DNS : dig, nslookup
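The recursive lookup and TTL caching described above, as an added example (not code from the slides): a toy recursive resolver that walks the root -> .be -> cu.be referral chain over an in-memory table of "authoritative servers", follows a CNAME to its A record, and caches answers until their TTL expires. Server names, TTLs, the CNAME and the MX value are constructed; only the 194.50.97.38 answer comes from the slide.

```python
# Added example (not from the slides): a toy recursive resolver with referrals
# and TTL caching. AUTHORITATIVE is a constructed stand-in for the root, .be
# and cu.be servers; records are keyed (name, type) -> (ttl_seconds, value).
from dataclasses import dataclass, field

AUTHORITATIVE = {
    "root-server": {("be", "NS"): (86400, "be-server")},
    "be-server": {("cu.be", "NS"): (3600, "cube-server")},
    "cube-server": {
        ("cu.be", "A"): (300, "194.50.97.38"),       # address from the slide
        ("www.cu.be", "CNAME"): (300, "cu.be"),       # alias for the A record
        ("cu.be", "MX"): (300, "mail.cu.be"),          # constructed mail server
    },
}


@dataclass
class RecursiveResolver:
    """The provider-side resolver: walks referrals, caches answers for the TTL."""
    cache: dict = field(default_factory=dict)   # (name, type) -> (expires_at, value)
    queries_sent: int = 0

    def _ask(self, server: str, name: str, rtype: str):
        self.queries_sent += 1                   # one round trip per server asked
        return AUTHORITATIVE[server].get((name, rtype))

    def _referral(self, server: str, name: str):
        """Most specific zone this server delegates that contains name."""
        labels = name.split(".")
        for i in range(len(labels)):
            ns = AUTHORITATIVE[server].get((".".join(labels[i:]), "NS"))
            if ns:
                return ns[1]
        return None

    def resolve(self, name: str, rtype: str, now: float) -> str:
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1]                     # cache hit: no query leaves
        server, visited = "root-server", set()
        while server not in visited:             # stop if a referral loops
            visited.add(server)
            answer = self._ask(server, name, rtype)
            if answer:
                ttl, value = answer
                self.cache[key] = (now + ttl, value)
                return value
            # A server holding a CNAME answers with it; follow the alias.
            alias = AUTHORITATIVE[server].get((name, "CNAME"))
            if alias and rtype != "CNAME":
                return self.resolve(alias[1], rtype, now)
            server = self._referral(server, name) or server
        raise LookupError(f"no {rtype} record for {name}")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("cu.be", "A", now=0), r.queries_sent)      # 3 servers asked
    print(r.resolve("cu.be", "A", now=100), r.queries_sent)    # cached, still 3
    print(r.resolve("cu.be", "A", now=301), r.queries_sent)    # TTL expired, 6
```

Real resolvers also cache the NS referrals, which is why a second lookup under .be skips the root; this toy only caches final answers so the query count shows the full chain each time the TTL runs out.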

Sockets

The layer between your application and TCP, UDP, ...

Abstracts syntax

Makes it easy to switch between protocols

Provides an easy interface : no need to know the implementation

Send a stream of data split up in packets

Receive lots of data converted from packets to string

Packets over the Internet

Client (192.168.0.15) -> Router (192.168.0.1) -> Internet -> Server (194.7.1.4)

The BGP protocol decides how packets are routed

Each public network has an AS (Autonomous System) number

AS3356 = Level3

AS39628 = Cu.be

Subnets are announced over BGP to the uplink providers : AS39628 says "here, you can reach 194.50.97.0/24 through me"

BGP routes

BGP routing (diagram) : routers in AS 1, AS 5, AS 5, AS 52, AS 10 and AS 2 between Client and Server
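How the announced subnets turn into forwarding decisions, as an added example (not code from the slides): a routing table with longest-prefix match, the rule used both by a host choosing between its local subnet and its default gateway, and by a router choosing between BGP announcements. The client's 192.168.0.0/24 and gateway 192.168.0.1 and AS39628's 194.50.97.0/24 come from the slides; the 194.50.0.0/16 aggregate attributed to AS3356 is constructed.

```python
# Added example (not from the slides): longest-prefix-match routing table.
# 194.50.0.0/16 via AS3356 is a constructed aggregate for illustration.
import ipaddress


class RoutingTable:
    def __init__(self) -> None:
        self.routes = []            # (network, next_hop, origin) entries

    def add(self, prefix: str, next_hop: str, origin: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop, origin))

    def lookup(self, destination: str) -> tuple[str, str, str]:
        """Return (prefix, next_hop, origin) of the most specific matching route."""
        addr = ipaddress.ip_address(destination)
        best = None
        for net, hop, origin in self.routes:
            if addr.version != net.version or addr not in net:
                continue
            # A longer prefix is more specific and always wins over a shorter one.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, hop, origin)
        if best is None:
            raise LookupError(f"no route to {destination}")
        return str(best[0]), best[1], best[2]


def build_example_table() -> RoutingTable:
    """Table mixing the client's view and two BGP announcements from upstream."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "192.168.0.1", "default gateway (client slide)")
    rt.add("192.168.0.0/24", "direct", "local subnet: resolve with ARP, no gateway")
    rt.add("194.50.97.0/24", "AS39628", "BGP: reach 194.50.97.0/24 through me")
    rt.add("194.50.0.0/16", "AS3356", "constructed aggregate announcement")
    return rt


if __name__ == "__main__":
    rt = build_example_table()
    for dest in ("192.168.0.12", "194.50.97.38", "194.50.1.1", "8.8.8.8"):
        print(dest, "->", rt.lookup(dest))
```

Because the most specific prefix wins regardless of who announced it, network operators watch for announcements of their own address space that are more specific than their own, and validate route origins (for example with RPKI) before accepting them.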

IPv6

Created to solve the lack of IP addresses (4.3 billion in IPv4)

Standard created in 90s

Deployed on most major sites, but small sites lag behind

Addresses :

IPv4 address : 192.168.0.1

IPv6 address : 2001:0db8:0000:0000:0000:0000:0370:7334

Abbreviated : 2001:0db8::0370:7334

Can't talk to each other !

Address space : 2^128 = 340,282,366,920,938,463,463,374,607,431,770,000,000
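The abbreviation rule behind 2001:0db8::0370:7334, as an added example (not code from the slides): expand an address to its eight groups and collapse the longest run of all-zero groups into "::". The slide keeps the leading zeros inside groups; the canonical text form from RFC 5952 drops them (2001:db8::370:7334), so that is offered as an option and cross-checked against Python's ipaddress module.

```python
# Added example (not from the slides): expanding and abbreviating IPv6
# addresses by hand, then checking against the standard library.
import ipaddress


def expand(addr: str) -> list[str]:
    """Return the eight 4-digit hex groups, undoing a '::' abbreviation."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    if sep:
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = left
    if len(groups) != 8 or any(not 0 < len(g) <= 4 for g in groups):
        raise ValueError(f"not an IPv6 address: {addr!r}")
    return [f"{int(g, 16):04x}" for g in groups]   # int() rejects non-hex


def full(addr: str) -> str:
    """Unabbreviated form, e.g. 2001:0db8::0370:7334 -> 2001:0db8:0000:...:7334."""
    return ":".join(expand(addr))


def abbreviate(addr: str, strip_leading_zeros: bool = False) -> str:
    """Collapse the longest run of at least two zero groups into '::'."""
    groups = expand(addr)
    if strip_leading_zeros:                       # RFC 5952 canonical form
        groups = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if int(groups[i], 16) == 0:
            j = i
            while j < 8 and int(groups[j], 16) == 0:
                j += 1
            if j - i > best_len:                  # ties: keep the first run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:                              # a single zero group stays
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(addr: str) -> bool:
    """Cross-check: our canonical form equals ipaddress's compressed form."""
    return abbreviate(addr, True) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    slide = "2001:0db8:0000:0000:0000:0000:0370:7334"
    print(abbreviate(slide))                       # 2001:0db8::0370:7334
    print(abbreviate(slide, strip_leading_zeros=True))
    print(full("2001:0db8::0370:7334"))
```

The "ties go to the first run" and "never shorten a single zero group" rules matter when addresses are compared as strings, for instance in allow-lists or log searches: normalise to one canonical form before comparing.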

Deployment rates (source : Google) :

Global : 13.12%

US : 29.78%

Canada : 16.58%

Belgium : 48.42%

Should you use it ? YES ! (But don't forget about firewalling !)

TLS

Full handshake between Client and Server (the slide shows it on a timeline marked 0 to 315) :

Client -> Server : SYN
Server -> Client : SYN ACK
Client -> Server : ACK
Client -> Server : ClientHello
Server -> Client : ServerHello, Certificate, ServerHelloDone
Client -> Server : ClientKeyExchange, ChangeCipherSpec, Finished
Server -> Client : ChangeCipherSpec, Finished
Client <-> Server : DATA

TLS with Session Resumption

Resumed handshake between Client and Server (the slide shows it on the same 0 to 315 timeline) :

Client -> Server : SYN
Server -> Client : SYN ACK
Client -> Server : ACK
Client -> Server : ClientHello
Server -> Client : ServerHello, ChangeCipherSpec, Finished
Client -> Server : ChangeCipherSpec, Finished
Client <-> Server : DATA

TLS HSTS

HSTS = HTTP Strict Transport Security

Remembers that a site is SSL-only

Prevents users from going to http:// and only then being redirected to https://

Prevents leaking of session cookies over unsecured wifi
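The client-side bookkeeping that makes HSTS work, as an added example (not code from the slides): the site sends a Strict-Transport-Security header (header name and directives from RFC 6797, not from the slides) over HTTPS, the client records the host as HTTPS-only until max-age runs out, and from then on rewrites http:// URLs to https:// before any request, and the cookies on it, can leave in clear text. The hosts and header values are constructed.

```python
# Added example (not from the slides): a minimal HSTS policy store and URL
# upgrader. Hosts, max-age values and URLs below are constructed.
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self) -> None:
        self.policies = {}     # host -> (expires_at, include_subdomains)

    def observe_header(self, host: str, value: str, now: float, over_https: bool) -> bool:
        """Record a policy from a Strict-Transport-Security header value.

        Returns False when the header is ignored: RFC 6797 only trusts it on
        an HTTPS response, and a missing or malformed max-age invalidates it.
        """
        if not over_https:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(arg.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:                       # max-age=0 withdraws the policy
            self.policies.pop(host, None)
            return True
        self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known_https_only(self, host: str, now: float) -> bool:
        """Exact host match, or a superdomain match with includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:              # expired policy no longer applies
                continue
            if i == 0 or include_sub:
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite http:// to https:// for hosts with a live policy."""
        parts = urlsplit(url)
        if (parts.scheme != "http" or parts.hostname is None
                or not self.is_known_https_only(parts.hostname, now)):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:    # port 80 becomes the default 443
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.observe_header("cu.be", "max-age=31536000; includeSubDomains", now=0, over_https=True)
    print(store.upgrade("http://www.cu.be/login?next=/", now=10))   # rewritten
    print(store.upgrade("http://example.test/", now=10))            # unknown host
```

The upgrade happens before the request is built, so the session cookie on the http:// URL is never sent over the unsecured network; this is the difference between HSTS and a server-side redirect, which only arrives after the clear-text request has already gone out.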

HTTP

It's what we use every day ;-)

There's a new version : HTTP/2, developed by Google as SPDY

Designed for speed

Multiple simultaneous requests in 1 connection

Binary format (pro : more efficient, con : harder to debug)

TLS/SSL encryption is standard

Built-in prioritization

Server Push

Header compression

Try it out

Deploy it !

Questions ?

Contact

Twitter @wimgtr

Slides http://www.slideshare.net/wimg

E-mail [email protected]

Thanks !