your app lives on the network - networking for web developers
TRANSCRIPT
Wim Godden, Cu.be Solutions, @wimgtr
Your app lives on a network : Networking for web developers
Who am I ?
Wim Godden (@wimgtr)
Where I'm from
My town
Belgium : the traffic
Who am I ?
Wim Godden (@wimgtr)
Founder of Cu.be Solutions (http://cu.be)
Open Source developer since 1997
Developer of PHPCompatibility, OpenX, Nginx SLIC, ...
Speaker at PHP and Open Source conferences
Who are you ?
Developers ?
System engineers ?
Network engineers ?
Do you know how the Internet works ?
We're web developers, not network engineers !
Know enough to build new stuff
Know enough to maintain existing code
What if...
Customer
Support Desk
Developers
Do you know these ?
TCP
UDP
IP
DNS
BGP
MAC address
IPv4
IPv6
SYN
ACK
Source port
Destination port
Default gateway
Routing table
Basics : OSI model
Layer 1 - Physical : Wires, network card, wireless interface
Layer 2 - Data Link : Data protocol (ethernet, ...)
Layer 3 - Network : IP addressing
Layer 4 - Transport : TCP, UDP, ports, ...
Layer 5 - Session : TLS, L2TP, SOCKS, PPTP, ...
Layer 6 - Presentation : Serialization, data translation
Layer 7 - Application : HTTP, DNS, SMTP, ...
Basics : packets
Physical cable or wireless : 01011010111010
Basics : packets
Destination MAC (6 bytes) | Source MAC (6 bytes) | Type (2 bytes) | Payload (46-1500 bytes) | CRC (4 bytes)
Part 1 : Ethernet frame
Bit   0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31
0     Version | Header length | DSCP | ECN | Total length
32    Identification | Flags | Fragment Offset
64    Time To Live | Protocol | Header Checksum
96    Source IP Address
128   Destination IP Address
160   Options (if required)
< Contents of the packet >
Part 2 : IPv4 header (min. 160 bytes)
Part 3 : TCP/UDP header and data
Basics : TCP packet
Bit   0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31
0     Source port | Destination port
32    Sequence number
64    Acknowledgment number
96    Data offset | Flags | Window size
128   Checksum | Urgent pointer
160   Options (if required)
< Contents of the packet >
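To make the three header layouts above concrete, here is an added example (not from the slides) that parses a constructed Ethernet + IPv4 + TCP frame with Python's struct module, following the field order and sizes of the tables; the MAC addresses, sequence number and window are made up, apart from the client's MAC which is the one in the ARP reply shown later in the talk.

```python
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP headers in the field order of the tables above."""
    # Part 1: Ethernet header is 14 bytes (dst MAC, src MAC, EtherType); the NIC strips the CRC
    dst_mac, src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != 0x0800:
        raise ValueError(f"not IPv4: EtherType 0x{eth_type:04x}")
    ip = frame[14:]
    # Part 2: IPv4 header; first byte = version (high nibble) + header length in 32-bit words
    (ver_ihl, _dscp_ecn, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(ip) < total_len:
        raise ValueError("truncated or non-IPv4 packet")
    if proto != 6:
        raise ValueError(f"not TCP: protocol {proto}")
    tcp = ip[ihl:total_len]      # total length bounds the segment; Ethernet padding is dropped
    # Part 3: TCP header; data offset (high nibble) = header length in 32-bit words
    (sport, dport, seq, ack, off_res, flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": ip_str(src_ip), "dst_ip": ip_str(dst_ip), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
        "window": window, "payload": tcp[data_off:],
    }

def build_sample():
    """Constructed frame: a SYN from 192.168.0.15:5000 to 194.50.97.38:80 (not a real capture)."""
    eth = bytes.fromhex("005056000001") + bytes.fromhex("0050568b6ab7") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 5000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 15]), bytes([194, 50, 97, 38]))
    return eth + ip + tcp
```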
Sending on a local network
Each system has a MAC address, assigned by the manufacturer
Can be overwritten (for VM or failover)
Same physical network : send packet to MAC address
Switch knows MAC address(es) of devices and forwards traffic
Layer 2
Sending IP traffic on local network
Requires IP addresses
Where to send ? We need to know the MAC address
Uses ARP (Address Resolution Protocol) for lookup
Stores IP-to-MAC relation in ARP table
What's local ? Same IP subnet
OK, what's a subnet ?
Layer 3
16:58:56.933019 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.15 tell 192.168.0.12, length 28
16:58:56.938019 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.15 is-at 00:50:56:8b:6a:b7, length 46
IP addressing (IPv4)
IPv4 addressing = CIDR notation
xxx.xxx.xxx.xxx where 0
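Added example (not from the slides) answering "what's a subnet ?" in code: two addresses are local to each other when they agree on the first N bits of a /N prefix, and that same comparison, applied over a routing table with longest-prefix match, decides whether the sender ARPs for the destination itself or for the default gateway. The routing table and the gateway 192.168.0.1 are constructed for the client in the slides; routers apply the same longest-prefix match to the prefixes BGP hands them.

```python
def ip_to_int(dotted):
    """'192.168.0.15' -> 32-bit integer; rejects anything that is not four octets."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]

def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_for(prefix):
    """/24 -> 0xFFFFFF00: the top `prefix` bits identify the network."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def parse_cidr(cidr):
    """'192.168.0.15/24' -> (network as int, prefix length)."""
    addr, _, prefix = cidr.partition("/")
    prefix = int(prefix) if prefix else 32
    return ip_to_int(addr) & mask_for(prefix), prefix

def netmask(prefix):
    return int_to_ip(mask_for(prefix))

def same_subnet(a, b, prefix):
    """Local means: both addresses share the network bits, so we can ARP for b directly."""
    return (ip_to_int(a) & mask_for(prefix)) == (ip_to_int(b) & mask_for(prefix))

# Constructed routing table for the client in the slides (the default gateway is assumed)
ROUTES = [
    ("192.168.0.0/24", None),       # directly connected: ARP for the destination itself
    ("0.0.0.0/0", "192.168.0.1"),   # everything else: hand it to the router
]

def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: returns the address the sender must ARP for to reach dst."""
    best = None
    d = ip_to_int(dst)
    for cidr, gateway in routes:
        net, prefix = parse_cidr(cidr)
        if d & mask_for(prefix) == net and (best is None or prefix > best[0]):
            best = (prefix, gateway)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1] or dst
```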
TCP/UDP ports
TCP :
Bit   0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31
0     Source port | Destination port
32    Sequence number
64    Acknowledgment number
96    Data offset | Flags | Window size
128   Checksum | Urgent pointer
160   Options (if required)
< Contents of the packet >
UDP :
Bit   0-3 | 4-7 | 8-11 | 12-15 | 16-19 | 20-23 | 24-27 | 28-31
0     Source port | Destination port
32    Length | Checksum
< Contents of the packet >
Source and Destination ports
Destination port : defined by service
HTTP : TCP port 80
HTTPS : TCP port 443
DNS : UDP port 53
Source port : for identification of a connection
Diagram : the client uses source ports 5000, 5001 and 5002 for three connections to server port 80
See active connections with source/destination ports : netstat -n
Fetching a website
Need to fetch http://cu.be
TCP doesn't know what cu.be is ; it needs an IP address
Looks up IP address through DNS
Open a socket
Connect to IP address on port 80
Send HTTP request over the connection
Get data back
Get images, CSS, javascript over the same connection
Close the connection
Show the webpage
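The steps listed above, carried out with plain sockets, as an added example that is not part of the talk: the name is resolved first because TCP only understands IP addresses, then a socket is opened, connected to the port, the HTTP request is sent, the response read and the connection closed. To run offline it talks to a tiny stand-in server on 127.0.0.1 (constructed here, it is not cu.be), so the name lookup for "localhost" is answered from the hosts file rather than by a recursive DNS server.

```python
import socket
import threading

# Constructed canned reply from the local stand-in server (no real request to cu.be is made)
CANNED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   b"Content-Length: 13\r\nConnection: close\r\n\r\nHello, cu.be!")

def serve_once(listener):
    """Stand-in web server: accept one connection, read the request headers, answer, close."""
    conn, _ = listener.accept()
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:      # the request headers end at the blank line
            chunk = conn.recv(4096)
            if not chunk:
                return
            request += chunk
        conn.sendall(CANNED_RESPONSE)

def fetch(host, port):
    """The slide's steps: resolve the name, open a socket, connect, send, read, close."""
    # 1. TCP needs an IP address: look the name up (a real name would go to the recursive DNS)
    ip = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    # 2-3. open a socket and connect to IP:port; the OS picks the source port for us
    with socket.create_connection((ip, port), timeout=5) as sock:
        # 4. send the HTTP request over the connection
        sock.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        # 5. get data back: a stream that arrives in chunks, reassembled from packets by TCP
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    # 6. the with-block closed the connection; now split status line, headers and body
    head, _, body = data.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0].decode()
    return ip, status_line, body

def demo():
    """Run fetch() against the local stand-in server and return (ip, status line, body)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(listener,), daemon=True)
    server.start()
    try:
        return fetch("localhost", port)
    finally:
        server.join(5)
        listener.close()
```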
DNS lookups
Through a DNS server
Authoritative : in charge of the domain name
Recursive : asks the authoritative server, then caches for a while
Cache time is defined by TTL
Usually you will use a recursive server (owned by your provider)
Diagram :
Client -> Recursive DNS server : IP for cu.be ?
Recursive DNS server -> Root DNS server : IP for cu.be ?
Root DNS server : Ask the .be DNS server
Recursive DNS server -> .be DNS server : IP for cu.be ?
.be DNS server : Ask the cu.be DNS server
Recursive DNS server -> cu.be DNS server : IP for cu.be ?
cu.be DNS server : 194.50.97.38
Recursive DNS server -> Client : 194.50.97.38
DNS lookups
Actual lookups depend on type of DNS record
DNS holds lots of things :
A record = IP addresses
CNAME records = aliases for A records
MX records = mail servers
NS records = DNS servers
TXT = various stuff (anti-spam mostly)
2 tools to debug DNS : dig, nslookup
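The root -> .be -> cu.be walk and the TTL cache of the recursive server, as an added simulation that is not part of the talk. The zone data is constructed (only the cu.be address 194.50.97.38 comes from the slides; the www alias, the MX value and the TTLs are made up), and a delegation names the child zone to ask rather than a server address, to keep the code short.

```python
import time

# Constructed zone data for the chain in the slide: root -> .be -> cu.be (value, TTL in seconds).
# A delegation (NS) names the child zone to ask instead of a server address, to keep it short.
ZONES = {
    ".":      {("be.", "NS"): ("be.", 172800)},
    "be.":    {("cu.be.", "NS"): ("cu.be.", 86400)},
    "cu.be.": {("cu.be.", "A"): ("194.50.97.38", 3600),
               ("www.cu.be.", "CNAME"): ("cu.be.", 3600),
               ("cu.be.", "MX"): ("mail.cu.be.", 3600)},
}

def ask_authoritative(zone, name, rtype):
    """An authoritative server's reply: the answer, an alias, a referral, or nothing."""
    records = ZONES[zone]
    if (name, rtype) in records:
        return "answer", records[(name, rtype)]
    if (name, "CNAME") in records:
        return "cname", records[(name, "CNAME")]
    for (owner, t), (child, _ttl) in records.items():
        if t == "NS" and (name == owner or name.endswith("." + owner)):
            return "referral", child
    return "nxdomain", None

class RecursiveResolver:
    """The provider's recursive server: walks the delegation chain and caches by TTL."""

    def __init__(self, clock=time.time):
        self.cache, self.clock = {}, clock   # clock is injectable so expiry can be tested
        self.queries = []                    # (zone asked, name, type) for every query sent

    def resolve(self, name, rtype="A"):
        key = (name, rtype)
        if key in self.cache and self.cache[key][1] > self.clock():
            return self.cache[key][0]        # still fresh: answered from cache, no query sent
        zone = "."                           # cold: start at a root server
        while True:
            self.queries.append((zone, name, rtype))
            kind, payload = ask_authoritative(zone, name, rtype)
            if kind == "answer":
                value, ttl = payload
                self.cache[key] = (value, self.clock() + ttl)
                return value
            if kind == "cname":              # alias: resolve the target with the same type
                return self.resolve(payload[0], rtype)
            if kind == "referral":
                zone = payload               # "ask the .be server", then "ask the cu.be server"
            else:
                return None                  # NXDOMAIN: the name does not exist
```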
Sockets
The layer between your application and TCP, UDP, ...
Abstracts syntax
Makes it easy to switch between protocols
Provides an easy interface
No need to know implementation
Send a stream of data split up in packets
Receive lots of data converted from packets to string
Packets over the Internet
Diagram : Client (192.168.0.15) -> Router (192.168.0.1) -> Internet -> Server (194.7.1.4)
BGP protocol decides how packets are routed
Each public network has an AS (Autonomous System) number
AS3356 = Level3
AS39628 = Cu.be
Each network announces its subnets over BGP to its uplink providers : AS39628 : here you can reach 194.50.97.0/24 through me
BGP routes
BGP routing
Diagram : path from Client to Server through routers in AS 1, AS 5, AS 52, AS 10 and AS 2
IPv6
Created to solve lack of IP addresses (4.3 billion in IPv4)
Standard created in 90s
Deployed on most major sites, but small sites behind
Addresses :
IPv4 address : 192.168.0.1
IPv6 address : 2001:0db8:0000:0000:0000:0000:0370:7334
Abbreviated : 2001:0db8::0370:7334
Can't talk to each other !
Address space : 2^128 = 340,282,366,920,938,463,463,374,607,431,770,000,000
Deployment rates (source : Google) :
Global : 13.12%
US : 29.78%
Canada : 16.58%
Belgium : 48.42%
Should you use it ? YES ! (But don't forget about firewalling !)
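The abbreviation rule behind the slide's "::" form, as an added example that is not from the talk: expand a written address back to its eight groups, then compress it the way RFC 5952 prescribes (leading zeros dropped, the first longest run of at least two zero groups replaced by "::"). Note that RFC 5952 also strips leading zeros, so the canonical output is shorter than the slide's "2001:0db8::0370:7334", which is a valid but non-canonical spelling of the same address.

```python
def expand_ipv6(addr):
    """'2001:0db8::0370:7334' -> the eight 4-hex-digit groups the '::' stood for."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    head, sep, tail = addr.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and len(left) != 8):
        raise ValueError(f"bad IPv6 address {addr!r}")
    groups = left + ["0"] * (missing if sep else 0) + right
    values = [int(g, 16) for g in groups]             # int() rejects junk such as 'zz'
    if any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError(f"group out of range in {addr!r}")
    return [f"{v:04x}" for v in values]

def abbreviate_ipv6(addr):
    """RFC 5952 form: strip leading zeros, replace the longest run of zero groups with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):          # sentinel closes a trailing run
        if g == "0" and run_start is None:
            run_start = i
        elif g != "0" and run_start is not None:
            if i - run_start > best_len:              # on a tie the first run wins, per the RFC
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:                                  # a single zero group is never compressed
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"
```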
TLS
Timeline (ms) : 0, 45, 90, 135, 180, 225, 270, 315
Client -> Server : SYN
Server -> Client : SYN ACK
Client -> Server : ACK, ClientHello
Server -> Client : ServerHello, Certificate, ServerHelloDone
Client -> Server : ClientKeyExchange, ChangeCipherSpec, Finished
Server -> Client : ChangeCipherSpec, Finished
Client -> Server : DATA
TLS with Session Resumption
Timeline (ms) : 0, 45, 90, 135, 180, 225, 270, 315
Client -> Server : SYN
Server -> Client : SYN ACK
Client -> Server : ACK, ClientHello
Server -> Client : ServerHello, ChangeCipherSpec, Finished
Client -> Server : ChangeCipherSpec, Finished
Client -> Server : DATA
TLS HSTS
HSTS = HTTP Strict Transport Security
Remembers that a site is SSL-only
Prevents users from going to http:// then redirected to https://
Prevents leaking of session cookies over unsecured wifi
HTTP
It's what we use every day ;-)
There's a new version : HTTP/2, developed by Google as SPDY
Designed for speed
Multiple simultaneous requests in 1 connection
Binary format (pro : more efficient ; con : harder to debug)
TLS/SSL encryption is standard
Built-in prioritization
Server Push
Header compression
Try it out
Deploy it !
Questions ?
Contact
Twitter @wimgtr
Slides http://www.slideshare.net/wimg
E-mail [email protected]
Thanks !