Optimierung von Anwendungen (Application Optimization) - hp-user-society.de


© 2006, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr

Slide 1

© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public

Session 2d01
Horst Dümcke, [email protected]

Optimierung von Anwendungen (Application Optimization)

Slide 2

Application Networking: Business Ready Enterprise

Business Ready Enterprise applications: CRM (Customer Relationship Management), SCM (Supply Chain Management), ERM (Enterprise Resource Management), ERP (Enterprise Requirements Planning), Communications, Productivity, Order Processing, Vertical, SFA (Sales Force Automation)

Application Networking Services: Application Delivery and Application Oriented Networking

Server: OS, Hardware

Storage Infrastructure: SAN, NAS, DAS

Transport Infrastructure: Eth, FC, IB, WAN, MAN

Optimizing application performance with existing server, storage, and network infrastructure

Slide 3

Application Optimization Infrastructure (WAN)

WAN Acceleration: Data redundancy elimination, Window scaling, LZ compression, Adaptive congestion avoidance

Application Acceleration: Latency mitigation, Application data cache, Meta data cache, Local services

Application Optimization: Delta encoding, FlashForward optimization, Application security, Server offload

Application Scalability: Server load-balancing, Site selection, SSL termination and offload, Video delivery

Network Classification: Quality of Service, Network-Based App Recognition, Queuing, Policing, Shaping, Visibility, Monitoring, Control

Application Networking: Message Transformation, Protocol Transformation, Message based Security, Application visibility

Slide 4

Roadmap through this Presentation

Evolution of Application Design

User Interface (web browser based): Web Caching, Stateful SLB, Security

App. to App. Comm. (web services based): Example Application Integration, Security

Real Time Traffic (Voice and Video): Video Delivery

Conclusion


Slide 6

Web based applications

Browser to Web Server: GET index.html, answered with 200 OK. Behind the Web Server, CGI calls the Application, which reads and writes its Data (DB, FileSystem).

Three such silos, each with its own Web Server, Application and Data tier, serve the requests “Hire Joe Doe”, “Make sure he gets paid” and “Joe needs a cell phone”.

Slide 7

Application Integration

A Web Portal fronts the three Applications (each with its own Data tier and a WSDL-described interface). The request “Hire Joe Doe” is handled by the portal through Discovery, Routing, Security and Orchestration across the applications.


Slide 9

“Web 2.0”

Source: http://www.web2logo.com/


Slide 11

Example: Duke’s bank from the J2EE tutorial

1) http://someserver/bank/transferFunds
2) http://someserver/bank/transferFunds

Different output for the same URL: HTTP is stateless. How is the state managed?

Source: http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Ebank.html

Slide 12

HTTP, the Hypertext Transfer Protocol, uses TCP to transmit requests and responses between client and server (HTTP/1.0, port 80):

SYN -> SYN/ACK -> ACK (TCP handshake)
http request
http response
FIN -> ACK, FIN/ACK -> ACK (TCP teardown)

HTTP/1.1 adds persistent connections and pipelining.

Slide 13

HTTP Redirection

client -> server1: http request
server1 -> client: http response (moved): HTTP/1.1 301 Moved Permanently, Location: http://server2/path/index.html
client -> server2: http request
server2 -> client: http response

Slide 14

Cookies

request
response with Set-Cookie: NAME=VALUE; expires=DATE;
request with Cookie: NAME=VALUE
response

“A cookie is a small piece of information sent by a web server to store on a web browser so it can later be read back from that browser.”

Slide 15

HTTP – Conditional GET

HTTP/1.1 conditional GET requests allow a previously requested object to be cached by the browser if not stale.

If-Modified-Since: the client requests the object only if it was modified since the Last-Modified: date, e.g. If-Modified-Since: Fri, 02-Jun-95 02:42:43 GMT

Etag: a unique identifier associated with a document, sent by the server. The client requests the document only if the entity tag has changed, e.g. If-None-Match: "2f5cd-964-381e1bd6"

For each request of a fresh object the server returns 304 Not Modified. This can be inefficient!

Slide 16

Example: Duke’s bank – Network Trace (server2)

GET /bank/transferFunds HTTP/1.1 -> 200 OK
GET /bank/template/banner.gif HTTP/1.1 -> 200 OK
POST /bank/j_security_check HTTP/1.1 -> 302 Moved Temporarily
GET /bank/transferFunds HTTP/1.1 -> 200 OK
GET /bank/template/banner.gif HTTP/1.1 -> 304 Not Modified


Slide 18

Application Optimization Infrastructure (WAN): Deploy Transparent Web Caching

Slide 19

Transparent Caching

No changes to network architecture, browsers, or servers: web traffic is transparently redirected by a WCCP-enabled router to the cache on its way to the web server on the Internet.

Slide 20

HTTP Cache

• Web pages are made of a series of objects
• The HTML file is downloaded first; the browser then parses the Web page top-down looking for HTML tags like “IMG SRC=xxxxx”
• Java code is a cacheable object, too

Siebel 7 Helpdesk, large .cab downloads: 95% cache hit rate
Documentum Customer Sales Force Portal: 80–90% bytes cached (large PDF and PPT objects)
Oracle Finance: 2 MB .jar download cached

Slide 21

Example: Duke’s bank – Network Trace (server2), the trace of slide 16 annotated with the cache validator:

HTTP/1.1 200 OK
ETag: "13453-1062576212000"
Content-Type: image/gif

GET /bank/template/banner.gif HTTP/1.1
If-None-Match: "13453-1062576212000"
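The validator exchange above, as an added Python example that is not from the deck: a server-side handler that issues an ETag and Last-Modified for the banner and turns a matching If-None-Match or If-Modified-Since into 304 Not Modified. The object store, the content-hash ETag format and the function names are assumptions.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed object store: path -> (body bytes, last-modified time). The timestamp
# is constructed; the deck's server used an "<inode>-<mtime>" style tag instead.
OBJECTS = {
    "/bank/template/banner.gif": (
        b"GIF89a constructed banner bytes",
        datetime(2003, 9, 3, 8, 3, 32, tzinfo=timezone.utc),
    ),
}


def make_etag(body: bytes) -> str:
    """Strong ETag derived from the content (assumption: content hash, not inode/mtime)."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def parse_if_none_match(value: str):
    """Return None for "*" (matches any representation) or the set of quoted tags sent."""
    value = value.strip()
    if value == "*":
        return None
    return {tag.strip() for tag in value.split(",") if tag.strip()}


def handle_get(path: str, headers: dict):
    """Return (status, response headers, body) for a GET carrying optional validators."""
    obj = OBJECTS.get(path)
    if obj is None:
        return 404, {}, b""
    body, mtime = obj
    etag = make_etag(body)
    validators = {"ETag": etag, "Last-Modified": format_datetime(mtime, usegmt=True)}

    not_modified = False
    if "If-None-Match" in headers:
        # If-None-Match takes precedence over If-Modified-Since when both are present.
        tags = parse_if_none_match(headers["If-None-Match"])
        not_modified = tags is None or etag in tags
    elif "If-Modified-Since" in headers:
        try:
            since = parsedate_to_datetime(headers["If-Modified-Since"])
        except (TypeError, ValueError):
            since = None  # unparsable date: ignore the validator and send the full object
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            not_modified = mtime <= since

    if not_modified:
        # The browser's copy is fresh: send the validators only, no body. Each such
        # revalidation still costs a WAN round trip, the inefficiency the slide points out.
        return 304, validators, b""
    return 200, {**validators, "Content-Type": "image/gif"}, body
```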

Slide 22

Application Optimization Infrastructure (WAN): Application Velocity System

Slide 23

Object Download Without FlashForward (browser – WAN – web server)

HTTP Request “index.html” -> Forward Response 200 OK “index.html”
HTTP Request “foo.gif” -> Forward Response 200 OK “foo.gif”
HTTP IMS Request “foo.gif” -> Forward Response 304 “Not Modified”
HTTP IMS Request “foo.gif” -> Forward Response 200 OK “foo.gif”

Slide 24

Object Download With FlashForward (browser – WAN – AVS – web server)

HTTP Request “index.html” -> Forward Request -> HTTP Response -> Rewrite HTML page -> Response 200 OK “index.html” (rewritten)
HTTP Request “foo_FGN1.gif” -> Response 200 OK “foo_FGN1.gif”
HTTP IMS Request “foo.gif” -> Response 304 “NM”
HTTP IMS Request “foo.gif” -> Response 304 “NM”
HTTP Request “foo_FGN2.gif” -> Response 200 OK
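A FlashForward-style rewrite, as an added Python example that is not the AVS implementation: the HTML is rewritten so that each embedded image reference carries a generation number derived from the object's current content (foo.gif becomes foo_FGN1.gif, then foo_FGN2.gif once the image changes), so the browser never needs an IMS revalidation for an unchanged object. The class, the regex and the cache headers are assumptions.

```python
import hashlib
import re
from typing import Callable, Dict, List

# Matches src="..." inside <img ...> tags: the references the browser fetches after parsing.
IMG_SRC = re.compile(r'(<img\b[^>]*?\bsrc=["\'])([^"\'>]+)(["\'])', re.IGNORECASE)


class FlashForwardRewriter:
    """Accelerator-side state: per origin object, the content digests seen so far.
    The 1-based position of a digest in that list is its generation number (FGN)."""

    def __init__(self, fetch: Callable[[str], bytes]):
        self.fetch = fetch                      # fetches the current object from the origin
        self.generations: Dict[str, List[str]] = {}
        self.cache: Dict[str, bytes] = {}       # fingerprinted name -> body served under it

    def fingerprinted_name(self, name: str) -> str:
        body = self.fetch(name)
        digest = hashlib.sha256(body).hexdigest()
        gens = self.generations.setdefault(name, [])
        if digest not in gens:
            gens.append(digest)                 # new content: new generation number
        gen = gens.index(digest) + 1
        stem, dot, ext = name.rpartition(".")
        new_name = f"{stem}_FGN{gen}.{ext}" if dot else f"{name}_FGN{gen}"
        self.cache[new_name] = body
        return new_name

    def rewrite_html(self, html: str) -> str:
        """Replace every IMG SRC with its fingerprinted name (the 'rewritten index.html')."""
        return IMG_SRC.sub(
            lambda m: m.group(1) + self.fingerprinted_name(m.group(2)) + m.group(3), html)

    def serve(self, requested: str):
        """Answer a request for a fingerprinted object from the accelerator's cache."""
        body = self.cache.get(requested)
        if body is None:
            return 404, {}, b""
        # The name changes whenever the content changes, so the browser may keep this copy
        # for a long time without ever sending an If-Modified-Since request for it.
        return 200, {"Cache-Control": "max-age=31536000, immutable"}, body
```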


Slide 26

Application Optimization Infrastructure (WAN): L7 content switch

Slide 27

Session State

• HTTP is stateless
• Session state can be maintained by the browser through: Cookies, URL rewriting, Hidden form fields, Challenge/response (username/password), MSNID (Mobile clients)
• Most likely the browser only stores a session ID: JSESSIONID, PHPSESSIONID, ASP.NET_SessionId
• Session information is stored server side: in memory, in database

Slide 28

Example: Duke’s bank – Network Trace (server2), the trace of slide 16 annotated with the session cookie:

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=DD0A8323C9ABCF64608D618920D8DF5C; Path=/

POST /bank/j_security_check HTTP/1.1
Cookie: JSESSIONID=DD0A8323C9ABCF64608D618920D8DF5C
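Cookie-based stickiness for a stateful server load balancer, as an added Python example that is not the content switch's own logic: the balancer learns the JSESSIONID a server hands out in Set-Cookie and routes later requests carrying that Cookie to the same server, which is why an L7 switch has to buffer and parse the request before it can pick a server. The class, its round-robin fallback and the server names are assumptions.

```python
from typing import Dict, List, Optional

# Session cookie names the slide lists; the balancer keys its table on whichever one it sees.
SESSION_COOKIES = ("JSESSIONID", "PHPSESSIONID", "ASP.NET_SessionId")


def cookie_value(header: str, name: str) -> Optional[str]:
    """Extract NAME=VALUE from a Cookie or Set-Cookie header; attributes like Path= are skipped."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and value:
            return value
    return None


def session_id(cookie_header: str) -> Optional[str]:
    for name in SESSION_COOKIES:
        value = cookie_value(cookie_header, name)
        if value:
            return value
    return None


class StickyBalancer:
    def __init__(self, servers: List[str]):
        self.servers = list(servers)
        self.next_rr = 0
        self.table: Dict[str, str] = {}   # session id -> real server

    def choose(self, request_headers: Dict[str, str]) -> str:
        """Pick the server for one request: sticky if the session is known, else round-robin."""
        sid = session_id(request_headers.get("Cookie", ""))
        server = self.table.get(sid) if sid else None
        if server in self.servers:
            return server
        server = self.servers[self.next_rr % len(self.servers)]
        self.next_rr += 1
        return server

    def learn(self, server: str, response_headers: Dict[str, str]) -> Optional[str]:
        """Bind a session to the server that created it (from the Set-Cookie in its response)."""
        sid = session_id(response_headers.get("Set-Cookie", ""))
        if sid:
            self.table[sid] = server
        return sid

    def remove_server(self, server: str) -> None:
        """Server failed: drop it and its bindings so those sessions are re-balanced."""
        self.servers = [s for s in self.servers if s != server]
        self.table = {sid: s for sid, s in self.table.items() if s != server}
```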

Slide 29

Layer 7 Flow Setup (1/3)

Client -> content switch: SYN
Content switch: matches VIP w/ L7 rule, chooses SEQ #, replies w/ SYN_ACK
Client -> content switch: ACK
Client -> content switch: Data GET/HTTP 1.1
Content switch: starts buffering, ACKs client packets, keeps buffering

Slide 30

Layer 7 Flow Setup (2/3)

Client -> content switch: Data GET continuation; content switch: ACK
Content switch: parses the data, selects server, initiates TCP
Content switch -> server: SYN; server -> content switch: SYN_ACK (the switch acts as client and does not forward it); content switch -> server: ACK
Content switch -> server: Data GET, Data GET continuation (empties buffer, sends data to server)

Slide 31

Layer 7 Flow Setup (3/3)

Server -> content switch: ACK (does not forward ACK)
Server -> content switch: Data HTTP/1.1 200 OK; content switch: matches existing flow, rewrites L2/L3/L4 and SEQ/ACK (shortcut)
Client ACK and server Data continuation take the shortcut
Ready to splice the flows

Slide 32

Splicing the Flows Together: Adjusting Seq and Ack Numbers

Client-side flow: Seq = X, Ack = Y  |  Server-side flow: Seq = X, Ack = Z  (shortcut: Ack # Y -> Z)
Client-side flow: Seq = Y, Ack = X+1  |  Server-side flow: Seq = Z, Ack = X+1  (shortcut: Seq # Z -> Y)
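The sequence-number adjustment from the slide, as an added Python example that is not the content switch's code: the switch answered the client's SYN with its own initial sequence number Y, the server later chose Z, so once the flows are spliced every segment crossing the shortcut is shifted by Z - Y (modulo 2^32) while the client's own sequence space X passes through unchanged. The flow record, the addresses and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MOD = 1 << 32                 # TCP sequence numbers wrap at 2^32
Endpoint = Tuple[str, int]    # (ip, port)


@dataclass
class SplicedFlow:
    client: Endpoint   # client address, seen unchanged on both sides
    vip: Endpoint      # virtual IP the client connected to
    server: Endpoint   # real server selected after parsing the GET
    y: int             # ISN the switch chose toward the client (Y)
    z: int             # ISN the server chose toward the switch (Z)

    @property
    def delta(self) -> int:
        return (self.z - self.y) % MOD

    def rewrite(self, src: Endpoint, dst: Endpoint, seq: int, ack: int):
        """Shortcut path: rewrite L3/L4 addresses and SEQ/ACK of one segment.
        Returns (src, dst, seq, ack), or None if the segment is not part of this flow.
        The client's Seq (X space) is never touched; checksums are recomputed afterwards."""
        if (src, dst) == (self.client, self.vip):
            # client -> server: the Ack refers to the switch's Y space, shift it into Z space
            return self.client, self.server, seq, (ack + self.delta) % MOD
        if (src, dst) == (self.server, self.client):
            # server -> client: Seq is in Z space, shift it back into the Y space the client expects
            return self.vip, self.client, (seq - self.delta) % MOD, ack
        return None
```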


Slide 34

Application Optimization Infrastructure (WAN): Application Networking

Slide 35

What are Web Services?

• Software system designed to support interoperable machine-to-machine interaction
• Based on messages
• Platform and programming language-independent
• Leverage existing Web standards
• Interface is described in a machine-processable format
• Based on XML, SOAP, WSDL

Slide 36

SOAP message (Request Message URL: www.example.com/GetStockQuote)

SOAP Request Message, HTTP request header followed by the envelope:

    POST /GetStockQuote HTTP/1.1
    Host: www.example.com
    Content-type: text/xml; charset="utf-8"
    Content-length: nnnn
    SOAPAction: "StockService"

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
        <GetStockQuote xmlns="http://example.com/stockquote">
          <Symbol>CSCO</Symbol>
        </GetStockQuote>
      </soap:Body>
    </soap:Envelope>

SOAP Response Message, HTTP response header followed by the envelope:

    200 OK
    Content-type: text/xml; charset="utf-8"
    Content-length: nnnn

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Body>
        <GetStockQuoteResponse xmlns="http://example.com/stockquote">
          <Quote>18.5</Quote>
        </GetStockQuoteResponse>
      </soap:Body>
    </soap:Envelope>

Slide 37

AON Understands Application Messages

• Conventional networks provide intelligent packet level services but can’t interpret message contents
• AON interprets application message contents for much richer detailed information (e.g. Ship To, Part#, Qty, $, SLA)
• Allows business driven policies to be executed on application messages at runtime

Packet networking (SAP -> MFG): the network sees only 101011001011011011010100110101 (?)

Application-oriented networking (SAP -> MFG): the network sees the message itself:
PURCHASE ORDER #: 012345678
FROM: BigWig Co, Anytown
TO: Cisco Systems
DATE: 04/01/05
QTY: 50
PART#: Widget #12345a
PRICE: $500 ea.
TOTAL: $25,000
DELIVERY: Urgent
SLA: 2 days


Slide 39

XSLT: Extensible Stylesheet Language Transformations

Source: http://www.xml.com/pub/a/2000/08/holman/index.html

XML Doc (XML Data) + XSL Doc (Stylesheet) -> XSLT Processor -> HTML Doc (Final HTML)

Hello.xml:

    <?xml version="1.0"?>
    <?xml-stylesheet type="text/xsl" href="hello.xsl"?>
    <greeting>Hello world.</greeting>

Hello.xsl:

    <?xml version="1.0"?>
    <xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
      <xsl:output method="xml" omit-xml-declaration="yes"/>
      <xsl:template match="/">
        <html><b><i><u><xsl:value-of select="greeting"/></u></i></b></html>
      </xsl:template>
    </xsl:transform>

Hello.htm:

    <html><b><i><u>Hello world.</u></i></b></html>

Slide 40

Protocol Bridging and Message Transformation

An AON node bridges SOAP/HTTP, AONP, JMS (through a JMS Message Broker), JMS/SSL, FTP and SMTP.

• AON nodes can act as protocol gateways between multiple applications
• AON services can be used to create message transformation functions


Slide 42

Security Issues for Applications

• Identity: Authentication, Authorization
• Integrity: guarantee no modification in transit
• Confidentiality: protect data such that only authorized actors can view data

Slide 43

Security Context and Models

• Transport Level Security: both parties can be identified; integrity and confidentiality are ensured by the encrypted transport
• Message Level Security: the security context is embedded in the message header and allows identity verification; individual fields of the message can be encrypted for confidentiality; the message can be signed for integrity

(Diagram: the message path passes through an Intermediate Actor.)

Slide 44

Transport Level Security, SSL: Key Exchange (logical), between Client, Server and Certificate Authority

1. Client requests server to authenticate itself
2. Server authenticates by sending its digital certificate
3. Certificate is verified by checking validity dates and signature of the CA: if a Certificate Authority signed the certificate, verify with the CA public key; if self-signed, prompt the user to authenticate (manual pop-up security alert)
4. (Optional) Server may request client-side authentication
5. Message encryption algorithm and integrity hash functions negotiated
6. Session keys are generated
7. Encrypted data is exchanged

Slide 45

SSL Offload: full TCP proxy, two distinct connections

Client – offload device: TCP setup, SSL handshake, encrypted HTTP GET, encrypted HTTP reply, TCP tear down
Offload device – server: TCP setup, clear text HTTP GET and reply, TCP tear down

Slide 46

Message Level Security

• Transport Level Security establishes a security context between transport endpoints
• Message Level Security includes the security context as part of the message, providing end-to-end security across proxies
• Message Level Security requires: Identity, Integrity, Confidentiality

Slide 47

Identity: Security Tokens

• Username/Password
• X.509 Certificate

    <S11:Envelope xmlns:S11="..." xmlns:wsse="...">
      <S11:Header>
        <wsse:Security>
          <wsse:UsernameToken>
            <wsse:Username>Zoe</wsse:Username>
            <wsse:Password>IloveDogs</wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </S11:Header>
      <S11:Body>.....</S11:Body>
    </S11:Envelope>

Slide 48

Integrity: Digital Signature

Sender: computes Hash (S) over the Message and signs it with the Sender Private Key, producing the Signature; Message and Signature are sent.
Receiver: recomputes Hash (R) over the received Message and recovers Hash (S) from the Signature with the Sender Public Key.
Test integrity by comparing the hash calculated by the sender and the receiver.

Slide 49

Confidentiality: XML Encryption

• Encrypted data can be expressed using XML
• Portions of an XML document can be selectively encrypted

Before encryption:

    <S11:Body>
      <PaymentInfo>
        <Name>John Smith</Name>
        <CreditCard Limit="3000">
          <Number>12345678</Number>
        </CreditCard>
      </PaymentInfo>
    </S11:Body>

After encrypting the CreditCard element:

    <S11:Header>
      <wsse:Security>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#card"/>
        </xenc:ReferenceList>
      </wsse:Security>
    </S11:Header>
    <S11:Body>
      <PaymentInfo>
        <Name>John Smith</Name>
        <xenc:EncryptedData Id="card">
          <ds:KeyInfo>
            <ds:KeyName>CN=Alpha Bank, C=FR</ds:KeyName>
          </ds:KeyInfo>
          <xenc:CipherData>
            <xenc:CipherValue>...</xenc:CipherValue>
          </xenc:CipherData>
        </xenc:EncryptedData>
      </PaymentInfo>
    </S11:Body>

Slide 50

AON as XML Firewall

1) Authenticate and validate SOAP requests: the Web Service receives SOAP from the authorized requestor; the unauthorized requestor is blocked
2) Secure SOAP communication: SOAP from the WS Client is carried as Secure SOAP between the AON nodes and delivered as SOAP to the Web Service
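The first XML-firewall step, authenticate and validate SOAP requests, as an added Python example that is not AON's implementation: it takes the UsernameToken of slide 47 and the GetStockQuote body of slide 36 and admits a message only if it is small, free of DTD declarations, well-formed SOAP 1.1, carries a UsernameToken that matches a known user, and invokes one allowed operation. The user store (a SHA-256 digest of the slide's password), the size limit and the function names are assumptions; the wsse namespace is the OASIS WS-Security 1.0 URI.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Tuple

NS = {
    "S11": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
ALLOWED_OPERATIONS = {"{http://example.com/stockquote}GetStockQuote"}
MAX_MESSAGE_BYTES = 64 * 1024
# Constructed user store: username -> hex SHA-256 of the password, never the clear password.
USERS = {"Zoe": hashlib.sha256(b"IloveDogs").hexdigest()}


def check_soap_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason or username) for one inbound SOAP request."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return False, "message too large"
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DTD/entity declarations not allowed"   # blocks entity-expansion payloads
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != "{%s}Envelope" % NS["S11"]:
        return False, "not a SOAP 1.1 envelope"
    body = root.find("S11:Body", NS)
    if body is None:
        return False, "missing Body"
    token = root.find("S11:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "missing wsse:UsernameToken"
    user = token.findtext("wsse:Username", default="", namespaces=NS).strip()
    password = token.findtext("wsse:Password", default="", namespaces=NS)
    expected = USERS.get(user)
    supplied = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # Always hash and compare in constant time, whether or not the user exists.
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "authentication failed"
    operations = [child.tag for child in body]
    if len(operations) != 1 or operations[0] not in ALLOWED_OPERATIONS:
        return False, "operation not allowed: %s" % operations
    return True, user


# Constructed request: the slide-47 security header around the slide-36 body.
GOOD_REQUEST = b"""<S11:Envelope xmlns:S11="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <S11:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>Zoe</wsse:Username><wsse:Password>IloveDogs</wsse:Password>
  </wsse:UsernameToken></wsse:Security></S11:Header>
  <S11:Body><GetStockQuote xmlns="http://example.com/stockquote"><Symbol>CSCO</Symbol></GetStockQuote></S11:Body>
</S11:Envelope>"""
```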


Slide 52

Application Optimization Infrastructure (WAN): IOS NAT

Slide 53

Control Protocols

• Control protocols are designed to establish and control endpoints for data exchange between applications
• Out-of-band control protocols use a different transport connection than the actual data exchange
• Many control protocols have in-band variations to work over HTTP to work around firewall issues

Slide 54

SIP

Alice -> SIP Proxy -> Bob: Invite
Bob -> SIP Proxy -> Alice: 200 OK
Alice -> Bob: ACK
Session established

Slide 55

Basic Concept of NAT: Example

• NAT changes the IP address (layer 3 OSI) in the IP header
• Remote host only sees the 14.38.50.1 address: instant security

Local host 10.6.1.20, NAT, remote host 172.16.1.1

Outbound packet before NAT: Src Addr 10.6.1.20, Dest Addr 172.16.1.1
Outbound packet after NAT: Src Addr 14.38.50.1, Dest Addr 172.16.1.1
Return packet before NAT: Src Addr 172.16.1.1, Dest Addr 14.38.50.1
Return packet after NAT: Src Addr 172.16.1.1, Dest Addr 10.6.1.20

Slide 56

SIP: Media Ports

IP Phone A (Ext. 5510) on 10.1.1.0/24, media IP 10.1.1.10, port 20000; a NAT sits between 10.1.1.0/24 and the Internet
IP Phone B (Ext. 5505) on 172.16.1.0/24, media IP 172.16.1.5, port 17000
(Other hosts in the diagram are labelled .1, .2 and .30)

Slide 57

SIP: One Way Audio

Same topology as slide 56 (IP Phone A Ext. 5510 on 10.1.1.0/24 behind the NAT, IP Phone B Ext. 5505 on 172.16.1.0/24 across the Internet):
Phone A > B RTP stream
Phone B > A RTP stream
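The one-way-audio failure of the two SIP slides, as an added Python model that is not Cisco IOS code: a NAT that translates only the IP header leaves Phone A's private address 10.1.1.10 inside the SDP of the INVITE, so Phone B sends its RTP stream to an unroutable address and only the A-to-B direction works; a NAT with a SIP application-layer gateway rewrites the c= and m= lines and opens the media binding in advance. The outside address 14.38.50.1 is borrowed from the NAT slide; the port allocation, the Packet class and the simplified SIP/SDP text are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


def sdp_media(sip_message: str) -> Optional[Addr]:
    """Where the sender wants RTP delivered, taken from the SDP c= and m=audio lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", sip_message, re.M)
    port = re.search(r"^m=audio (\d+) ", sip_message, re.M)
    if not (ip and port):
        return None
    return ip.group(1), int(port.group(1))


class Nat:
    def __init__(self, outside_ip: str, sip_alg: bool):
        self.outside_ip = outside_ip
        self.sip_alg = sip_alg
        self.next_port = 30000
        self.bindings: Dict[Addr, Addr] = {}   # (outside ip, port) -> (inside ip, port)

    def _bind(self, inside: Addr) -> Addr:
        for outside, bound in self.bindings.items():
            if bound == inside:
                return outside
        outside = (self.outside_ip, self.next_port)
        self.next_port += 1
        self.bindings[outside] = inside
        return outside

    def outbound(self, p: Packet) -> Packet:
        """Inside -> outside: rewrite the IP/UDP header, and with the ALG also the SDP payload."""
        out_ip, out_port = self._bind((p.src, p.sport))
        payload = p.payload
        media = sdp_media(payload)
        if self.sip_alg and payload.startswith("INVITE") and media:
            # Open the RTP pinhole now and advertise the outside address in the SDP.
            media_out = self._bind(media)
            payload = payload.replace(f"c=IN IP4 {media[0]}", f"c=IN IP4 {media_out[0]}")
            payload = payload.replace(f"m=audio {media[1]} ", f"m=audio {media_out[1]} ")
        return Packet(out_ip, out_port, p.dst, p.dport, payload)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Outside -> inside; None means the packet never reaches an inside host."""
        if p.dst != self.outside_ip:
            return None   # a private 10.x address is not routable on the Internet
        inside = self.bindings.get((p.dst, p.dport))
        if inside is None:
            return None   # no binding: dropped by the NAT
        return Packet(p.src, p.sport, inside[0], inside[1], p.payload)


def simulate_call(sip_alg: bool) -> Optional[Addr]:
    """Phone A (10.1.1.10:20000) invites Phone B (172.16.1.5); returns where B's RTP lands inside."""
    nat = Nat("14.38.50.1", sip_alg)
    invite = ("INVITE sip:5505@172.16.1.5 SIP/2.0\n\n"
              "v=0\nc=IN IP4 10.1.1.10\nm=audio 20000 RTP/AVP 0\n")
    seen_by_b = nat.outbound(Packet("10.1.1.10", 5060, "172.16.1.5", 5060, invite))
    target = sdp_media(seen_by_b.payload)
    if target is None:
        return None
    # Phone B > A RTP stream, sent to whatever address the SDP told Phone B
    delivered = nat.inbound(Packet("172.16.1.5", 17000, target[0], target[1], "RTP"))
    return None if delivered is None else (delivered.dst, delivered.dport)
```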

Slide 58

Latency: Delay, Jitter

• Propagation delay: the time it takes the physical signal to traverse the path

• Serialization delay: the time it takes to actually transmit the packet; depends on the bit-rate

• Queuing delay: the time a packet spends in router queues; depends on queue length and type

• A maximum delay of 120 milliseconds is recommended for comfortable human-to-human audio

• Jitter: delay variation; caused by queue depth variation

• Jitter is bad for interactive voice like VoIP, generating pops and clicks

Slide 59

Packet Loss and Misordering

• Isolated loss: loss of an isolated packet; possible causes: a single CRC error, a short-duration full queue (tail-drop), …
• Burst loss: multiple consecutive packets are lost; possible causes: noise on the transmission media that kills all the packets, a sudden route change in a transit device that creates a temporary black hole, a full transit interface queue
• Packet misordering: this may happen; possible causes: load balancing through multiple paths having different latencies, inadequate QoS/queuing policy; typically happening on parallel architectures

Slide 60

Multi-Protocol Measurement with Cisco IOS IP Service Level Agreements

Measurement metrics: Latency, Network Jitter, Dist. of Stats, Connectivity, Packet Loss
Protocols: FTP, DNS, DHCP, TCP, Jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP, RTP, Radius, Video
Uses: Network Performance Monitoring, Service Level Agreement (SLA) Monitoring, Network Assessment, Multiprotocol Label Switching (MPLS) Monitoring, VoIP Monitoring, Availability, Trouble Shooting, Operations

Operation: the Source (Cisco IOS Software IP SLA) sends actively generated traffic with defined packet size, spacing, COS and protocol across the network to a Destination, either an IP Server or a Cisco IOS Software IP SLA Responder; the results are collected as MIB data.

Slide 61

HTTP Operation Measurement (IP SLAs)

DNS REQ / DNS ANS with the DNS Server: DNS RTT
SYN / SYN/ACK / ACK with the HTTP Server: TCP RTT
GET /… and the <HTML>…</HTML> response: HTTP RTT, Time to First Byte
FIN / FIN/ACK / ACK

Slide 62

UDP Jitter Operation Measurement Example

The IP SLA source sends packets P1, P2 at ST1, ST2 (spacing i1) across the IP Core; the Responder receives them at RT1, RT2 (spacing i2), replies after processing d1, d2 (spacing i2) and the source receives the reflected packets at AT1, AT2 (spacing i3).

STx = sent timestamp for packet x.
RTx = receive timestamp for packet x.
ATx = receive timestamp for reflected packet x.
dx = processing time spent between packet arrival and treatment.

Each packet contains STx, RTx, ATx, and dx. The source can now calculate:
JitterSD = (RT2-RT1)-(ST2-ST1) = i2-i1
JitterDS = (AT2-AT1)-((RT2+d2)-(RT1+d1)) = i3-i2
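The two jitter formulas above, applied as an added Python example that is not the IOS IP SLA implementation: each reflected probe carries STx, RTx and dx and the source adds ATx on arrival; consecutive probes then give source-to-destination and destination-to-source jitter, and a run of probes is summarized the way IP SLA reports it, as positive and negative jitter per direction. The probe record, the constructed timestamps (including a deliberate clock offset between source and responder) and the summary function are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Probe:
    st: int   # STx: sent timestamp at the source (ms, source clock)
    rt: int   # RTx: receive timestamp at the responder (ms, responder clock)
    d: int    # dx: responder processing time between arrival and treatment (ms)
    at: int   # ATx: arrival timestamp of the reflected packet at the source (ms, source clock)


def jitter_sd(p1: Probe, p2: Probe) -> int:
    """JitterSD = (RT2-RT1)-(ST2-ST1) = i2-i1: change in packet spacing, source -> destination."""
    return (p2.rt - p1.rt) - (p2.st - p1.st)


def jitter_ds(p1: Probe, p2: Probe) -> int:
    """JitterDS = (AT2-AT1)-((RT2+d2)-(RT1+d1)) = i3-i2: change in spacing, destination -> source.
    Adding dx gives the responder's send time; only differences of each clock are used, so an
    offset between the source and responder clocks cancels out."""
    return (p2.at - p1.at) - ((p2.rt + p2.d) - (p1.rt + p1.d))


def round_trip(p: Probe) -> int:
    """RTT excluding responder processing; uses the source clock only, so it needs no clock sync."""
    return (p.at - p.st) - p.d


def jitter_series(probes: List[Probe]) -> List[Tuple[int, int]]:
    """(JitterSD, JitterDS) for every consecutive pair of probes."""
    return [(jitter_sd(a, b), jitter_ds(a, b)) for a, b in zip(probes, probes[1:])]


def summarize(probes: List[Probe]) -> Dict[str, int]:
    """Positive/negative split per direction (largest magnitude each) plus the average RTT."""
    series = jitter_series(probes)
    sd = [s for s, _ in series]
    ds = [d for _, d in series]
    return {
        "max_pos_sd": max([v for v in sd if v > 0], default=0),
        "max_neg_sd": min([v for v in sd if v < 0], default=0),
        "max_pos_ds": max([v for v in ds if v > 0], default=0),
        "max_neg_ds": min([v for v in ds if v < 0], default=0),
        "avg_rtt": sum(round_trip(p) for p in probes) // len(probes),
    }


# Constructed probes (ms): 20 ms send spacing; the responder clock runs 1000 ms ahead.
PROBES = [
    Probe(st=0, rt=1050, d=2, at=102),
    Probe(st=20, rt=1075, d=3, at=130),   # SD spacing grew 20 -> 25, DS spacing grew 26 -> 28
    Probe(st=40, rt=1088, d=2, at=140),   # SD spacing shrank 20 -> 13, DS spacing 12 -> 10
]
```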


Slide 64

Live Stream: Hybrid Unicast to Multicast

A live unicast stream leaves the Video Server (with CDM, DNS and www in the diagram) across the WAN as unicast; on the multicast-enabled LAN only, a single multicast stream is replicated by the network. CE scales to many simultaneous programs; requires event planning and administration.

Slide 65

Video on Demand Without Cisco Content Engines (CE)

First request and subsequent requests each go from the client (www, CR) across the Internet or WAN to the Video Server (CDM): a separate stream for each client across the WAN; the aggregate of all clients must be less than the WAN bandwidth.

Slide 66

Video on Demand: Pull Caching

The first request goes across the Internet or WAN to the Video Server (CDM, DNS); subsequent requests are served locally. Streamed bandwidth must be less than WAN bandwidth; unmanaged Intranet or Internet sourced.


Slide 68

Application Optimization Infrastructure (WAN): summary, repeating the six categories of slide 3 (WAN Acceleration, Application Acceleration, Application Optimization, Application Scalability, Network Classification, Application Networking)

Slide 69

Q and A

Slide 70