Optimization of Applications (transcript of a slide deck, hosted at hp-user-society.de)
© 2006, Cisco Systems, Inc. All rights reserved. Printed in USA.
Slide 1 (© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public)
Session 2d01, Horst Dümcke, [email protected]
Optimization of Applications
Slide 2: Application Networking in the Business Ready Enterprise
Layered view, top to bottom:
• Business Ready Enterprise applications: CRM (Customer Relationship Management), SCM (Supply Chain Management), ERM (Enterprise Resource Management), ERP (Enterprise Requirements Planning), Communications, Productivity, Order Processing, Vertical, SFA (Sales Force Automation)
• Application Networking Services: Application Delivery and Application Oriented Networking
• Transport Infrastructure: Eth, FC, IB, WAN, MAN
• Server: OS, Hardware
• Storage Infrastructure: SAN, NAS, DAS
Optimizing application performance with existing server, storage, and network infrastructure.
Slide 3: Application Optimization Infrastructure (across the WAN)
• WAN Acceleration
  - Data redundancy elimination
  - Window scaling
  - LZ compression
  - Adaptive congestion avoidance
• Application Acceleration
  - Latency mitigation
  - Application data cache
  - Meta data cache
  - Local services
• Application Optimization
  - Delta encoding
  - FlashForward optimization
  - Application security
  - Server offload
• Application Scalability
  - Server load-balancing
  - Site selection
  - SSL termination and offload
  - Video delivery
• Network Classification
  - Quality of Service
  - Network-Based App Recognition
  - Queuing, Policing, Shaping
  - Visibility, Monitoring, Control
• Application Networking
  - Message Transformation
  - Protocol Transformation
  - Message based Security
  - Application visibility
Slide 4: Roadmap through this Presentation
• Evolution of Application Design
• User Interface (web browser based): Web Caching, Stateful SLB, Security
• App. to App. Comm. (web services based): Example Application Integration, Security
• Real Time Traffic (Voice and Video): Video Delivery
• Conclusion
Slide 6: Web based applications
Browser to Web Server: GET index.html, answered with 200 OK. The Web Server invokes the Application through CGI; the Application keeps its Data in a DB and in the file system.
A business process spans several such applications, each with its own Web Server, Application and Data: "Hire Joe Doe", "Make sure he gets paid", "Joe needs a cell phone".
Slide 7: Application Integration
The "Hire Joe Doe" request enters through a Web Portal. Each back-end application (Application plus Data) publishes its interface as WSDL, and the integration layer between the portal and the applications provides Discovery, Routing, Security and Orchestration.
Slide 9: "Web 2.0"
Source: http://www.web2logo.com/
Slide 11: Example: Duke's bank from the J2EE tutorial
1) http://someserver/bank/transferFunds
2) http://someserver/bank/transferFunds
Different output for the same URL. HTTP is stateless, so how is the state managed?
Source: http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Ebank.html
Slide 12: HTTP, the Hypertext Transfer Protocol, uses TCP to transmit requests and responses between client and server
Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Client -> Server: http request
Server -> Client: http response
Connection teardown: FIN, ACK, FIN/ACK, ACK
HTTP/1.0, port 80. HTTP/1.1 adds persistent connections and pipelining.
Slide 13: HTTP Redirection
Client -> server1: http request
server1 -> Client: http response (moved)
  HTTP/1.1 301 Moved Permanently
  Location: http://server2/path/index.html
Client -> server2: http request
server2 -> Client: http response
Slide 14: Cookies
Client -> Server: request
Server -> Client: response with Set-Cookie: NAME=VALUE; expires=DATE;
Client -> Server: request with Cookie: NAME=VALUE
Server -> Client: response
"A cookie is a small piece of information sent by a web server to store on a web browser so it can later be read back from that browser."
Slide 15: HTTP – Conditional GET
HTTP/1.1 conditional GET requests allow a previously requested object to be served from the browser cache as long as it is not stale.
• If-Modified-Since: the client requests the object only if it was modified after the Last-Modified: date it received, e.g.
    If-Modified-Since: Fri, 02-Jun-95 02:42:43 GMT
• ETag: a unique identifier the server associates with a document. The client requests the document only if the entity tag has changed, e.g.
    If-None-Match: "2f5cd-964-381e1bd6"
• For each request of a fresh object the server returns 304 Not Modified. This can be inefficient: every cached object still costs a round trip to the server just to learn that nothing changed.
Slide 16: Example: Duke's bank – Network Trace (server2)
Request                                   Response
GET /bank/transferFunds HTTP/1.1          200 OK
GET /bank/template/banner.gif HTTP/1.1    200 OK
POST /bank/j_security_check HTTP/1.1      302 Moved Temporarily
GET /bank/transferFunds HTTP/1.1          200 OK
GET /bank/template/banner.gif HTTP/1.1    304 Not Modified
Slide 18: Application Optimization Infrastructure (WAN): Deploy Transparent Web Caching
Slide 19: Transparent Caching
No changes to network architecture, browsers, or servers: web traffic between the clients and the Web Server on the Internet is transparently redirected to the cache by a WCCP-enabled router.
Slide 20: HTTP Cache
• Web pages are made of a series of objects
• The HTML file is downloaded first; the browser then parses the Web page top-down looking for HTML tags like "IMG SRC=xxxxx"
• Java code is a cacheable object, too
Customer examples:
• Siebel 7 Helpdesk: large .cab downloads, 95% cache hit rate
• Documentum customer sales force portal: 80–90% of bytes cached (large PDF and PPT objects)
• Oracle Finance: 2 MB .jar download cached
Slide 21: Example: Duke's bank – Network Trace (server2), the same trace as slide 16
Request                                   Response
GET /bank/transferFunds HTTP/1.1          200 OK
GET /bank/template/banner.gif HTTP/1.1    200 OK
POST /bank/j_security_check HTTP/1.1      302 Moved Temporarily
GET /bank/transferFunds HTTP/1.1          200 OK
GET /bank/template/banner.gif HTTP/1.1    304 Not Modified
Highlighted: the first response for banner.gif carries a validator, and the second request presents it:
  HTTP/1.1 200 OK
  ETag: "13453-1062576212000"
  Content-Type: image/gif

  GET /bank/template/banner.gif HTTP/1.1
  If-None-Match: "13453-1062576212000"
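The validator exchange above, carried through as an added example (not Cisco's or the J2EE tutorial's code): an origin-side handler that decides between 200 and 304 for the banner.gif request, following the If-None-Match and If-Modified-Since rules of slide 15. Resource, handle_get and the GIF bytes are constructed; the ETag comes from the trace.

```python
"""Conditional GET on the origin: 200 with the full object or 304 Not Modified.

Added example, not code from the presentation. Resource and handle_get are
assumed names; the ETag "13453-1062576212000" comes from the trace on the
slide (its trailing digits read like a millisecond mtime, used here as such).
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import timezone
from email.utils import formatdate, parsedate_to_datetime


@dataclass
class Resource:
    body: bytes
    mtime: int   # last modification time, seconds since the epoch
    etag: str    # strong entity tag, quoted exactly as sent on the wire

    def last_modified(self) -> str:
        return formatdate(self.mtime, usegmt=True)   # RFC 1123 date in GMT


def parse_headers(raw_request: str) -> dict[str, str]:
    """Header block of one request -> {lower-cased name: value}; request line skipped."""
    headers: dict[str, str] = {}
    for line in raw_request.splitlines()[1:]:
        if not line.strip():
            break                      # empty line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def etag_matches(if_none_match: str, etag: str) -> bool:
    """If-None-Match is '*' or a comma-separated list of entity tags.

    Tags are compared literally, so a weak tag W/"x" never validates the
    strong ETag "x" (a weak match must not answer 304 for a GET body).
    """
    if if_none_match.strip() == "*":
        return True
    return etag in [t.strip() for t in if_none_match.split(",")]


def handle_get(raw_request: str, res: Resource) -> tuple[int, dict[str, str], bytes]:
    """Return (status, response headers, body) for a GET of `res`."""
    h = parse_headers(raw_request)
    validators = {"ETag": res.etag, "Last-Modified": res.last_modified()}
    if "if-none-match" in h:
        # When both preconditions are present, If-None-Match wins and
        # If-Modified-Since is ignored (RFC 7232, section 6).
        if etag_matches(h["if-none-match"], res.etag):
            return 304, validators, b""
    elif "if-modified-since" in h:
        try:
            since = parsedate_to_datetime(h["if-modified-since"])
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if res.mtime <= int(since.timestamp()):
                return 304, validators, b""
        except (TypeError, ValueError):
            pass   # unparsable date: treat the precondition as absent
    headers = {**validators, "Content-Type": "image/gif",
               "Content-Length": str(len(res.body))}
    return 200, headers, res.body


# Constructed stand-in for /bank/template/banner.gif (not the real file).
BANNER = Resource(body=b"GIF89a\x01\x00\x01\x00\x00\xff\x00;",
                  mtime=1062576212, etag='"13453-1062576212000"')

if __name__ == "__main__":
    first = "GET /bank/template/banner.gif HTTP/1.1\r\nHost: server2\r\n\r\n"
    status, hdrs, _ = handle_get(first, BANNER)
    revalidate = (f"GET /bank/template/banner.gif HTTP/1.1\r\nHost: server2\r\n"
                  f"If-None-Match: {hdrs['ETag']}\r\n\r\n")
    print(status, handle_get(revalidate, BANNER)[0])
```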
Slide 22: Application Optimization Infrastructure (WAN): Application Velocity System
Slide 23: Object Download Without FlashForward
Browser -> web server (across the WAN): HTTP Request "index.html"
Web server -> Browser: Forward Response 200 OK "index.html"
Browser -> web server: HTTP Request "foo.gif"
Web server -> Browser: Forward Response 200 OK "foo.gif"
On later page views:
Browser -> web server: HTTP IMS Request "foo.gif"
Web server -> Browser: Forward Response 304 "Not Modified"
Browser -> web server: HTTP IMS Request "foo.gif"
Web server -> Browser: Forward Response 200 OK "foo.gif" (the object has changed)
Slide 24: Object Download With FlashForward
Browser -> AVS (across the WAN): HTTP Request "index.html"
AVS -> web server: Forward Request
Web server -> AVS: HTTP Response 200 OK
AVS: Rewrite HTML page (embedded object names get a generated suffix: foo.gif becomes foo_FGN1.gif)
AVS -> Browser: Response 200 OK "index.html" (rewritten)
Browser -> AVS: HTTP Request "foo_FGN1.gif"
AVS -> web server: HTTP IMS Request "foo.gif"
Web server -> AVS: Response 304 "NM"
AVS -> Browser: Response 200 OK "foo_FGN1.gif"
On later page views the AVS checks the origin itself (HTTP IMS Request "foo.gif") while the browser only asks for the name in the rewritten page; a changed object appears under a new name, HTTP Request "foo_FGN2.gif".
Slide 26: Application Optimization Infrastructure (WAN): L7 content switch
Slide 27: Session State
• HTTP is stateless
• Session state can be maintained by the browser through:
  - Cookies
  - URL rewriting
  - Hidden form fields
  - Challenge/response (username/password)
  - MSNID (mobile clients)
• Most likely the browser only stores a session ID: JSESSIONID, PHPSESSIONID, ASP.NET_SessionId
• Session information is stored server side: in memory or in a database
Slide 28: Example: Duke's bank – Network Trace (server2), the same trace as slide 16
Request                                   Response
GET /bank/transferFunds HTTP/1.1          200 OK
GET /bank/template/banner.gif HTTP/1.1    200 OK
POST /bank/j_security_check HTTP/1.1      302 Moved Temporarily
GET /bank/transferFunds HTTP/1.1          200 OK
GET /bank/template/banner.gif HTTP/1.1    304 Not Modified
Highlighted: the first response sets the session cookie, and the login POST sends it back:
  HTTP/1.1 200 OK
  Set-Cookie: JSESSIONID=DD0A8323C9ABCF64608D618920D8DF5C; Path=/

  POST /bank/j_security_check HTTP/1.1
  Cookie: JSESSIONID=DD0A8323C9ABCF64608D618920D8DF5C
Slide 29: Layer 7 Flow Setup (1/3)
Client -> Content switch: SYN
  Content switch: matches the VIP with an L7 rule, chooses its own SEQ number and replies with SYN_ACK
Content switch -> Client: SYN_ACK
Client -> Content switch: ACK
  Content switch: starts buffering
Client -> Content switch: Data (GET / HTTP/1.1)
Content switch -> Client: ACK
  Content switch: ACKs the client's packets and keeps buffering
Slide 30: Layer 7 Flow Setup (2/3)
Client -> Content switch: Data (GET continuation)
Content switch -> Client: ACK
  Content switch: parses the data, selects a server, initiates TCP to it
Content switch -> Server: SYN (the switch acts as client)
Server -> Content switch: SYN_ACK (not forwarded to the client)
Content switch -> Server: ACK
Content switch -> Server: Data (GET), Data (GET continuation)
  Content switch: empties the buffer, sends the data to the server
Slide 31: Layer 7 Flow Setup (3/3)
Server -> Content switch: ACK (not forwarded)
  Content switch: ready to splice the flows
Server -> Content switch -> Client: Data (HTTP/1.1 200 OK), shortcut
  Content switch: matches the existing flow, rewrites L2/L3/L4 and SEQ/ACK
Client -> Content switch -> Server: ACK, shortcut
Server -> Content switch -> Client: Data (continuation), shortcut
Slide 32: Splicing the Flows Together: Adjusting Seq and Ack Numbers
Client side (ISN Y chosen by the switch)     Server side (ISN Z chosen by the server)
Client -> switch: Seq = X, Ack = Y            switch -> Server: Seq = X, Ack = Z
switch -> Client: Seq = Y, Ack = X+1          Server -> switch: Seq = Z, Ack = X+1
Shortcut: the switch rewrites Ack Y <-> Z on client packets and Seq Z <-> Y on server packets; X is left untouched.
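Slides 27 to 32 together describe delayed binding: the switch completes the client handshake, buffers and parses the request, picks a server (here sticky on the JSESSIONID of slide 28, otherwise round-robin), then rewrites sequence and acknowledgement numbers so the two connections are spliced. An added example in Python, not the content switch's code; L7Switch, Splice and the server addresses are assumptions.

```python
"""Delayed binding and flow splicing (slides 27 to 32), added example.

Not Cisco's code: L7Switch and Splice are constructed names, the server pool
is invented, and sequence numbers are handled as 32-bit TCP values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import cycle
from typing import Iterator

MOD32 = 1 << 32   # TCP sequence space wraps at 2**32


def parse_cookies(header_block: str) -> dict[str, str]:
    """Collect NAME=VALUE pairs from the Cookie: lines of one request header."""
    cookies: dict[str, str] = {}
    for line in header_block.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            for pair in value.split(";"):
                k, _, v = pair.strip().partition("=")
                if k:
                    cookies[k] = v
    return cookies


@dataclass
class L7Switch:
    servers: list[str]
    sticky: dict[str, str] = field(default_factory=dict)   # JSESSIONID -> server
    _rr: Iterator[str] | None = field(default=None, repr=False)

    def __post_init__(self) -> None:
        self._rr = cycle(self.servers)

    @staticmethod
    def request_complete(buffer: bytes) -> bool:
        """Slide 29: keep ACKing and buffering until the whole header is in."""
        return b"\r\n\r\n" in buffer

    def select_server(self, buffer: bytes) -> str:
        """Slide 30: parse the buffered request and pick the server."""
        head = buffer.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        sid = parse_cookies(head).get("JSESSIONID")
        if sid in self.sticky:
            return self.sticky[sid]      # the session lives in that server's memory
        server = next(self._rr)
        if sid:
            self.sticky[sid] = server
        return server

    def learn_session(self, response_head: str, server: str) -> None:
        """Bind a JSESSIONID issued in Set-Cookie to the server that issued it."""
        for line in response_head.splitlines():
            name, _, value = line.partition(":")
            if name.strip().lower() == "set-cookie":
                k, _, v = value.split(";", 1)[0].strip().partition("=")
                if k == "JSESSIONID":
                    self.sticky[v] = server


@dataclass(frozen=True)
class Splice:
    """Slide 32: translate Seq/Ack between the client-side and server-side flows.

    The switch answered the client SYN with its own ISN Y; the server later
    chose ISN Z. Client segments (Seq=X, Ack=Y+n) must reach the server as
    Ack=Z+n; server segments (Seq=Z+n) must reach the client as Seq=Y+n.
    X, the client's own sequence number, is never touched.
    """
    y: int   # ISN the switch used towards the client
    z: int   # ISN the server used towards the switch

    def client_to_server(self, seq: int, ack: int) -> tuple[int, int]:
        return seq, (ack - self.y + self.z) % MOD32

    def server_to_client(self, seq: int, ack: int) -> tuple[int, int]:
        return (seq - self.z + self.y) % MOD32, ack
```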
Slide 34: Application Optimization Infrastructure (WAN): Application Networking
Slide 35: What are Web Services?
• Software system designed to support interoperable machine-to-machine interaction
• Based on messages
• Platform and programming language-independent
• Leverage existing Web standards
• Interface is described in a machine-processable format
• Based on XML, SOAP, WSDL
Slide 36: SOAP message
Request message, URL: www.example.com/GetStockQuote
HTTP request header:
  POST /GetStockQuote HTTP/1.1
  Host: www.example.com
  Content-type: text/xml; charset="utf-8"
  Content-length: nnnn
  SOAPAction: "StockService"
SOAP request message:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
      <GetStockQuote xmlns="http://example.com/stockquote">
        <Symbol>CSCO</Symbol>
      </GetStockQuote>
    </soap:Body>
  </soap:Envelope>
Response message
HTTP response header:
  200 OK
  Content-type: text/xml; charset="utf-8"
  Content-length: nnnn
SOAP response message:
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
      <GetStockQuoteResponse xmlns="http://example.com/stockquote">
        <Quote>18.5</Quote>
      </GetStockQuoteResponse>
    </soap:Body>
  </soap:Envelope>
Slide 37: AON Understands Application Messages
• Conventional networks provide intelligent packet level services but can't interpret message contents
• AON interprets application message contents for much richer detailed information (e.g. Ship To, Part#, Qty, $, SLA)
• Allows business driven policies to be executed on application messages at runtime
Packet networking: SAP -> 101011001011011011010100110101 -> MFG; the network sees only bits ("?").
Application-oriented networking: SAP -> MFG, and the network sees the message itself:
  PURCHASE ORDER #: 012345678
  FROM: BigWig Co, Anytown
  TO: Cisco Systems
  DATE: 04/01/05
  QTY: 50
  PART#: Widget #12345a
  PRICE: $500 ea.
  TOTAL: $25,000
  DELIVERY: Urgent
  SLA: 2 days
Slide 39: XSLT: Extensible Stylesheet Language Transformations
Source: http://www.xml.com/pub/a/2000/08/holman/index.html
XML document (XML data) + XSL document (stylesheet) -> XSLT processor -> HTML document (final HTML)
Hello.xml:
  <?xml version="1.0"?>
  <?xml-stylesheet type="text/xsl" href="hello.xsl"?>
  <greeting>Hello world.</greeting>
Hello.xsl:
  <?xml version="1.0"?>
  <xsl:transform xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
    <xsl:output method="xml" omit-xml-declaration="yes"/>
    <xsl:template match="/">
      <html><b><i><u><xsl:value-of select="greeting"/></u></i></b></html>
    </xsl:template>
  </xsl:transform>
Hello.htm:
  <html><b><i><u>Hello World.</u></i></b></html>
Slide 40: Protocol Bridging and Message Transformation
Transports bridged by AON nodes: SOAP/HTTP, AONP, JMS, JMS/SSL (through a JMS message broker), FTP, SMTP
• AON nodes can act as protocol gateways between multiple applications
• AON services can be used to create message transformation functions
Slide 42: Security Issues for Applications
• Identity: authentication, authorization
• Integrity: guarantee no modification in transit
• Confidentiality: protect data such that only authorized actors can view it
Slide 43: Security Context and Models
• Transport Level Security: both parties can be identified, and integrity and confidentiality are ensured by the encrypted transport
• Message Level Security: the security context is embedded in the message header and allows identity verification; individual fields of the message can be encrypted for confidentiality; the message can be signed for integrity
Diagram: client, intermediate actor, server.
Slide 44: Transport Level Security, SSL: Key Exchange (logical)
Participants: Client, Server, Certificate Authority (public key)
1. Client requests the server to authenticate itself
2. Server authenticates by sending its digital certificate
3. Certificate is verified by checking the validity dates and the signature of the CA:
   - if the certificate is CA signed, verify it with the CA public key
   - if it is a self signed certificate, prompt the user to authenticate it (pop-up security alert, manual)
4. (Optional) Server may request client-side authentication
5. Message encryption algorithm and integrity hash functions are negotiated
6. Session keys are generated
7. Encrypted data is exchanged
Slide 45: SSL Offload
Full TCP proxy: two distinct connections.
Client <-> SSL offload device: TCP setup, SSL handshake, encrypted HTTP GET, encrypted HTTP reply, TCP tear down
SSL offload device <-> Server: TCP setup, clear text HTTP GET and reply, TCP tear down
Slide 46: Message Level Security
• Transport Level Security establishes a security context between transport endpoints
• Message Level Security includes the security context as part of the message, providing end-to-end security across proxies
• Message Level Security requires: identity, integrity, confidentiality
Slide 47: Identity: Security Tokens
• Username/Password
• X.509 Certificate
  <S11:Envelope xmlns:S11="..." xmlns:wsse="...">
    <S11:Header>
      <wsse:Security>
        <wsse:UsernameToken>
          <wsse:Username>Zoe</wsse:Username>
          <wsse:Password>IloveDogs</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
    </S11:Header>
    <S11:Body>.....</S11:Body>
  </S11:Envelope>
Slide 48: Integrity: Digital Signature
Sender: computes Hash (S) of the message and signs it with the sender's private key; message and signature are sent.
Receiver: recomputes Hash (R) over the received message and recovers Hash (S) from the signature with the sender's public key.
Test integrity by comparing the hash calculated by the sender with the hash calculated by the receiver.
Slide 49: Confidentiality: XML Encryption
• Encrypted data can be expressed using XML
• Portions of an XML document can be selectively encrypted
Before:
  <S11:Body>
    <PaymentInfo>
      <Name>John Smith</Name>
      <CreditCard Limit='3000'>
        <Number>12345678</Number>
      </CreditCard>
    </PaymentInfo>
  </S11:Body>
After (only the credit card element is encrypted; the header references it):
  <S11:Header>
    <wsse:Security>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#card"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </S11:Header>
  <S11:Body>
    <PaymentInfo>
      <Name>John Smith</Name>
      <xenc:EncryptedData Id="card">
        <ds:KeyInfo>
          <ds:KeyName>CN=Alpha Bank, C=FR</ds:KeyName>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </PaymentInfo>
  </S11:Body>
Slide 50: AON as XML Firewall
1) Authenticate and validate SOAP requests: the authorized requestor reaches the Web Service, the unauthorized requestor is stopped at the AON node
2) Secure SOAP communication: WS Client -> SOAP -> AON -> Secure SOAP -> AON -> SOAP -> Web Service
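The two checks of this slide in code, together with the UsernameToken of slide 47: an added Python example (not Cisco's or AON's code) that authenticates the token, rejects replays and stale timestamps, and then validates that the body carries one allowed operation. The digest form follows the OASIS WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)); the user table, the XmlFirewall name and the envelopes are constructed, and the stock quote namespace comes from slide 36.

```python
"""SOAP request checks at an XML firewall (slide 50) with the UsernameToken
of slide 47 carried as a password digest instead of clear text.

Added example, not Cisco's or AON's code. The digest follows the OASIS
WS-Security UsernameToken Profile: Base64(SHA-1(nonce + created + password)).
Users, the allowed operation and the envelopes are constructed.
"""
from __future__ import annotations
import base64, hashlib, hmac, secrets
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

S11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
STOCK = "http://example.com/stockquote"   # namespace from slide 36
TS = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(user: str, password: str, symbol: str,
                  nonce: bytes | None = None, created: str | None = None) -> str:
    """Client side: GetStockQuote envelope with a digest UsernameToken."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    return (
        f'<S11:Envelope xmlns:S11="{S11}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<S11:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{escape(user)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST}">'
        f"{password_digest(nonce, created, password)}</wsse:Password>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security></S11:Header>"
        f'<S11:Body><GetStockQuote xmlns="{STOCK}"><Symbol>{escape(symbol)}</Symbol>'
        f"</GetStockQuote></S11:Body></S11:Envelope>"
    )


class XmlFirewall:
    """Authenticate the token, reject replays, then validate the body."""

    def __init__(self, users: dict[str, str], allowed_ops: set[str],
                 max_age_s: int = 300) -> None:
        self.users, self.allowed, self.max_age = users, allowed_ops, max_age_s
        self.seen_nonces: set[bytes] = set()   # replay cache (bounded in real use)

    def check(self, envelope: str, now: datetime | None = None) -> tuple[bool, str]:
        now = now or datetime.now(timezone.utc)
        try:
            root = ET.fromstring(envelope)   # expat: no external entity fetches
        except ET.ParseError:
            return False, "malformed XML"
        tok = root.find(f"{{{S11}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username", "")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST or not nonce_b64 or not created:
            return False, "clear-text password or missing nonce/created"
        try:
            issued = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False, "bad Created timestamp or nonce"
        age = (now - issued).total_seconds()
        if not -30 <= age <= self.max_age:      # small allowance for clock skew
            return False, "stale token"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(nonce, created, self.users.get(user, ""))
        if user not in self.users or not hmac.compare_digest(
                expected.encode(), (pw.text or "").encode()):
            return False, "bad credentials"
        self.seen_nonces.add(nonce)
        body = root.find(f"{{{S11}}}Body")
        if body is None or len(body) != 1:
            return False, "body must carry exactly one operation"
        if body[0].tag not in self.allowed:
            return False, f"operation not allowed: {body[0].tag}"
        return True, user
```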
Slide 52: Application Optimization Infrastructure (WAN): IOS NAT
Slide 53: Control Protocols
• Control protocols are designed to establish and control endpoints for data exchange between applications
• Out-of-band control protocols use a different transport connection than the actual data exchange
• Many control protocols have in-band variations to work over HTTP, to work around firewall issues
Slide 54: SIP
Alice -> SIP Proxy: Invite
SIP Proxy -> Bob: Invite
Bob -> SIP Proxy: 200 OK
SIP Proxy -> Alice: 200 OK
Alice -> Bob: ACK
Session established
Slide 55: Basic Concept of NAT: Example
• NAT changes the IP address (OSI layer 3) in the IP header
• Remote host only sees the 14.38.50.1 address—instant security
Local host 10.6.1.20, NAT router, remote host 172.16.1.1
Outbound packet before NAT: Src Addr 10.6.1.20, Dest Addr 172.16.1.1
Outbound packet after NAT:  Src Addr 14.38.50.1, Dest Addr 172.16.1.1
Return packet before NAT:   Src Addr 172.16.1.1, Dest Addr 14.38.50.1
Return packet after NAT:    Src Addr 172.16.1.1, Dest Addr 10.6.1.20
Slide 56: SIP: Media Ports
Topology: 10.1.1.0/24 with IP Phone A (ext. 5510) at .10; NAT between the two sides (interface labels .1 and .30); Internet; 172.16.1.0/24 with IP Phone B (ext. 5505) at .5 (other labels on the diagram: .2, .1)
Phone A media: IP 10.1.1.10, port 20000
Phone B media: IP 172.16.1.5, port 17000
Slide 57: SIP: One Way Audio
Same topology as slide 56: IP Phone A (ext. 5510) on 10.1.1.0/24, NAT, Internet, IP Phone B (ext. 5505) on 172.16.1.0/24.
Phone A -> B RTP stream: arrives.
Phone B -> A RTP stream: Phone B sends to the private media address 10.1.1.10 it learned from Phone A's SDP, which is not reachable across the NAT, so only one direction of the audio works.
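The failure on this slide, checked in code: an added Python example (not Cisco IOS or its SIP ALG) that parses the SDP of a constructed INVITE from Phone A, flags a private media address that differs from the address the packet arrived from, and shows the rewrite a SIP-aware NAT performs. The NAT outside address 172.16.1.30 and the outside port 30000 are assumptions.

```python
"""One-way audio through NAT (slides 55 to 57): detect it in SIP/SDP and
show the address rewrite a SIP ALG performs.

Added example, not Cisco IOS code. The INVITE is constructed from the slide's
phones (A: 10.1.1.10:20000, B: 172.16.1.5:17000); the NAT outside address
172.16.1.30 and port 30000 are assumptions.
"""
from __future__ import annotations
import ipaddress
import re


def build_invite(from_ext: str, from_ip: str, to_ext: str, to_ip: str,
                 media_port: int) -> str:
    """Minimal INVITE whose SDP advertises the phone's own address (constructed)."""
    sdp = (f"v=0\r\no={from_ext} 1 1 IN IP4 {from_ip}\r\ns=-\r\n"
           f"c=IN IP4 {from_ip}\r\nt=0 0\r\nm=audio {media_port} RTP/AVP 0\r\n")
    return (f"INVITE sip:{to_ext}@{to_ip} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {from_ip}:5060\r\n"
            f"From: <sip:{from_ext}@{from_ip}>\r\nTo: <sip:{to_ext}@{to_ip}>\r\n"
            f"Content-Type: application/sdp\r\nContent-Length: {len(sdp)}\r\n"
            f"\r\n{sdp}")


def parse_sdp_media(sip_message: str) -> tuple[str, int]:
    """Return (connection address, audio port) from the SDP body."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    conn, port = None, None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if conn is None or port is None:
        raise ValueError("SDP lacks c= or m=audio line")
    return conn, port


def diagnose(sip_message: str, packet_src_ip: str) -> dict:
    """Compare the media address inside SDP with the IP the packet came from.

    A private (RFC 1918) address that differs from the packet source means the
    phone sits behind NAT and advertised its inside address: the far end will
    send its RTP there and nothing arrives, the one-way audio of slide 57.
    """
    conn, port = parse_sdp_media(sip_message)
    sdp_ip = ipaddress.ip_address(conn)
    hidden = sdp_ip.is_private and sdp_ip != ipaddress.ip_address(packet_src_ip)
    return {
        "sdp_addr": conn, "port": port, "packet_src": packet_src_ip,
        "one_way_audio_risk": hidden,
        "reason": ("SDP advertises a private address that differs from the "
                   "packet source; return RTP will go to an unreachable host"
                   if hidden else "media address reachable as advertised"),
    }


def alg_rewrite(sip_message: str, outside_ip: str, outside_port: int) -> str:
    """What a SIP-aware NAT does: rewrite c= and the m=audio port to the
    outside mapping and fix Content-Length so the message stays consistent."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    lines = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {outside_ip}"
        elif line.startswith("m=audio "):
            parts = line.split()
            parts[1] = str(outside_port)
            line = " ".join(parts)
        lines.append(line)
    new_body = "\r\n".join(lines)
    head = re.sub(r"(?im)^Content-Length:\s*\d+",
                  f"Content-Length: {len(new_body.encode())}", head)
    return head + sep + new_body
```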
Slide 58: Latency: Delay, Jitter
• Propagation delay: the time it takes the physical signal to traverse the path
• Serialization delay: the time it takes to actually transmit the packet; depends on the bit-rate
• Queuing delay: the time a packet spends in router queues; depends on queue length and type
• A maximum delay of 120 milliseconds is recommended for comfortable human-to-human audio
• Jitter: delay variation; caused by queue depth variation
• Jitter is bad for interactive voice like VoIP, generating pops and clicks
Slide 59: Packet Loss and Misordering
• Isolated loss: loss of an isolated packet; possible causes:
  - a single CRC error
  - a short-duration full queue (tail-drop)
  - ...
• Burst loss: multiple consecutive packets are lost; possible causes:
  - noise on the transmission media that kills all the packets
  - a sudden route change in a transit device creates a temporary black hole
  - a full transit interface queue
• Packet misordering: this may happen; possible causes:
  - load balancing through multiple paths having different latencies
  - inadequate QoS/queuing policy
  - typically happening on parallel architectures
Slide 60: Multi-Protocol Measurement with Cisco IOS IP Service Level Agreements
IP SLA in Cisco IOS Software: active generated traffic to measure the network between a source and a destination (an IP SLA responder on another IOS device, or an IP server); defined packet size, spacing, COS and protocol; results are exposed as MIB data.
Measurement metrics: latency, network jitter, distribution of stats, connectivity, packet loss
Protocols measured: FTP, DNS, DHCP, TCP, jitter, ICMP, UDP, DLSW, HTTP, LDP, H.323, SIP, RTP, Radius, video
Uses: network performance monitoring, service level agreement (SLA) monitoring, network assessment, Multiprotocol Label Switching (MPLS) monitoring, VoIP monitoring, availability, trouble shooting, operations
Slide 61: HTTP Operation Measurement
IP SLA source -> DNS Server: DNS REQ; DNS Server -> source: DNS ANS (DNS RTT)
Source -> HTTP Server: SYN; HTTP Server -> source: SYN/ACK; source -> HTTP Server: ACK (TCP RTT)
Source -> HTTP Server: GET /...; HTTP Server -> source: <HTML>... (time to first byte) ...</HTML> (HTTP RTT)
Tear down: FIN, FIN/ACK, ACK
Slide 62: UDP Jitter Operation Measurement Example
The IP SLA source sends packets P1, P2 through the IP core to a responder, which reflects them.
Definitions:
  STx = sent timestamp for packet x (source clock)
  RTx = receive timestamp for packet x (responder clock)
  dx  = processing time spent at the responder between packet arrival and treatment
  ATx = receive timestamp of reflected packet x (source clock)
Send packets: P1 at ST1, P2 at ST2, interval i1
Receive packets at the responder: RT1, RT2, interval i2
Reply to packets: at RT1+d1 and RT2+d2
Reflected packets arrive at the source: AT1, AT2, interval i3
Each packet contains STx, RTx, ATx, and dx, so the source can calculate:
  JitterSD = (RT2 - RT1) - (ST2 - ST1) = i2 - i1
  JitterDS = (AT2 - AT1) - ((RT2 + d2) - (RT1 + d1)) = i3 - i2
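The two formulas above, carried through over a constructed probe run as an added example (not Cisco IOS code). Probe, summarize and the millisecond timestamps are assumptions; the block also shows that an offset between the source and responder clocks drops out of both jitter terms.

```python
"""IP SLA UDP jitter arithmetic of slide 62 over constructed timestamps.

Added example, not Cisco IOS code. Probe carries the four timestamps the
slide names (ST, RT, d, AT) in milliseconds; the source and responder clocks
need not agree, since every term subtracts two stamps from the same clock.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    st: float   # STx: sent timestamp, source clock
    rt: float   # RTx: receive timestamp, responder clock
    d: float    # dx: responder processing time before the reply leaves
    at: float   # ATx: arrival timestamp of the reflected packet, source clock


def jitter_sd(p1: Probe, p2: Probe) -> float:
    """Source to destination: (RT2 - RT1) - (ST2 - ST1) = i2 - i1."""
    return (p2.rt - p1.rt) - (p2.st - p1.st)


def jitter_ds(p1: Probe, p2: Probe) -> float:
    """Destination to source: (AT2 - AT1) - ((RT2 + d2) - (RT1 + d1))."""
    return (p2.at - p1.at) - ((p2.rt + p2.d) - (p1.rt + p1.d))


def round_trip(p: Probe) -> float:
    """Round trip with the responder's processing time removed."""
    return (p.at - p.st) - p.d


def summarize(probes: list[Probe]) -> dict[str, list[float] | float]:
    """Per-pair jitter in both directions plus averages of their magnitude."""
    pairs = list(zip(probes, probes[1:]))
    sd = [jitter_sd(a, b) for a, b in pairs]
    ds = [jitter_ds(a, b) for a, b in pairs]
    return {
        "jitter_sd": sd,
        "jitter_ds": ds,
        "avg_abs_jitter_sd": sum(map(abs, sd)) / len(sd),
        "avg_abs_jitter_ds": sum(map(abs, ds)) / len(ds),
        "rtt": [round_trip(p) for p in probes],
    }


# Constructed run: four probes sent 20 ms apart; forward one-way delays of
# 50, 52, 48, 52 ms, responder processing of 1, 1, 2, 1 ms, return delays
# of 50, 53, 49, 50 ms.
SAMPLE = [
    Probe(st=0,  rt=50,  d=1, at=101),
    Probe(st=20, rt=72,  d=1, at=126),
    Probe(st=40, rt=88,  d=2, at=139),
    Probe(st=60, rt=112, d=1, at=163),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```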
Slide 64: Live Stream: Hybrid Unicast to Multicast
Video server -> (live unicast stream across the WAN) -> content engine (CE) at the site -> a single multicast stream replicated by the network to the clients (www); CDM and DNS direct the clients.
Multicast-enabled LAN only; the CE scales to many simultaneous programs; requires event planning and administration.
Slide 65: Video on Demand Without Cisco Content Engines (CE)
Video server across the Internet or WAN; clients (www) behind a content router (CR); CDM.
First request and every subsequent request: a separate stream for each client across the WAN; the aggregate of all clients must be less than the WAN bandwidth.
Slide 66: Video on Demand: Pull Caching
Video server across the Internet or WAN; clients (www) reach a content engine located via DNS; CDM.
First request: streamed from the video server across the WAN (the streamed bandwidth must be less than the WAN bandwidth; unmanaged intranet or Internet sourced). Subsequent requests: served from the content engine.
Slide 68: Application Optimization Infrastructure (recap of slide 3)