Csep-561-Lec-7
The Application Layer (DNS, CDNs, HTTPS), and Security
- Note on TCP congestion control algorithms
- BBR, Cubic, etc., are all still opering within the TCP protocol. All that's changing is when the sender sends packets.
- SACK (Selective ACK) actually does add extra headers, and sends ACK ranges which allows sender to more precisely know what to resend, and is a big improvement.
- State of the art circa 2010, still in wide use today
- CUBIC is the standard TCP stack
- Linux >= 2.6.19
- Windows >= 10.1709
- MaxOS >= Yosemite
- Keeps tricks from NewReno about fast recovery and fast retransmit w/ SACK; just replaces additive increase with cubic function
- Throws away all that beautiful convergence of AIMD from last lecture. Performs better, just an emprical approach.
- Seeks to resovle
- Flows with lower RTTs grow faster than those with higher RTTs
Application layer
Where we are in the course:
physical -> link -> network -> transport -> applicationRecall the OSI model actually has layers
- 4: Transport
- 5: Session
- 6: Presentation
- 7: Application
but, in the internet we bundle layers 5 and 6 into the application layer.
A session is a series of related data over the network, i.e. your Zoom stream, or a particular website loading.
The concept of presentation is how to identify a type of content and encode it for transfer
- MIME types, image/jpeg, etc.
Evolution of internet applications:
- 82% of traffic by byte is video
- Most traffic is mobile as of 2016
- Lots of attack traffic from China, Russia, and U.S.
DNS (Domain Name System)
Let's you go to www.uw.edu instead of 183.23.2.32.
Goals:
- Easy to manage
- Efficient
Approach:
- Distributed directory based on hierarchy namespace
- Automated protocol to tie pieces together
Names are higher level id's for resources
Addreesses are lower-level locators for resources
Resolution is mapping a name to an address
Before DNS
- there was a
HOSTS.TXT
file regularly retrieved for all hosts from a central machine at the Network Information Center - Names were initially flat, i..e no domains.
- there was a
Domains are hierarchal starting from the right:
- robot.cs.washing.edu
- .edu is the top level hierarchy, robot is the specific part.
TLD (Top Level Domains) are
run by ICANN (Internet Corp for Assigned Names and Numbers)
700+ generic TLDs, many created over time
250 country code TLDs
DNS Resolution Example
- requesting
robots.cs.washington.edu
fromflits.cs.vu.nl
- queries local name server (
cs.vu.nl
) - which queries root name server
a.root-servers.net
- then edu name server
a.edu-servers.net
- then name server
UW
- then name server
UWCS
- ... mad steps
- requesting
Two types of queries:
- Recursive query nameserver resolves and returns final server
- Lets client offload burden to server
- Lets server cache results for a bunch of clients
- Iterative query nameserver just responds with the next one to hit
- Lets server "fire an forget"
- Recursive query nameserver resolves and returns final server
Local nameservers often run by IT
- Or you can use google's public DNS (8.8.8.8) or Cloudfare's public DNS (1.1.1.1), instead of using e.g. Comcast's.
Root nameservers is served by 13 server names
- a.root-servers.net through m.root-servers.net
- all need root IP addresses
Caching
- Resolution latency needs to be low
- URLs don't change very often
- You don't want every query to have to hit the root nameserver
DNS Protocol
- Built on UDP port 53
- ARQ for reliability
- Server is stateless
- Relies on replicas to make the service redundant
- Zone is comprised of DNS resource records that give info for its domain names
Security is a major issues here.
Mostly added as an afterthought in the 90s
Need to secure the mapping, so users don't go to a malicious bank.com
Goal: integrity and authenticity (over confidentiality)
- Impossible to cache encrypted nameserver lookup, so we forego confidentiality
DNS Spoofing attacks the intermediary nameserver caches
DNSSEC (DNS Security Extensions) disallows this
- Extends DNS with new record types
- RRSIG for digital signatures of records
- DNSKEY for public keys for validation
- Root servers upgraded in 2010
- Check this box when setting up your website!
HTTP (HyperText Transfer Protocol)
- Created by Sir Tim Bernes-Lee, the inventor of the Web, directs the W3C
- Keep in mind the Web is an application built on top of the Internet, which is a much broader thing.
- A "web page" consists of a set of related HTTP transactions
- In this web context, HTTP is a request/response protocol for fetching web resources.
- A URL (Uniform Resource Locator)
- protocol + server + page on server
- http://en.wikipedia.org/wiki/vegemite
- protocol: http
- server: en.wikipedia.org
- page on server: /wiki/vegemite
- PLT (Page Load Time) was a key measure of web performance
- Hard to measure in the modern world, with infinite scroll and whatnot
- Modern metrics are
- FCP (First Contentful Paint): is it happening?
- FMP (First Meaningful Paint): is it useful?
- TTI (Time to Interactive): is it usable?
- HTTP/1.0
- used one TCP connection to fetch one web resource, not efficient at all.
- HTTP/1.1
- Supports pipelining, parallel requests
- State of the art as of 2015
- HTTPS
- A protocol for securely connecting to server
- Authenticates that the server is who they say they are via a chain of certificates.
- As long as you trust each link in the chain, you're good
- Encrypts and validates all traffic to/from server
- Built on top of TLS (Transport Layer Security).
- Renamed, new version of "SSL"
- More secure than TLS - SSL is old and broken don't use it!
- Requires a complex handshake (diffie-helman key change!) between the client and server
- Basically the same as HTTP just with a new added TLS layer