WebSockets couples the performance and flexibility of TCP with the reach of HTTP Prediction: WebSockets will replace simple TCP as preferred underlying protocol.
To see how Websockets are used in a popular HTML5-based remote access solution, by visiting the following URL: http://j.mp/1luquBQ
2. Dan Shappir
CTO at Ericom Software
@DanShappir
blog: ericomguy.blogspot.com
Six-time BriForum speaker
3. Remember DCOM?
● Microsoft Distributed COM, circa 1996
● General purpose communication layer for
client / server
● UDP-based, using ports 1024-5000
● COM succeeded; DCOM failed
Can you guess why?
4. Network Security Realities
● Firewalls/proxies dislike UDP
● Firewalls/proxies often dislike TCP
● Firewalls/proxies like HTTP (80) and HTTPS
(443)
o But dislike most any other port
Stateful Inspection means that just tunneling
through ports 80 and 443 isn’t enough
5. Make Apps Look Like Websites
Use HTTP / HTTPS as an applicative transport
Example: RD Gateway (tunnels RDP through HTTPS)
● Web Services
● XML and SOAP
● RESTful APIs
● JSON
● AJAX
6. HTTP Was Designed For Docs Not Apps
● Built on TCP Sockets but ...
● Request / Response architecture
o Only client can send Requests
o Server can only Respond to Requests
o Can’t send another Request before Response
● Header on every Request / Response
o Up to 8KB each
8. Problems With Workarounds
● Hacks: error prone
● Complicated
● Compatibility issues
● Headers overhead
o Especially if contains cookies
9. Need a Better Solution
Flexibility of Sockets + reach of Web (HTTP)
10. WebSockets - Sockets for the Web
● Part of HTML5: W3C API and IETF Protocol
● Full-duplex, bidirectional communication
● Unsecured (TCP) and secured (SSL) modes
● Traverses firewalls, proxies and routers
● Text (UTF-8) and binary data
● Ping/Pong messages for keep-alive
● Share ports 80 and 443 with HTTP/HTTPS
11. WebSocket Connection Process
1. Client opens new TCP connection to Server
2. Optional SSL (TLS) handshake
3. Client sends HTTP GET Request
4. Server sends HTTP Response
5. Magic: Client & Server communicate using
WebSocket packets
20. Packet Oriented Protocol
● After handshake, protocol is sequence of
packets
● Packets comprised of header + payload
● Several packet types
● Peers receive full data packets payload
o Not partial packets / bytes
o Not control packets
21. WebSocket Packet
Minimally framed: small header + payload
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
F
I
N
R
S
V
1
R
S
V
2
R
S
V
3
opcode(4)
M
A
S
K
payload
len(7)
extended payload len(16/64)
extended payload len continued(16/64)
masking key(0/32)
masking key continued payload ...
24. Simple JavaScript Example
var ws = new WebSocket("ws://...");
ws.onopen = function () {
ws.send("hello");
};
ws.onmessage = function (event) {
console.log(event.data);
};
25. Growing Support
● Browsers
o Everybody!
● Webservers
o Most everybody!
● Firewalls
o Often just works
● SSL VPN
o Juniper, Cisco, CheckPoint, …
26. Benefits of SSL VPNs over VPNs
For Web protocols: HTTP and WebSockets
● No client-side installation
● No client-side configuration
● Any client device
27. WebSockets For Native Apps
● .NET (4.5) WCF support
● Java EE (JSR-356)
● C/C++ - several Open Source implementations
● PHP - Rachet
● Node.js - multiple libraries
29. What If It Doesn’t Connect?
● Use standard ports: 80, 443
o Or standard alternate ports: 8080, 8443, 8008
● Use SSL, with proper certificates
● Upgrade SSL VPN, Firewall, …
● Disable anti-virus
o Or exception, or disable packet inspection
● Fallback to HTTP / HTTPS
30. Future Protocol For Everything?
No, primarily when UDP is required
● Streaming Video or Video Conferencing
● Remote access over bad connections
(“Framehawk” scenario)
31. The Future, Future Protocol
● For UDP: WebRTC with data-channels
o Use WebSockets as fallback
● For TCP: WebSockets
o Use HTTP / HTTPS as fallback
● HTTP / HTTPS for RESTful APIs
32. Summary
WebSockets couple the performance and
flexibility of TCP with the reach of HTTP
Prediction: WebSockets will replace simple
TCP as preferred underlying protocol
Existing protocols wrapped in WebSockets
Hinweis der Redaktion
First released as part of Windows NT 4.0
RD Gateway now also tries UDP and falls back to HTTPS
Origin can only be trusted with web clients (how do you know if it’s a web client?)
Header size: 2 - 14 bytes
Length: 0-125 (7 bit)
126 + 16 bit
127 + 64 bit
For security reasons a client MUST mask all frames that it sends to the server. The server MUST close the connection upon receiving a frame that is not masked.
A server MUST NOT mask any frames that it sends to the client. A client MUST close a connection if it detects a masked frame.
Masking is required to avoid proxy cache poisoning
Source: Microsoft
Comparison of the unnecessary network throughput overhead between the polling and the WebSocket applications
Additional events: onclose and onerror
SSL encrypted WebSockets have better chance of making it through
The client initiates the negotiation by advertising the permessage-deflate extension in the Sec-Websocket-Extensions header. In turn, the server must confirm the advertised extension by echoing it in its response.
Both client and server can selectively compress individual frames: if the frame is compressed, the RSV1 bit in the WebSocket frame header is set
Or is very slow
WebRTC data-channels utilize SCTP - Stream Control Transmission Protocol
https://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol