Modern networking for php developers (PHP Dorset)

Modern networking for PHP developers
PHPDorset July 2015
IPv6, SSL, SPDY & HTTP/2
Marcus Bointon, Technical director,
Synchromedia Limited & smartmessages.net

SSL
IPv6
SPDY & HTTP/2
There a lot to cover, so this will be a bit of a whirlwind tour!

IPv6
Starting at the bottom of the stack. How many of you are using IPv6 already? How many of you have deployed IPv6-only servers?

We’re all familiar with IPv4 that has formed the foundation of the internet since 1978. IPv4 has served us very well, but it’s showing its age and has various shortcomings,
one of which is rapidly becoming a problem. The IETF was well aware where this was going, and set about designing a replacement, and IPv6 was ﬁnally ratiﬁed in 1998.
Yes, 1998! You’re not as bleeding edge as you might have thought!

PHPDorset July 2015 Marcus Bointon
IPv6 Features
• Streamlined protocol headers - bigger but simpler
• Stateless autoconfiguration
• Built-in security (IPSec)
• Jumbograms
• Unicast / Multicast / Anycast
• More stuff that you don’t need to care about…
• 128-bit addresses
Protocol headers were made simpler to improve router efficiency - smaller routing tables.

Stateless autoconfiguration means devices can self-assign addresses without fear of clashes, finds gateways automatically, DHCP6 is more flexible

IPSec support is built-in

Jumbograms to reduce overhead on large transfers - up to 4Gb in a packet

Various ways of telling it to distribute packets to one or more addresses in a group. Anycast is something like a built-in CDN.

Loads more stuff that’s all buried in your stack that, as a PHP dev, you don’t need to care about

But the big, big thing you do need to know is that it replaces IPv4’s 32-bit addresses with 128-bit addresses

If you don’t think in binary, you might be thinking - that’s only 4 times bigger, surely we need more than that?

128 bits is…
340,282,366,9
20,938,463,46
3,374,607,431,
768,211,456
10^34 is a very, very big number

340 billion billion billion billion

So how big is that?
• If you used a 0.25mm pixel to display each available
address, how big an area would you need to display
them all?
• IPv4: about the size of a tennis court
• IPv6: 100,000 times the size of the solar system
It’s hard to get a grip on how big a number that is, so let’s relate it to something we might be able to comprehend.

OK, so maybe that’s not so easy to comprehend, but at least you get the idea that it’s very, very big.

If it’s any consolation, it’s much less than the number of ways you can order a pack of cards (10^67)!

IPv6 Address Allocation
• Just like IPv4, but bigger
• Your ISP will probably give you a /64 subnet
• So you have 4 billion internets to pick your own
addresses from!
• Great for virtual hosting, SSL, docker containers
ISPs are allocated address blocks in much the same way as for IPv4, and they will allocate them to you in a similar way, but instead of being given say, 1 IP per server,
they can aﬀord to be a bit more generous, and assign you whole net blocks from which you can choose your own addresses.

Security beneﬁt: so many addresses, address scanning becomes useless.

IPv6 Notation
• We’ve got very used to IPv4’s decimal dotted-quad
pattern: 192.168.0.1
• That’s just not practical for IPv6
• Hexadecimal for greater density
• Colons to delimit 16-bit chunks
• Square brackets to wrap
• [2001:0000:0000:EF22:0000:1234:5678:0001]
One common practical problem with IPv6 is how you write it down. It’s new and diﬀerent.

A full-length IPv6 address using the IPv4 8-bit decimal notation would be up to 63 characters long.

Using hex takes it down to 39, and we’ll see that can be shortened further.

CIDR: Classless Inter-Domain Routing

We need the square brackets to limit the start and end of the address, so that it doesn’t get confused with the common port number notation in URLs.

IPv6 Notation Shortcuts
• It’s all about the zeros
• Replace one sequence of one or more 0000 chunks
with a double-colon
• Collapse other 0000 chunks to 0
• Strip leading zeros: 0023 -> 23
• 2001:0000:0000:EF22:0000:1234:5678:0001
• 2001::EF22:0:1234:5678:1
Even with those changes, IPv6 addresses are a bit of a mouthful.

Familiar Addresses
• IPv4 Localhost: 127.0.0.1
• IPv6 localhost:
[0000:0000:0000:0000:0000:0000:0000:0001]
• Becomes simply: [::1]
• All addresses: [::], just like 0.0.0.0
• Link-local addresses [FE80…]
• Network: [2001::EF22:0:1234:5678:0/96]
Link-local addresses are only valid for 1 hop, so only exist within a single network.

IPv6 in PHP
• PHP and all host OSs have full IPv6 support
• PHP shows support in phpinfo()
• Provide IPv6 addresses in square brackets for
network functions
• e.g. fsockopen(‘tcp://[fe80::1]', 80…);
• Change validations to allow IPv6: 
FILTER_VAR_IPV6, FILTER_FLAG_NO_PRIV_RANGE
All this IPv6 goodness is actually pretty simple in PHP - all the underlying systems support it, so you just need to make your app OK with it.

IPv6 in MySQL
• If you’re using strings for storing IPs, stop now!
• UNSIGNED INT for IPv4
• Use MySQL 5.6
• Use VARBINARY(16) for an elegant, unified solution for both
IPv4 and IPv6 in the same field
• Convert to / from strings with INET6_ATON and
INET6_NTOA
• Similar PHP functions inet_ntop and inet_pton, with one
function wrapper needed
MySQL itself has supported IPv6 connections for years, but storing IPv6 addresses in binary fields was only added fairly recently.

There is no integer field type big enough, so need to use binary, and varbinary allows efficient storage of mixed IPv4 and IPv6

Convert IPv4 or IPv6 from MySQL binary
format to a string
http://php.net/inet-ntop
This little snippet is needed to handle MySQL’s binary format, so I added it to the PHP docs page.

Deploying IPv6
• Servers need IPv6 addresses - ISP must support it
• Add IPv6 config to your web servers
• Name servers on IPv6
• AAAA records in your DNS
• Reverse DNS for mail servers
• Check other sources - CDNs too
• Clients need IPv6 connections too
Most decent hosting providers already have IPv6 - Amazon EC2 doesn’t support it for servers, but does for ELB load balancers.

You can tunnel IPv6 over IPv4 connections - SixXS and Hurricane Electric’s tunnelbroker.net provide it as a service.

Realistically you don’t want to be messing about with non-native support; use an ISP with a clue.

All 4G mobiles support IPv6 by definition, and Apple is requiring IPv6 support for iOS 9 apps.

Name servers need to be on IPv6 too or your lookups will happen over 4 even if your servers are on 6

It’s simpler if you use your ISP’s or registrar’s name servers as you don’t need glue records

Don’t forget to add them to your SPF record, create mail server reverse entries, firewalls.

Your pages may be deployed from IPv6, but sub-elements may not - javascript, css, images etc.

Lots of domestic broadband does not support IPv6 - they are all waiting for the last possible moment…

Testing IPv6
• `ip addr`, `ping6`, `dig aaaa`
• IPv6 addresses work in /etc/hosts
• https://www.mythic-beasts.com/ipv6/health-check
• Chrome/Firefox plugins for connection status
Mythic Beasts is a great ISP - some excellent IPv6 advice on their blog

Chrome extension called “IPvFoo”.

SSL / TLS
How many of you are using SSL already?

Jumping ahead a little, how many of you are using HSTS?

No excuses not to run SSL any more
• Free certs available (startssl.com & letsencrypt.org)
• Not signiﬁcantly slower
• Required for SPDY…
• but not for HTTP/2
• Google will rank you higher!
• It’s essentially a requirement for iOS 9 apps
letsencrypt.org will be providing free certs from September 2015.

HTTP/2 not needing SSL is really a red herring, still no excuse

iOS 9 introduces “App Transport Security”, which is TLSv1.2, SHA256 and FS-only ciphers

Despite this, only 5% of top 10,000 sites run SSL by default (see links page).

SSL has had a rough year
• Heartbleed - OpenSSL bugs
• POODLE - SSLv3 holes, RC4
• Logjam - weak export ciphers & DH params
• The upside - quality and awareness increased
Heartbleed was a really big deal, exposing random data in both clients and servers, led to a massive rewrite of OpenSSL by the OpenBSD developers, released as
LibreSSL, which will be in OS X 10.11.

We’ve known that SSLv3 was bad for a long time - POODLE was the last nail in its coﬃn.

RC4 was often favoured as a solution to a vulnerability known as BEAST, but this only aﬀects older implementations or SSLv3 and TLS1.0.

Be aware that there are other attacks (like CRIME and BREACH), and there will probably be a new one tomorrow.

Get the right certificate
• 2048-bit key
• SHA2 signature
• Extra names with SAN
• Wildcards make admin easier
• Issuing certificates is technically trivial
• …but administratively hard
SHA2 isn’t a fixed size, but SHA256 is common.

Can go bigger than 2048-bit keys, but diminishing returns, good for 20 years yet.

You don’t need to limit yourself to a single name per certificate. Most CAs will sell you a multi-name (Server Alternate Name) or wildcard cert which you can use for
multiple services. You can usually change or add new names of no extra charge. EV certs can’t be wildcards, but can use SAN.

SAN requires SNI support in clients if you want to use several names on one IP - SNI support is an HTTP/2 requirement.

Generating certificates is technically trivial - it takes a couple of seconds to create and sign a new cert and can be completely automated, yet it may take days (if a CA is
doing its job properly) with a manual process to verify that an applicant is who they say they are. Yet weirdly, most CAs charge for generation, not verification.

StartCom is the only CA I’ve found that prices based on this fact - charging only for validation, not cert generation. Once you have verified who you are, you can have as
many certs as you like for no extra cost.

What to look for in a good config
• Redirect to secure site
• Ciphers that offer forward secrecy - DHE, ECDHE
• Use at least 2048-bit DH params for DHE
• At least TLS v 1.0
• SSL session caching
• Staple CA certs for OCSP
• HTTP Strict Transport Security (HSTS)
Forward secrecy means that captured traffic can’t be decrypted later even if an attacker gets hold of your private key.

TLS is simply the new name for SSL, a continuation of the same standards. 1.0 should be your minimum target now that SSLv3 is out, higher if your user base can take it.

Diffie-Hellman Ephemeral keys are used in key exchange with forward secrecy, and it’s vital that this is done very securely, so use at least 2048 bits. HTTP/2 requires
support of at least 4096 bits.

OCSP stapling saves a DNS lookup, TCP round-trips and an SSL handshake by bundling your CA’s certificate.

HSTS lets browsers know that everything you serve from your domain, and possibly all subdomains, should be secure. Helps avoid broken URLs, downgrade attacks,
cookie hijacking, MITM attacks, security warnings, reduces redirects.

Testing SSL config
• Click the padlock!
• openssl s_client
• Qualys SSL Labs: https://www.ssllabs.com/ssltest/
• sslyze
• Config generator: https://mozilla.github.io/server-
side-tls/ssl-config-generator/
• Prefab configs: https://github.com/ioerror/duraconf
Test on a command line with the openssl client - lets you do all kinds of useful things - generating keys, verifying signatures, testing connections, generating DH
parameters etc.

Fantastic service by Qualys - examines what settings your server allows, how efficient it is, and also shows which clients can connect to it and how securely.

Windows XP & Java 6 compatibility might stop you getting an A+ rating.

sslyze offers similar testing from a command line.

Because there some very common configs, there are some ready-to-roll examples available and a nice config generator from mozilla for apache, nginx, haproxy, ELB.

Bear in mind that if you’re only serving a small range of client types, for example iOS 9, you can restrict settings heavily to make it more secure, for example by only
allowing TLSv1.2.

HTTPS in PHP
• It’s been supported for years
• Certificates verified by default in PHP 5.6
• Override with ssl stream context properties
• HSTS is great, but…
• You may need to provide secure proxies
• Consider relative-protocol URLs deprecated
PHP 5.6 verifies certificates by default. Python and Ruby shared the same problem for many years. Some were campaigning for years to get this changed, but it was
never going to be smooth!

HSTS can break things like Wordpress plugins that load their own resources.

Relative Protocol URLs have a somewhat chequered history anyway - it’s common to run into certificate mismatches, domains that don’t provide SSL on the same
hostname (google did this) etc, can’t work where there is no page context.

SPDY & HTTP/2
How many of you are using SPDY?

How many of you are using HTTP/2?

As Ben Ramsey’s talk yesterday gave a thorough grounding on the background of HTTP/2, I’m skipping that.

HTTP Potted History
• HTTP/0.9 - 1991
• HTTP/1.0 - 1996, RFC1945
• HTTP/1.1 - 1997, RFC2068, RFC732x
• SPDY - 2009
• HTTP/2 - 2015, RFC7540
• http://http2.github.io/http2-spec
0.9 only had GET!

1.0 added https, HEAD and POST, basic auth

1.1 proxies, caching, lots of new verbs

Later RFCs nailed things down a little harder, but the version remained unchanged

Google announced SPDY in 2009 as a means of addressing some of the shortcomings of HTTP, making use of their unique position as both site and browser maker,
something that they have continued to do.

SPDY became a public testbed for what was to eventually evolve into HTTP/2 - so HTTP/2 isn’t really all new.

What’s in SPDY?
• It’s a tunnel for HTTP and HTTPS requests
• It’s a binary protocol
• Streamlines, combines, simpliﬁes and compresses
HTTP requests and responses
• Reduces latency & overhead
• No app changes necessary
No more telnet into your web server :(

What’s in HTTP/2?
• Compatibility with HTTP/1.1
• HPACK header compression
• Multiple prioritised streams within a single
connection - reduced TCP & SSL overhead
• Server can decide how to bundle resources
dynamically
• Real server push
Google’s intention was that SPDY would form the basis of HTTP/2, so the differences are evolutionary.

Also binary protocol, but curl and wget already speak HTTP/2.

Header compression helps reduce the impact of ever-expanding headers, cookies etc. HPACK rather than gzip to mitigate CRIME attacks.

Multiple streams within a single TCP connection - reduces setup time, latency - especially with SSL. HTTP/1.1 had pipelining, but it was strictly first-in/first-out and was
thus subject to head-of-line blocking.

Prioritisation means it could interrupt a large image download to sneak past an important ajax response.

Potential for pre-emptive push of related assets - when you request the page, you get all the CSS and JS with it, perhaps images too.

Could be done adaptively without pre-configuration, by watching what clients do - but we’re not there yet.

Server push is not just an illusion this time! TCP sockets are expected to stay open for long periods.

HTTP/2 Client Support
• SPDY is everywhere
• HTTP/2 is getting there
• Even IE!
• Safari on OS X and iOS will get HTTP/2 in next
versions
• curl & libcurl
• No explicit support in PHP
Both SPDY and HTTP/2 have seen rapid uptake by web client developers - supported in all major browsers.

SPDY requires TLS, but HTTP/2 does not, however, nearly all the client implementations (that grew from SPDY) require it, so it’s a de-facto standard.

HTTP/2 will be in Safari 8.1 on OS X on 10.11 and iOS 9, but it’s already in Chrome for iOS.

Not a big deal for PHP as it will inherit client access through libcurl, and PHP rarely runs as a server.

HTTP/2 Server Support
• Not in Apache or Nginx yet, but SPDY is
• Is in IIS & LiteSpeed
• H2O and nghttp2 can proxy
• Use SPDY for now
• Expect everything important by year end
Apache and nginx have excellent SPDY support, but no HTTP/2.

Nghttp2 library being used to add HTTP/2 support to various things, including an experimental apache module called mod_h2.

HTTP/2 will be in nginx by year-end.

H2O is a simple but very fast HTTP/2 server that you can use as a reverse proxy - no fastcgi support yet.

SPDY is a nice easy upgrade if you’re not using it already, but it won’t be around for long - Google has said it will be removed from Chrome next year.

What to change for HTTP/2?
• Nothing!
• New anti-patterns
• Domain sharding
• Pre-combining CSS, JS assets, image sprites
• Not using TLS
• It’s going to get a lot better
Just like SPDY, you can treat it as mostly plug & play.

But there are current common practices that actively work against HTTP/2’s abilities.

Though HTTP/2 doesn’t strictly require TLS, the overhead it adds is “paid for” by the ALPN TLS extension that's as a way of upgrading a an HTTP/1.1 connection to
HTTP/2 without using the HTTP/2 upgrade mechanism. Also, all client implementations require TLS, so it’s academic.

It will get much better as new web server features evolve to take advantage of HTTP/2’s abilities.

Testing SPDY & HTTP/2
• curl, wget, wireshark
• Browser extensions to show connection type
• Look at Google, twitter
• Chrome net internals:
• chrome://net-internals/#http2
• Benchmark it! It’s supposed to be faster!
Chrome extension called “HTTP/2 and SPDY indicator”

The future
• Fix shortcomings of TCP
• QUIC
• Packetzoom
• DNSSec
• BlockChain
• PHP7!
TCP can be horribly inefficient, especially on busy, unreliable networks - like mobiles. Much of HTTP/2 is to reduce the impact of this overhead.

Latency is the defining factor in network performance.

QUIC is Google’s low-overhead reimagining of TCP built on UDP, so it works with all current stacks, already in Chrome, used on Google sites.

Packetzoom is doing the same thing, but using a whole new IP protocol tuned for mobile

DNS has a whole raft of security problems that are largely addressed by DNSSec, but it’s complex and being slow to gain traction. IPv6 increases the value of DNS
servers to attackers. Witness BT internet redirecting google searches to an insecure site!

Bitcoin’s BlockChain just seems to be popping up everywhere; it’s bound to get used for something significant soon!

Most of these are independent of PHP as they’re handled by lower-level servers

But we’re all looking forward to PHP7!

Thank you!
• Marcus Bointon
• marcus@synchromedia.co.uk
• @SynchroM
• Synchro on GitHub & StackExchange
• https://joind.in/user/view/27687

Links:

IPv6: https://en.wikipedia.org/wiki/IPv6

Intro to IPv6: http://chrisgrundemann.com/index.php/category/ipv6/introducing-ipv6/

Cisco IPv6 docs: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/conﬁguration/rtg_brdg/guide/rtbrgdgd/ipv6.html

Useful IPv6 articles: http://ipv6.com/articles/general/

Nice IPv6 docs: http://www.tcpipguide.com/free/t_InternetProtocolVersion6IPv6IPNextGenerationIPng.htm

DNSSec: http://www.internetsociety.org/deploy360/dnssec/basics/

What are Diﬃe-Hellman params for? http://security.stackexchange.com/questions/38206

HTTP/2 info: https://http2.github.io

HTTP/2 overview: http://chimera.labs.oreilly.com/books/1230000000545/ch12.html

iOS 9 App Transport Security policy: https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/index.html

Stats on SSL uptake: http://trends.builtwith.com/ssl/SSL-by-Default

Modern networking for php developers (PHP Dorset)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (19)

Andere mochten auch

Andere mochten auch (12)

Ähnlich wie Modern networking for php developers (PHP Dorset)

Ähnlich wie Modern networking for php developers (PHP Dorset) (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Modern networking for php developers (PHP Dorset)