WILS: Layer 7 (Protocol) versus Layer 7 (Application)

posted on Tuesday, February 16, 2010 3:17 AM

The problem with HTTP (okay, one of the problems with HTTP, happy now?) is that it resides at the top of the “stack” regardless of whether we identify the “stack” as based upon the TCP/IP stack or the OSI model stack. In either case, HTTP sits at the top like a a king upon his throne. There’s nothing “higher” than the application in today’s networking models.

But like every good king, HTTP has a crown: the actual application data exchanged in the body of an HTTP transaction. In the good old days, when intermediaries (proxies) were only able to see the protocol portion of HTTP, i.e. its headers, this wasn’t a problem. When someone said “layer 7 switching” we understood it to mean the capability to make load balancing or routing decisions based on the HTTP headers. But then load balancers got even smarter and became “application aware” and suddenly “layer 7 switching” came to represent both load balancing/routing decisions based on HTTP headers or on its payload, i.e. the application data, a.k.a. “content based routing (CBR)” on the software side of the data center.

We have yet to come up with a way to separate the two and clearly distinguish what it is we mean when we say “layer 7” and yet the performance and capacity limits of intermediaries can be impacted significantly by the difference between the two. When configuring some intermediaries you have the ability to specify which type of layer 7 switching you will performing as it requires different behavior on the part of the intermediary. Thus it’s important to understand the difference between layer 7 “protocol” (HTTP and its headers) and layer 7 “application” (data).

Layer 7 (protocol) includes everything “below” it in the stack – TCP ports, IP addresses, etc… – in addition to HTTP protocol attributes, including HTTP headers.

Layer 7 (application) includes everything “below” it in the stack – HTTP protocol, TCP ports, IP addresses, etc… – in addition to the application data being exchanged. In the case of application switching/load balancing for the protocol only, the intermediary does not need to “wait” for the application data to arrive before making a decision. The HTTP headers are almost always contained in the first few packets exchanged and a decision can be made as soon as all the headers have been received. This can, when considering round trip times and size of data being submitted, shave off response time from the perspective of the application user. It also uses less memory on the intermediary because there is very little buffering required as the headers are received relatively quickly and are limited in number and size. This is important when considering capacity needs/constraints. Completely buffering requests/responses requires a lot more memory than just making decisions based on HTTP headers.

In the case of application switching/load balancing for the application, the intermediary must wait for the application data to arrive before making a decision. While leveraging a streaming strategy, as is often the case with XML-parsing capable intermediaries, can reduce the buffering requirements and the time between submission and a routing decision, if the data upon which the intermediary needs to base its decision is at the end of the application data, and that data is large, then the device must effectively buffer the entire application message before it can make a decision and send the transaction on its way. This results in sessions being held open longer, which impacts the overall capacity of the device in terms of concurrent connections.

If you’re using an intermediary (load balancer) and are only applying layer 7 (protocol) routing capabilities, make sure you’re using – if it’s available – a configuration that matches. If you’re looking at intermediaries now because, well, you’re looking into virtualization and cloud computing models for its elastic scalability and will need a Load balancer as part of that architecture, then ask about how the load balancing solution supports layer 7 switching. And makes sure it recognizes that there’s a difference between layer 7 protocol and layer 7 application routing, and understand which it is you really need to be using.

WILS: Write It Like Seth. Seth Godin always gets his point across with brevity and wit. WILS is an ATTEMPT TO BE concise about application delivery TOPICS AND just get straight to the point. NO DILLY DALLYING AROUND.

Related blogs & articles:

Technorati Tags: MacVittie,F5,Layer 7,OSI,TCP,headers,HTTP,application,load balancing,capacity,WILS,content-based routing

Posted In: Development and General, Performance, WILS,

3 Comments

Feedback

2/16/2010 4:42 AM
		This is also why SSL-encrypted packets require SSL termination at the application-aware load balancer: The entire "layer 7" contents are encrypted. And it explains nicely why, when you host multiple HTTPS-enabled sites on the same machine, you need SSL-termination in order for the load balancer (yes, apache is a load balancer in this sense) to discover which site's certificate to use to decrypt the contents.
Shlomo Swidler

2/16/2010 4:54 AM
		@Shlomo Ah, excellent point re: SSL termination. Absolutely necessary, and conversely why end-to-end SSL encryption can be problematic for the entire infrastructure: every device that needs to "see" the application data has to be able to decrypt and re-encrypt. Lori
macvittie

2/16/2010 10:22 PM
		I think you need to go even further than you have here because technically the Application layer is only the protocol (both the TCP/IP stack and the OSI Network Model, are networking models after all), and what rides inside that Application layer protocol isn't, in the context of the model, an application - it is a user interface and inside that is content - the application is the whole that is greater than the sum of it's parts. So, in the context of an Application Delivery Controller, when we talk about delivering an application, we are talking really about getting content to people (or to machines in an M2M connection) by processing transactions intelligently, not about getting the L7 protocol from a client to a server, because that isn't the end of the story. In the case of an Web 2.0 application, we'll see IP at L3; TCP at L4; TLS at L5; HTTP at L7; Adobe Flash or Javascript at L8 (interface); and HTML and UTF-8 at L9 (content) while a simple M2M conversation might have the same L3-7 profile, but have SOAP at L8 and ASCII at L9. In either case, an ADC is (or should be) judged by how well it functions not just from L3-7 but also from L8-9. Can you do what used to be called DPI (and perhaps now should just be called L9 inspection) without becoming a regex junkie? Can you recognize the difference between versions of a interface protocol at L8 or navigate a markup language or modify content cleanly and reliably without munging the flow of information? These are really the baselines up there in the rarefied air at the top of an inclusive Application Model, because while getting it right down in the L3-7 plumbing still matters, being able to point at TCP:80 or HTTP and then make assumptions is insufficient in a growing number of cases as the application design world pushes towards richer interfaces and new content encoding methods while the networking world is (mostly) standing pat. Because of that we really need to expand our vocabulary and our models and not try to shoehorn all the new developments in one domain into the vocabulary of another.
Ian

Let Me Know What You Think

Please use the form below if you have any comments, questions, or suggestions.

Title:

Name:

Email: (so we can show your gravatar)

Website:

Comment: Allowed tags: blockquote, a, strong, em, p, u, strike, super, sub, code

Remember Me?

Enter the code shown above:

Please add 6 and 5 and type the answer here:

		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization
		WILS
		Infrastructure 2.0
		F5 Friday
		Data Center Feng Shui
		Dynamic Infrastructure
		Load balancing
		Service Providers
		1024 Words
		v10.2.2
		v11
		JSON
		HTML5
		Mobile
		iApp
		Availability
		Storage
		DDoS
		AppSec
		TradSec
		Marketing Madness

		February, 2012 (6)
		January, 2012 (13)
		December, 2011 (9)
		November, 2011 (12)
		October, 2011 (14)
		September, 2011 (14)
		August, 2011 (16)
		July, 2011 (12)
		June, 2011 (14)
		May, 2011 (12)
		April, 2011 (16)
		March, 2011 (16)
		February, 2011 (12)
		January, 2011 (14)
		December, 2010 (12)
		November, 2010 (14)
		October, 2010 (14)
		September, 2010 (13)
		August, 2010 (13)
		July, 2010 (18)
		June, 2010 (22)
		May, 2010 (22)
		April, 2010 (19)
		March, 2010 (23)
		February, 2010 (20)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)