外文翻译 - 互联网即时通讯和聊天协议研究

外文原文AStudyofInternetInstantMessagingandChatProtocolsInstantmessaging(IM)andInternetchatcommunicationhaveseenenormousgrowthoverthelastseveralyears.IMistheprivatenetworkcommunicationbetweentwousers,whereasachatsessionisthenetworkcommunicationbetweentwoormoreusers.Chatsessionscaneitherbeprivate,whereeachuserisinvitedtojointhesession,orpublic,whereanyonecanjointhesession.Thereareontheorderof100millionInternetIMusers,whereauserisdefinedasauniquenameononeofthemajorpublicIMnetworksAOLInstantMessenger(AIM),MicrosoftMessenger(MSN),orYahoo!Messenger(YMSG).Todate,littlehasbeendocumentedaboutthenetworkprotocolsusedbythesesystems.Theprotocolsarenotstandardized,manyofthemareproprietary,andtheyareevenseenasacontrolpointinthisbusinessbythecompaniesinvolved.ThisisdemonstratedbytherepeatedattemptsoftheIMservicestolockoutusersofothersystems,inanattempttokeeptheircustomersprivate.However,enoughinformationisavailabletodeterminethebroadcharacteristicsofthesesystems.WehavealsousedpackettracingofIMtrafficinordertogleanfurtherdetailsintotheseprotocolsandsystems.InthisarticlewepresentanoverviewofIMprotocolsasexemplifiedbythethreepopularsystems:AIM,MSN,andYMSG.Whileeachhasbeendesignedandimplementedseparately,theoverallgroupexhibitssimilarcharacteristicswithrespecttonetworkandsystemarchitecture.Forexample,alloftheIMprotocolsallowauthenticatingwithacentralserver,engaginginprivatemessages,andconversinginpublicchatrooms.Inaddition,someIMsystemsallowfiletransfers,Webcamusage,usingprivacycontrols,maintainingbuddylists,voicechatsessions,andotheroptions.Wediscussthesetopicsinmoredetailinthesectionstofollow.WeanalyzethemostrecentIMclientsavailable.However,allofthemajorIMprotocolshaveundergonesignificantrevisionsovertheyears,andchangestotheprotocolsoccuronaregularbasis.Aswithallnetworkedapplications,IMandchatprotocolshavealargepotentialdesignspace.ThissurveyhelpsexposesomeofthedimensionsavailabletoaprotocoldesignerandhowexistingIMsystemschosetodecidethem.Wherepossible,wedescribeadvantagesanddisadvantagesofeachdesignchoice,especiallywhenthechoiceaffectssecurity.FeaturesandFunctionsMostIMsystems,includingthethreethatweanalyzeherein,useaclient-serverarchitecture.IMproviderstypicallyhostasetofserversthatcustomerslogintoandexchangemessageswith.AfundamentalissuefacedbyIMserviceproviders,andthusdesignersoftheprotocols,ishowthesystemswillscalewithlargenumbersofusers.Ideally,eachproviderdesirestohavemillionsofcustomersloggedontotheirsystemsateachtime.Thisinturnrequiresthatorganizationshaveasystemarchitecturethatcanscalewiththenumberofusers.Twoapproachesareavailablehere:symmetricandasymmetric.Inasymmetricarchitecture,eachserverperformsidenticalfunctions,suchthataclientneednotdistinguishwhichserveritcontactstoengageinanactivitywith.Inanasymmetricapproach,eachserverisdedicatedtoaparticularactivitysuchasloggingin,discoveringotherusersonthenetwork,maintainingachatroom,orforwardinganinstantmessage.Theclient-serverarchitectureallowsIMserviceproviderstokeepsomedegreeofcontrolovertheirusers.Onthepositiveside,ithelpsovercomesomeofthetechnicalissuesassociatedwithtraversingthefirewallsthattheclientsareoftenbehind.Onthenegativeside,sincebothcontrolanddatapathsgothroughthecentralservers,scalingtheservicetomillionsofusersisdifficult.Thescalabilityissueisparticularlydifficultforvoicechatsessions.AsIMservicesarebeginningtosupportvoice-chatcommunications,peer-to-peerdatapathsarebeingused.AIMusesaclient-serverarchitecturefornormaloperationsbutusesapeer-to-peerapproachforvoice-chatsessionswheretheinitiatortalksdirectlytotherecipientaftercoordinatingthroughthesystem.Twoclientsthuscommunicatedirectly,withoutusingachatroom,usingaproprietaryvoiceprotocol.YMSGalsousesaclient-serverarchitecturefornormaloperationsaswellasvoice-chatservice.YMSGvoicetrafficisroutedthroughacentralizedvoice-chatserver.Clientsfirstcontactasetupserver“”whichthenredirectstheclienttothevoice-chathostingserver.OnebenefitoftheYMSGcentralizedvoiceserverapproachisthatitcansupportmultipleuserswithinthesamevoice-chatsessionandeachusercanspecifytheirownvoicespecificationwiththecentralvoiceserverbasedontheirnetworkspeed.MSNusesaclient-serverarchitecturefornormaloperationsandpeer-to-peerforvoice-chatcommunication.MSNvoice-chatsessionsarealsolimitedbetweentwousers.Allthreeservicesprovidearangeofadministrativeandmanagementfunctions.MostIMsystemshavemechanismsformaintaininglistsoffriends(andevenenemies).Thesearetypicallycalled“buddylists,”“allowlists,”and“blocklists.”Theselistsaremaintainedaspersistentstateontheserver,whichtheclientssynchronizewithwhentheylogin.Thelistsareusedforseveralpurposes.Buddylistsidentifypeoplethatauserwishestomonitorthepresenceof(forexample,tobenotifiedwhentheylogin).Blocklistsidentifypeoplethatauserwishestobeisolatedfrom,sothattheuserisnotbotheredorharassedbythosepeople.Blocklistsareaformofblacklisting;somesystemshavethecomplementaryfeatureofawhitelistcalledallowlists,whichspecifythatonlypeopleonthelistmaycommunicatewiththeuser.AIM,YMSG,andMSNallhavebuddylistsandblocklists.AIMandMSNalsohaveallowlists.MSNevenhas“reverseforwardlists,”whichinformsyouofthoseusersthathaveyouontheirforward(allow)lists.AIMhasanadditionalfeaturethatspecifiesagranularityofblocking,calledawarning.Warningsaresentinresponsetoreceivedmessagesthattheclientfindsunpleasantorinappropriate.Recipientsofwarningmessagesarepenalizedbyhavingtheirsendingratelowered.Warninglevelsdegradeslowlyovertime.AusabilityfeaturethatsomeIMsystemsprovideismetamessagesthatindicatethattheotheruserinanIMsessionistyping.Thisimprovesinteractivity,allowingtheusertorealizethattheotherpartyisintheprocessofcomposingamessageandpotentiallyholdoffontheirowntyping.The“typing”messagesareconsequentlyamessagetypeintheIMprotocol.AIM,YMSG,andMSNhavesuchmessagetypes.AIMevenhasthreegranularities:typing,nottyping,andtypedbuterased.OneoptionYMSGprovidesthattheothersdonotistheabilitytosendIMstousersthatarenotcurrentlyloggedontothesystem.Thesystemsavesthemessagesonpersistentstorageandthendeliversthemtotherecipientwhenthatpersonlogsontotheservice.AninterestingfeatureofferedbyAIMistheabilitytoengageinsecurecommunicationsbyencryptingtheIMsession.ClientscanobtainpublickeysfromAOL,aswellasthecorrespondingcertificatestoverifythem.SecureinstantmessagesaredoneusingSSLandthetwopeerpublickeys.Securechatroomsarecreatedusingashared256-bitAESsecretkeychosenbythechatroomcreator;invitationstothechatroomincludethesecretkey.YMSGandMSNdonothaveanysimilarcapability.Peer-to-peertextcommunicationisalsoofferedbysomesystemsusingdirectTCPconnectionsbetweenclients,sometimescalled“sidechats.”AIMandYMSGhavethisfeature,butMSNdoesnot.SystemArchitectureAllthreecommercialsystemsuseserverclustersforscalability.AIMandMSNtaketheasymmetricapproach.AIMdefinesseveraltypesofservers:login,BOS(basicOSCARservices),icon,usersearch,chatroomsetup,andchatroomhosting.MSNdefinesthreetypes:dispatch,notification,andswitchboard.Wedescribehowtheseserversareusedinmoredetailbelow.Incontrast,YMSGtakesthesymmetricapproach.Clientsneedonlycontactonetypeofserverandthenrouteallkindsofactivitiesthoughthatparticularserver.Forexample,YMSGconnectstoarandomserverinthecs#.domain,where#isatwo-digitdecimalnumber.Allsubsequentcommunicationisroutedthroughthatserver.SessionDistributionWenowexamineindetailhowthedifferentsystemsdistributesessionsacrosstheserversinresponsetodifferentactions.TheAIMsystemarchitectureisdepictedinFig.1.InAIM,aftertheclientlogsinwiththemainauthenticationserver(step1inFig.1),theclientisdirectedtoaBOSserver.TheclientopensasingleTCPconnectiontotheBOSserver(step2),whichiseffectivelythecontrolchannel.Mostsubsequentcommunicationoccursoverthisconnection,suchasbasicinstantmessages.Persistentconnectionsarealsomadetotheemailserver(step3)andtheuserinterestserver(step4).Newservices(checkingemailstatus,lookingupauser,etc.)requiresendingaservicerequesttotheBOSserver,whichreplieswithanewIPaddressandTCPportnumbertocontactforthatparticularservice.Anewconnectionisthenmadetothatserver.Theexceptioniswhenauserwishestojoinorcreateachatroomsession.Inthiscase,theclientfirstcontactstheBOSservertogetaccesstothechatroomsetupserver(step5),whichgrantspermissiontoachatroom.ThecredentialsfromthechatroomsetupserverarethenpresentedtotheBOSserver(step6),whichthenpointstheclienttoaparticularchatroomserver(step7).EachchatroomsessionismaintainedusingaseparateTCPconnection.Theconnectiontothechatroomsetupserverpersistsuntilseveralminutesafterallchatroomsessionsareended.TheBOSservercanforceaclienttoswitchtoanotherBOSserverthroughamigrationmessage.In1998,AOLpurchasedMirabilisLtd.,thecreatoroftheICQinstant-messagingsoftware,andconvertedtheAIMnetworktouseaversionoftheICQOSCARprotocol.OSCAR,whichstandsforOpenSystemforCommunicationinRealtime,issomewhatmisleading,sinceAOLhasneverpublishedthespecificationsoftheprotocol.TherearesomedifferencesbetweenfeaturessupportedbyICQandAIMbutoveralltheunderlyingprotocolisthesame.Figure1.AIMsystemarchitecture.TheMSNsystemarchitectureisshowninFig.2.MSNalsohasanasymmetricarchitecture,butwithonlythreetypesofservers:dispatch,notification,andswitchboard.Aclientinitiallycontactsthewell-knowndispatchserver(step1inFig.2)ifitdoesnotknowofanynotificationservers.Thedispatchserverthenredirectstheclienttoanotificationserver.Theclientthenopensasingleconnectiontothenotificationserver(step2)andmaintainsthisconnectionaslongastheclientisloggedintothesystem.ThisisthecontrolchannelintheMSNarchitecture.Thenotificationservermaintainsthepresenceofusersinthesystem,andpointstheclienttoindividualswitchboardserverswhenanewinstantmessageorchatsessioniscreated(step4);step3willbediscussedinthenextsubsection.Theswitchboardserverisusedbothforchatsessionsandinstantmessagestootherclients;thisdiffersfromtheotherservicesinthatMSNtreatsinstantmessagesandprivatechatroomsidentically.Instantmessagesareactuallychatroomssetupbetweentwouserswhereadditionaluserscanbeinvitedtothechatroom.TheTCPconnectiontotheswitchboardisopenforthelifetimeofthechatorIMcommunicationtotheotherclient.Theswitchboardserveralsohandlesinvitationsforfiletransfers,video,andvoice.WhileMSNdoesnothaveanexplicitmigrationmechanism,thenotificationservercanclosetheclientconnection,forcingtheclienttostartover.YMSG,ontheotherhand,isverysimpleduetoitssymmetricarchitecture,andisshowninFig.3.Thesameconnectionisusedforallinstantmessagesandchatsessions.Manycorporateenvironmentsemployfirewallstoscreenunwantedtraffic,withacommondefaulttoallowHTTPtraffic.Becauseofthis,manyIMsystemsallowtunnelingoverHTTPasawayaroundthesefirewalls.Interestingly,thethreecommercialIMsystemsallusethesamesymmetricarchitecturewhentunneledoverHTTP;namely,theclientonlyinteractswithasingleHTTPfront-endserver.ThenativeIMprotocoliseffectivelyencapsulatedontopofHTTP,withcommandsandresponsesbeingmultiplexedoverHTTPconnections.AIMusestwoHTTPconnections;oneforsubmittingrequestsasynchronously,andtheotherthatblockswaitingfortheresponses.YMSGusesasinglesynchronousconnection,suchthateachrequestblocksuntilaresponseisreceivedfromthenetwork.MSNalsousesasingleconnection,butsubmitsrequestsasynchronouslyandeitherreceivesaresponseorpollsforaresponsedependinguponthetypeofrequest.UserAuthenticationThefirstthingusersdowhentheylogontoanIMnetworkisauthenticatethemselvestothesystem.Again,severalapproachesarepossiblehere,withclearimplicationsforsecurity.SomeIMsystemsdonotgothroughthefullauthenticationprocessthatisdoneinothercontexts(e.g.,SSL/TLS1),sinceboththeuserandthesystemshareasecretkeyknownonlytothetwoofthem:theusersnameandpassword.Whiletheinitialsystemsign-upistypicallydoneusingHTTPsecuredbySSL/TLS,oncethenameandpasswordaredecided,loginauthenticationistypicallydonebyexchanginghashesofthesharedsecret.Inthisway,thepasswordisnevertransmittedintheclearoverthenetwork,althoughtheusernameis.BothAIMandYMSGworkthisway.Theadvantagetothisapproachisthatexpensivecryptooperationsareavoided,suchasRSApublickeyorAESsharedkeyencryption.Instead,relativelycheaperauthenticationalgorithmsbasedonMD5and/orSHAareused.Thedisadvantageisthatconfidentialityisnotprovided;observerscanmonitorthepacketexchangesanddeterminewhohasloggedin,eveniftheycannotdeterminethepassword.Sincethehashalgorithmsarewellknown,andthechallengeandhashresultaresentintheclear,thesystemsarevulnerabletodictionaryattacks.Usersmustthereforeusepasswordsthataredifficulttocrack.Inaddition,performingtheexchangeintheclearcouldleadtoconnectionhijacking;forexample,AIMusesthecookiereturnedbythelogonserverasacredentialsentinthecleartotheBOSserver.Thiscredentialmustbeusedwithin30secondsortheconnectionwillbeterminatedbytheBOSserver.Thissuggeststhatthereisawindowofopportunitywhereanadversarycouldmonitortheconversation,capturethecookie,anduseittoimpersonatethevictimtotheBOSserver.Figure2.MSNsystemarchitecture.MSNusestheMicrosoftPassportsystem.AfteraclientidentifiesitselftotheMSNnotificationserver,itisredirectedtothePassportloginserver(step3inFig.2),whereauthenticationisperformedoverSSL.TheloginserverthensuppliestheclientwithseveralencryptedcookiesthatserveascredentialstotheMSNnotificationservers.Whiletheinternalcryptoalgorithmsarenotpubliclycookiesaresentintheclear.Thusanattackercouldattemptdocumented,theencryptedtousethecookiesforimpersonationandman-in-the-middleattacks2,3.DataTransferOneofthekeyissuesinanyIMorchatprotocolishowprotocolheadersandpayloadsareencoded.Therepresentationofthisdatacantaketwoforms.Historically,manynetworkprotocolshaveusedabinaryrepresentationofdatainnetworkbyteorder;examplesincludeTCPandIP.Application-layerprotocolssuchasHTTPandSMTPhavetendedtouseatextbasedapproach.Themainadvantagetothebinaryrepresentationisthatitmakesmostefficientuseofspaceonthenetwork.Theadvantageofthetext-basedapproachesisthattherepresentationisclosertothewayhumansviewinformation,andthusdebuggingiseasier.AIMandYMSGbothusebinaryrepresentationfortheirheaders.AIMusesatwo-levelbinarystructure,calledFLAPandSNACpackets,illustratedinFig.4.FLAPpacketshavefixed-lengthheadersandvariable-lengthdata;SNACpacketsareasubtypeofFLAPpacketsthatincludeseveraladditionalfixed-lengthfieldsfollowedbyavariabledatacomponent.YMSG,incontrast,hasasingle-levelstructureoffixedYMSG,incontrast,hasasingle-levelstructureoffixedlengthfieldsfollowedbyvariable-lengthdata,asshowninFig.5.Thedatafieldisasequenceofkey-valuepairs,wherekeysarerepresentedasavariable-lengthASCIInumber.AIMandYMSGhavedifferentmethodsofencodingheaderinformation.AIMfavorsavariable-lengthencodingthatismoreefficientinhowmuchspaceonthewireittakes;YMSGhasamoreregularstructurethatissimplertoparseanddecode.UnlikeAIMandYMSG,MSNheadersaretextbased,asshowninFig.6.MSNheaderstaketheformof,wherecommandisathree-letterencoding,transactionIDisanintegernumber,andparameterListdependsonthecommand.Figure7showsanexampleofsomeMSNmessagesduringtheloginphase,wheredifferentprotocolandoperatingversionsarespecifiedandtheclientistransferredtoanotificationserver.VERindicateswhatnativeprotocolversionsaresupportedbytheclient.CVRindicatesLocaleID,OStype,OSversion,platformarchitecture,clienttype,clientversion,andfixedstringof“MSMSGS”followedbythepassportID.XFRissentbytheserverindicatingtheIPaddressandportofthenewnotificationserverNSfollowedbya0andtheoldIPaddressandport.OnepotentialproblemforIMserviceprovidersareusersthatsenddataatexcessiverates,floodingthenetworkwithuselesstrafficandinconveniencingotherusers.WhileTCPprovidessomeprotectionagainstthisthroughcongestioncontrol,someIMprovidershaveapparentlydecidedthatthisisnotsufficient.Thus,severalsystemsprovidesomekindofratecontroltopreventSPAMordenialofservicewithintheirnetworks.AIMhasarelativelycomplexalgorithmthathasdifferentratelimitsbasedonthemessagetype.Ratesarebasedonatimewindow(inseconds).Iftheclientexceedstherate,theuserwillbewarned,andifthebadbehaviorpersists,theserverwillstartdroppingmessagesandwilleveneventuallydisconnecttheclient.YMSGhasastaticlimitofthreeIMspersecond,whichisenforcedbytheclient.Thisimpliesthatratelimitingcouldbecircumventedbythird-partyclients(suchasgaimorxchat)thatdonotenforcethelimit.MSN,ontheotherhand,doesnothaveanyrate-limitingcontrol.Figure3.YMSGsystemarchitecture.AnotherwaythatIMsystemsminimizetheloadontheirnetworksisbygettingridofidleclients.Idleclientscauseloadonthesystemsbyconsumingmemory(suchasconnectionstate)andevenCPUcycles(throughtimermanagement).Thus,eachsystemmaintainsakeep-aliveheartbeatmessage;iftheclientdoesnotprovideaheartbeatorresponsetoaquery,theconnectionmaybeterminated.InthecaseofAIM,theclientmustsendakeep-aliveeveryminutetotheserver.YSMGhastwotypesofheartbeatrequests,aprimaryandasecondary,thattheservergeneratesandtheclientmustrespondto.Itisnotimmediatelyclearwhytwotypesofsessiontimeoutsareused.Typicalvaluesare60minutesfortheprimaryand13minutesforthesecondary.MSNhasbothclientandserverheartbeats.Whentheclientpings,theserverrespondswithhowlongtheclientshouldwaituntilthenextping.Whentheserverpings,itisachallengetotheclient,whichmustthenrespondwithanMD5hashofthechallengeandtheclientID.Figure4.AIMFLAPandSNACpacketformats.Figure5.YMSGpacketformat.FutureDirectionsRecently,theIETFhasembarkedonanefforttostandardizeIMandchatprotocols.Twocompetingstandardsarebeingdeveloped:onebasedonSIMPLE4andasecondonebasedonXMPP5.SIMPLEisanextensiontotheSessionInitiationProtocol(SIP)6thstaddsinstantmessagingandpresence.SIPisatext-basedcontrol-planeprotocolforestablishingmultimediasessionssuchasVoiceoverIP.SIPcanbetransmittedoverUDP,TCP,orSSL/TLS.TheSIP/SIMPLEworkinggroupdefinestwomodelsformessagingandchatsessions:thepagermodelandthesessionmodel.Thepagermodelisappropriatewhenauserwishestosendasmallnumberofshortmessages.Thesessionmodelisintendedforextendedconversations,suchaschatgroups.TheSIP/SIMPLEpagermetaphorissimilartothatofatwo-waypagerorSMSenabledhandset;thereisnonotionofasessionwithanexplicitstartandend,noranyexplicitassociationbetweenmessages.IMpayloadsarecarriedinsidetheSIPpacketviaanewMESSAGEmethod.SIMPLEthususestheSIMProutinginfrastructuretodelivermessagestoendpoints.SinceSIPisdesignedandusedprimarilyfortransportingcontrolmessages,thereispotentialfortrafficcongestionwithintheSIPinfrastructurewhe