The Riverbed Blog (testing)

A blog in search of a tagline

Going Sideways to Get Back Straight

Posted by riverbedtest on June 9, 2011

Today's guest blogger is Brad Wood, a Riverbed Global Consulting Engineer.

My job at Riverbed is working directly with end customers and sales engineers to solidify designs in  Doll Chatty Cathy complex networks.  I also spend a large amount of my time looking at applications that Riverbed doesn’t have any official accelerations for, and see what we can do for a customer who needs help.  Sometimes this involves taking rather creative approaches to get the needed performance, and sometimes despite our best efforts the protocol simply doesn’t optimize well.  Whether it's native compression and encryption that can’t be disabled or it’s just a Chatty Cathy application we don’t get the results that we are looking for.   But when we do…… It’s simply magic. 

A recent example was with a feature in our latest RiOS release, SMTP/S (Simple Mail Transport Protocol), which is used for sending and receiving email messages.  Our smart guys in engineering have figured out a way to negotiate a TLS (Transport Layer Security) Start in the middle of a conversation.  Traditionally we have optimized SSL/TLS by catching the SSL/TLS key exchange at the beginning of the connection.  Basically, this is the equivalent of "Hello, how are you, can we speak in private?"  It was neat, it was simple, it was secure, and it worked. 

However with SSL/TLS Explicit Start it makes life a little more difficult.  It requires the ability to start a session in one protocol then switch to SSL/TLS in the middle of the existing protocol.  This is analogous to starting a conversation in English and switching to Japanese in the middle of a sentence.  Since we couldn't do this, it meant that we couldn’t optimize Exchange 2007 hub-to-hub traffic.  So, engineering put the fingers to the keyboard and first released this feature, albeit unsupported, in 6.1 and kept the momentum going in 6.5.  Late Start SSL was a dream come true for Microsoft administrators. 

About a month ago I got an email from an SE asking about extending this feature to FTP/S explicit, a secure file transport protocol. Wireshark I thought to myself….. Is there any reason this wouldn’t work?  So off to Pilot and Wireshark I went.  I narrowed down the conversation that I wanted to see in my 2GB capture with Pilot, then exported to Wireshark to look at the packet by packet play.  Sure enough we saw the FTP session start in clear text, next before the authorize, a PROT command was issued.  This command tells the server to start TLS, and then we saw the TLS session start, and Steelhead optimize it.  It was a beautiful, especially when we saw the client’s eyes light up when the traffic went from 3-4 minutes to 20 seconds. 

Although we all like to talk about the speed, my biggest concern was the overall impact to the businesses that we help.  To make a long story short, this client had invested several million dollars in this particular app, and had consumers that refused to use it because of the speed.  But we made it work.


Figure 1.  You can see the start of the Secure FTP session and the client issuing PROT.  This is followed by AUTH TLS command


Figure 2. Changing ‘decode as’ show us the SSL/TLS session being negotiated. 

The end result: a very happy customer.

Sometimes it’s good to step outside of the confines of what is supported and “just see” if it’ll work.  In this case, it resulted in a huge win for the technology department of this customer, and even a bigger win of the executive who had recommended the software to begin with. 

One Response to “Going Sideways to Get Back Straight”

  1. Fatou said

    This is a great write up and real word scenario of using Wireshark to analyze and determine a solution along with an innovative way to solve application performance issues. Am sure the client was relieved knowing that that software isn’t going to be one many bandwidth intensive apps contributing to bring a network to a crawl.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: