In-depth | Only IT people can understand "Journey to the West"

As a TV series that has been rebroadcast thousands of times, the 1986 version of "Journey to the West" is undoubtedly a classic among classics! For most people, it is the deepest memory of their childhood.

The author of this article uses Journey to the West as the background to tell you a story about computer network protocols.

I, the Buddha, created the sutras and preached the Pure Land

[[257858]]

It is said that our Buddha Tathagata has three true scriptures to save all people in the world, which can encourage people to do good.

As shown in the picture, the place where the true scriptures are hidden is in the clouds. Under the jurisdiction of the Buddha, there are four regions, called the Four Continents, one is Dongsheng Shenzhou, the second is Nanshanbuzhou, the third is Xiniuhezhou, and the fourth is Beijuluzhou.

Our Buddha is located in Xiniu Hezhou, which is the main site.

In each region, multiple scripture storage buildings are set up to ensure the eternal preservation of the scriptures, which are called available zones.

Inside each scripture-repository building are rows of cabinets, called cabinets, which contain rows of grids, called servers, and the scriptures are placed in the grids.

[[257859]]

[[257860]]

In the Sutra Library, the cabinets are organized into categories according to the scriptures and are managed by different gods. The god who manages the scriptures in a cabinet has the key to access the scriptures in his hands and is called the access layer god (access layer switch).

Multiple access layer devices are managed by a group of aggregation layer devices (aggregation layer switches), and multiple aggregation layer devices are managed by a group of core layer devices (core switches).

The immortal system is strictly organized with clear layers. For immortals at different access layers to exchange scriptures, they need the consent of the immortals at the convergence layer. For immortals at different convergence layers to exchange scriptures, they need the consent of the immortals at the core layer.

[[257861]]

The guarding of the scriptures must be foolproof, so each layer is guarded in groups, supervised and backed up by each other, which is called stacking.

Although each cabinet is filled with scriptures, in order to prevent the scriptures from being eavesdropped on or peeped at, the contents of the scriptures are encapsulated in a virtual private space using magic.

Although someone may be able to steal the physical scriptures, without the magic to open this private space, the scriptures they see will be blank. This virtual private space is called VPC.

To interpret the scriptures, you need to use an inconspicuous magic weapon in each grid, which is a virtual switch called Openvswitch. As the name suggests, it plays the role of converting scriptures between the virtual private space and the physical space.

How does Openvswitch convert? It uses an encapsulation technology called VXLAN, but you must know the ID of Open Sesame, that is, the VXLAN ID, in advance to see the real content of the scripture.

In the virtual space, there are true scriptures that can be truly interpreted.

[[257862]]

[[257863]]

The true scriptures include a collection of methods, which talks about heaven; a collection of theories, which talks about earth; and a collection of scriptures, which saves ghosts. The three collections total thirty-five parts, with a total of 15,144 volumes, which are the path to cultivating the truth and the door to righteousness and goodness.

It seems that the front, middle and back ends have been separated and divided into basic service layer, combined service layer and Controller layer, with a total of thirty-five modules and more than fifteen thousand services. It is really a microservice architecture.

It is also very challenging to avoid getting lost in these 15,000 volumes of scriptures, which requires an index and guide, which is often referred to as the RPC framework and service registration and discovery center.

In order to facilitate many monks to come and seek scriptures, there will be a unified entrance address at the foot of Lingshan Mountain. There is a deity here, called the Golden Summit Immortal, who is specifically here to receive those who come to seek scriptures.

[[257864]]

Since there are many people who come to seek scriptures and there are many scriptures, the Jinding Daxian plays the role of load balancing, assigning different seekers to different scripture towers to access different scriptures.

At the foot of the sacred mountain where the Golden Summit Immortal resides is a world-famous address, called an external IP address. This address can be located globally, and all those who seek Buddhist scriptures must first arrive at this place.

Jinding Daxian uses NAT rules to convert the external network IP address into the private IP address of the Sutra Library, such as the third floor of Sutra Library No. 2, the fifth floor of Sutra Library No. 4, etc.

Inside the Lingshan Sutra Library, it is located by a private IP address. The true scriptures are ready, and the only thing missing is the person who will go to the East to obtain the scriptures.

Guanyin went to Chang'an by imperial decree

But the Buddha was worried, and said: I wanted to send it to the East, but the sentient beings there are too stupid, they slander the truth, do not know the essence of my method, and neglect the authenticity of yoga.

How can I find a man with magical powers to go to the East to find a believer, and teach him to go through thousands of mountains and rivers to seek the true scriptures from me, and pass them on to the East forever, and persuade all living beings? This is a great blessing, and it is a great blessing. Who is willing to go?

The true scripture is in Lingshan, but the people of the East are stupid and don't know where Lingshan is. What should they do? They need a person with boundless magical power to tell them. And only then can they tell the whole world that there is the true scripture in Lingshan.

Fortunately, there is Guanyin Bodhisattva, who said: "I am not talented, but I would like to go to the East to find a person to obtain Buddhist scriptures." What magic power does Guanyin Bodhisattva have? Of course, it is the BGP protocol.

The previous picture shows the situation of one availability zone. For the situation of multiple availability zones, we can hide the computing nodes and enlarge the external network access area.

The external IP is placed on the external network port of the virtual gateway. How can this IP be made known to the world? Outside the core switch is the security device, and then the border router.

The border router will be connected to multiple operators, so that each operator can access this website. The border router can broadcast the external IP in its own data center through the BGP protocol, that is, tell the world that if you want to access these external IPs, you have to come to me.

Each operator also has many routers and many points, so the routing information on how to reach these IP addresses can be broadcast across the country and even the world.

Isn't this amazing? This is what Buddha Tathagata told Guanyin Bodhisattva: "On this journey, you must walk carefully along the path. You are not allowed to walk in the sky. You must walk in half cloud and half fog. Look at the mountains and rivers, and remember the distance of the journey. I remind you, the one who is seeking the scriptures."

That is to say, you have to remember the roads you passed on the way to the East and the distance, so that you can tell the person who is seeking the scriptures how to go along the way.

Xuanzang sincerely established the Great Assembly

When Guanyin Bodhisattva arrived at the Tang Dynasty in the East, he saw Master Xuanzang sitting on a high platform, leading everyone in chanting sutras. He recited the "Sutra on Rebirth and Salvation of the Dead", talked about the "Seal of Anbang Tianbao", and then preached the "Scroll of Encouraging the Practice of Merits".

The Bodhisattva came forward and called out, "Monk, you can only talk about the Hinayana teachings, but can you talk about the Mahayana?" Hearing this, Xuanzang was overjoyed. He jumped off the stage and said to the Bodhisattva, "Master, I have failed to see clearly and have committed many sins. The monks in front of me are all talking about the Hinayana teachings, but they don't know what the Mahayana teachings are like."

The Bodhisattva said, "Your teachings of the Hinayana cannot help the deceased ascend to heaven, and can only help the mundane world. I have the Three Treasures of the Mahayana Buddhism, which can help the deceased ascend to heaven, help those in need escape suffering, cultivate the body of infinite life, and achieve the state of no coming and no going."

[[257865]]

[[257866]]

[[257867]]

You see, in the Western Pure Land of Ultimate Bliss, our Buddha already has more amazing Buddhist scriptures, but in the far East, people are still reading the scriptures that were brought over from the West by local monks in the early days.

This model is called CDN.

When we deploy applications, we usually save static resources in two places. One is the Varnish cache behind Nginx, which is usually static pages.

Larger, infrequently updated static images are stored in object storage. CDN is configured for static resources in both locations to deliver the resources to edge nodes.

At first, the Buddha passed down the scriptures by word of mouth, and the scriptures were memorized by the great monks. As the monks traveled around the world and as temples spread all over the world, the Buddhist scriptures spread all over the world. This is equivalent to caching the Buddhist scriptures in edge nodes.

After CDN is configured, a CNAME alias will be set for static resources on the authoritative DNS server, pointing to another domain name cdn.com, and returned to the local DNS server.

When the local DNS server gets the new domain name, it needs to continue to resolve the new domain name. At this time, when you access it again, it is not the original authoritative DNS server, but the authoritative DNS server of cdn.com. This is the CDN's own authoritative DNS server.

On this server, a CNAME will still be set up to point to another domain name, which is the global load balancer of the CDN network.

The local DNS server requests the CDN's global load balancer to resolve the domain name. The global load balancer will select a suitable cache server to provide services for the user and return the IP address to the client. The client will access the edge node to download resources. The cache server responds to the user's request and transmits the content required by the user to the user's terminal.

If the cache server does not have the content the user wants, then the server will request the content from its upper-level cache server until it traces back to the source server of the website and pulls the content locally.

The global load balancing strategy of CDN is like when monks want to read Buddhist scriptures, they don’t have to go to the West, but can ask nearby temples to see if there are any, and then ask the masters in the temple for Buddhist scriptures.

However, the cached Buddhist scriptures are certainly not as new as the ones obtained from the West. Therefore, since the East is far away from the West, the scriptures cached in it are still Hinayana Buddhism. If one wants to study Mahayana Buddhism, one must go to the West to obtain the scriptures, which is called returning to the source.

Guanyin appears as a golden cicada

Guanyin Bodhisattva planned to convert Master Xuanzang and return to the West to obtain Buddhist scriptures.

But how to get there and where is the address? Master Xuanzang had only heard of the Western Paradise but didn't know the exact address, so he had to ask Guanyin Bodhisattva.

[[257868]]

[[257869]]

At this time, everyone knew that the Western Paradise was in the Great Leiyin Temple in Lingshan Mountain, 18,000 miles away. This process is called DNS resolution.

When you open an App on your phone, the first thing you need to do is to resolve the domain name of the website.

In the Internet area where the mobile phone operator is located, there is a local DNS, and the mobile phone will request DNS resolution from this DNS. If this DNS has a local cache, it will return directly.

If there is no cache, the local DNS needs to recursively query the root DNS server, find the *** domain name server of .com, and finally find the authoritative DNS server.

If you use a cloud platform and configure smart DNS and global load balancing, in the authoritative DNS service, we can usually create an alias by configuring CNAME, such as vip.yourcomany.com.

Then tell the local DNS server to request GSLB to resolve the domain name. GSLB can then implement load balancing through its own strategy during the process of resolving the domain name.

GSLB finds out the operator and address of the user by checking the operator and address of the local DNS server that requested it, and then returns the public IP addresses of three local load balancers to the local DNS server in the region close to the user's location.

The local DNS resolver caches the result and returns it to the client. For mobile apps, the traditional DNS resolution mechanism can be bypassed and HTTP DNS service can be directly used to obtain the public IP addresses of the three local load balancing services by directly calling the HTTP DNS server.

This public IP address is the location of the Jinding Daxian. In fact, at this time, the Jinding Daxian is already waiting.

At this time, Li Shimin suddenly started to speak, saying: "Who is willing to follow my order and go to the West to worship Buddha and seek scriptures?" He was willing to buy the two treasures in Guanyin's hand, a "Jinlan cassock" and a "Nine-ring staff". The Buddha said: "If there are people who come here with a firm heart to seek scriptures, wear my cassock to avoid falling into reincarnation; hold my staff to avoid being poisoned."

[[257870]]

Master Xuanzang replied: "I am a humble monk, but I am willing to serve you as a dog or a horse, and help you obtain the true scriptures, so that our king can maintain his rule forever."

[[257871]]

[[257872]]

At this time, the Bodhisattva said: "The road to the West is long, and there are many tigers, leopards, demons and monsters. I am afraid that if I go there, I will never come back, and I will lose my life."

Xuanzang said: "I have made a great vow. If I do not obtain the true scriptures, I will fall into hell forever."

[[257873]]

[[257874]]

In fact, the conversation here is very interesting. Master Xuanzang’s reply to Li Shimin is different from his reply to Guanyin Bodhisattva.

At this time, Li Shimin, as a secular monarch, wanted to seek the true scriptures, that is, the Tang Dynasty, as a client, wanted to initiate a request to the server. But Master Xuanzang knew that Li Shimin, the king of Tang, went to seek the scriptures in order to secure his country forever.

Therefore, Li Shimin's request was at the application layer, and the HTTP protocol was initiated. In the body of the HTTP request, I'm afraid the four words "江山永固" were written.

However, when Master Xuanzang replied to Guanyin Bodhisattva, what he said was different. It was a kind of persistence in the true scriptures and Buddhism itself.

So Master Xuanzang is at the TCP layer. TCP is connection-oriented and a reliable protocol, but this does not mean that the network environment it faces is good.

From the IP level, if the network conditions are really that bad, there is no reliability guarantee, and TCP, as the upper layer of IP, is powerless. The only thing it can do is to work harder, retransmit continuously, and ensure it through various algorithms.

That is to say, for TCP, I have no control over whether the IP layer loses packets or not, but I will try my best to ensure reliability at my level.

This was verified in the Quicksand River. When Guanyin Bodhisattva was trying to convert Sha Wujing, Sha Wujing said, "Bodhisattva, I have eaten countless people here. Several times, I ate people who came to seek scriptures. The heads of all the people I ate were thrown into the Quicksand River and sank to the bottom of the water (even goose feathers cannot float in this water). Only the skulls of the nine people who sought scriptures floated on the surface of the water and could not sink. I thought they were foreign objects, so I tied a rope to them and played with them in my spare time. Now, I am afraid that the people who sought scriptures will not be able to get here, but won't it ruin my future?"

The Bodhisattva said, "How can it be impossible? You can hang the skull above your head and wait for the sutra to come in. It will be useful."

[[257875]]

[[257876]]

So the nine skulls on Sha Wujing's neck represent Tang Sanzang's previous nine lives. Once eaten, he will keep trying again and again.

In order to implement retries and achieve TCP reliability, the client and server need to establish a connection.

The HTTPS protocol is based on the TCP protocol, so a TCP connection must be established first. In this example, the TCP connection is between the App on the mobile phone and the load balancer SLB. That is, between Tang Seng and the Golden Summit Immortal. When you reach the Golden Summit Immortal, you don't have to be afraid, because he will guide you to the Buddha.

Although it passes through many routers and switches, the TCP connection is end-to-end.

The TCP layer and the upper layer HTTPS cannot see the process of the intermediate packets. Although all packets cannot escape the forwarding between these routers and switches when the connection is established, the details of the forwarding are explained in detail in the process of sending the order request. Here we only look at the end-to-end behavior.

For a TCP connection, a three-way handshake is required to establish a connection. In order to maintain this connection, both parties need to maintain a connection state machine at the TCP layer.

Initially, both the client and the server are in the CLOSED state. The server first actively listens to a port and is in the LISTEN state.

The client then actively initiates a connection SYN, and then enters the SYN-SENT state. The server receives the initiated connection, returns a SYN, and ACKs the client's SYN, and then enters the SYN-RCVD state.

After the client receives the SYN and ACK sent by the server, it sends an ACK of ACK and then enters the ESTABLISHED state.

This is because it successfully sent and received. After the server receives the ACK, it is in the ESTABLISHED state because its sending and receiving are also successful.

After the TCP layer connection is established, it is the turn of the HTTPS layer to establish a connection. During the HTTPS exchange process, the TCP layer is always in ESTABLISHED.

For HTTPS, the client sends a Client Hello message to the server, using plain text to transmit information such as TLS version information, cipher suite candidate list, compression algorithm candidate list, etc. In addition, there will be a random number used when negotiating symmetric keys.

The server then returns a Server Hello message to tell the client the protocol version, encryption suite, compression algorithm, etc. that the server chooses to use. This also has a random number for subsequent key negotiation.

The server will then give you a server-side certificate and say, "Server Hello Done, that's all I have."

Of course, the client does not trust this certificate, so you take the public key in the CA certificate from the CA repository you trust to decrypt the e-commerce website's certificate.

If it succeeds, it means the e-commerce website is trustworthy. In this process, you may continue to trace back to the CA, the CA of the CA, and the CA of the CA of the CA, until you find a trusted CA.

In fact, the staff and cassock in the hands of Guanyin Bodhisattva are equivalent to the certificates issued by the Buddha, ensuring the safety of Master Xuanzang on the journey to the West and preventing the network packet of Master Xuanzang from being eaten or tampered with by others.

[[257877]]

[[257878]]

Just like in the episode "Mistakenly Entering Little Leiyin", the White-browed Buddha wanted to eat Tang Monk's flesh, so he put on a cassock and went to the West to obtain Buddhist scriptures in order to achieve enlightenment.

Of course, when Guanyin Bodhisattva took out the staff and cassock as the certificate at the beginning, no one believed it, so Guanyin Bodhisattva needed to show her true form as the CA and prove it to the client, then Emperor Li Shimin of Tang and Master Xuanzang bowed down.

[[257879]]

After the certificate verification is completed, the server is considered to be trustworthy, so the client calculates a random number Pre-master, sends a Client Key Exchange, encrypts it with the public key in the certificate, and then sends it to the server. The server can decrypt it with the private key.

Next, both the client and the server have three random numbers: their own, the peer's, and the newly generated Pre-Master random number. These three random numbers can generate the same symmetric key on the client and the server.

With the symmetric key, the client can say: "Change Cipher Spec, we will use the negotiated communication key and encryption algorithm for encrypted communication in the future."

The client then sends an Encrypted Handshake Message, encrypts the agreed parameters with the negotiated key, and sends it to the server for data and handshake verification.

Similarly, the server can also send a Change Cipher Spec, saying: "No problem, we will use the negotiated communication key and encryption algorithm for encrypted communication in the future", and also send an Encrypted Handshake Message to try.

After the handshake between the two parties is completed, encrypted transmission can be performed using a symmetric key.

Tang Wang Su wine sent to Sanzang

Xuanzang's network packet was about to be sent out. Emperor Taizong held a court meeting and gathered civil and military officials to see him off. Li Shimin gave Xuanzang three things.

In the previous section, we mentioned that Taizong is the application layer, who is concerned with ensuring the longevity of the Tang Dynasty, while Xuanzang is the TCP layer, who wants to reach the West through a firm will.

The first thing Li Shimin gave was a pass, which was at the IP level. In the future, you would need this pass to pass through each city gate.

The second item is a purple gold bowl, which was used by Master Xuanzang when he went to a city to beg for food and to ask for directions. This is a MAC layer one.

The third thing is a white horse, which serves as a long-range leg force. This is at the physical level.

At ***, Emperor Taizong offered Xuanzang a cup of plain wine and said: "I would rather love a pinch of soil in my hometown than ten thousand taels of gold in a foreign land." Sanzang then understood the meaning of "a pinch of soil", thanked him again and drank it all, then said goodbye and left.

Once the connection is established between the client and the server, the next step is to send the network packet for the order request.

What is sent at the user layer is the HTTP network packet. Because the server provides a RESTful API, what is sent at the HTTP layer is a request.

 POST /purchaseOrder HTTP/1.1
 Host: www.xxxxxx.com
 Content-Type: application/json; charset=utf-8
 Content-Length: nnn 
 
 {
 "order" : {
 "date" : "2018-07-01" ,
 "className" : "Interesting Talk on Network Protocols" ,
 "Author" : "Liu Chao" ,
 "price" : "68"  
 }
 }

HTTP messages are roughly divided into three parts. The first part is the request line, the second part is the request header, and the third part is the request body.

In the request line, the URL is www.xxxxxx.com/purchaseOrder and the version is HTTP 1.1.

The type of request is called POST, which requires actively telling the server some information, rather than getting it. What do you need to tell the server? It is usually placed in the body. The body can have various formats, the most common format is JSON.

Below the request line is our header field. The header is key value, separated by a colon.

Content-Type refers to the format of the body. For example, if we make a POST request and the body is JSON, then we should set this value to JSON.

Next is the main text, which is a JSON string that describes in text form that you want to buy a course, who the author is, and how much it costs.

In this way, the HTTP request message format is pieced together. Next, the browser or mobile app will hand it over to the next transport layer.

How to hand it over to the transport layer? Socket is also used for programming. If you use a browser, you don't need to write these programs yourself, someone has already written them for you; if it is in a mobile app, an HTTP client tool will generally be used to send it and encapsulate it for you.

HTTP protocol is based on TCP protocol, so it uses connection-oriented method to send request, and transmits it to the other party through Stream binary stream. Of course, when it reaches the TCP layer, it will turn the binary stream into a message segment and send it to the server.

In the TCP header, there will be a source port number and a destination port number. The destination port number is generally the port number that the server listens on, and the source port number is often randomly assigned on the mobile phone side. This port number is used on the client and server to distinguish between requests and returns and which application to send to.

In the IP header, you need to add your own address (ie, source address) and where you want to go (ie, destination address).

When a mobile phone goes online, PGW will assign an IP address to the phone, which is the source address, and the destination address is the external IP address of the cloud platform's load balancer.

At the IP layer, the client needs to check whether the target address is in the same LAN as itself and calculate whether it is in the same network segment, which is often done using the CIDR subnet mask.

For this ordering scenario, the target IP and source IP are not in the same network segment, so they need to be sent to the default gateway. Generally, when IP addresses are assigned through DHCP, the IP address of the default gateway is also configured at the same time.

However, the client does not directly use the IP address of the default gateway. Instead, it sends the ARP protocol to obtain the MAC address of the gateway, and then puts the gateway MAC as the target MAC and its own MAC as the source MAC into the MAC header and sends it out.

The format of a complete network packet is as follows:

Next, the network package is officially sent. If you use your mobile phone to open the App and place an order to send the network package, it is usually sent through the mobile operator's network.

After the customer's mobile phone is turned on, it searches for the eNodeB nearby and sends a request to apply for Internet access. The eNodeB sends the request to the MME, which authenticates and authorizes the mobile phone and also requests the HSS to see if there is money and where to access the Internet.

After the MME passes the authentication of the mobile phone, it starts to build a tunnel. The data path is divided into two sections, which are actually two tunnels. One section is from the eNodeB to the SGW, and the second section is from the SGW to the PGW. Outside the PGW is the Internet.

PGW will assign an IP address to the mobile phone, and the mobile phone will use this IP address when accessing the Internet.

For mobile phones, the default gateway is on PGW. In the mobile network, there is a tunnel from the mobile phone to SGW and to PGW.

In this tunnel, the above packet will be placed inside as the tunnel's passenger protocol, and the IP addresses of the SGW and PGW in the core network room will be used. The network packet will not be decoded until the PGW (PGW is the other end of the tunnel) decrypts the packet and forwards it to the external network.

Therefore, when sent from a mobile phone, the structure of the network packet is:

• Source MAC: The MAC of the mobile phone, also known as the UE.
• Target MAC: The MAC of the tunnel endpoint on the gateway PGW.
• Source IP: UE's IP address.
• Target IP: The public IP address of the SLB.

After entering the tunnel, the outer network address is encapsulated, so the format of the network packet is:

• Outer source MAC: MAC of E-NodeB.
• Outer target MAC: SGW's MAC.
• Outer source IP: E-NodeB IP.
• Outer target IP: SGW's IP.
• Inner source MAC: MAC of the mobile phone, also known as the UE.
• Inner target MAC: The MAC of the tunnel endpoint on the gateway PGW.
• Inner source IP: UE's IP address.
• Inner target IP: the public IP address of the SLB.

When the tunnel is at SGW, a tunnel is switched from SGW to PGW, so the format of the network packet is:

• Outer source MAC: MAC of SGW.
• Outer target MAC: PGW's MAC.
• Outer source IP: SGW's IP.
• Outer target IP: PGW's IP.
• Inner source MAC: MAC of the mobile phone, also known as the UE.
• Inner target MAC: The MAC of the tunnel endpoint on the gateway PGW.
• Inner source IP: UE's IP address.
• Inner target IP: the public IP address of the SLB.

When the packet is decoded and forwarded at the tunnel endpoint of the PGW, a NAT service is usually deployed on the router of the PGW's external network to convert the mobile phone's IP address into a public IP address. When the request is returned, it is NATed back.

Therefore, after PGW, it is equivalent to a forwarding of ten countries in Europe. The format of the network packet is:

• Source MAC: MAC of PGW egress.
• Destination MAC: MAC of NAT gateway.
• Source IP: UE's IP address.
• Target IP: The public IP address of the SLB.

At the NAT gateway, it is equivalent to a Xuanzang-style forwarding, and the format of the network packet becomes:

• Source MAC: MAC of NAT gateway.
• Target MAC: MAC of A2 router.
• Source IP: UE's public IP address.
• Target IP: The public IP address of the SLB.

The network conditions of the mobile phone operators were relatively good. For Master Xuanzang, it was relatively safe within the borders of the Tang Dynasty.

The original text says: The master and his disciples traveled for several days and arrived at Gongzhou City. Gongzhou officials and others had already come to welcome them into the city. They rested for a night and left the city the next morning.

Along the way, they ate and drank, stayed at night and walked in the morning. After two or three days, they arrived at Hezhouwei. The generals stationed at the border and the local monks had heard that the master was the imperial envoy who had gone to the West to see the Buddha. They were all very respectful, took him in, provided him with food, and asked the monks to invite him to rest at Fuyuan Temple.

The monks of the temple went to see him one by one and arranged for the evening meal. After the meal, he told the two servants to feed the horses and set off before daybreak.

After walking for half a day, we saw a huge mountain on the opposite side, which was really high up to the sky, towering and steep.

This mountain is called the Two Boundaries Mountain. The eastern half belongs to the Tang Dynasty, and the western half is the territory of the Tatars. Beyond this mountain, it is no longer Tang Dynasty territory.

[[257880]]

[[257881]]

[[257882]]

Through thousands of mountains and thousands of dangers

After leaving the territory of the Tang Dynasty, what should we do next?

Fortunately, to go to the West, one has to pass through one country after another. Each country has a city gate. Master Xuanzang only needs to ask for directions everywhere. As long as the gatekeepers of these city gates know the general way to go, he can go through each country one by one. If he encounters a country, there are pass documents that can protect Master Xuanzang's safety in the country.

There are two problems to be solved here. The first is how the gatekeepers of each city gate and each country knew how to get to the West. The second problem is how Xuanzang asked for directions and how to get there.

Let's first ask a question. When Guanyin Bodhisattva came to the East from the West, he had already told these countries and cities through a kind of magic.

The magic of Bodhisattva is mainly divided into two situations. One is how to travel within a country, and the other is between countries and how to travel in the wild.

Within a country, Bodhisattvas mainly follow the principle of the shortest path, which means that the less distance one travels, the better, and the shorter the road, the better.

However, between countries, Bodhisattvas must not only consider the distance, but also the policy. For example, some countries are close, but the countries passing by do not like monks and will arrest them when they see them. For example, in France, even bald people will be arrested. In such a situation, even if the road is close, it is best to go the longer way.

What is the magic of the Bodhisattva? When we studied computer networks and data structures in college, we learned that there are two common methods for finding the shortest path:

• Bellman-Ford algorithm
• Dijkstra's algorithm

These two methods are also basically used for calculation in computer networks: distance vector routing, which is based on the Bellman-Ford algorithm; link state routing, which is based on the Dijkstra algorithm.

The two most commonly used routing protocols are:

• OSPF (Open Shortest Path First) is such a link-state routing protocol, which is widely used in data centers and is called the Interior Gateway Protocol (IGP).
• The algorithm used by the BGP protocol is the path-vector protocol, which is an upgraded version of the distance vector routing protocol and is called the Border Gateway Protocol (BGP).

The routing protocol is a protocol that allows cities to communicate with each other about where to go and how to go.

The second question is how Xuanzang asked for directions and how he walked. This is the IP protocol.

This depends on the pass document, which says that I am from the Tang Dynasty in the East (the source IP address) and want to go to the West to worship Buddha and seek scriptures (referring to the target IP address). I am passing by a treasure land and will stay for one night. I will set off tomorrow. What should I do next?

[[257886]]

[[257887]]

[[257888]]

When solving the first problem, each city gate had communicated with the neighboring city gates through the magic of Bodhisattva and learned the following information.

This is called a routing table. Based on this table, we can tell Tang Seng how to go. Next, let's look at the full story.

After passing through the NAT gateway, the network reaches the Internet from the core network. In the network world, each operator's network is called an autonomous system (AS). Each autonomous system has a border router, which is used to establish a connection with the outside world.

For cloud platforms, it can be called Multihomed AS, which has multiple connections to other ASs, but mostly refuses to help other ASs transmit packets, such as the networks of some large companies.

For operators, it can be called a Transit AS, which has multiple connections to other ASs and can help other ASs transmit packets, such as the backbone network.

How to reach the cloud platform's border router from the carrier at the exit? This needs to be done between routers through the BGP protocol, which is divided into two categories: eBGP and iBGP. eBGP broadcast routing is used between autonomous systems and border routers. Internal networks also need to access other autonomous systems.

How does the border router import the routes learned by BGP into the internal network? By running iBGP, the internal router can find the border router that reaches the external network destination***.

The public IP address of the website's SLB has already been made known to the entire network through the cloud platform's edge router.

Therefore, the next hop of the ordered network packet is A2, that is, the MAC address of A2 is placed in the target MAC address.

After reaching A2, it finds from the routing table that the next hop is router C1, so it replaces the target MAC with the MAC address of C1.

After reaching C1, the next hop is found to be C2, and the target MAC address is set to the MAC of C2. After reaching C2, the next hop is found to be the border router of the cloud platform, so the target MAC is set to the MAC address of the border router.

You will find that along the way, only the MAC address is changed, and the target IP address is not changed. This is the concept of the so-called next hop.

The border router of the cloud platform will forward the ordered packets, which will go through core switching and aggregation switching and reach the public IP address of the SLB on the external network gateway node.

We can see that the connection from the mobile phone to the SLB's public IP is an end-to-end connection, and many packets are sent during the connection process.

All these packets, whether TCP three-way handshake or HTTPS key exchange, have to go through such a complicated process to reach the SLB. Of course, the path taken by each packet may not be the same.

When network packets travel along this complex path, they may be lost accidentally. What should we do? This requires the use of the TCP mechanism to resend them.

Since TCP needs to retransmit packets, it needs to maintain a Sequence Number to see which packets have arrived, which have not arrived, which need to be retransmitted, and how much the transmission speed should be controlled. This is the TCP sliding window protocol.

The entire TCP transmission will start with a negotiation of a Sequence Number. Starting from this Sequence Number, each packet will be numbered.

The sliding window divides the receiving network packet into four parts:

• Packets that have been received, ACKed, and handed over to the application layer.
• Received and ACKed, but not sent to the application layer.
• Received, ACK not sent yet.
• Not received, there is still free buffer area.

For the TCP layer, each packet has an ACK. The ACK needs to be replied from the SLB to the mobile phone, and the above process is reversed. Of course, the path may not be the same, which shows that ACK is not that easy.

If the sender does not receive an ACK within a certain period of time, it will resend the packet. Only packets ACKed by the TCP layer will be sent to the application layer, and only one copy will be sent. For the ordering scenario, the application layer is the HTTP layer.

You may ask, if TCP keeps sending repeatedly, will it cause an order to be placed twice? Is it required that the server implements exponentiation?

From the perspective of TCP mechanism, no. Only packets that cannot receive ACK will be sent repeatedly. When sent to the receiving end, only one copy is saved in the window. Therefore, in the same TCP connection, there is no need to worry about retransmission leading to double ordering.

However, the TCP connection may be disconnected for some reason, such as a poor mobile phone signal. At this time, the mobile phone will redo all the actions, establish a new TCP connection, and call the RESTful API twice at the HTTP layer. This may result in the order being placed twice, so the RESTful API needs to implement idempotence.

When the ACKed packet is sent to the application layer, the TCP layer's cache is emptied, which causes the large triangle in the figure above, which is the total cache that the receiver can accommodate, to slide clockwise as a whole.

A small triangle, that is, the total window size of the receiver informs the sender, that is, the cache size received has not been fully confirmed. If these are filled, you cannot send it again, because it has not been confirmed to receive, so none of them can be thrown away.

Successful action shows true

After experiencing 81 difficulties, Tang Monk finally arrived in the West. He found that the Golden Ding Daxian was already waiting for them.

[[257889]]

The network packet went through many difficulties and dangers from the mobile phone and finally arrived at the public network port where the SLB's public IP is located. Because it matched the MAC address and IP address, the network packet was collected.

When Tang Monk passed the Lingyun Fairy Ferry River in the West, he found that the rolling waves were about eight or nine miles wide and no one was seen.

I finally waited for a boat, but it was not yet a bottom. It turned out that the person who drove the boat was to guide the Buddha. Master Xuanzang's body floated away with the river, thus reborn and becoming a golden body.

[[257890]]

On the external network port of the virtual gateway node, there will be a NAT rule that converts the public IP address to the private IP address in the VPC. This private IP address is the private IP address of the virtual machine where the HAProxy is located in the SLB.

Therefore, network packets are also transformed, realizing the conversion of public network IP to private network IP.

Of course, in order to carry a relatively large throughput, there will be multiple virtual gateway nodes, and the physical network will distribute traffic to different virtual gateway nodes.

Similarly, HAProxy will also be a large cluster. The virtual gateway will select a load balancing node and distribute a request to it. The load balancing is followed by the Controller layer, which is also deployed in the virtual machine.

When the target IP in the network packet becomes a private IP address, the virtual router will look for routing rules and send the network packet from the private network port below.

At this time the package format is:

• Source MAC: Gateway MAC.
• Target MAC: The MAC of the HAProxy virtual machine.
• Source IP: UE's public network IP.
• Target IP: The private network IP of the HAProxy virtual machine.

In the *** section, we say that Buddhist scriptures are stored in a virtual space. To open this virtual space and interpret the scriptures, we need an ID with sesame opening. The Buddha will give Master Xuanzang an ID.

On the virtual routing node, there will also be OVS, which encapsulates the network packets in a VXLAN tunnel. The VXLAN ID is allocated when creating a VPC for your tenant.

VXLAN ID is the ID of the VPC virtual space, and OVS is the magic weapon that can encapsulate and unblock private space.

The format of the package is:

• Outer source MAC: Gateway physical machine MAC.
• Outer target MAC: MAC of physical machine A.
• Outer source IP: gateway physical machine IP.
• Outer target IP: The IP of physical machine A.
• Inner source MAC: gateway MAC.
• Inner target MAC: The MAC of the HAProxy virtual machine.
• Inner layer source IP: UE's public network IP.
• Inner target IP: The private network IP of the HAProxy virtual machine.

On physical machine A, OVS will unplug the packet from the VXLAN tunnel and send it to the virtual machine where HAProxy is located.

When the virtual machine where HAProxy is located finds that the MAC address matches and the target IP address matches, the packet will be sent to the HAProxy process based on the TCP port, because HAProxy is listening for this TCP port.

Therefore, HAProxy is the server to which the TCP is connected, and the client is the mobile phone. The connection status of TCP, sliding windows, etc. are all maintained on HAProxy.

Here, HAProxy is a four-layer load balancing, that is, it only parses to the TCP layer. He does not care about the HTTP protocol inside, so he forwards the request to one of the multiple Controller layers on the backend.

The network packet sent by HAProxy is considered to be a client and cannot see the mobile phone. The network packet format is as follows:

• Source MAC: The MAC of the virtual machine where HAProxy is located.
• Target MAC: The MAC of the virtual machine where the Controller layer resides.
• Source IP: The private network IP of the virtual machine where HAProxy is located.
• Target IP: Private network IP of the virtual machine where the Controller layer is located.

Of course, after this packet is sent out, it will still be placed into the VXLAN tunnel by the OVS on the physical machine. The network packet format is:

• Outer source MAC: MAC of physical machine A.
• Outer target MAC: MAC of physical machine B.
• Outer source IP: The IP of physical machine A.
• Outer target IP: The IP of physical machine B.
• Inner source MAC: The MAC of the virtual machine where HAProxy is located.
• Inner layer target MAC: The MAC of the virtual machine where the Controller layer resides.
• Inner source IP: The private network IP of the virtual machine where HAProxy is located.
• Inner layer target IP: The private network IP of the virtual machine where the Controller layer is located.

On physical machine B, OVS will detach the packet from the VXLAN tunnel and send it to the virtual machine where the Controller layer is located.

When the virtual machine where the Controller layer is located finds that the MAC address matches and the target IP address matches, the packet is sent to the process of the Controller layer based on the TCP port, because it is listening for this TCP port.

Maintain a TCP connection between HAProxy and Controller layer. After receiving the packet, the Controller layer cares about what is inside HTTP, so he untie the HTTP packet and found that it was a POST request, which was placing an order to purchase a course.

Obtain the true scriptures and become a golden body

Master Xuanzang finally arrived at the Great Leiyin Temple in the West and met my Buddha Tathagata.

[[257891]]

The Buddha was willing to preach the scriptures to Xuanzang, so he asked Xuanzang to go to the Sutra Library to obtain the scriptures. Who knew that there were rules for the Western Heaven. If you didn’t understand the rules here, it would be difficult to communicate with the people who managed the scriptures and would not be able to obtain the true scriptures.

[[257892]]

[[257893]]

[[257894]]

Similarly, in e-commerce services, there is often a service that specializes in managing orders at the combined service layer. Although the Controller layer exposes the standard RESTful protocol to the outside, the combined service layer will be called internally through the RPC protocol. If you do not understand this protocol, you cannot communicate.

Assuming we are using Dubbo, the Controller layer needs to read the registration center, take out the list of processes for placing the order service, and select one to call it.

The default RPC protocol in Dubbo is Hessian2. Hessian2 serializes the order's remote calls into binary for transmission.

Netty is a non-blocking event-based network transport framework. Between the Controller layer and the Order Service, Netty's network transport framework is used.

With Netty, you don’t have to write complex asynchronous Socket programs yourself. The way Netty uses is that when we talk about Socket programming, a project team supports multiple projects (IO multiplexing, from sending people to notifying something).

Netty still works at Socket, and the network packets sent are still based on TCP. In the lower layer of TCP, it is still necessary to encapsulate IP headers and MAC headers.

If you communicate across physical machines, you still need to encapsulate the outer VXLAN tunnel. Of course, Netty does not perceive the underlying packages, it only needs to do its asynchronous communication.

On Netty's server, that is, in the ordering service, after receiving the request, it is first decompressed in Hessian2 format. Then the request is distributed to a thread for processing, and the business logic of placing an order will be called in the thread.

Fortunately, Master Xuanzang and his disciple later met Maitreya Buddha, a registered center that understands the inside story, and returned to Lingshan. They did it according to other people's rules, and then changed the wordless scriptures to the wordless scriptures.

[[257895]]

[[257896]]

[[257897]]

The business logic of placing an order is relatively complicated. It often requires calling inventory services, coupon services, etc. in the basic service layer. Only after calling multiple services is completed can the order be placed successfully.

The ordering service calls inventory services and coupon services. It is also through Dubbo's framework, and obtains a list of inventory services and coupon services through the registration center, and then selects a call.

When calling, Hessian2 is used for serialization and Netty is used for transmission. If the underlying layer crosses physical machines, it still needs to be encapsulated and deencapsulated through VXLAN.

When we take inventory as an example, we talk about the problem of idempotent interface implementation. Because if inventory is deducted, it is only who calls it and who reduces one.

The problem with this is that if the inventory deduction fails because one call fails and multiple calls are called, this refers not to TCP multiple retry, but multiple retry calls by the application layer, there will be a situation where inventory deductions will occur.

The commonly used method here is to use Compare and Set (CAS). CAS needs to consider three aspects: the current inventory count, the expected original inventory count and version, and the new inventory count.

Before the operation, query the original inventory number and version. When deducting the inventory, determine if the current inventory value matches the expected original value and version, update the inventory value to the new value, otherwise no operation will be done.

This is a state-based rather than action-based design, which conforms to the architectural design principles of REST. Such a design is conducive to high concurrency scenarios.

When multiple threads try to update the same variable at the same time using CAS, only one of the threads can update the value of the variable, while the other threads fail. The failed thread will not be suspended, but will be told that the competition has failed and can try again.

Finally, after the order is updated to the distributed database, the entire ordering process is truly over.

[[257898]]

Of course, this order call will return a result. We have successfully placed the order!!!!!!