Solving HTTP Problems With Code and Protocols
NATASHA ROONEY
@thisNatasha
Web stack: HTTP / TLS / TCP / IP

OSI Model
Layer | Protocols
7. Application data | HTTP / IMAP
6. Data presentation, encryption | SSL / TLS
5. Session and connection management | -
4. Transport of packets and streams | TCP / UDP
3. Routing and delivery of datagrams on the network | IP / IPSec
2. Local data connection | Ethernet
1. Physical data connection (cables) | CAT5
Some fundamental limitations
Speed of light: 300,000,000 m/s
300km, 1ms
5G: 10ms
Only one way!
And as the crow flies...
Hops
Not good enough!
CDNs, Edge
Mobile Network (not wifi)
The Internet
Amount of data
Speed & Distance | Capped by speed of light
Amount of Data | >100 objects per site; 800k to 2.5MB data; >50 resources on same domain
RTs are Evil
Mostly because of physics. Not much you can do about that.
HTTP/1

Client: HTTP/1 / TLS / TCP / IP    Server: HTTP/1 / TLS / TCP
Request ->
<- Response
Request ->
Urgh...
Spriting
Inlining
Image source: @jungkees
Pipelining
Home / Roads / Supermarket
Client: HTTP/1 / TLS / TCP / IP    Server: HTTP/1 / TLS / TCP
TCP Setup
TLS Setup
HTTP Request/Response
HTTP/2
SPDY
Home / Roads / Supermarket
SPDY
A Protocol by Google, 2009
Header Compression
Parallel Connections
Multiplexing
Priority Marking
Server Push
TLS (to work)
HTTP/2
“Idea was to maintain HTTP semantics but change how it is transported.”
Daniel Stenberg
https://daniel.haxx.se/blog/
Home / Roads / Supermarket
Client: HTTP/1 / TLS / TCP / IP    Server: HTTP/1 / TLS / TCP
Request ->
<- Response
Request ->
Request ->
HTTP2
A Protocol by IETF (SPDY base)
Binary
Header Compression
Multiplexing
Server Push
TLS...
Stats
Gimme gimme
35% Requests
70% HTTPS Connections
13% Top 1,000,000 Sites
29% Top 1000 Sites
“90% your site”
2% packet loss: HTTP1 is better.
Head of line blocking
Home / Roads / Supermarket
Not good enough!
TCP issue (can happen on any protocol with in-order delivery)
QUIC
Home / Roads / Supermarket (TCP)
Transport Layer
TCP | Suffers from Head of Line Blocking
UDP | Can work...with help.
“We want QUIC to work on today’s internet”
Jana Iyengar
QUIC Editor, Google
Ossification
Why TCP or UDP only?
Image source: http://itpro.nikkeibp.co.jp/
HTTP/2 over TCP: HTTP/2 / TLS 1.2+ / TCP / IP
HTTP/2 over QUIC: Application / QUIC (Google Crypto, Congestion Control) / UDP / IP
QUIC
A Protocol by Google
HTTP/2 over TCP: HTTP/2 / TLS 1.2+ / TCP / IP
HTTP over QUIC: HTTP over QUIC / QUIC (TLS 1.3) / UDP / IP
“A "stream" is an independent, bidirectional sequence of frames exchanged between the client and server within an HTTP/2 connection…
A single HTTP/2 connection can contain multiple concurrently open streams…”
Hypertext Transfer Protocol Version 2 (HTTP/2), RFC7540
@thisNatasha
Image source: High Performance Browser Networking https://hpbn.co/http2/
Client: HTTP over QUIC / QUIC (TLS 1.3) / UDP / IP    Server: HTTP over QUIC / QUIC (TLS 1.3) / UDP / IP
Head of Line Blocking!
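The head-of-line blocking point (the "TCP issue" slide and the QUIC streams slide above) is easiest to see with numbers, so here is an added simulation that is not code from the talk: packets are numbered in send order, packet i arrives at time i, one packet is lost and its retransmission lands one RTT later. Under in-order delivery (TCP) the gap holds back every later frame of every stream; under per-stream ordering (QUIC streams, or equally one TCP connection per stream the HTTP/1 way) only the stream that lost a frame waits. The stream counts, the lost packet index and the RTT are constructed values.

```python
"""Head-of-line blocking under in-order delivery (TCP) versus per-stream
ordering (QUIC). Added simulation, not code from the talk.

Model: packets are numbered in send order and packet i arrives at time i.
Exactly one packet is lost; its retransmission arrives at time lost + rtt.
Each packet carries one frame of one stream. The functions report when the
application can read each frame.
"""
from typing import Dict, List, Tuple

Frame = Tuple[int, int]  # (stream_id, frame number within that stream)


def interleave(frames_per_stream: Dict[int, int]) -> List[Frame]:
    """Round-robin multiplex the streams into one send order, the way HTTP/2
    and QUIC interleave frames of concurrent streams on a single connection."""
    order: List[Frame] = []
    for n in range(max(frames_per_stream.values())):
        for sid, count in sorted(frames_per_stream.items()):
            if n < count:
                order.append((sid, n))
    return order


def arrival_times(packets: List[Frame], lost: int, rtt: int) -> List[int]:
    """Arrival time of each packet; the lost one only shows up after retransmission."""
    return [lost + rtt if i == lost else i for i in range(len(packets))]


def deliver_in_order(packets: List[Frame], lost: int, rtt: int) -> Dict[Frame, int]:
    """TCP byte stream: a frame is readable only once every earlier packet has
    arrived, so the gap left by the lost packet holds back all streams."""
    ready: Dict[Frame, int] = {}
    high_water = 0
    for frame, t in zip(packets, arrival_times(packets, lost, rtt)):
        high_water = max(high_water, t)
        ready[frame] = high_water
    return ready


def deliver_per_stream(packets: List[Frame], lost: int, rtt: int) -> Dict[Frame, int]:
    """QUIC streams: frame n of stream s waits only for earlier frames of stream s.
    One TCP connection per stream (the HTTP/1 way) behaves the same in this model."""
    ready: Dict[Frame, int] = {}
    high_water: Dict[int, int] = {}
    for frame, t in zip(packets, arrival_times(packets, lost, rtt)):
        sid = frame[0]
        high_water[sid] = max(high_water.get(sid, 0), t)
        ready[frame] = high_water[sid]
    return ready


def blocked_frames(ready: Dict[Frame, int], packets: List[Frame], lost: int, rtt: int) -> List[Frame]:
    """Frames that arrived intact but were held back behind the lost packet."""
    return [f for f, t in zip(packets, arrival_times(packets, lost, rtt)) if ready[f] > t]


# Constructed scenario: three streams of three frames each; the second packet
# (stream 2, frame 0) is lost and its retransmission takes 10 time units.
PACKETS = interleave({1: 3, 2: 3, 3: 3})
LOST, RTT = 1, 10


def compare() -> Dict[str, int]:
    """Number of intact frames delayed by the single loss under each transport."""
    tcp = deliver_in_order(PACKETS, LOST, RTT)
    quic = deliver_per_stream(PACKETS, LOST, RTT)
    return {
        "tcp_blocked": len(blocked_frames(tcp, PACKETS, LOST, RTT)),
        "quic_blocked": len(blocked_frames(quic, PACKETS, LOST, RTT)),
    }


if __name__ == "__main__":
    for name, fn in (("TCP", deliver_in_order), ("QUIC", deliver_per_stream)):
        ready = fn(PACKETS, LOST, RTT)
        print(name, " ".join("s%d/f%d@%d" % (s, n, ready[(s, n)]) for s, n in PACKETS))
    print(compare())
```

With one loss in nine packets, the in-order transport delays seven intact frames and the per-stream transport delays two, both on the stream that actually lost data. That is also why the "2% packet loss: HTTP1 is better" slide holds: HTTP/1's separate connections give the per-stream result, at the price of a full TCP and TLS setup per connection.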
0RTT: Setup + Data
2RTT: If QUIC version negotiation needed
1RTT: New Crypto Keys
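The talk's arithmetic (speed of light, 300 km per millisecond, TCP setup plus TLS setup plus request round trips, and the 0RTT/1RTT/2RTT QUIC cases above) can be put into one round-trip budget. The model below is an added example, not code from the talk. Its assumptions are labelled in the code: TCP handshake 1 RTT (0 with TCP Fast Open), TLS 1.2 full handshake 2 RTT and session-ticket resumption 1 RTT, HTTP/1 with six parallel connections and one request in flight per connection (a common browser limit, not a figure from the slides), HTTP/2 and QUIC sending all requests at once, and a constructed path of 3000 km over 12 hops. Bandwidth and flow control are ignored on purpose, because the RTT count is the part physics fixes.

```python
"""Round-trip budget for loading a page, following the talk's arithmetic:
the speed-of-light floor per round trip, the setup cost of each protocol
stack, and the request round trips for N objects. Added example, not code
from the talk.

Assumptions (labelled, not figures from the slides): TCP handshake 1 RTT,
TCP Fast Open 0; TLS 1.2 full handshake 2 RTT, resumption with a session
ticket 1 RTT; HTTP/1 opens 6 parallel connections with one request in
flight on each (a common browser limit); HTTP/2 sends every request at
once on a single connection; QUIC setup costs 0, 1 or 2 RTT as listed on
the 0RTT/1RTT/2RTT slide. Bandwidth and flow control are ignored.
"""
import math
from dataclasses import dataclass
from typing import Dict, Optional

SPEED_OF_LIGHT_M_PER_S = 300_000_000  # the talk's figure


def min_rtt_ms(distance_km: float, hops: int = 0, per_hop_ms: float = 0.0) -> float:
    """Lower bound on one round trip: light speed there and back, plus an assumed
    per-router forwarding delay for each hop in each direction."""
    one_way_ms = distance_km * 1000 / SPEED_OF_LIGHT_M_PER_S * 1000
    return 2 * (one_way_ms + hops * per_hop_ms)


@dataclass(frozen=True)
class Stack:
    name: str
    setup_rtts: int            # transport + crypto handshakes before the first request
    parallel: Optional[int]    # requests in flight at once; None = all of them


def request_rtts(n_objects: int, stack: Stack) -> int:
    """Each batch of `parallel` requests costs one round trip."""
    if stack.parallel is None:
        return 1 if n_objects else 0
    return math.ceil(n_objects / stack.parallel)


def total_rtts(n_objects: int, stack: Stack) -> int:
    return stack.setup_rtts + request_rtts(n_objects, stack)


def total_ms(n_objects: int, stack: Stack, rtt_ms: float) -> float:
    return total_rtts(n_objects, stack) * rtt_ms


TCP, TFO = 1, 0                  # assumed transport setup cost in RTTs
TLS12_FULL, TLS12_TICKET = 2, 1  # assumed TLS 1.2 full vs session-ticket handshake

STACKS = [
    Stack("HTTP/1 over TLS 1.2, 6 connections", TCP + TLS12_FULL, 6),
    Stack("HTTP/1 over TLS 1.2, session ticket + TFO", TFO + TLS12_TICKET, 6),
    Stack("HTTP/2 over TLS 1.2", TCP + TLS12_FULL, None),
    Stack("HTTP over QUIC, 0RTT setup + data", 0, None),
    Stack("HTTP over QUIC, 1RTT new crypto keys", 1, None),
    Stack("HTTP over QUIC, 2RTT version negotiation", 2, None),
]


def budget(n_objects: int, rtt_ms: float) -> Dict[str, float]:
    """Milliseconds spent on round trips per stack for a page of n_objects."""
    return {s.name: total_ms(n_objects, s, rtt_ms) for s in STACKS}


if __name__ == "__main__":
    rtt = min_rtt_ms(3000, hops=12, per_hop_ms=0.5)   # constructed path: 3000 km, 12 hops
    print("floor RTT %.1f ms" % rtt)
    for name, ms in budget(100, rtt).items():         # the slides' ">100 objects per site"
        print("%-45s %6.1f ms" % (name, ms))
```

For the slides' 100 objects the counts come out as 20 round trips for HTTP/1 with a full handshake, 4 for HTTP/2 and 1 to 3 for QUIC, which is the whole case for multiplexing and for cutting setup round trips before touching anything else.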
Reduce the RTs!
7% Internet Traffic
35% Google Egress Traffic
How does this affect me?
Abstraction
Is a computer scientist’s friend / fiend
Layer Violation
Some things
If you have to do something...
Manage your resources logically
Detect on upgrade header and adapt
Measure
Remember Physics!
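"Detect on upgrade header and adapt" in practice, as an added example that is not code from the talk: a server that parses an HTTP/1.1 request, recognises the cleartext HTTP/2 upgrade (`Upgrade: h2c` with an `HTTP2-Settings` header, RFC 7540 section 3.2), validates the client's SETTINGS before trusting them, and only then drops the HTTP/1 workarounds (spriting, inlining) in favour of serving resources individually. The strategy labels and the sample requests are this example's own constructions.

```python
"""Detect an HTTP/1.1 request asking to upgrade to HTTP/2 over cleartext (h2c)
and adapt the resource strategy accordingly. Added example, not code from the
talk. Header names and the HTTP2-Settings encoding follow RFC 7540 section
3.2; the strategy labels ("sprite-and-inline" vs "individual-resources") and
the sample requests are this example's own constructions.
"""
import base64
import struct
from typing import Dict, List, Tuple

# SETTINGS identifiers, RFC 7540 section 6.5.2
SETTINGS_NAMES = {
    0x1: "HEADER_TABLE_SIZE",
    0x2: "ENABLE_PUSH",
    0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE",
    0x5: "MAX_FRAME_SIZE",
    0x6: "MAX_HEADER_LIST_SIZE",
}


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Minimal HTTP/1.1 header parser: lower-cases names, keeps repeats in order."""
    head = raw.partition(b"\r\n\r\n")[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower().decode("ascii")
        headers.setdefault(key, []).append(value.strip().decode("ascii"))
    return headers


def tokens(values: List[str]) -> List[str]:
    """Split comma-separated list headers such as Connection into lower-case tokens."""
    return [t.strip().lower() for v in values for t in v.split(",") if t.strip()]


def encode_http2_settings(pairs: Dict[int, int]) -> str:
    """Client side: base64url (no padding) of 16-bit id + 32-bit value pairs."""
    payload = b"".join(struct.pack("!HI", k, v) for k, v in pairs.items())
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")


def decode_http2_settings(value: str) -> Dict[str, int]:
    """Server side: reverse of encode_http2_settings, length-checked before unpacking."""
    payload = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    settings: Dict[str, int] = {}
    for off in range(0, len(payload), 6):
        ident, val = struct.unpack("!HI", payload[off:off + 6])
        settings[SETTINGS_NAMES.get(ident, "UNKNOWN_0x%x" % ident)] = val
    return settings


def validate_settings(settings: Dict[str, int]) -> None:
    """Bounds RFC 7540 section 6.5.2 makes connection errors; enforce them before
    the values steer any buffer sizing on the server."""
    if settings.get("ENABLE_PUSH", 0) not in (0, 1):
        raise ValueError("ENABLE_PUSH must be 0 or 1")
    if settings.get("INITIAL_WINDOW_SIZE", 0) > 2**31 - 1:
        raise ValueError("INITIAL_WINDOW_SIZE exceeds 2^31-1")
    if not 2**14 <= settings.get("MAX_FRAME_SIZE", 2**14) <= 2**24 - 1:
        raise ValueError("MAX_FRAME_SIZE outside 2^14..2^24-1")


def plan_response(raw_request: bytes) -> Tuple[bool, Dict[str, int], str]:
    """Returns (upgrade_to_h2c, client_settings, resource_strategy).

    A valid upgrade means the client will multiplex streams, so the HTTP/1
    workarounds (spriting, inlining) stop paying off and resources can be
    served individually. Anything malformed is answered as plain HTTP/1.1."""
    headers = parse_headers(raw_request)
    conn = tokens(headers.get("connection", []))
    wants_h2c = "h2c" in tokens(headers.get("upgrade", []))
    h2_settings = headers.get("http2-settings", [])
    well_formed = (wants_h2c and "upgrade" in conn and "http2-settings" in conn
                   and len(h2_settings) == 1)
    if not well_formed:
        return False, {}, "sprite-and-inline"
    try:
        settings = decode_http2_settings(h2_settings[0])
        validate_settings(settings)
    except (ValueError, struct.error):
        return False, {}, "bad-request"
    return True, settings, "individual-resources"


# Constructed sample requests (not captured traffic).
H2C_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
    + ("HTTP2-Settings: %s\r\n\r\n" % encode_http2_settings({0x3: 100, 0x4: 65535})).encode("ascii")
)
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\n"
    + ("HTTP2-Settings: %s\r\n\r\n" % encode_http2_settings({0x2: 2})).encode("ascii")
)

if __name__ == "__main__":
    for req in (H2C_REQUEST, PLAIN_REQUEST, BAD_REQUEST):
        print(plan_response(req))
```

Over TLS the same decision keys off the protocol negotiated by ALPN (`h2`) rather than an Upgrade header; the TLS library exposes it after the handshake, and the "measure" step in the slide is what tells you whether the unbundled strategy actually helped.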
Recap
We made it!
RTTs, Physics, Data
SPDY, HTTP2, QUIC
Header compression
Multiplexing & Streams
Head of Line Blocking
Make protocols for today’s internet
Thank-you
People: Martin Thomson, Mark Nottingham, Jana Iyengar, Mike Bishop, Eric Rescorla, Ian Swett
TLS / Handshake Cheat Sheet

Reading a cipher suite name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE | Key Exchange
RSA | Authentication
AES_128_GCM | Cipher (Algorithm, Strength, Mode)
SHA256 | MAC or PRF

Key Exchange Method | Creates the pre-master secret. The pre-master secret is combined with the PRF to create the master secret. | RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA
Authentication Method | Uses public key crypto and the certificate's public key together. Once the certificate is validated the client can use the public key. | RSA or ECDSA. Certs: X.509, ASN.1 DER encoding.

Handshake Flow
Client Hello | Client sends TLS version, cipher suites, compression methods
Server Hello, Certificate | Server selects cipher & compression method; server sends certificate; client authenticates the server
Key Exchange | Pre-master secret exchanged between client & server; client validates certificate
Master Secret | Client & server can compute the master secret.
MAC | Server verifies MAC, returns to client to verify also.
Finished | Handshake complete.

Ciphers, Standards and Terms
Encryption | 3DES, AES, ARIA, CAMELLIA, RC4, and SEED. [1] Stream: adds MAC. [2] Block: adds IV and padding after encryption. [3] AEAD: encryption and integrity validation, using nonce, no padding, no IV.
Master Secret | Pre-master secret: combines params to help client and server create the master secret. Master secret: both server and client create this from the pre-master secret to symmetrically encrypt.
Integrity Validation | PRF: Pseudorandom Function. Takes a secret, a seed, and a unique label. TLS 1.2 suites use a PRF based on HMAC and SHA256. MAC: used for integrity validation in handshake and record.
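The cheat sheet's PRF and master-secret rows describe a concrete computation, so here it is worked through for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as an added example that is not code from the talk: the HMAC-SHA256 based PRF (P_SHA256 with a secret, a unique label and a seed), the 48-byte master secret from the pre-master secret and both randoms, then the key block the record layer uses. It follows RFC 5246 sections 5 and 6.3 and RFC 5288 for the GCM key and implicit-IV sizes; the pre-master secret and the randoms are constructed values, not the output of a real handshake.

```python
"""TLS 1.2 key derivation from the cheat sheet: the HMAC-SHA256 PRF, the
master secret from the pre-master secret, and the key block for
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Added example, not code from the talk;
it follows RFC 5246 sections 5 and 6.3 and RFC 5288 for the GCM key sizes.
The pre-master secret and randoms below are constructed values, not output of
a real handshake.
"""
import hashlib
import hmac
from typing import Dict


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash: A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: a secret, a unique label and a seed, as the cheat sheet says."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; both sides compute it after the key exchange."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """Key expansion for AES-128-GCM: an AEAD suite has no MAC keys, so the block
    is two 16-byte write keys and two 4-byte implicit IVs. Note the seed order
    flips to server_random + client_random here."""
    block = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def derive(pre_master: bytes, client_random: bytes, server_random: bytes) -> Dict[str, bytes]:
    """Whole flow: pre-master secret -> master secret -> per-direction keys."""
    master = master_secret(pre_master, client_random, server_random)
    keys = key_block(master, client_random, server_random)
    keys["master_secret"] = master
    return keys


# Constructed inputs (32-byte randoms, a 32-byte stand-in for an ECDHE shared secret).
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = hashlib.sha256(b"constructed ECDHE shared secret").digest()

if __name__ == "__main__":
    for name, value in derive(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM).items():
        print("%-18s %s" % (name, value.hex()))
```

The two randoms are what tie the derived keys to this handshake: swap them and the master secret changes even with the same pre-master secret, which is the reason the Client Hello and Server Hello randoms are covered by the Finished MAC the cheat sheet's last rows describe.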
TLS Handshake (Client <-> Server)
[1] Client -> Server: Client Hello
[2] Server -> Client: Server Hello
[3] Server -> Client: Certificate
[4] Server -> Client: Server Key Exchange
[5] Server -> Client: Server Hello Done
[6] Client -> Server: Client Key Exchange
[7] Client -> Server: (Change Cipher Spec)
[8] Client -> Server: Finished
[9] Server -> Client: (Change Cipher Spec)
[10] Server -> Client: Finished
TCP and TLS with Session Tickets (Client <-> Server)
[1] Client -> Server: Client Hello
[2] Server -> Client: Server Hello
[3] Server -> Client: (Change Cipher Spec)
[4] Server -> Client: Finished
[5] Client -> Server: (Change Cipher Spec)
[6] Client -> Server: Finished
TCP Fast Open Handshake
Transport Overhead