Revisiting HTTP/2

RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity (https://www.slideshare.net/Fastly/http2-what-no-one-is-telling-you), we discussed the protocol, looked at some real-world implications of its deployment and use, and asked what expectations we should realistically have of it.

Now that adoption is ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next?

In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are in the near and not-so-near horizon.

Transcript

  1. % of overall requests on Fastly's network (2017) [chart: HTTP/2 share of requests per month, January through December, on a 0% to 100% scale]
  2. Revisiting HTTP/2
     • Core concepts
     • Major features
       - HTTP and TCP
       - Server push
       - Priorities and dependencies
       - HPACK
     • Has anything changed? Have we learned anything?
     • What's next?
  3. connection
     • A single, long lasting connection
     • Theoretically, this means better congestion management between peers
     • TLS/ALPN
  4. Streams
     • Virtual communication channels
       - Translate roughly to a request/response exchange
       - Either side can initiate a stream
     • Stream IDs
       - Client: odd; server: even; 0: reserved
       - Each ID must be larger than the last
       - Cannot be reused
  5. Stream state diagram (from RFC 7540, section 5.1):

                                 +--------+
                         send PP |        | recv PP
                        ,--------|  idle  |--------.
                       /         |        |         \
                      v          +--------+          v
               +----------+          |           +----------+
               |          |          | send H /  |          |
        ,------| reserved |          | recv H    | reserved |------.
        |      | (local)  |          |           | (remote) |      |
        |      +----------+          v           +----------+      |
        |          |             +--------+             |          |
        |          |     recv ES |        | send ES     |          |
        |   send H |     ,-------|  open  |-------.     | recv H   |
        |          |    /        |        |        \    |          |
        |          v   v         +--------+         v   v          |
        |      +----------+          |           +----------+      |
        |      |   half   |          |           |   half   |      |
        |      |  closed  |          | send R /  |  closed  |      |
        |      | (remote) |          | recv R    | (local)  |      |
        |      +----------+          |           +----------+      |
        |           |                |                 |           |
        |           | send ES /      |       recv ES / |           |
        |           | send R /       v        send R / |           |
        |           | recv R     +--------+   recv R   |           |
        | send R /  `----------->|        |<-----------'  send R / |
        | recv R                 | closed |               recv R   |
        `----------------------->|        |<----------------------'
                                 +--------+

     send: endpoint sends this frame
     recv: endpoint receives this frame
     H:  HEADERS frame (with implied CONTINUATIONs)
     PP: PUSH_PROMISE frame (with implied CONTINUATIONs)
     ES: END_STREAM flag
     R:  RST_STREAM frame
  6. connection > stream, stream, stream, … > frame, frame, frame, … [figure: one connection multiplexes many streams, and each stream is carried as a sequence of frames]
  7. Request / Response (the HTTP/1.1 exchange used in the next three slides)
     Request:
       GET /thing HTTP/1.1
       Host: www.example.com
       User-Agent: Some_user_agent
     Response:
       HTTP/1.1 200 OK
       Server: some_server
       Content-Type: text/html
       Content-Length: 1000
       html html html … (1000 bytes of body)
  8. Same exchange: the request line and request headers become one HEADERS frame
  9. Same exchange: the response status line and response headers become a second HEADERS frame
  10. Same exchange: the response body is carried as a series of DATA frames (DATA DATA DATA DATA DATA DATA)
  11. DATA: Carries request or response data
      HEADERS: Carries request/response headers/trailers; can initiate a stream
      PRIORITY: Indicates priority of a stream
      RST_STREAM: Terminates a stream
      SETTINGS: Defines parameters for the connection only
      PUSH_PROMISE: Signals peer for server push
      PING: Maintenance frame for checking RTT, connection, etc
      GOAWAY: For shutting down a connection
      WINDOW_UPDATE: Frame responsible for flow control adjustments
      CONTINUATION: Extends a HEADERS frame and can carry more headers
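An added example, not from the deck: parsing the 9-byte HTTP/2 frame header and checking the stream-ID rules from slide 4 (odd/even, increasing, never reused, stream 0 reserved) against a constructed exchange. Server-created (even) streams via PUSH_PROMISE are left out, and every frame below is constructed here.

```python
# Frame type codes from RFC 7540 section 6 (the same names as the list on slide 11).
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
CONNECTION_ONLY = {"SETTINGS", "PING", "GOAWAY"}   # legal only on stream 0
HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id


def build_frame(ftype, flags, sid, payload=b""):
    """Encode one frame; used here only to construct sample input."""
    code = {v: k for k, v in FRAME_TYPES.items()}[ftype]
    head = len(payload).to_bytes(3, "big") + bytes([code, flags])
    return head + (sid & 0x7FFFFFFF).to_bytes(4, "big") + payload


def parse_frames(buf):
    """Split a byte buffer into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off < len(buf):
        head = buf[off:off + HEADER_LEN]
        length = int.from_bytes(head[:3], "big")
        if len(head) < HEADER_LEN or off + HEADER_LEN + length > len(buf):
            raise ValueError("truncated frame at offset %d" % off)
        sid = int.from_bytes(head[5:9], "big") & 0x7FFFFFFF   # mask the reserved bit
        off += HEADER_LEN
        frames.append((FRAME_TYPES.get(head[3], "UNKNOWN"), head[4], sid, buf[off:off + length]))
        off += length
    return frames


class StreamIdPolicy:
    """Slide 4's rules: client odd / server even, each new id larger than that peer's last,
    and no reuse once closed. Server-created (even) streams via PUSH_PROMISE are left out."""
    def __init__(self):
        self.highest = {"client": 0, "server": 0}
        self.open = set()

    def _open(self, peer, sid):
        if sid % 2 != (1 if peer == "client" else 0):
            return "stream %d has the wrong parity for the %s" % (sid, peer)
        if sid <= self.highest[peer]:
            return "stream %d reused or out of order" % sid
        self.highest[peer] = sid
        self.open.add(sid)
        return None

    def check(self, sender, ftype, sid):
        """Return None if the frame is acceptable, otherwise the reason it is not."""
        if sid == 0:
            ok = ftype in CONNECTION_ONLY or ftype == "WINDOW_UPDATE"
            return None if ok else "%s on stream 0" % ftype
        if ftype in CONNECTION_ONLY:
            return "%s must use stream 0" % ftype
        if ftype == "HEADERS" and sid not in self.open:
            if sender != "client":
                return "server may only create streams with PUSH_PROMISE"
            return self._open(sender, sid)          # HEADERS initiates a stream
        if sid not in self.open:
            return "%s on unknown stream %d" % (ftype, sid)
        if ftype == "RST_STREAM":
            self.open.discard(sid)                  # closed: the id stays burnt
        return None


def audit(frames_by_sender):
    """Run the policy over (sender, frame) pairs and list (type, stream, reason) violations."""
    policy, violations = StreamIdPolicy(), []
    for sender, (ftype, _flags, sid, _payload) in frames_by_sender:
        reason = policy.check(sender, ftype, sid)
        if reason:
            violations.append((ftype, sid, reason))
    return violations


# Constructed exchange: the client opens streams 1 and 3, resets 3, then breaks three rules.
SAMPLE = [("client", f) for f in parse_frames(
    build_frame("SETTINGS", 0, 0) + build_frame("HEADERS", 0x5, 1) + build_frame("HEADERS", 0x4, 3)
    + build_frame("RST_STREAM", 0, 3, b"\0\0\0\x08")
    + build_frame("HEADERS", 0x5, 3)      # reuse of a closed id
    + build_frame("HEADERS", 0x5, 2)      # even id from the client
    + build_frame("PING", 0, 1))]         # PING off stream 0
```

`audit(SAMPLE)` flags the last three frames and nothing else; a server-side check of this shape is what turns a misbehaving peer into a connection error rather than a confused stream table.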
  13. [figure: HTTP/1 layering. TCP > TLS > TLS Record > "Header: value\r\n" lines, a blank "\r\n" line, then Body Body Body …]
  14. [figure: HTTP/2 layering beside HTTP/1. TCP > TLS > TLS Record > HTTP/2 Frame, HTTP/2 Frame, HTTP/2 Frame, … each carrying a Stream ID, compared with the HTTP/1 stack of header lines and body above]
  15. HTTP/1 connection: request, then response. Head-of-line blocking: nothing else can happen over the connection while busy with request/response
  16. HTTP/2 connection: frames from several streams interleaved on one connection, in this order:
      (sid=3) DATA, (sid=1) DATA, (sid=5) HEADERS, (sid=3) DATA, (sid=1) HEADERS, (sid=3) HEADERS, (sid=11) HEADERS, (sid=13) HEADERS, (sid=15) HEADERS, (sid=13) DATA, (sid=13) DATA, (sid=17) HEADERS
  17. PLR

  18. Which protocol won per cell (columns as on the slide: 0% PLR at 5Mbps/1Mbps 40ms and 780Kbps/330Kbps 200ms, then 2% PLR at 5Mbps/1Mbps 40ms and 780Kbps/330Kbps 200ms; eight cells per row)
      Doc Complete: h2 h2 h2 h2 h1 h1 h1 h1
      DCL Start:    h1 h1 h2 h1 h1 h1 h2 h1
      Speed Index:  h2/h1 h2 h2 h2 h1 h1 h2 h2
  19. Per-site results (same column layout: 0% PLR at 5Mbps/1Mbps; 40ms and 780Kbps/330Kbps; 200ms, then 2% PLR at 5Mbps/1Mbps; 40ms and 780Kbps/330Kbps; 200ms; eight cells per row)
      Site1a (Fastly)
        DocComplete: h2 h2 h2 h1 h1 h1 h1 h1
        DCL Start:   h2 h1 h2 h2 h2/h1 h1 h2 h2
        Speed Index: h1 h2 h2 h2 h1 h2/h1 h2/h1 h2
      Site1b
        DocComplete: h2/h1 h2 h2 h2 h1 h2 h1 h2/h1
        DCL Start:   h1 h2 h1 h1 h1 h2/h1 h1 h1
        Speed Index: h1 h2 h2 h1 h1 h2/h1 h1 h1
      Site1c
        DocComplete: h1/h2 h2 h2 h2 h1 h1 h1 h1
        DCL Start:   h1 h1/h2 h1 h1 h1 h2 h1 h1
        Speed Index: h2 h2 h1 h2 h1 h2 h1 h1
      Site2a
        DocComplete: h2 h2 h2 h2 h1 h2/h1 h1 h1
        DCL Start:   h2 h2 h2 h2 h1 h1 h1 h1
        Speed Index: h1 h2 h1 h2 h1 h2 h1 h2
      Site2b
        DocComplete: h2 h2 h2 h2 h1 h1/h2 h1 h1
        DCL Start:   h2 h2 h1 h2 h1 h2 h1 h2
        Speed Index: h2 h1/h2 h1 h1/h2 h2 h2 h1 h1
      Site3a
        DocComplete: h2 h2 h1 h2 h2 h2 h1 h1
        DCL Start:   h2 h2 h2 h2 h2 h2 h2 h2
        Speed Index: h2 h2 h1 h1 h1/h2 h1/h2 h1 h1
      Site3b
        DocComplete: h2 h2 h2 h1/h2 h2 h2/h1 h2 h2
        DCL Start:   h2 h2 h2 h2 h2 h2 h2 h2
        Speed Index: h1 h2 h1 h1 h1 h2 h1 h1
      Site3c
        DocComplete: h1 h2 h2 h2 h1 h2 h2 h2
        DCL Start:   h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1
        Speed Index: h1 h2 h2 h2 h2 h2 h2 h2
  20. Some reading…
      • http://c3lab.poliba.it/images/3/3b/QUIC_SAC15.pdf
      • https://www.usenix.org/system/files/conference/nsdi14/nsdi14-paper-wang_xiao_sophia.pdf
      • http://arxiv.org/pdf/1507.06562v1.pdf
      • http://nl.cs.montana.edu/lab/publications/Goel_H2_extended.pdf
      • https://99designs.com.au/tech-blog/blog/2016/07/14/real-world-http-2-400gb-of-images-per-day/
  21. Takeaways (then)
      • Despite the experiment flaws, performance benefits are less than clear cut, out of the box
      • Seemed best:
        - Not listen to anyone!
        - Try for yourself
  22. BBR

  23. BBR things…
      • Is BBR a good network citizen?
      • "network waterboarding"
      • There's still work to do
  24. Origin frame
      • List of domains eligible for coalescing
        - Cert still needs to match
      • Empty frame signals no coalescing
        - Fall back to SNI
      • Obviates DNS lookups for listed domains
  27. h2 and TCP
      • Performance benefits?
        - Jury's still out
        - BBR helps, but pros/cons aren't totally clear yet
        - It's still best to figure out what's best for you on your own!
      • We're about to get more control over some coalescing
      • The context of a connection is being relied on more and more
  28. Push basic
      • "push" a resource to the client before it's requested
      • Only servers can push
      • Hop-by-hop
      • Triggered by PUSH_PROMISE frame
  29. What to push?
      • A replacement for inlining
        - All the RTT-saving benefits + caching
      • Google paper:
        - https://docs.google.com/a/fastly.com/drawings/d/1mWwY_MeNAjzDRCF0uT97KgN0lh_jX79a53X6iOuH_Is/pub?w=2330&h=1350
      • Facebook:
        - https://www.facebook.com/atscaleevents/videos/1775942979345465/
      • TTFMP:
        - https://youtu.be/4pQ2byAoIX0
  30. US-East
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        30000 is_push:0
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29980 is_push:0
           20 is_push:1
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29985 is_push:0
           15 is_push:1
  31. US-West
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29967 is_push:0
           33 is_push:1
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29972 is_push:0
           28 is_push:1
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29974 is_push:0
           26 is_push:1
  32. (region not labelled on the slide)
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29953 is_push:0
           47 is_push:1
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29981 is_push:0
           19 is_push:1
      $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
        29984 is_push:0
           16 is_push:1
  33. Pushing for push
      • Is the 1RTT worth the complexity?
      • 103 to the browser:
        - Same benefit as push for the most important use-case
        - Much simpler
        - Leverage browser cache
      • Cache digests may still be useful?
      • What do we do with push?
  34. Prioritization basics
      • Address possible contention because of all the concurrency
      • Stream weights
      • Dependency (including exclusivity)
      • HEADERS and PRIORITY frames
      • It's only a "suggestion"
  35. Example 1
      • A gets ¾ of resources
      • B gets ¼ of resources
      Tree: * > A (weight 12), B (weight 4); A = 12/(12+4), B = 4/(12+4)
  36. Example 2
      • D gets all resources
      • After D is done, C gets all resources
      • Weights are meaningless since there are no siblings
      Tree: * > D (weight 1) > C (weight 8)
  37. Example 3
      • D gets all resources
      • After D is done, C gets all resources
      • After C is done:
        - A gets ¾ of resources
        - B gets ¼ of resources
      Tree: * > D (weight 1) > C (weight 8) > A (weight 12), B (weight 4)
  38. Example 4
      • D gets all resources
      • After D is done:
        - C gets ½ of resources
        - E gets ½ of resources
      • After C is done:
        - A gets ¾ of C's ½ of resources
        - B gets ¼ of C's ½ of resources
      Tree: * > D (weight 1) > C (weight 8), E (weight 8); C > A (weight 12), B (weight 4)
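An added example, not from the deck: the weight-and-dependency arithmetic behind the four examples above, plus a PRIORITY reprioritization with the exclusive flag (RFC 7540 section 5.3.3). Stream names and weights are the slides' own; the functions and the tree encoding are constructed here.

```python
from fractions import Fraction

# A dependency tree as {stream: (parent, weight)}; parent 0 is the root (the connection
# itself) and weights are 1..256 as in RFC 7540 section 5.3. Stream names are the letters
# used on the slides.


def allocate(tree, done=frozenset()):
    """Share of the connection's capacity each open stream should get.

    Siblings split their parent's share in proportion to weight; a stream whose parent is
    still open gets 0 (as on slide 36, where C waits for D), and a stream in `done`
    (closed, or with nothing to send) passes its share down to its own dependents."""
    children = {}
    for sid, (parent, _weight) in tree.items():
        children.setdefault(parent, []).append(sid)
    shares = {}

    def walk(sid, share):
        kids = children.get(sid, [])
        total = sum(tree[k][1] for k in kids)
        for k in kids:
            kshare = share * Fraction(tree[k][1], total)
            if k in done:
                walk(k, kshare)          # finished: its dependents inherit the share
            else:
                shares[k] = kshare
                walk(k, Fraction(0))     # still open: dependents wait
    walk(0, Fraction(1))
    return shares


def reprioritize(tree, sid, new_parent, weight, exclusive=False):
    """Apply a PRIORITY frame (RFC 7540 section 5.3.3) and return the new tree.

    If new_parent currently depends on sid, it is first moved to sid's old parent; with
    the exclusive flag, new_parent's other dependents become dependents of sid."""
    tree = dict(tree)
    ancestor = new_parent
    while ancestor != 0:
        if ancestor == sid:
            tree[new_parent] = (tree[sid][0], tree[new_parent][1])
            break
        ancestor = tree[ancestor][0]
    if exclusive:
        for other, (parent, w) in list(tree.items()):
            if parent == new_parent and other != sid:
                tree[other] = (sid, w)
    tree[sid] = (new_parent, weight)
    return tree


# The four slide examples, with the weights given there.
EX1 = {"A": (0, 12), "B": (0, 4)}
EX2 = {"D": (0, 1), "C": ("D", 8)}
EX3 = {"D": (0, 1), "C": ("D", 8), "A": ("C", 12), "B": ("C", 4)}
EX4 = {"D": (0, 1), "C": ("D", 8), "E": ("D", 8), "A": ("C", 12), "B": ("C", 4)}
```

`allocate(EX4, {"D", "C"})` gives E 1/2, A 3/8 and B 1/8, which is slide 38's "¾ of C's ½" and "¼ of C's ½"; because the tree is only a suggestion, a server is free to ignore it, but this is the arithmetic a compliant scheduler follows.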
  39. HPACK (RFC 7541)
      • Addresses the header bloat problem
      • Two primary mechanisms
        - All headers (name=value) are Huffman encoded
        - Indexed tables at each peer
  40. Tables
      • Static table
        - Defined by the RFC, never changes
      • Dynamic table
        - Built during the connection and maintained by each side
        - FIFO
  41. Table 1: Static Table Entries
      +-------+-----------------------------+---------------+
      | Index | Header Name                 | Header Value  |
      +-------+-----------------------------+---------------+
      | 1     | :authority                  |               |
      | 2     | :method                     | GET           |
      | 3     | :method                     | POST          |
      | 4     | :path                       | /             |
      | 5     | :path                       | /index.html   |
      | 6     | :scheme                     | http          |
      | 7     | :scheme                     | https         |
      | 8     | :status                     | 200           |
      | 9     | :status                     | 204           |
      | 10    | :status                     | 206           |
      | 11    | :status                     | 304           |
      | 12    | :status                     | 400           |
      | 13    | :status                     | 404           |
      | 14    | :status                     | 500           |
      | 15    | accept-charset              |               |
      | 16    | accept-encoding             | gzip, deflate |
      | 17    | accept-language             |               |
      | 18    | accept-ranges               |               |
      | 19    | accept                      |               |
      | 20    | access-control-allow-origin |               |
      | 21    | age                         |               |
      | 22    | allow                       |               |
      | 23    | authorization               |               |
      | 24    | cache-control               |               |
      | 25    | content-disposition         |               |
      | 26    | content-encoding            |               |
      | 27    | content-language            |               |
      | 28    | content-length              |               |
      | 29    | content-location            |               |
      | 30    | content-range               |               |
      | 31    | content-type                |               |
      | 32    | cookie                      |               |
      | 33    | date                        |               |
      | 34    | etag                        |               |
      | 35    | expect                      |               |
      | 36    | expires                     |               |
      | 37    | from                        |               |
      | 38    | host                        |               |
      | 39    | if-match                    |               |
      | 40    | if-modified-since           |               |
      | 41    | if-none-match               |               |
      | 42    | if-range                    |               |
      | 43    | if-unmodified-since         |               |
      | 44    | last-modified               |               |
      | 45    | link                        |               |
      | 46    | location                    |               |
      | 47    | max-forwards                |               |
      | 48    | proxy-authenticate          |               |
      | 49    | proxy-authorization         |               |
      | 50    | range                       |               |
      | 51    | referer                     |               |
      | 52    | refresh                     |               |
      | 53    | retry-after                 |               |
      | 54    | server                      |               |
      | 55    | set-cookie                  |               |
      | 56    | strict-transport-security   |               |
      | 57    | transfer-encoding           |               |
      | 58    | user-agent                  |               |
      | 59    | vary                        |               |
      | 60    | via                         |               |
      | 61    | www-authenticate            |               |
      +-------+-----------------------------+---------------+
  43. HPACK - things to know
      • Default size is 4K
        - For entire dynamic table
        - Site-wide headers proposal:
          • https://mnot.github.io/I-D/site-wide-headers/
      • Compression context is set per connection
        - New connection starts with blank dynamic table
      • Can't turn it off
      • Can be an attack vector:
        - https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
  45. content-security-policy: script-src … ; frame-ancestors … ; font-src … ; media-src … ; connect-src … ; style-src … ; object-src … ; default-src … ; frame-src … ; img-src … ; report-uri … (a real 4.6KB content-security-policy response header, shown in full on the slide as an example of header bloat; the directive lists are omitted here) 4.6KB
  47. [figure: one Connection; on each side an Encoder and a Decoder, each holding the Static table and its own Dynamic table; the dynamic table size in each direction is governed by SETTINGS_HEADER_TABLE_SIZE]
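An added example, not from the deck: a minimal HPACK decoder with the FIFO dynamic table from slides 40 and 43 and a cap on the decoded header list, the check that keeps the "attack vector" of slide 43 (a short block that keeps referencing one large dynamic entry) from inflating without bound. The request blocks are constructed here, and the assumptions (no Huffman strings, no table size updates, a partial static table) are stated in the code.

```python
# Minimal HPACK (RFC 7541) decoder built around the dynamic table the slides describe: a FIFO
# bounded by the 4K default table size (an entry costs name + value + 32 bytes) plus a cap on
# the decoded header list, so a short block that keeps referencing one large dynamic entry
# cannot inflate without bound. Assumptions: no Huffman strings, no table size updates, and
# only the static entries used below (the real static table has 61 entries, same numbering).
STATIC_SIZE = 61
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
          4: (":path", "/"), 5: (":path", "/index.html"), 6: (":scheme", "http"),
          7: (":scheme", "https"), 8: (":status", "200")}


class HpackDecoder:
    def __init__(self, table_size=4096, max_header_list=4096):
        self.max_table = table_size             # SETTINGS_HEADER_TABLE_SIZE
        self.max_header_list = max_header_list  # cap on one decoded block, name+value+32 each
        self.dynamic, self.size = [], 0         # newest entry first: index 62 is dynamic[0]

    def _int(self, data, pos, prefix):          # integer with an N-bit prefix (RFC 7541 5.1)
        mask = (1 << prefix) - 1
        value, pos = data[pos] & mask, pos + 1
        shift, more = 0, value == mask
        while more:                             # continuation bytes carry 7 bits each
            b, pos = data[pos], pos + 1
            value, shift, more = value + ((b & 0x7F) << shift), shift + 7, bool(b & 0x80)
        return value, pos

    def _str(self, data, pos):
        if data[pos] & 0x80:
            raise ValueError("Huffman-coded string (not handled in this sample)")
        length, pos = self._int(data, pos, 7)
        return data[pos:pos + length].decode("ascii"), pos + length

    def _lookup(self, idx):
        if idx > STATIC_SIZE:
            return self.dynamic[idx - STATIC_SIZE - 1]   # IndexError if evicted or unknown
        return STATIC[idx]                      # KeyError for index 0 or entries omitted here

    def _add(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.size += len(name) + len(value) + 32
        while self.size > self.max_table:       # FIFO eviction: the oldest entries go first
            old_name, old_value = self.dynamic.pop()
            self.size -= len(old_name) + len(old_value) + 32

    def decode(self, data):
        """Decode one header block into [(name, value)]; raises when a limit is exceeded."""
        headers, pos, total = [], 0, 0
        while pos < len(data):
            b = data[pos]
            if b & 0x80:                        # indexed field: whole entry from a table
                idx, pos = self._int(data, pos, 7)
                name, value = self._lookup(idx)
            elif (b & 0x60) == 0x20:            # 001xxxxx: dynamic table size update
                raise ValueError("table size update not handled in this sample")
            else:                               # literal; 01xxxxxx also adds it to the table
                prefix = 6 if b & 0x40 else 4
                idx, pos = self._int(data, pos, prefix)
                name, pos = (self._lookup(idx)[0], pos) if idx else self._str(data, pos)
                value, pos = self._str(data, pos)
                if prefix == 6:
                    self._add(name, value)
            total += len(name) + len(value) + 32
            if total > self.max_header_list:
                raise ValueError("decoded header list exceeds %d bytes" % self.max_header_list)
            headers.append((name, value))
        return headers


def safe_decode(decoder, block):
    """Return (headers, None) or (None, reason); a reason means the connection must go."""
    try:
        return decoder.decode(block), None
    except (ValueError, KeyError, IndexError) as exc:
        return None, repr(exc)

# Constructed sample: REQ1 adds :authority to the dynamic table; REQ2 refers to it as index 62.
REQ1 = bytes([0x82, 0x87, 0x84, 0x41, 0x0F]) + b"www.example.com"
REQ2 = bytes([0x82, 0x87, 0x84, 0xBE])
# Constructed amplification test: one 100-byte literal, then 60 references back to it.
BOMB = bytes([0x40, 0x01]) + b"x" + bytes([0x64]) + b"a" * 100 + bytes([0xBE]) * 60
```

Decoding REQ2 on a fresh decoder fails, which is the "new connection starts with blank dynamic table" point from slide 43; the 164-byte BOMB block decodes to over 8KB of headers, so the cap is what stops it.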
  48. Others
      • h2c (and wiretapping):
        - https://github.com/fstab/h2c
      • h2a: reverse proxy
        - https://github.com/summerwind/h2a
      • Conformance:
        - https://github.com/summerwind/h2spec
      • Servers and proxies:
        - Charles proxy: https://www.charlesproxy.com
        - MITM proxy: https://mitmproxy.org/
        - h2o: https://h2o.examp1e.net/
        - Envoy: https://www.envoyproxy.io/
      • http-wg
        - https://github.com/http2/http2-spec/wiki/Tools
  49. [figure comparing protocol stacks: http/2 (HTTP/2 over TLS over TCP over IP); gQUIC (Application (HTTP/2), QUIC crypto, QUIC with TCP-like congestion avoidance and recovery, over UDP); iQUIC (HTTP/2 shim, TLS 1.3, QUIC with TCP-like congestion avoidance and recovery, over UDP)]
      Source: https://datatracker.ietf.org/meeting/98/materials/slides-98-edu-sessf-quic-tutorial/
  50. The promise of QUIC
      • Low latency connection setup
        - 0RTT (with TLS 1.3)
      • UDP
        - Addresses TCP's head of line blocking in h2
        - More flexible congestion avoidance algorithms
        - "rich signaling for congestion control and loss recovery"
      • Everything authenticated and encrypted
      • Mitigating middle box tomfoolery
      • Connection migration and NAT rebinding
  51. Questions
      • Has much changed?
      • Do we still have a lot to learn?
      • Do we still have a lot to do?
      • QUIC will fix everything, right?