Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Revisiting HTTP/2

Avatar for London Web Performance Group London Web Performance Group
May 08, 2018
Technology
2
340

Revisiting HTTP/2

RFC 7540 was ratified over 2 years ago and, today, all major browsers, servers, and CDNs support the next generation of HTTP. Just over a year ago, at Velocity (https://www.slideshare.net/Fastly/http2-what-no-one-is-telling-you), we discussed the protocol, looked at some real world implications of its deployment and use, and what realistic expectations we should have from its use.

Now that adoption is ramped up and the protocol is being regularly used on the Internet, it's a good time to revisit the protocol and its deployment. Has it evolved? Have we learned anything? Are all the features providing the benefits we were expecting? What's next?

In this session, we'll review protocol basics and try to answer some of these questions based on real-world use of it. We'll dig into the core features like interaction with TCP, server push, priorities and dependencies, and HPACK. We'll look at these features through the lens of experience and see if good practice patterns have emerged. We'll also review available tools and discuss what protocol enhancements are in the near and not-so-near horizon.
Avatar for London Web Performance Group

London Web Performance Group

May 08, 2018
Tweet

More Decks by London Web Performance Group

See All by London Web Performance Group
Its Time to Stop Stalling: Delivering Fast Video without the Buffering
Avatar for London Web Performance Group ldnwebperf
1
350
LDNWebPerf February 2018 - Oliver Williams
Avatar for London Web Performance Group ldnwebperf
0
290
LDNWebPerf February 2018 - Michael Tremante
Avatar for London Web Performance Group ldnwebperf
0
520
LDNWebPerf February 2018 - Joel Webber
Avatar for London Web Performance Group ldnwebperf
2
350
LDNWebPerf December 2017 - Oliver Adam
Avatar for London Web Performance Group ldnwebperf
0
250
LDNWebPerf December 2017 - Perry Dyball
Avatar for London Web Performance Group ldnwebperf
0
350
LDNWebPerf December 2017 - Andy Davies
Avatar for London Web Performance Group ldnwebperf
0
260
LDNWebPerf October 2017 - Lucas Pardue
Avatar for London Web Performance Group ldnwebperf
0
310
LDNWebPerf October 2017 - Saija Mahon
Avatar for London Web Performance Group ldnwebperf
0
320

Other Decks in Technology

See All in Technology
AIにおけるソフトウェアテスト_ver1.00
Avatar for fumisuke fumisuke
1
330
Conquering PDFs: document understanding beyond plain text
Avatar for Ines Montani inesmontani
PRO
2
440
AndroidアプリエンジニアもMCPを触ろう
Avatar for Shinnosuke Kugimiya kgmyshin
2
560
PostgreSQL Log File Mastery: Optimizing Database Performance Through Advanced Log Analysis
Avatar for Shiv Iyer shiviyer007
PRO
1
150
GraphQLを活用したリアーキテクチャに対応するSLI/Oの再設計
Avatar for coconala_engineer coconala_engineer
0
190
更新系と状態
Avatar for uhyo uhyo
8
2.2k
Computer Use〜OpenAIとAnthropicの比較と将来の展望〜
Avatar for PharmaX(旧YOJO Technologies)開発チーム pharma_x_tech
6
940
AWSの新機能検証をやる時こそ、Amazon Qでプロンプトエンジニアリングを駆使しよう
Avatar for k-kun duelist2020jp
1
330
OPENLOGI Company Profile for engineer
Avatar for OPENLOGI hr01
1
25k
持続可能なドキュメント運用のリアル: 1年間の成果とこれから
Avatar for akitok akitok_
1
270
クラウドネイティブ環境の脅威モデリング
Avatar for Kyohei Mizumoto kyohmizu
1
120
意思決定を支える検索体験を目指してやってきたこと
Avatar for Taisuke Hinata hinatades
PRO
0
370

Featured

See All Featured
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.7k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
The Language of Interfaces
Avatar for Des Traynor destraynor
157
25k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
10
770
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
41
2.6k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
329
24k
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
54
6.3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
178
53k
Six Lessons from altMBA
Avatar for Skipper Chong Warson skipperchong
28
3.7k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
38
1.7k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
7
410
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
49k

Transcript

  1. Revisiting HTTP/2 Hooman Beheshti

  2. None

  3. https://caniuse.com/#search=http2

  4. https://istlsfastyet.com/

  5. https://istlsfastyet.com/

  6. https://www.fastly.com/

  7. % of overall requests on Fastly’s network (2017) % of

    requests 0% 25% 50% 75% 100% January February M arch April M ay June July August Septem ber O ctober N ovem ber D ecem ber HTTP/2

  8. https://youtu.be/CkFEoZwWbGQ

  9. Revisiting HTTP/2 • Core concepts • Major features - HTTP

    and TCP - Server push - Priorities and dependencies - HPACK • Has anything changed? Have we learned anything? • What’s next?

  10. HTTP/2 The basics

  11. Binary protocol

  12. Connection

  13. connection

  14. connection • A single, long lasting connection • Theoretically, this

    means better congestion management between peers • TLS/ALPN

  15. connection stream stream stream …

  16. Streams • Virtual communication channels - Translate roughly to a

    request/response exchange - Either side can initiate a stream • Stream IDs - Client: odd; server: even; 0: reserved - Each ID must be larger than the last - Cannot be reused

  17. +--------+ send PP | | recv PP ,--------| idle |--------.

    / | | \ v +--------+ v +----------+ | +----------+ | | | send H / | | ,------| reserved | | recv H | reserved |------. | | (local) | | | (remote) | | | +----------+ v +----------+ | | | +--------+ | | | | recv ES | | send ES | | | send H | ,-------| open |-------. | recv H | | | / | | \ | | | v v +--------+ v v | | +----------+ | +----------+ | | | half | | | half | | | | closed | | send R / | closed | | | | (remote) | | recv R | (local) | | | +----------+ | +----------+ | | | | | | | | send ES / | recv ES / | | | | send R / v send R / | | | | recv R +--------+ recv R | | | send R / `----------->| |<-----------' send R / | | recv R | closed | recv R | `----------------------->| |<----------------------' +--------+ send: endpoint sends this frame recv: endpoint receives this frame H: HEADERS frame (with implied CONTINUATIONs) PP: PUSH_PROMISE frame (with implied CONTINUATIONs) ES: END_STREAM flag R: RST_STREAM frame

  18. connection stream stream stream … frame frame frame frame frame

    frame frame frame frame frame frame frame frame frame frame frame frame frame frame

  19. GET /thing HTTP/1.1 Host: www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK

    Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html Request Response

  20. GET /thing HTTP/1.1 Host: www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK

    Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html Request Response HEADERS

  21. GET /thing HTTP/1.1 Host: www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK

    Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html HEADERS HEADERS Request Response

  22. GET /thing HTTP/1.1 Host: www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK

    Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html DATA DATA DATA DATA DATA DATA HEADERS Request Response HEADERS

  23. DATA Carries request or response data HEADERS Carries request/response headers/trailers;

    can initiate a stream PRIORITY Indicates priority of a stream RST_STREAM Terminates a stream SETTINGS Defines parameters for the connection only PUSH_PROMISE Signals peer for server push PING Maintenance frame for checking RTT, connection, etc GOAWAY For shutting down a connection WINDOW_UPDATE Frame responsible for flow control adjustments CONTINUATION Extends a HEADERS frame and can carry more headers

  24. DATA Carries request or response data HEADERS Carries request/response headers/trailers;

    can initiate a stream PRIORITY Indicates priority of a stream RST_STREAM Terminates a stream SETTINGS Defines parameters for the connection only PUSH_PROMISE Signals peer for server push PING Maintenance frame for checking RTT, connection, etc GOAWAY For shutting down a connection WINDOW_UPDATE Frame responsible for flow control adjustments CONTINUATION Extends a HEADERS frame and can carry more headers

  25. TCP TLS TLS Record Header: value\r\n Header: value\r\n Header: value\r\n

    \r\n Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body HTTP/1

  26. HTTP/2 Frame TCP TLS TLS Record HTTP/2 Frame HTTP/2 Frame

    … Stream ID Stream ID Stream ID TCP TLS TLS Record Header: value\r\n Header: value\r\n Header: value\r\n \r\n Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body HTTP/1 HTTP/2

  27. Protocol flow

  28. HTTP/1 connection request response

  29. HTTP/2 connection (sid=1) DATA (sid=1) DATA (sid=1) DATA (sid=1) HEADERS

    (sid=1) HEADERS

  30. HTTP/1 connection request response

  31. HTTP/1 connection request response Head-of-line blocking: nothing else can happen

    over the connection while busy with request/response

  32. connection request response HTTP/1 connection request response connection request response

    connection request response

  33. HTTP/2 connection (sid=3) DATA (sid=1) DATA (sid=5) HEADERS (sid=3) DATA

    (sid=1) HEADERS (sid=3) HEADERS (sid=11) HEADERS (sid=13) HEADERS (sid=15) HEADERS (sid=13) DATA (sid=13) DATA (sid=17) HEADERS

  34. Multiplexing & Interleaving

  35. None

  36. HTTP/1.1

  37. HTTP/1.1 HTTP/2

  38. None

  39. HTTP/2 & TCP

  40. Performance

  41. The perfect page

  42. None
  43. None
  44. None

  45. Private WebpageTest 5Mbps/1Mbps, 40ms latency h1 vs h2

  46. PLR

  47. None
  48. None
  49. None
  50. None
  51. None
  52. None

  53. 780Kbps/330Kbps, 200ms latency

  54. None

  55. 0% PLR 2% PLR 5Mbps/1Mbps 40ms 780Kbps/330Kbps 200ms 5Mbps/1Mbps 40ms

    780Kbps/330Kbps 200ms Doc Complete h2 h2 h2 h2 h1 h1 h1 h1 DCL Start h1 h1 h2 h1 h1 h1 h2 h1 Speed Index h2/h1 h2 h2 h2 h1 h1 h2 h2

  56. 0% PLR 2% PLR 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms

    780Kbps/330Kbps; 200ms Site1a (Fastly) DocComplete h2 h2 h2 h1 h1 h1 h1 h1 DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2 Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2 Site1b DocComplete h2/h1 h2 h2 h2 h1 h2 h1 h2/h1 DCL Start h1 h2 h1 h1 h1 h2/h1 h1 h1 Speed Index h1 h2 h2 h1 h1 h2/h1 h1 h1 Site1c DocComplete h1/h2 h2 h2 h2 h1 h1 h1 h1 DCL Start h1 h1/h2 h1 h1 h1 h2 h1 h1 Speed Index h2 h2 h1 h2 h1 h2 h1 h1 Site2a DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1 DCL Start h2 h2 h2 h2 h1 h1 h1 h1 Speed Index h1 h2 h1 h2 h1 h2 h1 h2 Site2b DocComplete h2 h2 h2 h2 h1 h1/h2 h1 h1 DCL Start h2 h2 h1 h2 h1 h2 h1 h2 Speed Index h2 h1/h2 h1 h1/h2 h2 h2 h1 h1 Site3a DocComplete h2 h2 h1 h2 h2 h2 h1 h1 DCL Start h2 h2 h2 h2 h2 h2 h2 h2 Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1 Site3b DocComplete h2 h2 h2 h1/h2 h2 h2/h1 h2 h2 DCL Start h2 h2 h2 h2 h2 h2 h2 h2 Speed Index h1 h2 h1 h1 h1 h2 h1 h1 Site3c DocComplete h1 h2 h2 h2 h1 h2 h2 h2 DCL Start h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1 Speed Index h1 h2 h2 h2 h2 h2 h2 h2

  57. Why?

  58. None
  59. None
  60. None
  61. None

  62. Head of line blocking in TCP

  63. None
  64. None
  65. None

  66. Some reading… • http://c3lab.poliba.it/images/3/3b/QUIC_SAC15.pdf • https://www.usenix.org/system/files/conference/nsdi14/nsdi14-paper- wang_xiao_sophia.pdf • http://arxiv.org/pdf/1507.06562v1.pdf •

    http://nl.cs.montana.edu/lab/publications/Goel_H2_extended.pdf • https://99designs.com.au/tech-blog/blog/2016/07/14/real-world-http-2-400gb-of- images-per-day/

  67. Takeaways (then) • Despite the experiment flaws, performance benefits are

    less than clear cut, out of the box • Seemed best: - Not listen to anyone! - Try for yourself

  68. Has anything changed?

  69. BBR

  70. https://github.com/google/bbr/blob/master/Presentations/bbr-2017-02-08-google-net-research-summit.pdf

  71. https://cloudplatform.googleblog.com/2017/07/TCP-BBR-congestion-control-comes-to-GCP-your-Internet-just-got-faster.html

  72. Bountifully Beneficial Reading • https://github.com/google/bbr/blob/master/Presentations/ bbr-2017-02-08-google-net-research-summit.pdf • https://www.ietf.org/proceedings/97/slides/slides-97-iccrg- bbr-congestion-control-02.pdf •

    https://github.com/google/bbr • https://dl.acm.org/citation.cfm?id=3009824 • https://arxiv.org/pdf/1706.09115.pdf

  73. https://twitter.com/amernetflix/status/892787364598132736

  74. https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

  75. BBR Cubic a single 1MB object download

  76. BBR Cubic a single 1MB object download

  77. BBR things… • Is BBR a good network citizen? •

    “network waterboarding” • There’s still work to do

  78. Coalescing

  79. None
  80. None

  81. https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

  82. None
  83. None

  84. Origin frame • List of domains eligible for coalescing -

    Cert still needs to match • Empty frame signals no coalescing - Fall back to SNI • Obviates DNS lookups for listed domains

  85. Origin frame • List of domains eligible for coalescing -

    Cert still needs to match • Empty frame signals no coalescing - Fall back to SNI • Obviates DNS lookups for listed domains

  86. Origin frame • List of domains eligible for coalescing -

    Cert still needs to match • Empty frame signals no coalescing - Fall back to SNI • Obviates DNS lookups for listed domains

  87. The connection is an authoritative and secure context

  88. The connection is an authoritative and secure context

  89. The connection is an authoritative and secure context

  90. h2 and TCP • Performance benefits? - Jury’s still out

    - BBR helps, but pros/cons aren’t totally clear yet - It’s still best to figure out what’s best for you on your own! • We’re about to get more control over some coalescing • The context of a connection is being relied on more and more

  91. HTTP/2 Server Push

  92. Push basic • “push” a resource to the client before

    it’s requested • Only servers can push • Hop-by-hop • Triggered by PUSH_PROMISE frame

  93. connection

  94. connection

  95. connection

  96. What to push? • A replacement for inlining - All

    the RTT-saving benefits + caching • Google paper: - https://docs.google.com/a/fastly.com/drawings/d/ 1mWwY_MeNAjzDRCF0uT97KgN0lh_jX79a53X6iOuH_Is/pub?w=2330&h=1350 • Facebook: - https://www.facebook.com/atscaleevents/videos/1775942979345465/ • TTFMP: - https://youtu.be/4pQ2byAoIX0

  97. Link: </css1.css>; rel=preload; as=style https://w3c.github.io/preload/

  98. Doesn’t Link rel=preload already mean something to the browser?

  99. Link: </css1.css>; rel=preload; as=style; nopush https://w3c.github.io/preload/

  100. Link: </css1.css>; rel=preload; as=style; x-http2-push-only

  101. Benefits?

  102. No push: Push: 1xRTT

  103. That’s cool, but...

  104. None
  105. None
  106. None
  107. None
  108. None

  109. Non-header trigger

  110. None

  111. “Async” Push

  112. None

  113. Push with Link header Async Push

  114. of course it isn’t that simple…

  115. The client cache

  116. RST_STREAM

  117. None

  118. RST_STREAM

  119. No Push First view Repeat view

  120. Push First view Repeat view pushed pushed

  121. https://blog.yoav.ws/tale-of-four-caches/

  122. Cache Digests http://httpwg.org/http-extensions/cache-digest.html

  123. +-------------------------------+-------------------------------+
 | Origin-Len (16) | Origin? (*) ...
 +-------------------------------+-------------------------------+
 |

    Digest-Value? (*) ...
 +---------------------------------------------------------------+

  124. We still have work to do...

  125. https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/

  126. Adoption?

  127. $ varnishlog -i h2_attributes | grep -o "is_push:." | head

    -n 30000 | sort | uniq -c 30000 is_push:0 $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29980 is_push:0 20 is_push:1 $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29985 is_push:0 15 is_push:1 US-East

  128. $varnishlog -i h2_attributes | grep -o "is_push:." | head -n

    30000 | sort | uniq -c 29967 is_push:0 33 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29972 is_push:0 28 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29974 is_push:0 26 is_push:1 US-West $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 30000 is_push:0 $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29980 is_push:0 20 is_push:1 $ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29985 is_push:0 15 is_push:1 US-East

  129. $varnishlog -i h2_attributes | grep -o "is_push:." | head -n

    30000 | sort | uniq -c 29953 is_push:0 47 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29981 is_push:0 19 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29984 is_push:0 16 is_push:1

  130. What about…

  131. None

  132. Fetch stuff!!

  133. https://tools.ietf.org/html/rfc8297

  134. None

  135. { 103

  136. Pushing for push • Is the 1RTT worth the complexity?

    • 103 to the browser: - Same benefit as push for the most important use-case - Much simpler - Leverage browser cache • Cache digests may still be useful? • What do we do with push?

  137. Prioritization

  138. Prioritization basics • Address possible contention because of all the

    concurrency • Stream weights • Dependency (including exclusivity) • HEADERS and PRIORITY frames • It’s only a “suggestion”

  139. Example 1 • A gets ¾ of resources • B

    gets ¼ of resources * A 12 B 4 12/(12+4) 4/(12+4)

  140. Example 2 • D gets all resources • After D

    is done, C gets all resources • Weights are meaningless since there are no siblings * D 1 C 8

  141. Example 3 • D gets all resources • After D

    is done, C gets all resources • After C is done: - A gets ¾ of resources - B gets ¼ of resources * D 1 C 8 A 12 B 4

  142. Example 4 • D gets all resources • After D

    is done: - C gets ½ of resources - E gets ½ of resources • After C is done: - A gets ¾ of C’s ½ of resources - B gets ¼ of C’s ½ of resources * D 1 C 8 A 12 B 4 E 8

  143. https://speakerdeck.com/summerwind/2-prioritization

  144. https://speakerdeck.com/summerwind/2-prioritization

  145. https://speakerdeck.com/summerwind/2-prioritization

  146. None

  147. https://speakerdeck.com/summerwind/2-prioritization

  148. https://github.com/deweerdt/h2priograph

  149. None

  150. https://github.com/deweerdt/h2priograph

  151. https://github.com/deweerdt/h2priograph

  152. Priority hints

  153. https://discourse.wicg.io/t/manual-priority-control-of-resource-fetching/2280 https://github.com/WICG/priority-hints

  154. HPACK

  155. HPACK (RFC 7541) • Addresses the header bloat problem •

    Two primary mechanisms - All headers (name=value) are Huffman encoded - Indexed tables at each peer

  156. Tables • Static table - Defined by the RFC, never

    changes • Dynamic table - Built during the connection and maintained by each side - FIFO

  157. +-------+-----------------------------+---------------+ | Index | Header Name | Header Value |

    +-------+-----------------------------+---------------+ | 1 | :authority | | | 2 | :method | GET | | 3 | :method | POST | | 4 | :path | / | | 5 | :path | /index.html | | 6 | :scheme | http | | 7 | :scheme | https | | 8 | :status | 200 | | 9 | :status | 204 | | 10 | :status | 206 | | 11 | :status | 304 | | 12 | :status | 400 | | 13 | :status | 404 | | 14 | :status | 500 | | 15 | accept-charset | | | 16 | accept-encoding | gzip, deflate | | 17 | accept-language | | | 18 | accept-ranges | | | 19 | accept | | | 20 | access-control-allow-origin | | | 21 | age | | | 22 | allow | | | 23 | authorization | | | 24 | cache-control | | | 25 | content-disposition | | | 26 | content-encoding | | | 27 | content-language | | | 28 | content-length | | | 29 | content-location | | | 30 | content-range | | +-------+-----------------------------+---------------+ Table 1: Static Table Entries +-------+-----------------------------+---------------+ | Index | Header Name | Header Value | +-------+-----------------------------+---------------+ | 31 | content-type | | | 32 | cookie | | | 33 | date | | | 34 | etag | | | 35 | expect | | | 36 | expires | | | 37 | from | | | 38 | host | | | 39 | if-match | | | 40 | if-modified-since | | | 41 | if-none-match | | | 42 | if-range | | | 43 | if-unmodified-since | | | 44 | last-modified | | | 45 | link | | | 46 | location | | | 47 | max-forwards | | | 48 | proxy-authenticate | | | 49 | proxy-authorization | | | 50 | range | | | 51 | referer | | | 52 | refresh | | | 53 | retry-after | | | 54 | server | | | 55 | set-cookie | | | 56 | strict-transport-security | | | 57 | transfer-encoding | | | 58 | user-agent | | | 59 | vary | | | 60 | via | | | 61 | www-authenticate | | +-------+-----------------------------+---------------+ Table 1: Static Table Entries

  158. Tables • Static table - Defined by the RFC, never

    changes • Dynamic table - Built during the connection and maintained by each side - FIFO

  159. Bytes browser => server Bytes server => browser

  160. https://blogs.dropbox.com/tech/2016/05/enabling-http2-for-dropbox-web-services-experiences-and-observations/

  161. HPACK - things to know • Default size is 4K

    - For entire dynamic table - Site-wide headers proposal: • https://mnot.github.io/I-D/site-wide-headers/ • Compression context is set per connection - New connection starts with blank dynamic table • Can’t turn it off • Can be an attack vector: - https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf

  162. content-security-policy:script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https:// graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com

    https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com 'nonce- Kk9FW3roM81U6D0LjPHpZw==' https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self'; frame- ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video- eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https:// smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap- northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https:// mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv- vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod- video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev- video-eu-west-1.pscp.tv; connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https:// graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv- vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https:// rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod- video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https:// rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https:// smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us- west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https:// mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self' blob:; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s- static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://prod-profile.pscp.tv https://graph.facebook.com https://prod-thumbnail.pscp.tv https://*.giphy.com https:// twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https:// syndication.twitter.com https://media.riffsy.com https://www.google.com https://prod-profile.periscope.tv https:// stats.g.doubleclick.net https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com blob: https://prod- thumbnail-small.pscp.tv https://prod-thumbnail-small.periscope.tv 'self' https://prod-thumbnail.periscope.tv; report-uri https:// twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

  163. content-security-policy:script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https:// graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com

    https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com 'nonce- Kk9FW3roM81U6D0LjPHpZw==' https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self'; frame- ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video- eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https:// smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap- northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https:// mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv- vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod- video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev- video-eu-west-1.pscp.tv; connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https:// graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv- vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https:// rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod- video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https:// rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https:// smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us- west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https:// mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self' blob:; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s- static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://prod-profile.pscp.tv https://graph.facebook.com https://prod-thumbnail.pscp.tv https://*.giphy.com https:// twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https:// syndication.twitter.com https://media.riffsy.com https://www.google.com https://prod-profile.periscope.tv https:// stats.g.doubleclick.net https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com blob: https://prod- thumbnail-small.pscp.tv https://prod-thumbnail-small.periscope.tv 'self' https://prod-thumbnail.periscope.tv; report-uri https:// twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false; 4.6KB

  164. HPACK - things to know • Default size is 4K

    - For entire dynamic table - Site-wide headers proposal: • https://mnot.github.io/I-D/site-wide-headers/ • Compression context is set per connection - New connection starts with blank dynamic table • Can’t turn it off • Can be an attack vector: - https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
  165. None

  166. Static Static Connection

  167. Static Dynamic Static Dynamic SETTINGS_HEADER_TABLE_SIZE Connection

  168. Static Dynamic Static Dynamic Decoder Encoder SETTINGS_HEADER_TABLE_SIZE Connection

  169. Static Dynamic Dynamic Static Dynamic Dynamic Decoder Encoder Encoder Decoder

    SETTINGS_HEADER_TABLE_SIZE SETTINGS_HEADER_TABLE_SIZE Connection

  170. Tools and resources

  171. http://chimera.labs.oreilly.com/books/1230000000545

  172. Browser indicator • Chrome: – https://chrome.google.com/webstore/detail/http2-and-spdy- indicator/mpbpobfflnpcgagjijhmgnchggcjblin?hl=en • Firefox: –

    https://addons.mozilla.org/en-US/firefox/addon/http2-indicator/

  173. Dev tools

  174. Wireshark Using the TLS key file: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

  175. cURL https://curl.haxx.se/docs/http2.html

  176. cURL https://daniel.haxx.se/blog/2018/01/15/inspect-curls-tls-traffic/

  177. nghttp https://nghttp2.org/

  178. Others • h2c (and wiretapping): - https://github.com/fstab/h2c • h2a: reverse

    proxy - https://github.com/summerwind/h2a • Conformance: - https://github.com/summerwind/h2spec • Serves and proxies: - Charles proxy: https://www.charlesproxy.com - MITM proxy: https://mitmproxy.org/ - h2o: https://h2o.examp1e.net/ - Envoy: https://www.envoyproxy.io/ • http-wg - https://github.com/http2/http2-spec/wiki/Tools

  179. What’s next?

  180. 0.9 1.0 1.1 2.0 HTTP Complexity HTTP version

  181. 0.9 1.0 1.1 2.0 HTTP Complexity My Age HTTP version

  182. QUIC

  183. QUIC

  184. gQUIC vs iQUIC

  185. gQUIC vs iQUIC • Monolithic • Google proprietary • Modularized

    • IETF standard

  186. IP TCP UDP TLS HTTP/2 QUIC TCP-like congestion avoidance, recovery

    HTTP/2 shim UDP QUIC TCP-like congestion avoidance, recovery Application (HTTP/2) QUIC crypto TLS 1.3 gQUIC iQUIC http/2 https://datatracker.ietf.org/meeting/98/materials/slides-98-edu-sessf-quic-tutorial/
  187. None

  188. The promise of QUIC • Low latency connection setup -

    0RTT (with TLS 1.3) • UDP - Addresses TCP’s head of line blocking in h2 - More flexible congestion avoidance algorithms - “rich signaling for congestion control and loss recovery” • Everything authenticated and encrypted • Mitigating middle box tomfoolery • Connection migration and NAT rebinding

  189. Some QUIC reading • https://dl.acm.org/citation.cfm?id=3098842 • https://quicwg.github.io/ • https://github.com/quicwg •

    And a video: https://vimeo.com/227461189

  190. Questions • Has much changed? • Do we still have

    a lot to learn? • Do we still have a lot to do? • QUIC will fix everything, right?

  191. Thank you