Slide 1

Slide 1 text

Revisiting HTTP/2 Hooman Beheshti

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

https://caniuse.com/#search=http2

Slide 4

Slide 4 text

https://istlsfastyet.com/

Slide 5

Slide 5 text

https://istlsfastyet.com/

Slide 6

Slide 6 text

https://www.fastly.com/

Slide 7

Slide 7 text

[Chart] HTTP/2 as a percentage of overall requests on Fastly's network, by month, 2017 (y-axis: % of requests, 0% to 100%; x-axis: January through December; series: HTTP/2)

Slide 8

Slide 8 text

https://youtu.be/CkFEoZwWbGQ

Slide 9

Slide 9 text

Revisiting HTTP/2
• Core concepts
• Major features
  - HTTP and TCP
  - Server push
  - Priorities and dependencies
  - HPACK
• Has anything changed? Have we learned anything?
• What's next?

Slide 10

Slide 10 text

HTTP/2 The basics

Slide 11

Slide 11 text

Binary protocol

Slide 12

Slide 12 text

Connection

Slide 13

Slide 13 text

connection

Slide 14

Slide 14 text

connection
• A single, long-lasting connection
• Theoretically, this means better congestion management between peers
• TLS/ALPN

Slide 15

Slide 15 text

connection stream stream stream …

Slide 16

Slide 16 text

Streams
• Virtual communication channels
  - Translate roughly to a request/response exchange
  - Either side can initiate a stream
• Stream IDs
  - Client: odd; server: even; 0: reserved for the connection itself
  - Each new ID must be larger than the last one the same peer used
  - Cannot be reused

Slide 17

Slide 17 text

Stream states (RFC 7540, section 5.1):

                                +--------+
                        send PP |        | recv PP
                       ,--------|  idle  |--------.
                      /         |        |         \
                     v          +--------+          v
              +----------+          |           +----------+
              |          |          | send H /  |          |
       ,------| reserved |          | recv H    | reserved |------.
       |      | (local)  |          |           | (remote) |      |
       |      +----------+          v           +----------+      |
       |          |             +--------+             |          |
       |          |     recv ES |        | send ES     |          |
       |   send H |     ,-------|  open  |-------.     | recv H   |
       |          |    /        |        |        \    |          |
       |          v   v         +--------+         v   v          |
       |      +----------+          |           +----------+      |
       |      |   half   |          |           |   half   |      |
       |      |  closed  |          | send R /  |  closed  |      |
       |      | (remote) |          | recv R    | (local)  |      |
       |      +----------+          |           +----------+      |
       |           |                |                 |           |
       |           | send ES /      |       recv ES / |           |
       |           | send R /       v        send R / |           |
       |           | recv R     +--------+   recv R   |           |
       | send R /  `----------->|        |<-----------'  send R / |
       | recv R                 | closed |               recv R   |
       `----------------------->|        |<----------------------'
                                +--------+

          send:   endpoint sends this frame
          recv:   endpoint receives this frame

          H:  HEADERS frame (with implied CONTINUATIONs)
          PP: PUSH_PROMISE frame (with implied CONTINUATIONs)
          ES: END_STREAM flag
          R:  RST_STREAM frame

Slide 18

Slide 18 text

[Diagram] A connection carries many streams (stream, stream, stream, …), and each stream is carried as a sequence of frames.

Slide 19

Slide 19 text

Request:
  GET /thing HTTP/1.1
  Host: www.example.com
  User-Agent: Some_user_agent

Response:
  HTTP/1.1 200 OK
  Server: some_server
  Content-Type: text/html
  Content-Length: 1000

  html html html … (1000-byte body)

Slide 20

Slide 20 text

(Same request/response as slide 19; the request's start line and headers are labelled as one HEADERS frame.)

Slide 21

Slide 21 text

(Same request/response as slide 19; both the request's and the response's start line and headers are labelled HEADERS.)

Slide 22

Slide 22 text

(Same request/response as slide 19; the start line and headers on each side are labelled HEADERS, and the response body is labelled as a series of DATA frames, six shown.)

Slide 23

Slide 23 text

DATA           Carries request or response data
HEADERS        Carries request/response headers/trailers; can initiate a stream
PRIORITY       Indicates priority of a stream
RST_STREAM     Terminates a stream
SETTINGS       Defines parameters for the connection only
PUSH_PROMISE   Signals peer for server push
PING           Maintenance frame for checking RTT, connection, etc.
GOAWAY         For shutting down a connection
WINDOW_UPDATE  Frame responsible for flow control adjustments
CONTINUATION   Extends a HEADERS frame and can carry more headers
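As an added example (not part of the deck), the frame header layout and the stream-ID rules from the slides above, written out as the checks a receiver has to make: the 9-octet header is parsed, frames larger than the advertised maximum are rejected, connection-scoped frame types are refused on a non-zero stream and stream-scoped ones on stream 0, and stream IDs are checked for parity, monotonic growth and non-reuse. The sample bytes are constructed for the example; the HPACK bytes in the HEADERS payload are the static indices for :method GET and :path /.

```python
# HTTP/2 frame header parsing and the stream-id rules from the slides above.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM", 0x4: "SETTINGS",
    0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
CONNECTION_ONLY = {"SETTINGS", "PING", "GOAWAY"}                      # stream id must be 0
STREAM_ONLY = {"DATA", "HEADERS", "PRIORITY", "RST_STREAM", "PUSH_PROMISE", "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 16384                                         # SETTINGS_MAX_FRAME_SIZE default


class FrameError(ValueError):
    """Any of these is a connection error (PROTOCOL_ERROR or FRAME_SIZE_ERROR) in RFC 7540."""


def build_frame(ftype, flags, stream_id, payload=b""):
    """9-octet header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte string into (type name, flags, stream id, payload) tuples,
    rejecting oversized frames and frames on the wrong stream."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise FrameError("truncated frame header at offset %d" % off)
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        if length > max_frame_size:
            raise FrameError("%d-byte frame exceeds SETTINGS_MAX_FRAME_SIZE" % length)
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise FrameError("truncated payload at offset %d" % off)
        name = FRAME_TYPES.get(ftype, "UNKNOWN(0x%x)" % ftype)  # unknown types are recorded, not rejected
        if name in CONNECTION_ONLY and stream_id != 0:
            raise FrameError("%s on stream %d, must be stream 0" % (name, stream_id))
        if name in STREAM_ONLY and stream_id == 0:
            raise FrameError("%s on stream 0" % name)
        frames.append((name, flags, stream_id, payload))
        off += 9 + length
    return frames


class StreamIdTracker:
    """Client-initiated streams are odd, server-initiated even, 0 is the connection,
    and every id a peer opens must be larger than any it opened before (no reuse)."""

    def __init__(self):
        self.highest = {"client": 0, "server": 0}

    def open(self, stream_id, initiator):
        if stream_id == 0:
            raise FrameError("stream 0 is reserved for the connection")
        if (stream_id % 2 == 1) != (initiator == "client"):
            raise FrameError("stream %d has the wrong parity for the %s" % (stream_id, initiator))
        if stream_id <= self.highest[initiator]:
            raise FrameError("stream %d reuses or goes backwards (highest so far %d)"
                             % (stream_id, self.highest[initiator]))
        self.highest[initiator] = stream_id


# Constructed sample (not a real capture): SETTINGS on stream 0, then a HEADERS frame
# with END_HEADERS (0x4) on stream 1 whose payload is two HPACK static indices,
# 0x82 (:method GET) and 0x84 (:path /).
SAMPLE = build_frame(0x4, 0x0, 0) + build_frame(0x1, 0x4, 1, b"\x82\x84")
```

A receiver that skips the stream-0 and parity checks will happily process a SETTINGS frame on an arbitrary stream or a "client" stream with an even ID, which is exactly the kind of confusion a conformance tool such as h2spec (listed later in the deck) probes for.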

Slide 24

Slide 24 text

(Same text as slide 23.)

Slide 25

Slide 25 text

[Diagram] HTTP/1 over TLS, bottom to top: TCP; TLS; TLS record; inside it the HTTP/1 byte stream:
  Header: value\r\n
  Header: value\r\n
  Header: value\r\n
  \r\n
  Body Body Body … (body bytes)

Slide 26

Slide 26 text

[Diagram] Side by side, bottom to top:
  HTTP/1: TCP; TLS; TLS record; the HTTP/1 byte stream ("Header: value\r\n" lines, a blank "\r\n", then the body).
  HTTP/2: TCP; TLS; TLS record; HTTP/2 frames (HTTP/2 Frame, HTTP/2 Frame, …), each tagged with its Stream ID.

Slide 27

Slide 27 text

Protocol flow

Slide 28

Slide 28 text

HTTP/1 connection request response

Slide 29

Slide 29 text

[Diagram] HTTP/2 connection carrying a single stream; frames in the order shown: DATA (sid=1), DATA (sid=1), DATA (sid=1), HEADERS (sid=1), HEADERS (sid=1)

Slide 30

Slide 30 text

HTTP/1 connection request response

Slide 31

Slide 31 text

HTTP/1 connection request response Head-of-line blocking: nothing else can happen over the connection while busy with request/response

Slide 32

Slide 32 text

connection request response HTTP/1 connection request response connection request response connection request response

Slide 33

Slide 33 text

[Diagram] HTTP/2 connection with frames from several streams interleaved; in the order shown: DATA (sid=3), DATA (sid=1), HEADERS (sid=5), DATA (sid=3), HEADERS (sid=1), HEADERS (sid=3), HEADERS (sid=11), HEADERS (sid=13), HEADERS (sid=15), DATA (sid=13), DATA (sid=13), HEADERS (sid=17)

Slide 34

Slide 34 text

Multiplexing & Interleaving

Slide 35

Slide 35 text

No content

Slide 36

Slide 36 text

HTTP/1.1

Slide 37

Slide 37 text

HTTP/1.1 HTTP/2

Slide 38

Slide 38 text

No content

Slide 39

Slide 39 text

HTTP/2 & TCP

Slide 40

Slide 40 text

Performance

Slide 41

Slide 41 text

The perfect page

Slide 42

Slide 42 text

No content

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

No content

Slide 45

Slide 45 text

Private WebPageTest instance; 5Mbps/1Mbps (down/up), 40ms latency; h1 vs h2

Slide 46

Slide 46 text

PLR (packet loss rate)

Slide 47

Slide 47 text

No content

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

No content

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

780Kbps/330Kbps (down/up), 200ms latency

Slide 54

Slide 54 text

No content

Slide 55

Slide 55 text

Winner per metric (each cell names the faster protocol; "h2/h1" cells are as shown on the slide). Each network condition has two unlabelled sub-columns on the slide.

                 | 0% PLR                                    | 2% PLR
                 | 5Mbps/1Mbps 40ms | 780Kbps/330Kbps 200ms  | 5Mbps/1Mbps 40ms | 780Kbps/330Kbps 200ms
Doc Complete     | h2     h2        | h2     h2              | h1     h1        | h1     h1
DCL Start        | h1     h1        | h2     h1              | h1     h1        | h2     h1
Speed Index      | h2/h1  h2        | h2     h2              | h1     h1        | h2     h2

Slide 56

Slide 56 text

Winner per site and metric (each cell names the faster protocol; "h2/h1" and "h1/h2" cells are as shown on the slide). Each network condition has two unlabelled sub-columns on the slide.

                    | 0% PLR                                      | 2% PLR
                    | 5Mbps/1Mbps; 40ms | 780Kbps/330Kbps; 200ms  | 5Mbps/1Mbps; 40ms | 780Kbps/330Kbps; 200ms
Site1a (Fastly)
  DocComplete       | h2     h2         | h2     h1               | h1     h1         | h1     h1
  DCL Start         | h2     h1         | h2     h2               | h2/h1  h1         | h2     h2
  Speed Index       | h1     h2         | h2     h2               | h1     h2/h1      | h2/h1  h2
Site1b
  DocComplete       | h2/h1  h2         | h2     h2               | h1     h2         | h1     h2/h1
  DCL Start         | h1     h2         | h1     h1               | h1     h2/h1      | h1     h1
  Speed Index       | h1     h2         | h2     h1               | h1     h2/h1      | h1     h1
Site1c
  DocComplete       | h1/h2  h2         | h2     h2               | h1     h1         | h1     h1
  DCL Start         | h1     h1/h2      | h1     h1               | h1     h2         | h1     h1
  Speed Index       | h2     h2         | h1     h2               | h1     h2         | h1     h1
Site2a
  DocComplete       | h2     h2         | h2     h2               | h1     h2/h1      | h1     h1
  DCL Start         | h2     h2         | h2     h2               | h1     h1         | h1     h1
  Speed Index       | h1     h2         | h1     h2               | h1     h2         | h1     h2
Site2b
  DocComplete       | h2     h2         | h2     h2               | h1     h1/h2      | h1     h1
  DCL Start         | h2     h2         | h1     h2               | h1     h2         | h1     h2
  Speed Index       | h2     h1/h2      | h1     h1/h2            | h2     h2         | h1     h1
Site3a
  DocComplete       | h2     h2         | h1     h2               | h2     h2         | h1     h1
  DCL Start         | h2     h2         | h2     h2               | h2     h2         | h2     h2
  Speed Index       | h2     h2         | h1     h1               | h1/h2  h1/h2      | h1     h1
Site3b
  DocComplete       | h2     h2         | h2     h1/h2            | h2     h2/h1      | h2     h2
  DCL Start         | h2     h2         | h2     h2               | h2     h2         | h2     h2
  Speed Index       | h1     h2         | h1     h1               | h1     h2         | h1     h1
Site3c
  DocComplete       | h1     h2         | h2     h2               | h1     h2         | h2     h2
  DCL Start         | h1/h2  h2         | h1     h1/h2            | h2/h1  h2         | h1     h2/h1
  Speed Index       | h1     h2         | h2     h2               | h2     h2         | h2     h2

Slide 57

Slide 57 text

Why?

Slide 58

Slide 58 text

No content

Slide 59

Slide 59 text

No content

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

Head of line blocking in TCP

Slide 63

Slide 63 text

No content

Slide 64

Slide 64 text

No content

Slide 65

Slide 65 text

No content

Slide 66

Slide 66 text

Some reading…
• http://c3lab.poliba.it/images/3/3b/QUIC_SAC15.pdf
• https://www.usenix.org/system/files/conference/nsdi14/nsdi14-paper-wang_xiao_sophia.pdf
• http://arxiv.org/pdf/1507.06562v1.pdf
• http://nl.cs.montana.edu/lab/publications/Goel_H2_extended.pdf
• https://99designs.com.au/tech-blog/blog/2016/07/14/real-world-http-2-400gb-of-images-per-day/

Slide 67

Slide 67 text

Takeaways (then)
• Despite the experiment's flaws, the performance benefits are less than clear-cut out of the box
• What seemed best:
  - Don't listen to anyone!
  - Try it for yourself

Slide 68

Slide 68 text

Has anything changed?

Slide 69

Slide 69 text

BBR

Slide 70

Slide 70 text

https://github.com/google/bbr/blob/master/Presentations/bbr-2017-02-08-google-net-research-summit.pdf

Slide 71

Slide 71 text

https://cloudplatform.googleblog.com/2017/07/TCP-BBR-congestion-control-comes-to-GCP-your-Internet-just-got-faster.html

Slide 72

Slide 72 text

Bountifully Beneficial Reading
• https://github.com/google/bbr/blob/master/Presentations/bbr-2017-02-08-google-net-research-summit.pdf
• https://www.ietf.org/proceedings/97/slides/slides-97-iccrg-bbr-congestion-control-02.pdf
• https://github.com/google/bbr
• https://dl.acm.org/citation.cfm?id=3009824
• https://arxiv.org/pdf/1706.09115.pdf

Slide 73

Slide 73 text

https://twitter.com/amernetflix/status/892787364598132736

Slide 74

Slide 74 text

https://blogs.dropbox.com/tech/2017/09/optimizing-web-servers-for-high-throughput-and-low-latency/

Slide 75

Slide 75 text

[Chart] BBR vs Cubic: a single 1MB object download

Slide 76

Slide 76 text

(Same chart as slide 75: BBR vs Cubic, a single 1MB object download.)

Slide 77

Slide 77 text

BBR things…
• Is BBR a good network citizen?
• "network waterboarding"
• There's still work to do

Slide 78

Slide 78 text

Coalescing

Slide 79

Slide 79 text

No content

Slide 80

Slide 80 text

No content

Slide 81

Slide 81 text

https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

No content

Slide 84

Slide 84 text

Origin frame
• List of domains eligible for coalescing
  - Cert still needs to match
• Empty frame signals no coalescing
  - Fall back to SNI
• Obviates DNS lookups for listed domains

Slide 85

Slide 85 text

(Same text as slide 84.)

Slide 86

Slide 86 text

(Same text as slide 84.)
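The coalescing rule the Origin frame slides describe, as an added example (not code from the deck or from any client): a connection may be reused for another host only if the certificate covers it, and then either the host resolves to the address already connected to (the RFC 7540 section 9.1.1 rule, no ORIGIN frame seen) or the server listed it in an ORIGIN frame, which removes the DNS check but never the certificate check. Names, the policy class and the host-only form of origins are assumptions of this example; the real frame carries full origins such as https://host:443, and resolved addresses are passed in so nothing touches the network.

```python
def host_matches_cert(host, dns_sans):
    """Does the certificate cover this host? A wildcard only covers one label
    (RFC 6125): *.example.com covers static.example.com but neither
    example.com nor a.b.example.com."""
    host = host.lower().rstrip(".")
    for san in dns_sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                                   # ".example.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


class CoalescingPolicy:
    """Decide whether an existing HTTP/2 connection may be reused for another host."""

    def __init__(self, sni_host, cert_dns_sans, peer_ip):
        self.sni_host = sni_host.lower()
        self.cert_dns_sans = list(cert_dns_sans)
        self.peer_ip = peer_ip
        self.origin_set = None          # None until the server sends an ORIGIN frame

    def on_origin_frame(self, hosts):
        # The frame replaces the origin set, so an empty frame leaves only the
        # SNI host usable, which is how the slide reads it ("fall back to SNI").
        # Assumption for this example: origins reduced to host names.
        self.origin_set = {h.lower() for h in hosts}

    def may_coalesce(self, host, resolved_ips):
        """resolved_ips: the addresses the client itself resolved for host."""
        host = host.lower()
        # The certificate has to cover the host in every case: neither the ORIGIN
        # frame nor a matching IP lets a server speak for a name it cannot prove.
        if not host_matches_cert(host, self.cert_dns_sans):
            return False
        if host == self.sni_host:
            return True
        if self.origin_set is not None:
            # Listed origins skip the DNS lookup (that is the point of the frame);
            # unlisted ones are not sent over this connection.
            return host in self.origin_set
        # No ORIGIN frame: the host must resolve to the address we are connected to.
        return self.peer_ip in set(resolved_ips)
```

The two failure cases worth keeping in mind: a host the certificate covers but whose DNS points elsewhere is not coalesced without an ORIGIN frame, and a host the server lists in an ORIGIN frame is still refused if the certificate does not cover it.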

Slide 87

Slide 87 text

The connection is an authoritative and secure context

Slide 88

Slide 88 text

(Same text as slide 87.)

Slide 89

Slide 89 text

(Same text as slide 87.)

Slide 90

Slide 90 text

h2 and TCP
• Performance benefits?
  - Jury's still out
  - BBR helps, but the pros/cons aren't totally clear yet
  - It's still best to figure out what's best for you on your own!
• We're about to get more control over some coalescing
• The context of a connection is being relied on more and more

Slide 91

Slide 91 text

HTTP/2 Server Push

Slide 92

Slide 92 text

Push basics
• "Push" a resource to the client before it's requested
• Only servers can push
• Hop-by-hop
• Triggered by a PUSH_PROMISE frame

Slide 93

Slide 93 text

connection

Slide 94

Slide 94 text

connection

Slide 95

Slide 95 text

connection

Slide 96

Slide 96 text

What to push?
• A replacement for inlining
  - All the RTT-saving benefits + caching
• Google paper:
  - https://docs.google.com/a/fastly.com/drawings/d/1mWwY_MeNAjzDRCF0uT97KgN0lh_jX79a53X6iOuH_Is/pub?w=2330&h=1350
• Facebook:
  - https://www.facebook.com/atscaleevents/videos/1775942979345465/
• TTFMP:
  - https://youtu.be/4pQ2byAoIX0

Slide 97

Slide 97 text

Link: <…>; rel=preload; as=style
https://w3c.github.io/preload/

Slide 98

Slide 98 text

Doesn’t Link rel=preload already mean something to the browser?

Slide 99

Slide 99 text

Link: <…>; rel=preload; as=style; nopush
https://w3c.github.io/preload/

Slide 100

Slide 100 text

Link: <…>; rel=preload; as=style; x-http2-push-only

Slide 101

Slide 101 text

Benefits?

Slide 102

Slide 102 text

[Diagram] No push vs. push: with push the resource arrives one round trip earlier (1xRTT saved)

Slide 103

Slide 103 text

That’s cool, but...

Slide 104

Slide 104 text

No content

Slide 105

Slide 105 text

No content

Slide 106

Slide 106 text

No content

Slide 107

Slide 107 text

No content

Slide 108

Slide 108 text

No content

Slide 109

Slide 109 text

Non-header trigger

Slide 110

Slide 110 text

No content

Slide 111

Slide 111 text

“Async” Push

Slide 112

Slide 112 text

No content

Slide 113

Slide 113 text

Push with Link header Async Push

Slide 114

Slide 114 text

of course it isn’t that simple…

Slide 115

Slide 115 text

The client cache

Slide 116

Slide 116 text

RST_STREAM

Slide 117

Slide 117 text

No content

Slide 118

Slide 118 text

RST_STREAM

Slide 119

Slide 119 text

No Push First view Repeat view

Slide 120

Slide 120 text

Push First view Repeat view pushed pushed

Slide 121

Slide 121 text

https://blog.yoav.ws/tale-of-four-caches/

Slide 122

Slide 122 text

Cache Digests http://httpwg.org/http-extensions/cache-digest.html

Slide 123

Slide 123 text

+-------------------------------+-------------------------------+
 | Origin-Len (16) | Origin? (*) ...
 +-------------------------------+-------------------------------+
 | Digest-Value? (*) ...
 +---------------------------------------------------------------+

Slide 124

Slide 124 text

We still have work to do...

Slide 125

Slide 125 text

https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/

Slide 126

Slide 126 text

Adoption?

Slide 127

Slide 127 text

US-East

$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  30000 is_push:0
$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29980 is_push:0
     20 is_push:1
$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29985 is_push:0
     15 is_push:1

Slide 128

Slide 128 text

US-West

$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29967 is_push:0
     33 is_push:1
$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29972 is_push:0
     28 is_push:1
$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29974 is_push:0
     26 is_push:1

US-East: the same three samples as on slide 127 (30000/0, 29980/20, 29985/15).

Slide 129

Slide 129 text

$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29953 is_push:0
     47 is_push:1
$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29981 is_push:0
     19 is_push:1
$ varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c
  29984 is_push:0
     16 is_push:1

Slide 130

Slide 130 text

What about…

Slide 131

Slide 131 text

No content

Slide 132

Slide 132 text

Fetch stuff!!

Slide 133

Slide 133 text

https://tools.ietf.org/html/rfc8297

Slide 134

Slide 134 text

No content

Slide 135

Slide 135 text

103 Early Hints

Slide 136

Slide 136 text

Pushing for push
• Is the 1 RTT worth the complexity?
• 103 to the browser:
  - Same benefit as push for the most important use case
  - Much simpler
  - Leverages the browser cache
• Cache digests may still be useful?
• What do we do with push?

Slide 137

Slide 137 text

Prioritization

Slide 138

Slide 138 text

Prioritization basics
• Addresses possible contention because of all the concurrency
• Stream weights
• Dependency (including exclusivity)
• HEADERS and PRIORITY frames
• It's only a "suggestion"

Slide 139

Slide 139 text

Example 1
• A gets ¾ of resources: 12/(12+4)
• B gets ¼ of resources: 4/(12+4)

Tree: * (root) → A (weight 12), B (weight 4)

Slide 140

Slide 140 text

Example 2
• D gets all resources
• After D is done, C gets all resources
• Weights are meaningless since there are no siblings

Tree: * (root) → D (weight 1) → C (weight 8)

Slide 141

Slide 141 text

Example 3
• D gets all resources
• After D is done, C gets all resources
• After C is done:
  - A gets ¾ of resources
  - B gets ¼ of resources

Tree: * (root) → D (weight 1) → C (weight 8) → A (weight 12), B (weight 4)

Slide 142

Slide 142 text

Example 4
• D gets all resources
• After D is done:
  - C gets ½ of resources
  - E gets ½ of resources
• After C is done:
  - A gets ¾ of C's ½ of resources
  - B gets ¼ of C's ½ of resources

Tree: * (root) → D (weight 1) → C (weight 8), E (weight 8); C → A (weight 12), B (weight 4)
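Examples 1 through 4 follow one rule: a stream's share is its weight divided by the sum of its siblings' weights, times its parent's share, and dependents get nothing until the parent is done. As an added example (not from the deck), a small dependency tree that computes those shares for any set of finished streams and also handles the exclusive flag, which re-parents the existing dependents under the new stream. Stream names are letters here to match the slides; on the wire they are stream IDs.

```python
class PriorityTree:
    """Stream dependency tree: stream 0 is the root, every other stream depends
    on exactly one parent and carries a weight from 1 to 256."""

    def __init__(self):
        self.parent = {}
        self.weight = {}
        self.children = {0: []}

    def add(self, sid, parent=0, weight=16, exclusive=False):
        if sid == 0 or sid in self.children:
            raise ValueError("stream %s already in the tree" % (sid,))
        if parent not in self.children:
            raise ValueError("unknown parent stream %s" % (parent,))
        if not 1 <= weight <= 256:
            raise ValueError("weight must be 1..256")
        self.children[sid] = []
        if exclusive:
            # Exclusive dependency: the new stream takes over all of the parent's
            # current dependents, which now hang off the new stream instead.
            for c in self.children[parent]:
                self.parent[c] = sid
            self.children[sid] = self.children[parent]
            self.children[parent] = []
        self.parent[sid] = parent
        self.weight[sid] = weight
        self.children[parent].append(sid)

    def shares(self, done=()):
        """Fraction of the connection each stream would get right now, given the
        set of streams that have finished sending. An open stream takes its whole
        share; its dependents are only served once it is done."""
        done = set(done)
        out = {}

        def alive(sid):
            return sid not in done or any(alive(c) for c in self.children[sid])

        def walk(node, share):
            kids = [c for c in self.children[node] if alive(c)]
            total = sum(self.weight[c] for c in kids)
            for c in kids:
                part = share * self.weight[c] / total
                if c in done:
                    walk(c, part)        # a finished stream passes its share down
                else:
                    out[c] = part

        walk(0, 1.0)
        return out


def example_4():
    """The tree from Example 4: D (weight 1) under the root, C (8) and E (8)
    under D, A (12) and B (4) under C."""
    t = PriorityTree()
    t.add("D", 0, 1)
    t.add("C", "D", 8)
    t.add("E", "D", 8)
    t.add("A", "C", 12)
    t.add("B", "C", 4)
    return t
```

Because the tree is only a suggestion, a server may ignore it entirely; the h2priograph tool referenced later in the deck exists precisely to see what a server actually did with the tree a browser sent.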

Slide 143

Slide 143 text

https://speakerdeck.com/summerwind/2-prioritization

Slide 144

Slide 144 text

https://speakerdeck.com/summerwind/2-prioritization

Slide 145

Slide 145 text

https://speakerdeck.com/summerwind/2-prioritization

Slide 146

Slide 146 text

No content

Slide 147

Slide 147 text

https://speakerdeck.com/summerwind/2-prioritization

Slide 148

Slide 148 text

https://github.com/deweerdt/h2priograph

Slide 149

Slide 149 text

No content

Slide 150

Slide 150 text

https://github.com/deweerdt/h2priograph

Slide 151

Slide 151 text

https://github.com/deweerdt/h2priograph

Slide 152

Slide 152 text

Priority hints

Slide 153

Slide 153 text

https://discourse.wicg.io/t/manual-priority-control-of-resource-fetching/2280 https://github.com/WICG/priority-hints

Slide 154

Slide 154 text

HPACK

Slide 155

Slide 155 text

HPACK (RFC 7541)
• Addresses the header bloat problem
• Two primary mechanisms
  - Literal header names and values are Huffman encoded (optional per string, but the normal case)
  - Indexed tables at each peer

Slide 156

Slide 156 text

Tables
• Static table
  - Defined by the RFC, never changes
• Dynamic table
  - Built during the connection and maintained by each side
  - FIFO

Slide 157

Slide 157 text

Table 1: Static Table Entries (RFC 7541, Appendix A)

Index  Header Name                  Header Value
    1  :authority
    2  :method                      GET
    3  :method                      POST
    4  :path                        /
    5  :path                        /index.html
    6  :scheme                      http
    7  :scheme                      https
    8  :status                      200
    9  :status                      204
   10  :status                      206
   11  :status                      304
   12  :status                      400
   13  :status                      404
   14  :status                      500
   15  accept-charset
   16  accept-encoding              gzip, deflate
   17  accept-language
   18  accept-ranges
   19  accept
   20  access-control-allow-origin
   21  age
   22  allow
   23  authorization
   24  cache-control
   25  content-disposition
   26  content-encoding
   27  content-language
   28  content-length
   29  content-location
   30  content-range
   31  content-type
   32  cookie
   33  date
   34  etag
   35  expect
   36  expires
   37  from
   38  host
   39  if-match
   40  if-modified-since
   41  if-none-match
   42  if-range
   43  if-unmodified-since
   44  last-modified
   45  link
   46  location
   47  max-forwards
   48  proxy-authenticate
   49  proxy-authorization
   50  range
   51  referer
   52  refresh
   53  retry-after
   54  server
   55  set-cookie
   56  strict-transport-security
   57  transfer-encoding
   58  user-agent
   59  vary
   60  via
   61  www-authenticate

Slide 158

Slide 158 text

(Same text as slide 156.)

Slide 159

Slide 159 text

Bytes browser => server Bytes server => browser

Slide 160

Slide 160 text

https://blogs.dropbox.com/tech/2016/05/enabling-http2-for-dropbox-web-services-experiences-and-observations/

Slide 161

Slide 161 text

HPACK - things to know
• Default size is 4K (4096 bytes, SETTINGS_HEADER_TABLE_SIZE)
  - For the entire dynamic table
  - Site-wide headers proposal:
    • https://mnot.github.io/I-D/site-wide-headers/
• Compression context is set per connection
  - A new connection starts with a blank dynamic table
• Can't turn it off
• Can be an attack vector:
  - https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf

Slide 162

Slide 162 text

content-security-policy:
script-src https://connect.facebook.net https://cm.g.doubleclick.net https://ssl.google-analytics.com https://graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com 'nonce-Kk9FW3roM81U6D0LjPHpZw==' https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self';
frame-ancestors 'self';
font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv;
connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https://graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod-video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https://rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us-west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv;
style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https://maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self';
object-src https://twitter.com https://pbs.twimg.com;
default-src 'self' blob:;
frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s-static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com;
img-src https://prod-profile.pscp.tv https://graph.facebook.com https://prod-thumbnail.pscp.tv https://*.giphy.com https://twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https://syndication.twitter.com https://media.riffsy.com https://www.google.com https://prod-profile.periscope.tv https://stats.g.doubleclick.net https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com blob: https://prod-thumbnail-small.pscp.tv https://prod-thumbnail-small.periscope.tv 'self' https://prod-thumbnail.periscope.tv;
report-uri https://twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;

Slide 163

Slide 163 text

(The same content-security-policy header as slide 162, annotated with its size: 4.6KB.)

Slide 164

Slide 164 text

(Same text as slide 161.)
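The "things to know" slides and the 4.6KB content-security-policy header above come together in the dynamic table rules. As an added example (not code from the deck or from any HTTP/2 implementation), an HPACK encoder with the static table from the RFC and a bounded, FIFO dynamic table: a repeated header set collapses to one indexed byte per header on the same connection, an entry larger than the whole table (the 4.6KB CSP) is never indexed and empties the table per RFC 7541 section 4.4, a peer's SETTINGS_HEADER_TABLE_SIZE change evicts immediately, and the never-indexed literal form keeps a sensitive value out of every table along the path. Huffman coding is deliberately off here (the H bit is 0, which the spec allows); it shortens literals but does not change table behaviour. The class name and sample headers are this example's own.

```python
# HPACK encoder with the static table from RFC 7541 Appendix A and a bounded,
# FIFO dynamic table. Huffman coding is left off (H bit 0), which the spec allows.
_STATIC = [(":authority", ""), (":method", "GET"), (":method", "POST"), (":path", "/"),
           (":path", "/index.html"), (":scheme", "http"), (":scheme", "https"),
           (":status", "200"), (":status", "204"), (":status", "206"), (":status", "304"),
           (":status", "400"), (":status", "404"), (":status", "500"),
           ("accept-charset", ""), ("accept-encoding", "gzip, deflate")] + [(n, "") for n in (
    "accept-language accept-ranges accept access-control-allow-origin age allow authorization "
    "cache-control content-disposition content-encoding content-language content-length "
    "content-location content-range content-type cookie date etag expect expires from host "
    "if-match if-modified-since if-none-match if-range if-unmodified-since last-modified link "
    "location max-forwards proxy-authenticate proxy-authorization range referer refresh "
    "retry-after server set-cookie strict-transport-security transfer-encoding user-agent vary "
    "via www-authenticate").split()]
assert len(_STATIC) == 61


def encode_int(value, prefix_bits, first_byte_flags=0):
    """HPACK integer representation (RFC 7541 section 5.1): prefix, then 7-bit groups."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([first_byte_flags | value])
    out = bytearray([first_byte_flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_string(s):
    """String literal without Huffman coding: H bit 0, 7-bit-prefix length, raw octets."""
    data = s.encode("utf-8")
    return encode_int(len(data), 7) + data


class HpackEncoder:
    def __init__(self, max_table_size=4096):          # SETTINGS_HEADER_TABLE_SIZE default
        self.max_size = max_table_size
        self.dynamic = []                              # newest first: dynamic[0] is index 62
        self.size = 0

    @staticmethod
    def _entry_size(name, value):
        return len(name) + len(value) + 32             # RFC 7541 section 4.1 overhead

    def _evict(self, needed):
        # FIFO: drop the oldest entries until the new one fits.
        while self.dynamic and self.size + needed > self.max_size:
            n, v = self.dynamic.pop()
            self.size -= self._entry_size(n, v)

    def _add(self, name, value):
        need = self._entry_size(name, value)
        if need > self.max_size:
            # RFC 7541 section 4.4: an entry larger than the whole table empties the
            # table and is not added. A 4.6KB CSP header therefore never gets indexed.
            self.dynamic.clear()
            self.size = 0
            return False
        self._evict(need)
        self.dynamic.insert(0, (name, value))
        self.size += need
        return True

    def _find(self, name, value):
        """Indices of an exact (name, value) match and of a name-only match."""
        exact = name_only = None
        for i, (n, v) in enumerate(_STATIC + self.dynamic, start=1):
            if n == name:
                if v == value:
                    exact = i
                    break
                if name_only is None:
                    name_only = i
        return exact, name_only

    def set_max_size(self, new_max):
        """Peer changed SETTINGS_HEADER_TABLE_SIZE: shrink now and return the
        dynamic table size update (001xxxxx) to emit in the next header block."""
        self.max_size = new_max
        self._evict(0)
        return encode_int(new_max, 5, 0x20)

    def encode(self, headers, never_index=()):
        out = bytearray()
        for name, value in headers:
            exact, name_only = self._find(name, value)
            if exact is not None:
                out += encode_int(exact, 7, 0x80)              # indexed: one byte for small indices
            elif name in never_index:
                out += encode_int(name_only or 0, 4, 0x10)     # literal never indexed (0001xxxx)
                if not name_only:
                    out += encode_string(name)
                out += encode_string(value)                    # stays out of every table, proxies included
            else:
                out += encode_int(name_only or 0, 6, 0x40)     # literal with incremental indexing
                if not name_only:
                    out += encode_string(name)
                out += encode_string(value)
                self._add(name, value)
        return bytes(out)
```

The decoder side is where the attack-vector point lands: a decoder must bound the table at the size it announced and refuse a header block whose decompressed size exceeds its own limit, since the compression ratio available to a peer that controls the table contents is what the Imperva paper above is about.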

Slide 165

Slide 165 text

No content

Slide 166

Slide 166 text

[Diagram] A connection between two peers; each side holds the static table.

Slide 167

Slide 167 text

[Diagram] Each side now also holds a dynamic table; its size is bounded by SETTINGS_HEADER_TABLE_SIZE.

Slide 168

Slide 168 text

[Diagram] Same, with the roles labelled: the encoder on one side and the decoder on the other, each with its static and dynamic table, the dynamic table bounded by SETTINGS_HEADER_TABLE_SIZE.

Slide 169

Slide 169 text

[Diagram] Both peers have an encoder and a decoder, each with its own dynamic table. Each direction is its own compression context, bounded by the SETTINGS_HEADER_TABLE_SIZE announced by the side that decodes it.

Slide 170

Slide 170 text

Tools and resources

Slide 171

Slide 171 text

http://chimera.labs.oreilly.com/books/1230000000545

Slide 172

Slide 172 text

Browser indicator
• Chrome: https://chrome.google.com/webstore/detail/http2-and-spdy-indicator/mpbpobfflnpcgagjijhmgnchggcjblin?hl=en
• Firefox: https://addons.mozilla.org/en-US/firefox/addon/http2-indicator/

Slide 173

Slide 173 text

Dev tools

Slide 174

Slide 174 text

Wireshark, using the TLS key log file: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Slide 175

Slide 175 text

cURL https://curl.haxx.se/docs/http2.html

Slide 176

Slide 176 text

cURL https://daniel.haxx.se/blog/2018/01/15/inspect-curls-tls-traffic/

Slide 177

Slide 177 text

nghttp https://nghttp2.org/

Slide 178

Slide 178 text

Others
• h2c (and wiretapping): https://github.com/fstab/h2c
• h2a (reverse proxy): https://github.com/summerwind/h2a
• Conformance: https://github.com/summerwind/h2spec
• Servers and proxies:
  - Charles Proxy: https://www.charlesproxy.com
  - mitmproxy: https://mitmproxy.org/
  - h2o: https://h2o.examp1e.net/
  - Envoy: https://www.envoyproxy.io/
• http-wg: https://github.com/http2/http2-spec/wiki/Tools

Slide 179

Slide 179 text

What’s next?

Slide 180

Slide 180 text

[Chart] HTTP complexity vs. HTTP version (0.9, 1.0, 1.1, 2.0): complexity grows with every version

Slide 181

Slide 181 text

[Chart] The same chart with a second series, "My Age", rising alongside HTTP complexity across versions 0.9, 1.0, 1.1 and 2.0

Slide 182

Slide 182 text

QUIC

Slide 183

Slide 183 text

QUIC

Slide 184

Slide 184 text

gQUIC vs iQUIC

Slide 185

Slide 185 text

gQUIC vs iQUIC
• gQUIC: monolithic; Google proprietary
• iQUIC: modularized; IETF standard

Slide 186

Slide 186 text

[Diagram] Protocol stacks, bottom to top:
  http/2: IP; TCP; TLS; HTTP/2
  gQUIC: IP; UDP; QUIC (TCP-like congestion avoidance and recovery; QUIC crypto); HTTP/2 shim
  iQUIC: IP; UDP; QUIC (TCP-like congestion avoidance and recovery; TLS 1.3); Application (HTTP/2)
Source: https://datatracker.ietf.org/meeting/98/materials/slides-98-edu-sessf-quic-tutorial/

Slide 187

Slide 187 text

No content

Slide 188

Slide 188 text

The promise of QUIC
• Low-latency connection setup
  - 0-RTT (with TLS 1.3)
• UDP
  - Addresses TCP's head-of-line blocking in h2
  - More flexible congestion avoidance algorithms
  - "rich signaling for congestion control and loss recovery"
• Everything authenticated and encrypted
• Mitigating middlebox tomfoolery
• Connection migration and NAT rebinding

Slide 189

Slide 189 text

Some QUIC reading
• https://dl.acm.org/citation.cfm?id=3098842
• https://quicwg.github.io/
• https://github.com/quicwg
• And a video: https://vimeo.com/227461189

Slide 190

Slide 190 text

Questions
• Has much changed?
• Do we still have a lot to learn?
• Do we still have a lot to do?
• QUIC will fix everything, right?

Slide 191

Slide 191 text

Thank you