Downloaded 28 times
Uploaded byFastly
Revisiting HTTP/2
The document revisits HTTP/2, detailing its core concepts, major features such as server push, and comparing it to HTTP/1.1 in terms of performance. It discusses the impact of TCP congestion control methods like BBR and emphasizes the significance of testing performance on one's own setup. Additionally, it highlights challenges in HTTP/2 adoption and the potential benefits of server push and connection coalescing.
More Related Content
Revisiting HTTP/2
- 1.
- 3.
- 4.
- 5.
- 6.
- 7. % of overallrequests on Fastly’s network (2017) %ofrequests 0% 25% 50% 75% 100%January February M arch April M ay June July August Septem ber O ctober N ovem ber D ecem ber HTTP/2
- 8.
- 9.
- 10.
- 11. Revisiting HTTP/2 • Coreconcepts • Major features - HTTP and TCP - Server push - Priorities and dependencies - HPACK • Has anything changed? Have we learned anything? • What’s next?
- 12.
- 13.
- 14.
- 15.
- 16. connection • A single,long lasting connection • Theoretically, this means better congestion management between peers • TLS/ALPN • Connection reuse across domains
- 17.
- 18. Streams • Virtual communicationchannels - Translate roughly to a request/response exchange - Either side can initiate a stream • Stream IDs - Client: odd; server: even; 0: reserved - Each ID must be larger than the last - Cannot be reused
- 19. +--------+ send PP || recv PP ,--------| idle |--------. / | | v +--------+ v +----------+ | +----------+ | | | send H / | | ,------| reserved | | recv H | reserved |------. | | (local) | | | (remote) | | | +----------+ v +----------+ | | | +--------+ | | | | recv ES | | send ES | | | send H | ,-------| open |-------. | recv H | | | / | | | | | v v +--------+ v v | | +----------+ | +----------+ | | | half | | | half | | | | closed | | send R / | closed | | | | (remote) | | recv R | (local) | | | +----------+ | +----------+ | | | | | | | | send ES / | recv ES / | | | | send R / v send R / | | | | recv R +--------+ recv R | | | send R / `----------->| |<-----------' send R / | | recv R | closed | recv R | `----------------------->| |<----------------------' +--------+ send: endpoint sends this frame recv: endpoint receives this frame H: HEADERS frame (with implied CONTINUATIONs) PP: PUSH_PROMISE frame (with implied CONTINUATIONs) ES: END_STREAM flag R: RST_STREAM frame
- 20. connection stream stream stream … frame frame frameframe frame frame frame frame frame frame frame frame frame frame frame frame frame frame frame
- 21. GET /thing HTTP/1.1 Host:www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html Request Response
- 22. GET /thing HTTP/1.1 Host:www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html Request Response HEADERS
- 23. GET /thing HTTP/1.1 Host:www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html HEADERS HEADERS Request Response
- 24. GET /thing HTTP/1.1 Host:www.example.com User-Agent: Some_user_agent HTTP/1.1 200 OK Server: some_server Content-Type: text/html Content-Length: 1000 html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html html DATA DATA DATA DATA DATA DATA HEADERS Request Response HEADERS
- 25. DATA Carries requestor response data HEADERS Carries request/response headers/trailers; can initiate a stream PRIORITY Indicates priority of a stream RST_STREAM Terminates a stream SETTINGS Defines parameters for the connection only PUSH_PROMISE Signals peer for server push PING Maintenance frame for checking RTT, connection, etc GOAWAY For shutting down a connection WINDOW_UPDATE Frame responsible for flow control adjustments CONTINUATION Extends a HEADERS frame and can carry more headers
- 26. DATA Carries requestor response data HEADERS Carries request/response headers/trailers; can initiate a stream PRIORITY Indicates priority of a stream RST_STREAM Terminates a stream SETTINGS Defines parameters for the connection only PUSH_PROMISE Signals peer for server push PING Maintenance frame for checking RTT, connection, etc GOAWAY For shutting down a connection WINDOW_UPDATE Frame responsible for flow control adjustments CONTINUATION Extends a HEADERS frame and can carry more headers
- 27. TCP TLS TLS Record Header: valuern Header:valuern Header: valuern rn Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body HTTP/1
- 28. HTTP/2 Frame TCP TLS TLS Record HTTP/2Frame HTTP/2 Frame … Stream ID Stream ID Stream ID TCP TLS TLS Record Header: valuern Header: valuern Header: valuern rn Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body Body HTTP/1 HTTP/2
- 29.
- 30.
- 31.
- 32.
- 33. HTTP/1 connection request response Head-of-line blocking: nothing elsecan happen over the connection while busy with request/response
- 34.
- 35.
- 36.
- 38.
- 39.
- 41.
- 42.
- 43.
- 47. Private WebpageTest 5Mbps/1Mbps, 40mslatency Chrome; h1 vs h2
- 48.
- 53.
- 55.
- 57. 0% PLR 2%PLR 5Mbps/1Mbps 40ms 780Kbps/330Kbps 200ms 5Mbps/1Mbps 40ms 780Kbps/330Kbps 200ms Doc Complete h2 h2 h2 h2 h1 h1 h1 h1 DCL Start h1 h1 h2 h1 h1 h1 h2 h1 Speed Index h2/h1 h2 h2 h2 h1 h1 h2 h2
- 58. 0% PLR 2%PLR 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms 5Mbps/1Mbps; 40ms 780Kbps/330Kbps; 200ms Site1a (Fastly) DocComplete h2 h2 h2 h1 h1 h1 h1 h1 DCL Start h2 h1 h2 h2 h2/h1 h1 h2 h2 Speed Index h1 h2 h2 h2 h1 h2/h1 h2/h1 h2 Site1b DocComplete h2/h1 h2 h2 h2 h1 h2 h1 h2/h1 DCL Start h1 h2 h1 h1 h1 h2/h1 h1 h1 Speed Index h1 h2 h2 h1 h1 h2/h1 h1 h1 Site1c DocComplete h1/h2 h2 h2 h2 h1 h1 h1 h1 DCL Start h1 h1/h2 h1 h1 h1 h2 h1 h1 Speed Index h2 h2 h1 h2 h1 h2 h1 h1 Site2a DocComplete h2 h2 h2 h2 h1 h2/h1 h1 h1 DCL Start h2 h2 h2 h2 h1 h1 h1 h1 Speed Index h1 h2 h1 h2 h1 h2 h1 h2 Site2b DocComplete h2 h2 h2 h2 h1 h1/h2 h1 h1 DCL Start h2 h2 h1 h2 h1 h2 h1 h2 Speed Index h2 h1/h2 h1 h1/h2 h2 h2 h1 h1 Site3a DocComplete h2 h2 h1 h2 h2 h2 h1 h1 DCL Start h2 h2 h2 h2 h2 h2 h2 h2 Speed Index h2 h2 h1 h1 h1/h2 h1/h2 h1 h1 Site3b DocComplete h2 h2 h2 h1/h2 h2 h2/h1 h2 h2 DCL Start h2 h2 h2 h2 h2 h2 h2 h2 Speed Index h1 h2 h1 h1 h1 h2 h1 h1 Site3c DocComplete h1 h2 h2 h2 h1 h2 h2 h2 DCL Start h1/h2 h2 h1 h1/h2 h2/h1 h2 h1 h2/h1 Speed Index h1 h2 h2 h2 h2 h2 h2 h2
- 59.
- 64. Head of lineblocking in TCP
- 68. Some reading… • http://c3lab.poliba.it/images/3/3b/QUIC_SAC15.pdf •https://www.usenix.org/system/files/conference/nsdi14/nsdi14-paper- wang_xiao_sophia.pdf • http://arxiv.org/pdf/1507.06562v1.pdf • http://nl.cs.montana.edu/lab/publications/Goel_H2_extended.pdf • https://99designs.com.au/tech-blog/blog/2016/07/14/real-world-http-2-400gb-of- images-per-day/
- 69. Takeaways (then) • Despitethe experiment flaws, performance benefits are less than clear cut, out of the box • Seemed best: - Not listen to anyone! - Try for yourself
- 70.
- 71.
- 72.
- 73.
- 74. Bountifully Beneficial Reading •https://github.com/google/bbr/blob/master/ Presentations/bbr-2017-02-08-google-net- research-summit.pdf • https://github.com/google/bbr • https://dl.acm.org/citation.cfm?id=3009824 • https://arxiv.org/pdf/1706.09115.pdf
- 75.
- 76.
- 77. BBR Cubic a single1MB object download
- 78. BBR Cubic a single1MB object download
- 79. BBR Cubic a single1MB object download
- 80. BBR Cubic a single1MB object download
- 81. BBR Cubic a single1MB object download
- 82. BBR Cubic a single1MB object download
- 83. perf (p50) cwndretrans
- 84. BBR things… • IsBBR a good network citizen? • “network waterboarding” • There’s still work to do
- 85.
- 88.
- 91. Origin frame • Listof domains eligible for coalescing - Cert still needs to match • Empty frame signals no coalescing - Fall back to SNI • Obviates DNS lookups for listed domains
- 92. Origin frame • Listof domains eligible for coalescing - Cert still needs to match • Empty frame signals no coalescing - Fall back to SNI • Obviates DNS lookups for listed domains
- 93. Origin frame • Listof domains eligible for coalescing - Cert still needs to match • Empty frame signals no coalescing - Fall back to SNI • Obviates DNS lookups for listed domains
- 94. The connection isan authoritative and secure context
- 95. The connection isan authoritative and secure context
- 96. h2 and TCP •Performance benefits? - Jury’s still out - BBR helps, but pros/cons aren’t totally clear yet - It’s still best to figure out what’s best for you on your own! • The context of a connection is being relied on more and more
- 97.
- 98. Push basic • “push”a resource to the client before it’s requested • Only servers can push • Hop-by-hop • Triggered by PUSH_PROMISE frame
- 99.
- 100.
- 101.
- 102. What to push? •A replacement for inlining - All the RTT-saving benefits + caching • Google paper: - https://docs.google.com/a/fastly.com/drawings/d/ 1mWwY_MeNAjzDRCF0uT97KgN0lh_jX79a53X6iOuH_Is/pub?w=2330&h=1350 • Facebook: - https://www.facebook.com/atscaleevents/videos/1775942979345465/ • TTFMP: - https://youtu.be/4pQ2byAoIX0
- 103. Link: </css1.css>; rel=preload;as=style https://w3c.github.io/preload/
- 104. Doesn’t Link rel=preloadalready mean something to the browser?
- 105. Link: </css1.css>; rel=preload;as=style; nopush https://w3c.github.io/preload/
- 106. Link: </css1.css>; rel=preload;as=style; x-http2-push-only
- 107.
- 108.
- 109.
- 115.
- 117.
- 119. Push with Linkheader Async Push
- 120. of course itisn’t that simple…
- 121.
- 122.
- 124.
- 125.
- 126.
- 127.
- 128.
- 129. +-------------------------------+-------------------------------+ | Origin-Len (16)| Origin? (*) ... +-------------------------------+-------------------------------+ | Digest-Value? (*) ... +---------------------------------------------------------------+
- 130. We still havework to do...
- 131.
- 132.
- 133. $varnishlog -i h2_attributes| grep -o "is_push:." | head -n 30000 | sort | uniq -c 30000 is_push:0 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29997 is_push:0 3 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29997 is_push:0 3 is_push:1 US-West
- 134. $varnishlog -i h2_attributes| grep -o "is_push:." | head -n 30000 | sort | uniq -c 30000 is_push:0 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29997 is_push:0 3 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29997 is_push:0 3 is_push:1 US-West
- 135. $varnishlog -i h2_attributes| grep -o "is_push:." | head -n 30000 | sort | uniq -c 30000 is_push:0 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29997 is_push:0 3 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29997 is_push:0 3 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29994 is_push:0 6 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29990 is_push:0 10 is_push:1 $varnishlog -i h2_attributes | grep -o "is_push:." | head -n 30000 | sort | uniq -c 29998 is_push:0 2 is_push:1 US-East US-West
- 136. Pushing for push •Is the 1RTT worth the complexity? • 103 to the browser gives us the same benefit as the most important use-case • Cache digests may still be useful, regardless of push
- 137.
- 138. Prioritization basics • Addresspossible contention because of all the concurrency • Stream weights • Dependency • HEADERS and PRIORITY frames • It’s only a “suggestion”
- 139. Example 1 • Agets ¾ of resources • B gets ¼ of resources * A 12 B 4 12/(12+4) 4/(12+4)
- 140. Example 1 • Agets ¾ of resources • B gets ¼ of resources * A 12 B 4 12/(12+4) 4/(12+4)
- 141. Example 2 • Dgets all resources • After D is done, C gets all resources • Weights are meaningless since there are no siblings * D 1 C 8
- 142. Example 3 • Dgets all resources • After D is done, C gets all resources • After C is done: - A gets ¾ of resources - B gets ¼ of resources * D 1 C 8 A 12 B 4
- 143. Example 4 • Dgets all resources • After D is done: - C gets ½ of resources - E gets ½ of resources • After C is done: - A gets ¾ of C’s ½ of resources - B gets ¼ of C’s ½ of resources * D 1 C 8 A 12 B 4 E 8
- 144.
- 145.
- 146.
- 148.
- 149.
- 150.
- 151.
- 152.
- 153. HPACK (RFC 7541) •Addresses the header bloat problem • Two primary mechanisms - All headers (name=value) are Huffman encoded - Indexed tables at each peer
- 154. Tables • Static table -Defined by the RFC, never changes • Dynamic table - Built during the connection and maintained by each side - FIFO
- 155. +-------+-----------------------------+---------------+ |Index | Header Name | Header Value | +-------+-----------------------------+---------------+ | 1 | :authority | | | 2 | :method | GET | | 3 | :method | POST | | 4 | :path | / | | 5 | :path | /index.html | | 6 | :scheme | http | | 7 | :scheme | https | | 8 | :status | 200 | | 9 | :status | 204 | | 10 | :status | 206 | | 11 | :status | 304 | | 12 | :status | 400 | | 13 | :status | 404 | | 14 | :status | 500 | | 15 | accept-charset | | | 16 | accept-encoding | gzip, deflate | | 17 | accept-language | | | 18 | accept-ranges | | | 19 | accept | | | 20 | access-control-allow-origin | | | 21 | age | | | 22 | allow | | | 23 | authorization | | | 24 | cache-control | | | 25 | content-disposition | | | 26 | content-encoding | | | 27 | content-language | | | 28 | content-length | | | 29 | content-location | | | 30 | content-range | | +-------+-----------------------------+---------------+ Table 1: Static Table Entries +-------+-----------------------------+---------------+ | Index | Header Name | Header Value | +-------+-----------------------------+---------------+ | 31 | content-type | | | 32 | cookie | | | 33 | date | | | 34 | etag | | | 35 | expect | | | 36 | expires | | | 37 | from | | | 38 | host | | | 39 | if-match | | | 40 | if-modified-since | | | 41 | if-none-match | | | 42 | if-range | | | 43 | if-unmodified-since | | | 44 | last-modified | | | 45 | link | | | 46 | location | | | 47 | max-forwards | | | 48 | proxy-authenticate | | | 49 | proxy-authorization | | | 50 | range | | | 51 | referer | | | 52 | refresh | | | 53 | retry-after | | | 54 | server | | | 55 | set-cookie | | | 56 | strict-transport-security | | | 57 | transfer-encoding | | | 58 | user-agent | | | 59 | vary | | | 60 | via | | | 61 | www-authenticate | | +-------+-----------------------------+---------------+ Table 1: Static Table Entries
- 156. Tables • Static table -Defined by the RFC, never changes • Dynamic table - Built during the connection and maintained by each side - FIFO
- 162. Bytes browser =>server Bytes server => browser
- 163.
- 164. HPACK - thingsto know • Default size is 4K - For entire dynamic table - Site-wide headers proposal: • https://mnot.github.io/I-D/site-wide-headers/ • Compression context is set per connection - New connection starts with blank dynamic table • Can’t turn it off • Can be an attack vector: - https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
- 165. content-security-policy:script-src https://connect.facebook.net https://cm.g.doubleclick.nethttps://ssl.google-analytics.com https:// graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com 'nonce- Kk9FW3roM81U6D0LjPHpZw==' https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self'; frame- ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video- eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https:// smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap- northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https:// mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv- vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod- video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev- video-eu-west-1.pscp.tv; connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https:// graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv- vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https:// rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod- video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https:// rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https:// smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us- west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https:// mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self' blob:; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s- static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://prod-profile.pscp.tv https://graph.facebook.com https://prod-thumbnail.pscp.tv https://*.giphy.com https:// twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https:// syndication.twitter.com https://media.riffsy.com https://www.google.com https://prod-profile.periscope.tv https:// stats.g.doubleclick.net https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com blob: https://prod- thumbnail-small.pscp.tv https://prod-thumbnail-small.periscope.tv 'self' https://prod-thumbnail.periscope.tv; report-uri https:// twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false;
- 166. content-security-policy:script-src https://connect.facebook.net https://cm.g.doubleclick.nethttps://ssl.google-analytics.com https:// graph.facebook.com https://twitter.com 'unsafe-eval' https://*.twimg.com https://api.twitter.com https://analytics.twitter.com https://publish.twitter.com https://ton.twitter.com https://syndication.twitter.com https://www.google.com 'nonce- Kk9FW3roM81U6D0LjPHpZw==' https://t.tellapart.com https://platform.twitter.com https://www.google-analytics.com blob: 'self'; frame- ancestors 'self'; font-src https://twitter.com https://*.twimg.com data: https://ton.twitter.com https://fonts.gstatic.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; media-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video- eu-central-1.pscp.tv https://v.cdn.vine.co https://dwo3ckksxlb0v.cloudfront.net https://twitter.com https://amp.twimg.com https:// smmdhdsnappytv-vh.akamaihd.net https://*.twimg.com https://prod-video-eu-west-1.pscp.tv https://rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://prod-video-us-west-1.pscp.tv https://prod-video-ap- northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://ton.twitter.com https://rmdhdsnappytv-vh.akamaihd.net https:// mmdhdsnappytv-vh.akamaihd.net https://smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://mdhdsnappytv- vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://mtc.cdn.vine.co https://dev-video-us-west-2.pscp.tv https://prod- video-us-east-1.pscp.tv blob: 'self' https://prod-video-ap-southeast-1.pscp.tv https://mpdhdsnappytv-vh.akamaihd.net https://dev- video-eu-west-1.pscp.tv; connect-src https://rmpdhdsnappytv-vh.akamaihd.net https://prod-video-eu-central-1.pscp.tv https:// graph.facebook.com https://*.giphy.com https://dwo3ckksxlb0v.cloudfront.net https://vmaprel.snappytv.com https://smmdhdsnappytv- vh.akamaihd.net https://*.twimg.com https://embed.pscp.tv https://api.twitter.com https://prod-video-eu-west-1.pscp.tv https:// rmmdhdsnappytv-vh.akamaihd.net https://clips-media-assets.twitch.tv https://prod-video-us-west-2.pscp.tv https://pay.twitter.com https://prod-video-us-west-1.pscp.tv https://analytics.twitter.com https://vmap.snappytv.com https://*.twprobe.net https://prod- video-ap-northeast-1.pscp.tv https://smdhdsnappytv-vh.akamaihd.net https://syndication.twitter.com https://sentry.io https:// rmdhdsnappytv-vh.akamaihd.net https://media.riffsy.com https://mmdhdsnappytv-vh.akamaihd.net https://embed.periscope.tv https:// smpdhdsnappytv-vh.akamaihd.net https://prod-video-sa-east-1.pscp.tv https://vmapstage.snappytv.com https://upload.twitter.com https://proxsee.pscp.tv https://mdhdsnappytv-vh.akamaihd.net https://prod-video-ap-southeast-2.pscp.tv https://dev-video-us- west-2.pscp.tv https://prod-video-us-east-1.pscp.tv 'self' https://vmap.grabyo.com https://prod-video-ap-southeast-1.pscp.tv https:// mpdhdsnappytv-vh.akamaihd.net https://dev-video-eu-west-1.pscp.tv; style-src https://fonts.googleapis.com https://twitter.com https://*.twimg.com https://translate.googleapis.com https://ton.twitter.com 'unsafe-inline' https://platform.twitter.com https:// maxcdn.bootstrapcdn.com https://netdna.bootstrapcdn.com 'self'; object-src https://twitter.com https://pbs.twimg.com; default-src 'self' blob:; frame-src https://staticxx.facebook.com https://twitter.com https://*.twimg.com https://5415703.fls.doubleclick.net https://player.vimeo.com https://pay.twitter.com https://www.facebook.com https://ton.twitter.com https://syndication.twitter.com https://vine.co twitter: https://www.youtube.com https://platform.twitter.com https://upload.twitter.com https://s- static.ak.facebook.com https://4337974.fls.doubleclick.net https://8122179.fls.doubleclick.net 'self' https://donate.twitter.com; img-src https://prod-profile.pscp.tv https://graph.facebook.com https://prod-thumbnail.pscp.tv https://*.giphy.com https:// twitter.com https://*.twimg.com https://ad.doubleclick.net data: https://clips-media-assets.twitch.tv https://lumiere-a.akamaihd.net https://fbcdn-profile-a.akamaihd.net https://www.facebook.com https://ton.twitter.com https://*.fbcdn.net https:// syndication.twitter.com https://media.riffsy.com https://www.google.com https://prod-profile.periscope.tv https:// stats.g.doubleclick.net https://platform.twitter.com https://api.mapbox.com https://www.google-analytics.com blob: https://prod- thumbnail-small.pscp.tv https://prod-thumbnail-small.periscope.tv 'self' https://prod-thumbnail.periscope.tv; report-uri https:// twitter.com/i/csp_report?a=NVQWGYLXFVZXO2LGOQ%3D%3D%3D%3D%3D%3D&ro=false; 4.6KB
- 167. HPACK - thingsto know • Default size is 4K - For entire dynamic table - Site-wide headers proposal: • https://mnot.github.io/I-D/site-wide-headers/ • Compression context is set per connection - New connection starts with blank dynamic table • Can’t turn it off • Can be an attack vector: - https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf
- 169.
- 170.
- 171.
- 172.
- 173.
- 174.
- 175. Browser indicator • Chrome: –https://chrome.google.com/webstore/detail/http2-and-spdy- indicator/mpbpobfflnpcgagjijhmgnchggcjblin?hl=en • Firefox: – https://addons.mozilla.org/en-US/firefox/addon/http2-indicator/
- 176.
- 177. Wireshark Using the TLSkey file: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
- 178.
- 179.
- 180.
- 181. Others • h2c (andwiretapping): - https://github.com/fstab/h2c • h2a: reverse proxy - https://github.com/summerwind/h2a • Conformance: - https://github.com/summerwind/h2spec • Serves and proxies: - Charles proxy: https://www.charlesproxy.com - MITM proxy: https://mitmproxy.org/ - h2o: https://h2o.examp1e.net/ - Envoy: https://www.envoyproxy.io/ • http-wg - https://github.com/http2/http2-spec/wiki/Tools
- 182.
- 183. 0.9 1.0 1.12.0 HTTP Complexity HTTP version
- 184. 0.9 1.0 1.12.0 HTTP Complexity My Age HTTP version
- 185.
- 186.
- 187. gQUIC vs iQUIC •Monolithic • Google proprietary • Modularized • IETF standard
- 188. IP TCP UDP TLS HTTP/2 QUIC TCP-like congestion avoidance, recovery HTTP/2shim UDP QUIC TCP-like congestion avoidance, recovery Application (HTTP/2) QUIC crypto TLS 1.3 gQUIC iQUIChttp/2 https://datatracker.ietf.org/meeting/98/materials/slides-98-edu-sessf-quic-tutorial/
- 190. The promise ofQUIC • Low latency connection setup - 0RTT (with TLS 1.3) • UDP - Addresses TCP’s head of line blocking in h2 - More flexible congestion avoidance algorithms - “rich signaling for congestion control and loss recovery” • Everything authenticated and encrypted • Mitigating middle box tomfoolery • Connection migration and NAT rebinding
- 191. Some QUIC reading •https://dl.acm.org/citation.cfm?id=3098842 • https://quicwg.github.io/ • https://github.com/quicwg • And a video: https://vimeo.com/227461189
- 192. Questions • Has muchchanged? • Do we still have a lot to learn? • Do we still have a lot to do? • QUIC will fix everything, right?
- 193.