[PPT] - Solving HTTP Problems With Code and Protocols NATASHA ROONEY PowerPoint Presentation

SLIDE 1 @thisNatasha

Solving HTTP Problems With Code and Protocols

NATASHA ROONEY

SLIDE 2 @thisNatasha

7. Application Data

HTTP / IMAP

6. Data Presentation,

Encryption SSL / TLS

5. Session and connection

management

4. Transport of packets and

streams TCP / UDP

3. Routing and delivery of

datagrams on the Network IP / IPSec

2. Local Data Connection

Ethernet

1. Physical data connection

(cables) CAT5

HTTP

TLS TCP IP Web

SLIDE 3 @thisNatasha

Some fundamental limitations

SLIDE 4 @thisNatasha

300,000,000 m/s

SLIDE 5 @thisNatasha

300,000,000 m/s

Speed of Light

SLIDE 6 @thisNatasha

300km, 1ms

SLIDE 7 @thisNatasha

10ms

SLIDE 8 @thisNatasha

10ms

5G

SLIDE 9 @thisNatasha

Only one way!

And as the crow flies...

SLIDE 10 @thisNatasha @thisNatasha

Hops

SLIDE 11 @thisNatasha

Not good enough!

SLIDE 12 @thisNatasha

CDNs, Edge

SLIDE 13 @thisNatasha

Mobile Network (not wifi) The Internet

SLIDE 14 @thisNatasha

Amount of data

SLIDE 15 @thisNatasha

SLIDE 16 @thisNatasha

SLIDE 17 @thisNatasha

SLIDE 18 @thisNatasha

SLIDE 19 @thisNatasha @thisNatasha

Speed & Distance

Capped by Speed of Light

Amount of Data

>100 objects per site 800k to 2.5mb data >50 resources on same domain

SLIDE 20 @thisNatasha

RTs are Evil

Mostly because of physics. Not much you can do about that.

SLIDE 21 @thisNatasha

HTTP/1

SLIDE 22 @thisNatasha

HTTP/1 TLS TCP IP HTTP/1 TLS TCP

Request

SLIDE 23 @thisNatasha

HTTP/1 TLS TCP IP HTTP/1 TLS TCP

Request Response

SLIDE 24 @thisNatasha

HTTP/1 TLS TCP IP HTTP/1 TLS TCP

Request Response Request

SLIDE 25 @thisNatasha

SLIDE 26 @thisNatasha

SLIDE 27 @thisNatasha

Urgh...

SLIDE 28 @thisNatasha @thisNatasha

Spriting

SLIDE 29 @thisNatasha @thisNatasha

Inlining

SLIDE 30 @thisNatasha

SLIDE 31 @thisNatasha

SLIDE 32 @thisNatasha

Image source: @jungkees

SLIDE 33 @thisNatasha

Pipelining

SLIDE 34 @thisNatasha

Home Roads

Supermarket

SLIDE 35 @thisNatasha

Home Roads

Supermarket

SLIDE 36 @thisNatasha

HTTP/1 TLS TCP IP HTTP/1 TLS TCP

TCP Setup TLS Setup HTTP Request/Response

SLIDE 37 @thisNatasha

HTTP/2

SLIDE 38 @thisNatasha

SPDY

SLIDE 39 @thisNatasha

Home Roads

Supermarket

SLIDE 40 @thisNatasha

Home Roads

Supermarket

SLIDE 41 @thisNatasha @thisNatasha

SPDY

A Protocol by Google 2009 Header Compression Parallel Connections Multiplexing Priority Marking Server Push TLS (to work)

SLIDE 42 @thisNatasha @thisNatasha

SPDY

A Protocol by Google Header Compression

SLIDE 43 @thisNatasha

SLIDE 44 @thisNatasha

SLIDE 45 @thisNatasha

SLIDE 46 @thisNatasha

SLIDE 47 @thisNatasha

HTTP/2

SLIDE 48 @thisNatasha

“Idea was to maintain HTTP semantics but change how it is transported.”

Daniel Stenberg https://daniel.haxx.se/blog/

SLIDE 49 @thisNatasha

Home Roads

Supermarket

SLIDE 50 @thisNatasha

Home Roads

Supermarket

SLIDE 51 @thisNatasha

HTTP/1 TLS TCP IP HTTP/1 TLS TCP

Request Response Request Request

SLIDE 52 @thisNatasha @thisNatasha

HTTP2

A Protocol by IETF (SDPY base) Binary Header Compression Multiplexing Server Push TLS...

SLIDE 53 @thisNatasha @thisNatasha

HTTP2

A Protocol by IETF (SDPY base)

SLIDE 54 @thisNatasha

SLIDE 55 @thisNatasha @thisNatasha

Stats

Gimme gimme 35% Requests 70% HTTPS Connections 13% Top 1,000,000 Sites 29% Top 1000 Sites “90% your site”

SLIDE 56 @thisNatasha

2% packet loss

HTTP1 is better.

SLIDE 57 @thisNatasha

Head of line blocking

SLIDE 58 @thisNatasha

Home Roads

Supermarket

SLIDE 59 @thisNatasha

Home Roads

Supermarket

SLIDE 60 @thisNatasha

Home Roads

Supermarket

Not good enough!

SLIDE 61 @thisNatasha

Home Roads

Supermarket

Not good enough!

SLIDE 62 @thisNatasha

TCP issue

(Can happen on any protocol with in-order delivery)

SLIDE 63 @thisNatasha

QUIC

SLIDE 64 @thisNatasha

“Idea was to maintain HTTP semantics but change how it is transported.”

Daniel Stenberg https://daniel.haxx.se/blog/

SLIDE 65 @thisNatasha

Home Roads

Supermarket

TCP

SLIDE 66 @thisNatasha @thisNatasha

TCP

Suffers from Head of Line Blocking

UDP

Can work...with help.

Transport Layer

SLIDE 67 @thisNatasha

“We want QUIC to work on today’s internet”

Jana Iyengar QUIC Editor, Google

SLIDE 68 @thisNatasha

Ossification

SLIDE 69 @thisNatasha

Why TCP or UDP only?

SLIDE 70 @thisNatasha

Image source: http://itpro.nikkeibp.co.jp/

SLIDE 71 @thisNatasha

HTTP/2 TLS 1.2+ TCP IP

Application

QUIC UDP

Google Crypto

Congestion Control

SLIDE 72 @thisNatasha

HTTP/2 TLS 1.2+ TCP IP

Application

QUIC UDP

Google Crypto

Congestion Control

SLIDE 73 @thisNatasha @thisNatasha

QUIC

A Protocol by Google Goo

SLIDE 74 @thisNatasha

HTTP/2 TLS 1.2+ TCP IP

HTTP over QUIC

QUIC UDP

TLS 1.3

SLIDE 75 @thisNatasha

“A "stream" is an independent, bidirectional sequence of frames exchanged between the client and server within an HTTP/2 connection… A single HTTP/2 connection can contain multiple concurrently open streams…”

Hypertext Transfer Protocol Version 2 (HTTP/2), RFC7540

SLIDE 76 @thisNatasha

Image source: High Performance Browser Networking https://hpbn.co/http2/

SLIDE 77 @thisNatasha

IP

HTTP over QUIC

QUIC UDP

TLS 1.3

HTTP over QUIC

QUIC UDP

TLS 1.3

SLIDE 78 @thisNatasha

IP

HTTP over QUIC

QUIC UDP

TLS 1.3

HTTP over QUIC

QUIC UDP

TLS 1.3

SLIDE 79 @thisNatasha

IP

HTTP over QUIC

QUIC UDP

TLS 1.3

HTTP over QUIC

QUIC UDP

TLS 1.3

SLIDE 80 @thisNatasha

IP

HTTP over QUIC

QUIC UDP

TLS 1.3

HTTP over QUIC

QUIC UDP

TLS 1.3

Head of Line Blocking!

SLIDE 81 @thisNatasha

RTs are Evil

Mostly because of physics. Not much you can do about that.

SLIDE 82 @thisNatasha

IP

HTTP over QUIC

QUIC UDP

TLS 1.3

HTTP over QUIC

QUIC UDP

TLS 1.3

0RTT: Setup + Data 2RTT: If QUIC version negotiation needed 1RTT: New Crypto Keys

SLIDE 83 @thisNatasha

Reduce the RTs!

SLIDE 84 @thisNatasha

SLIDE 85 @thisNatasha

SLIDE 86 @thisNatasha

7% Internet Traffic

35% Google Egress Traffic

SLIDE 87 @thisNatasha

How does this affect me?

SLIDE 88 @thisNatasha

Abstraction

Is a computer scientist’s friend / fiend

SLIDE 89 @thisNatasha

L a y e r V i

l

a t i

n

SLIDE 90 @thisNatasha

7. Application Data

HTTP / IMAP

6. Data Presentation,

Encryption SSL / TLS

5. Session and connection

management

4. Transport of packets and

streams TCP / UDP

3. Routing and delivery of

datagrams on the Network IP / IPSec

2. Local Data Connection

Ethernet

1. Physical data connection

(cables) CAT5

HTTP

TLS TCP IP Web

SLIDE 91 @thisNatasha @thisNatasha

Some things

If you have to do something... Manage your resources logically Detect on upgrade header and adapt Measure Remember Physics!

SLIDE 92 @thisNatasha @thisNatasha

Recap

We made it! RTTs, Physics, Data SPDY, HTTP2, QUIC Header compression Multiplexing & Streams Head of Line Blocking Make protocols for today’s internet

SLIDE 93 @thisNatasha

3

SLIDE 94 @thisNatasha

SLIDE 95 @thisNatasha

SLIDE 96 @thisNatasha

SLIDE 97 @thisNatasha

Thank-you

People: Martin Thomson, Mark Nottingham, Jana Iyengar, Mike Bishop, Eric Rescola, Ian Swett

SLIDE 98 @thisNatasha

SLIDE 99 @thisNatasha

SLIDE 100 @thisNatasha

SLIDE 101 @thisNatasha

7. Application Data

HTTP / IMAP

6. Data Presentation,

Encryption SSL / TLS

5. Session and connection

management

4. Transport of packets and

streams TCP / UDP

3. Routing and delivery of

datagrams on the Network IP / IPSec

2. Local Data Connection

Ethernet

1. Physical data connection

(cables) CAT5

OSI Model

SLIDE 102 @thisNatasha

Handshake Flow TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Key Exchange Authentication Algorithm Strength Mode Cipher MAC or PRF

TLS / Handshake Cheat Sheet

Key Exchange Method: creates the pre master secret. Premaster secret is combined with PRF to create master secret RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA Authentication Method: Uses public key crypto and certificates public key together. Once certificate is validated the client can used public key. RSA or ECDSA Certs: X.509, ASN.1 DER encoding. Server Hello, Certificate

Server selects cipher & compression

method

Server send certificate
Client authenticates

Key Exchange Pre-master secret exchanged between client & server, client validates certificate Master Secret Client & Server can compute Master Secret. MAC Server verifies MAC, returns to client to verify also. Finished Handshake complete. Client Hello Client sends TLS Version, Ciphersuites, Compression methods

Ciphers, Standards and Terms

Encryption 3DES, AES, ARIA, CAMELLIA, RC4, and SEED [1] Steam: adds MAC [2] Block: adds IV and padding after encryption [3] Encryption (AEAD): encryption and integrity validation, using nonce, no padding, no IV. Master Secret Pre-master secret: combines params to help client and server create master secret. Master Secret: both server and client create this from pre-master secret to symmetrically encrypt Integrity Validation PRF: Pseudorandom

Function. Takes a

secret, a seed, and a unique label. TLS1.2 suites use PRF based

n HMAC and SHA256

MAC: used for integrity validation in handshake and record.

SLIDE 103 @thisNatasha

[1] Client Hello

Cli-ant Ser-ver

Server Hello [2] Certificate [3] Server Key Exchange [4] Server Hello Done [5] [6] Client Key Exchange [7] (Change Cipher Spec) [8] Finished (Change Cipher Spec) [9] Finished [10]

TLS Handshake

SLIDE 104 @thisNatasha

Cli-ant Ser-ver TCP and TLS with Session Tickets

TCP Fast Open Handshake [1] Client Hello Server Hello [2] (Change Cipher Spec) [3] Finished [4] [5] (Change Cipher Spec) [6] Finished

SLIDE 105 @thisNatasha

SLIDE 106 @thisNatasha

Transport Overhead

SLIDE 107 @thisNatasha @thisNatasha

Min