Solving HTTP Problems With Code and Protocols NATASHA ROONEY

Transcription

1 Solving HTTP Problems With Code and Protocols NATASHA ROONEY

2 Web HTTP TLS TCP IP 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport of packets and streams TCP / UDP 3. Routing and delivery of datagrams on the Network IP / IPSec 2. Local Data Connection Ethernet 1. Physical data connection (cables) CAT5

3 Some fundamental limitations

4 300,000,000 m/s

5 300,000,000 m/s Speed of Light

6 300km, 1ms

7 10ms

8 10ms 5G

9 Only one way! And as the crow flies...

10 Hops

11 Not good enough!

12 CDNs, Edge

13 Mobile Network (not wifi) The Internet

14 Amount of data

15

16

17

18

19 Speed & Distance Amount of Data Capped by Speed of Light >100 objects per site 800k to 2.5mb data >50 resources on same domain

20 RTs are Evil Mostly because of physics. Not much you can do about that.

21 HTTP/1

22 HTTP/1 Request HTTP/1 TLS TLS TCP TCP IP

23 HTTP/1 Request HTTP/1 Response TLS TLS TCP TCP IP

24 HTTP/1 Request HTTP/1 Response TLS Request TCP TLS TCP IP

25

26

27 Urgh...

28 Spriting

29 Inlining

30

31

32 Image

33 Pipelining

34 Home Supermarket Roads

35 Home Supermarket Roads

36 HTTP/1 TLS TCP TCP Setup TLS Setup HTTP Request/Response IP HTTP/1 TLS TCP

37 HTTP/2

38 SPDY

39 Home Supermarket Roads

40 Home Supermarket Roads

41 2009 Header Compression SPDY A Protocol by Google Parallel Connections Multiplexing Priority Marking Server Push TLS (to work)

42 SPDY A Protocol by Google Header Compression

43

44

45

46

47 HTTP/2

48 Idea was to maintain HTTP semantics but change how it is transported. Daniel Stenberg

49 Home Supermarket Roads

50 Home Supermarket Roads

51 HTTP/1 Request HTTP/1 Request TLS TCP Request Response IP TLS TCP

52 Binary HTTP2 A Protocol by IETF (SDPY base) Header Compression Multiplexing Server Push TLS...

53 HTTP2 A Protocol by IETF (SDPY base)

54

55 35% Requests Stats Gimme gimme 70% HTTPS Connections 13% Top 1,000,000 Sites 29% Top 1000 Sites 90% your site

56 2% packet loss HTTP1 is better.

57 Head of line blocking

58 Home Supermarket Roads

59 Home Supermarket Roads

60 Not good enough! Home Supermarket Roads

61 Not good enough! Home Supermarket Roads

62 TCP issue (Can happen on any protocol with in-order delivery)

63 QUIC

64 Idea was to maintain HTTP semantics but change how it is transported. Daniel Stenberg

65 TCP Home Supermarket Roads

66 Transport Layer TCP UDP Suffers from Head of Line Blocking Can work...with help.

67 We want QUIC to work on today s internet Jana Iyengar QUIC Editor, Google

68 Ossification

69 Why TCP or UDP only?

70 Image source:

71 Application HTTP/2 QUIC TLS 1.2+ Congestion Control TCP Google Crypto UDP IP

72 Application HTTP/2 QUIC TLS 1.2+ Congestion Control TCP Google Crypto UDP IP

73 QUIC A Protocol by Google Goo

74 HTTP over QUIC HTTP/2 QUIC TLS 1.2+ TLS 1.3 TCP UDP IP

75 A "stream" is an independent, bidirectional sequence of frames exchanged between the client and server within an HTTP/2 connection A single HTTP/2 connection can contain multiple concurrently open streams Hypertext Transfer Protocol Version 2 (HTTP/2), RFC7540

76 Image source: High Performance Browser Networking

77 HTTP over QUIC HTTP over QUIC QUIC QUIC TLS 1.3 TLS 1.3 UDP UDP IP

78 HTTP over QUIC HTTP over QUIC QUIC QUIC TLS 1.3 TLS 1.3 UDP UDP IP

79 HTTP over QUIC HTTP over QUIC QUIC QUIC TLS 1.3 TLS 1.3 UDP UDP IP

80 HTTP over QUIC QUIC e n Li! of ing d ck a He Blo TLS 1.3 HTTP over QUIC QUIC TLS 1.3 UDP UDP IP

81 RTs are Evil Mostly because of physics. Not much you can do about that.

82 HTTP over QUIC HTTP over QUIC 0RTT: Setup + Data QUIC 1RTT: New Crypto Keys TLS 1.3 UDP QUIC TLS 1.3 2RTT: If QUIC version negotiation needed IP UDP

83 Reduce the RTs!

84

85

86 7% Internet Traffic 35% Google Egress Traffic

87 How does this affect me?

88 Abstraction Is a computer scientist s friend / fiend

89 n o i t a l o i V r e Lay

90 Web HTTP TLS TCP IP 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport of packets and streams TCP / UDP 3. Routing and delivery of datagrams on the Network IP / IPSec 2. Local Data Connection Ethernet 1. Physical data connection (cables) CAT5

91 Manage your resources logically Some things If you have to do something... Detect on upgrade header and adapt Measure Remember Physics!

92 RTTs, Physics, Data SPDY, HTTP2, QUIC Recap We made it! Header compression Multiplexing & Streams Head of Line Blocking Make protocols for today s internet

93 3

94

95

96

97 Thank-you People: Martin Thomson, Mark Nottingham, Jana Iyengar, Mike Bishop, Eric Rescola, Ian Swett

98

99

100

101 OSI Model 7. Application Data HTTP / IMAP 6. Data Presentation, Encryption SSL / TLS 5. Session and connection management - 4. Transport of packets and streams TCP / UDP 3. Routing and delivery of datagrams on the Network IP / IPSec 2. Local Data Connection Ethernet 1. Physical data connection (cables) CAT5

102 TLS / Handshake Cheat Sheet Handshake Flow Ciphers, Standards and Terms Client Hello Client sends TLS Version, Ciphersuites, Compression methods Server Hello, Certificate Key Exchange Method: creates the pre master secret. Premaster secret is combined with PRF to create master secret RSA, DHE_RSA, ECDHE_RSA, ECDHE_ECDSA - Server selects cipher & compression method - Server send certificate - Client authenticates Authentication Method: Uses public key crypto and certificates public key together. Once certificate is validated the client can used public key. RSA or ECDSA Certs: X.509, ASN.1 DER encoding. Key Exchange Pre-master secret exchanged between client & server, client validates certificate Master Secret Integrity Validation Encryption Master Secret Client & Server can compute Master Secret. Pre-master secret: combines params to help client and server create master secret. MAC Server verifies MAC, returns to client to verify also. PRF: Pseudorandom Function. Takes a secret, a seed, and a unique label. TLS1.2 suites use PRF based on HMAC and SHA256 3DES, AES, ARIA, CAMELLIA, RC4, and SEED [1] Steam: adds MAC [2] Block: adds IV and padding after encryption [3] Encryption (AEAD): encryption and integrity validation, using nonce, no padding, no IV. Finished Handshake complete. Authentication Master Secret: both server and client create this from pre-master secret to symmetrically encrypt Algorithm MAC: used for integrity validation in handshake and record. Strength Mode TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Key Exchange Cipher MAC or PRF

103 TLS Handshake [1] Client Hello Server Hello Certificate Server Key Exchange Server Hello Done [2] [3] [4] [5] [6] Client Key Exchange [7] (Change Cipher Spec) [8] Finished Cli-ant (Change Cipher Spec) [9] Finished [10] Ser-ver

104 TCP and TLS with Session Tickets TCP Fast Open Handshake [1] Client Hello Server Hello [2] (Change Cipher Spec) [3] Finished [4] [5] (Change Cipher Spec) [6] Finished Cli-ant Ser-ver

105

106 Transport Overhead

107 Min