A QUIC History of HTTP

Bri Hatch
Personal: Onsight, Inc, bri@ifokr.org
Work: ExtraHop Networks, bri@extrahop.com

Copyright 2019, Bri Hatch, Creative Commons BY-NC-SA License

Why we're here

In the beginning....

1989, Tim Berners-Lee at CERN "Mesh" proposal

Completed in 1990.
Servers outside CERN were serving HTTP by 1991.
alt.hypertext announcement 1991-08-06

HTTP/0.9

$ telnet www.aoeu.com 80
GET /lfnw-2019-http.html
<html>
    <head>
        <title>Hello, World</title>
    </head>
    <body>
        Hello, World!
    </body>
</html>
$

HTTP/0.9 (cont)

$ telnet www.aoeu.com 80
GET /lfnw-2019-http.txt
<html>
    <head>
        <title>Hello...
    </head>
    <body>
        Hello, World!
    </body>
</html>
$

URL: http://www.aoeu.com/lfnw-2019-http.txt

Scheme: HTTP
Host: www.aoeu.com
Port: 80
Path: /lfnw-2019-http.txt

HTTP Method: GET

HTTP Version: ????
Size of content: ????
Encoding of response: ????
Type of response content: ????
Success or failure: ????

HTTP/1.0

HTTP/1.0 Improvements:

  • HTTP Versioning
  • Non-HTML content
  • Status codes
  • Headers
  • More methods

RFC-1945, in 1996.

State of dialup 1996

  • 28.8k baud modems were fast
  • 1 Meg in ~4.7 minutes
  • interlaced gifs the norm

HTTP/1.0 (cont)

$ telnet www.aoeu.com 80
GET /lfnw-2019-http.html HTTP/1.0
User-Agent: NCSA Mosaic/1.0 (X11;SunOS 4.1.4 sun4m)
 
HTTP/1.0 200 OK
Server: NCSA/1.2 
Date: Tue, 19 Apr 1994 09:43:00 GMT
Content-Type: text/html
Content-Length: 119
Last-Modified: Wed, 21 Jan 1994 19:51:30 GMT

<html>
    <head>
        <title>Hello World!
...
$ 
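
The difference between the two sessions above can be checked mechanically. The following is an added example, not part of the original slides: it classifies a raw reply as HTTP/0.9 or HTTP/1.x and uses Content-Length to detect a body cut short. The sample replies are constructed and the function name is hypothetical.

```python
# Added example (not from the original slides): tell an HTTP/0.9 reply from an
# HTTP/1.x one and extract the metadata that only the latter carries.

def parse_response(raw: bytes) -> dict:
    if not raw.startswith(b"HTTP/"):
        # HTTP/0.9: the reply is the document and nothing else, so version,
        # status, type and size are all unknown to the client.
        return {"version": "0.9", "status": None, "headers": {},
                "body": raw, "length_ok": None}
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("truncated response: headers never end")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    declared = headers.get("content-length")
    if declared is not None and not declared.isdigit():
        raise ValueError("non-numeric Content-Length: %r" % declared)
    # With a declared length the client can detect a body cut short in transit.
    length_ok = None if declared is None else int(declared) == len(body)
    return {"version": parts[0][5:], "status": int(parts[1]),
            "headers": headers, "body": body, "length_ok": length_ok}

# Constructed sample data modelled on the sessions above.
BODY = b"<html><head><title>Hello, World</title></head></html>\n"
HTTP09 = BODY
HTTP10 = (b"HTTP/1.0 200 OK\r\nServer: NCSA/1.2\r\nContent-Type: text/html\r\n"
          b"Content-Length: %d\r\n\r\n" % len(BODY)) + BODY
TRUNCATED = HTTP10[:-10]

if __name__ == "__main__":
    for label, raw in (("0.9", HTTP09), ("1.0", HTTP10), ("cut", TRUNCATED)):
        r = parse_response(raw)
        print(label, r["version"], r["status"], r["length_ok"])
```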

HTTP/1.0 Response Codes

Response codes!

200: OK
201: Created
202: Accepted
204: No Content
301: Moved Permanently
302: Moved Temporarily
304: Not Modified

400: Bad Request
401: Unauthorized
403: Forbidden
404: Not Found
500: Internal Server Error
501: Not Implemented
502: Bad Gateway
503: Service Unavailable

Bring me his Head(ers)!

Browsers and servers can now convey more than just content!
  • Content metadata
  • Early caching capabilities

Request Headers (HTTP/1.0)

Accept
Accept-{Charset,Encoding,Language}
Authorization
Content-Language
From
If-Modified-Since
Referer
User-Agent

Response Headers (HTTP/1.0)

Allow
Content-Encoding
Content-Language
Content-Length
Content-Type
Expires
Last-Modified
Link
Location
Retry-After
Server
WWW-Authenticate

HTTP/1.0 HEAD Method

$ telnet www.aoeu.com 80
HEAD /really-big-image.gif HTTP/1.0
User-Agent: NCSA Mosaic/1.0 (X11;SunOS 4.1.4 sun4m)

HTTP/1.0 200 OK
Server: NCSA/1.2 
Date: Tue, 19 Apr 1994 09:43:00 GMT
Content-Type: image/gif
Content-Length: 1769082
$

HTTP/1.0 POST Method

$ telnet www.aoeu.com 80
POST /cgi-bin/jj.cgi HTTP/1.0
User-Agent: NCSA Mosaic/1.0 (X11;SunOS 4.1.4 sun4m)
Content-Length: 72
Content-Type: application/x-www-form-urlencoded

pwd=foo&sub=Big+John+Gourmet+Sub....
 
HTTP/1.0 200 OK
<html>
    <head>
        <TITLE>Order Sent</TITLE>
...
 

What about state?

Cookies aren't part of the HTTP specifications!

# Before cookies (~1994/1996)
GET /forum/cats/?cid=92b135196c47afaa8496a64ab64aa8b2


# After cookies
GET /forum/cats/
Cookie: cid=92b135196c47afaa8496a64ab64aa8b2

Server: NCSA/1.2 
Date: Tue, 19 Apr 1994 09:43:00 GMT
Set-Cookie: cid=df83af441843aaf15b83ebec82fb2c5a

SSL

SSL - Secure Sockets Layer

Protocol developed at Netscape
SSLv2, Nov 1994
SSLv3, Nov 1995, RFC-6101 (eventually)
SSLeay 1995
OpenSSL fork, 1998
TLS 1.0 - 1999; TLS 1.1 - 2006; TLS 1.2 - 2008; TLS 1.3 - 2018

# Then
$ (echo "GET /"; echo) | ssleay s_client -host www.aoeu.com -port 443 

# Now
$ printf "GET /\n\n"  | openssl s_client -connect www.aoeu.com:443 

OSI Model

Open Systems Interconnection Model

Application Layer
Presentation Layer
Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer

OSI Model (ideal)

Open Systems Interconnection Model (ideal)

Application Layer
Presentation Layer
Session Layer
Transport Layer: TCP, UDP (source, dest, ports, etc)
Network Layer: IP
Data Link Layer: Ethernet frames, Token Ring, etc
Physical Layer: Electrons+Copper, Photons+Fiber, RF, etc

Internet Model (Accurate)

Application Layer: Everything Else
Presentation Layer
Session Layer
Transport Layer: TCP, UDP (source, dest, ports, etc)
Network Layer: IP
Data Link Layer: Ethernet frames, Token Ring, etc
Physical Layer: Electrons+Copper, Photons+Fiber, RF, etc

HTTP Reality

Content
TLS/SSL (hopefully)
TCP
IP
Ethernet
Physical Layer

HTTP/1.1

Standardized in 1997, RFC-2068

Improvements

  • Improved cache control
  • Range requests
  • HTTP Proxy Support
  • Content Negotiation
  • Content Chunking
  • Connection Reuse
  • Pipelining
  • Compression
  • Host header

Methods in HTTP/1.1

    GET
    HEAD
    POST
    DELETE
    PUT
    PATCH

    LINK
    UNLINK
    CONNECT
    OPTIONS
    TRACE
    

Methods in HTTP/1.1 (cont)

    GET
    HEAD
    POST
    DELETE
    PUT
    PATCH
    

REST - Representational State Transfer (2000) supplants SOAP

XMLHttpRequest enables AJAX (OWA 1999, Gmail 2004)

Connection Reuse (HTTP/1.1)

GET /first/item HTTP/1.1
REQUEST HEADERS

RESPONSE HEADERS
RESPONSE CONTENT
GET /second/item HTTP/1.1
REQUEST HEADERS

RESPONSE HEADERS
RESPONSE CONTENT
GET /third/item HTTP/1.1
...

  • Avoided TCP session establishment overhead
  • Browsers still had hard-coded limit of concurrent connections

Pipelining (HTTP/1.1)

GET /first/item HTTP/1.1
FIRST REQUEST HEADERS
GET /second/item HTTP/1.1
SECOND REQUEST HEADERS

FIRST RESPONSE HEADERS
FIRST RESPONSE CONTENT
SECOND RESPONSE HEADERS
SECOND RESPONSE CONTENT
GET /third/item HTTP/1.1
THIRD REQUEST HEADERS
...

But pipelining may not be supported by the server, in which case the requests would need to be retried.
Only safe for idempotent requests.

HTTP/2

  • Introduced 2015, RFC-7540, based on Google's SPDY (2009) experimental protocol
  • Stream (response) multiplexing, non-ordered, via binary framing layer
  • Stream prioritization
  • Gratuitous responses (Promises)
  • Header compression
  • Improves "head of line blocking" problem

HTTP/2.0 Frames

Frame header is 9 bytes in length

  • Bytes 0-2: Frame Length
  • Byte 3: Frame Type
  • Byte 4: Flags
  • Byte 5-7: Stream ID (plus a reserved bit)
  • Remaining bytes: payload

Frame types include DATA, HEADERS, RST_STREAM, PUSH_PROMISE, GOAWAY
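
A parser for this frame header, as an added example that is not part of the original slides. It follows RFC 7540, which gives the stream identifier four bytes (5-8: one reserved bit plus 31 bits), bringing the header to 9 bytes, and it rejects frames whose declared length exceeds the default maximum of 16384. The sample bytes are constructed and the function names are hypothetical.

```python
import struct

# Type codes from RFC 7540 section 6; the slide lists a subset of these names.
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM",
               4: "SETTINGS", 5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY",
               8: "WINDOW_UPDATE", 9: "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 16384  # initial SETTINGS_MAX_FRAME_SIZE in RFC 7540
HEADER_LEN = 9

def build_frame(ftype, flags, stream_id, payload=b""):
    """Helper for the constructed samples: serialize one frame."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte string into frames, rejecting oversized or truncated ones."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER_LEN:
            raise ValueError("truncated frame header at offset %d" % off)
        hi, lo, ftype, flags, stream = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        # Check the declared length before trusting it to size anything.
        if length > max_frame_size:
            raise ValueError("FRAME_SIZE_ERROR: %d > %d" % (length, max_frame_size))
        payload = buf[off + HEADER_LEN: off + HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated payload at offset %d" % off)
        frames.append({"type": FRAME_TYPES.get(ftype, "UNKNOWN(0x%02x)" % ftype),
                       "flags": flags,
                       "stream": stream & 0x7FFFFFFF,  # ignore the reserved bit
                       "payload": payload})
        off += HEADER_LEN + length
    return frames

# Constructed sample: frames from three streams interleaved on one connection.
SAMPLE = (build_frame(0, 0x0, 1, b"hello")
          + build_frame(1, 0x4, 3, b"\x82")
          + build_frame(0, 0x1, 5))

if __name__ == "__main__":
    for f in parse_frames(SAMPLE):
        print(f["stream"], f["type"], len(f["payload"]))
```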

HTTP/2 Multiplexing

Client <- [Stream 1 data] [Stream 3 headers] [Stream 5 data] [Stream 2 headers] [Stream 3 data] [Stream 3 data] <- Server
Client -> [Stream 7 headers] -> Server

HTTP/2 Compatibility

Binary framing doesn't play well with <= HTTP/1.1 servers.

Solution: upgrade from HTTP/1.1, or use TLS

    GET /index.html HTTP/1.1
    Connection: Upgrade, HTTP2-Settings
    Upgrade: h2c 
    NORMAL_HEADERS_HERE
    HTTP2-Settings: <base64 headers settings blob>
    
    HTTP/1.1 101 Switching Protocols 
    Connection: Upgrade
    Upgrade: h2c
    ...

HTTP/2 Results

  • Head of line problem (mostly) eliminated
  • Browsers use just one TCP socket
  • Best we can do?

HTTP/3

  • Based on QUIC (Google 2012)
  • Agreed to become HTTP/3 Nov 2018, but still in RFC draft
  • Solves head of line problem

Solving HOL? (HTTP/3)

So how did they solve the HOL problem?

HTTP over UDP

  • Not stream-oriented - no guaranteed packet order
  • Must re-implement retransmissions, congestion control, and other TCP features
  • Existing protocols like SCTP, TCP Fast Open insufficient

QUIC vs HTTP/3

The Google QUIC protocol is now called gQUIC

QUIC is the generic secure UDP transport.

HTTP/3 is HTTP over QUIC.

HTTP/3 Features

  • TLS required
  • All advantages of HTTP/2 multiplexing, prioritization, etc
  • Similar frame types (DATA, HEADERS, GOAWAY...)
  • Fast handshake (0-RTT, 1-RTT)
  • 62-bit stream ID supports IP roaming!

HTTP/3 Standard

Latest draft: 2019-04-23
Draft expires: 2019-10-25

https://tools.ietf.org/html/draft-ietf-quic-http-20

Thanks!

Presentation: https://www.ifokr.org/bri/presentations/lfnw-2019-http/
