A REALLY QUIC History of HTTP

Bri Hatch
Personal: Onsight, Inc, bri@ifokr.org
Work: ExtraHop Networks, bri@extrahop.com

Copyright 2019, Bri Hatch, Creative Commons BY-NC-SA License

HTTP/0.9

1990 at CERN, 1991 elsewhere

$ telnet www.aoeu.com 80
GET /hello.html
<html>
    <head>
        <title>Hello...
    </head>
    <body>
        Hello, World!
    </body>
</html>
$
URL: http://www.aoeu.com/hello.html

Scheme: HTTP
Host: www.aoeu.com
Port: 80
Path: /hello.html

HTTP Method: GET

HTTP/0.9 (cont)

1990 at CERN, 1991 elsewhere

$ telnet www.aoeu.com 80
GET /hello.html
<html>
    <head>
        <title>Hello...
    </head>
    <body>
        Hello, World!
    </body>
</html>
$
HTTP Version: ????
Size of content: ????
Encoding of response: ????
Type of response content: ????
Success or failure: ????

HTTP/1.0

HTTP/1.0 Improvements:

RFC-1945, in 1996.

State of dialup 1996

Ref: codinghorror.com. Note: not actually an interlaced gif

HTTP/1.0 (cont)

$ telnet www.aoeu.com 80
GET /seagl-2019-http.html HTTP/1.0
User-Agent: NCSA Mosaic/1.0 (X11;SunOS 4.1.4 sun4m)
 
HTTP/1.0 200 OK
Server: NCSA/1.2 
Date: Tue, 19 Apr 1994 09:43:00 GMT
Content-Type: text/html
Content-Length: 119
Last-Modified: Wed, 21 Jan 1994 19:51:30 GMT

<html>
    <head>
        <title>Hello World!
...
$ 

HTTP/1.0 Response Codes

Response codes!
200: OK
201: Created
202: Accepted
204: No Content
301: Moved Permanently
302: Moved Temporarily
304: Not Modified

400: Bad Request
401: Unauthorized
403: Forbidden
404: Not Found
500: Internal Server Error
501: Not Implemented
502: Bad Gateway
503: Service Unavailable

Bring me his Head(ers)!

Browsers and servers can now convey more than just content!
Request Headers:
  Accept, Accept-Charset, Accept-Encoding, Accept-Language, Authorization,
  Content-Language, From, If-Modified-Since, Referer, User-Agent

Response Headers:
  Allow, Content-Encoding, Content-Language, Content-Length, Content-Type,
  Expires, Last-Modified, Link, Location, Retry-After, Server, WWW-Authenticate

HTTP/1.0 HEAD Method

$ telnet www.aoeu.com 80
HEAD /really-big-image.gif HTTP/1.0
User-Agent: NCSA Mosaic/1.0 (X11;SunOS 4.1.4 sun4m)

HTTP/1.0 200 OK
Server: NCSA/1.2 
Date: Tue, 19 Apr 1994 09:43:00 GMT
Content-Type: image/gif
Content-Length: 1769082
Last-Modified: Wed, 21 Jan 1994 19:51:30 GMT
$

HTTP/1.0 POST Method

$ telnet www.aoeu.com 80
POST /cgi-bin/jj.cgi HTTP/1.0
User-Agent: NCSA Mosaic/1.0 (X11;SunOS 4.1.4 sun4m)
Content-Length: 72
Content-Type: application/x-www-form-urlencoded

pwd=foo&sub=Big+John+Gourmet+Sub....
 
HTTP/1.0 200 OK
<html>
    <head>
        <TITLE>Order Sent</TITLE>
...
 

SSL/TLS

SSL - Secure Sockets Layer
TLS - Transport Layer Security

Protocol developed at Netscape
SSLv2, Nov 1994
SSLv3, Nov 1995, RFC-6101 (eventually)
SSLeay 1995
OpenSSL fork, 1998
TLS 1.0 - 1999; TLS 1.1 - 2006; TLS 1.2 - 2008; TLS 1.3 - 2018

$ printf "GET /\n\n"  |  \
    openssl s_client -connect www.aoeu.com:443 

HTTP Stack

  L?+1  HTTP (Headers/Content/etc)
  L?    TLS/SSL (hopefully!)
  L4    TCP
  L3    IP
  L2    Ethernet
  L1    Physical Layer

HTTP/1.1

Standardized in 1997, RFC-2068

Improvements

  • Improved cache control
  • Range requests
  • HTTP Proxy Support
  • Content Negotiation
  • Content Chunking
  • Connection Reuse
  • Pipelining
  • Compression
  • Host header

Methods in HTTP/1.1

GET HEAD POST DELETE PUT PATCH LINK UNLINK CONNECT OPTIONS TRACE
REST - Representational State Transfer (2000) supplants SOAP

XMLHttpRequest enables AJAX (OWA 1999, Gmail 2004)

Connection Reuse (HTTP/1.1)

GET /first/item HTTP/1.1
REQUEST HEADERS

RESPONSE HEADERS
RESPONSE CONTENT
GET /second/item HTTP/1.1
REQUEST HEADERS

RESPONSE HEADERS
RESPONSE CONTENT
GET /third/item HTTP/1.1
...

  • Avoided TCP session establishment overhead
  • Browsers still had hard-coded limit of concurrent connections

Pipelining (HTTP/1.1)

GET /first/item HTTP/1.1
FIRST REQUEST HEADERS
GET /second/item HTTP/1.1
SECOND REQUEST HEADERS

FIRST RESPONSE HEADERS
FIRST RESPONSE CONTENT
SECOND RESPONSE HEADERS
SECOND RESPONSE CONTENT
GET /third/item HTTP/1.1
THIRD REQUEST HEADERS
...

But may not be supported by server - would need to be retried.
Only safe on idempotent requests.
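Connection reuse and pipelining only work because HTTP/1.1 responses are self-delimiting. The following added example (not code from the talk) frames a pipelined byte stream into individual responses using Content-Length and chunked transfer-coding; the sample stream is constructed for the demonstration.

```python
# Added example, not from the talk: frame the responses sharing one reused or
# pipelined HTTP/1.1 connection. Content-Length or chunked transfer-coding is
# what tells the client where one response ends and the next begins.

def parse_head(raw: bytes):
    """Split 'status line + headers' into (version, status_code, headers)."""
    lines = raw.decode("latin-1").split("\r\n")
    version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, int(status), headers

def read_chunked(buf: bytes, pos: int):
    """Decode a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        end = buf.index(b"\r\n", pos)
        size = int(buf[pos:end].split(b";")[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:  # last chunk: skip optional trailers up to the blank line
            return body, buf.index(b"\r\n\r\n", pos - 2) + 4
        body += buf[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF

def split_responses(stream: bytes):
    """Return [(status_code, headers, body), ...] for every response in stream."""
    responses, pos = [], 0
    while pos < len(stream):
        sep = stream.index(b"\r\n\r\n", pos)
        _version, status, headers = parse_head(stream[pos:sep])
        pos = sep + 4
        if "content-length" in headers and "transfer-encoding" in headers:
            raise ValueError("ambiguous framing: both Content-Length and Transfer-Encoding")
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = read_chunked(stream, pos)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[pos:pos + length], pos + length
        responses.append((status, headers, body))
    return responses

# Constructed sample: three pipelined responses arriving back to back.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nfirst"
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n3\r\nsec\r\n3\r\nond\r\n0\r\n\r\n"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
)
```

A message carrying both framing headers is rejected rather than guessed at, since two parsers disagreeing on where a message ends is exactly what breaks on a shared connection.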

HTTP/2

  • Introduced 2015, RFC-7540, based on Google's SPDY (2009) experimental protocol
  • Stream (response) multiplexing, non-ordered, via binary framing layer
  • Stream prioritization
  • Gratuitous responses (Promises)
  • Header compression
  • Improves "head of line blocking" problem

HTTP/2 Multiplexing

Client <----- Server:
  Stream 11: response data
  Stream 3:  response headers
  Stream 5:  response data
  Stream 2:  response headers
  Stream 3:  response data
  Stream 3:  response data

Client -----> Server:
  Stream 7:  request headers

HTTP/2 Compatibility

Binary framing doesn't play well with <= HTTP/1.1 servers.

Solution: upgrade from HTTP/1.1, or use TLS

    GET /index.html HTTP/1.1
    Connection: Upgrade, HTTP2-Settings
    Upgrade: h2c 
    NORMAL_HEADERS_HERE
    HTTP2-Settings: <base64 headers settings blob>
    
    HTTP/1.1 101 Switching Protocols 
    Connection: Upgrade
    Upgrade: h2c
    ...
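To make the h2c Upgrade and the multiplexing slide concrete, this added example (not code from the talk) builds the HTTP2-Settings value that the Upgrade request carries and walks the 9-byte binary frame headers that let several streams interleave on one TCP connection. The frame payloads are constructed placeholders, not real HPACK.

```python
# Added example, not from the talk: build the HTTP2-Settings value an h2c Upgrade
# request carries (a SETTINGS payload, base64url without padding) and walk the
# 9-byte binary frame headers that let streams interleave on one connection.
import base64
import struct

SETTINGS_IDS = {"HEADER_TABLE_SIZE": 0x1, "ENABLE_PUSH": 0x2,
                "MAX_CONCURRENT_STREAMS": 0x3, "INITIAL_WINDOW_SIZE": 0x4,
                "MAX_FRAME_SIZE": 0x5, "MAX_HEADER_LIST_SIZE": 0x6}
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE"}

def http2_settings_header(settings: dict) -> str:
    """Each setting is a 16-bit identifier + 32-bit value; base64url, no '=' pad."""
    payload = b"".join(struct.pack("!HI", SETTINGS_IDS[k], v)
                       for k, v in settings.items())
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")

def decode_http2_settings(value: str) -> dict:
    """Inverse: restore the padding, decode, unpack the (id, value) pairs."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    names = {v: k for k, v in SETTINGS_IDS.items()}
    return {names.get(i, i): v for i, v in struct.iter_unpack("!HI", raw)}

def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(data: bytes):
    """Return [(stream_id, type_name, flags, payload), ...] from a raw h2 stream."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        frames.append((stream_id, FRAME_TYPES.get(ftype, ftype), flags, payload))
        pos += 9 + length
    return frames

# Constructed sample mirroring the multiplexing slide: frames of streams 3 and 5
# interleaved on one TCP connection (payloads are placeholders, not real HPACK).
SAMPLE_STREAM = (frame(0x1, 0x4, 3, b"hdrs3") + frame(0x0, 0x0, 5, b"data5")
                 + frame(0x0, 0x1, 3, b"data3"))
```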

HTTP/2 Results

  • Head of line problem (mostly) eliminated
  • Browsers use just one TCP socket
  • Best we can do?

HTTP/3

  • Based on gQUIC (Google 2012)
  • Agreed to become HTTP/3 Nov 2018, but still in RFC draft
  • Latest update: Nov 4, 2019
  • Available in Chrome canary, Firefox nightly, libcurl, others
  • Solves head of line problem

Solving HOL? (HTTP/3)

So how did they solve the HOL problem?

HTTP over UDP

  • Not stream-oriented - no guaranteed packet order
  • Must re-implement retransmissions, congestion control, and other TCP features
  • Existing protocols like SCTP, TCP Fast Open insufficient

QUIC: generic secure UDP transport.
HTTP/3: is HTTP over QUIC.

HTTP/3 Features

  • TLS required
  • All advantages of HTTP/2 multiplexing, prioritization, etc
  • Fast handshake (0-RTT, 1-RTT)
  • IP roaming via 62-bit stream ID!
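The 62-bit IDs come from QUIC's variable-length integer encoding. This added example (not code from the talk) encodes and decodes that format and reads the two low bits of a stream ID that say who opened the stream and in which direction; the wire value at the end is constructed.

```python
# Added example, not from the talk: QUIC variable-length integers, the encoding
# behind 62-bit stream IDs and most other QUIC fields. The top two bits of the
# first byte give the total length: 00 = 1, 01 = 2, 10 = 4, 11 = 8 bytes.

def encode_varint(value: int) -> bytes:
    """Pick the shortest of the four widths that can hold value."""
    if not 0 <= value < 1 << 62:
        raise ValueError("QUIC varints hold at most 62 bits")
    for prefix, length in ((0b00, 1), (0b01, 2), (0b10, 4), (0b11, 8)):
        if value < 1 << (8 * length - 2):
            return ((prefix << (8 * length - 2)) | value).to_bytes(length, "big")

def decode_varint(data: bytes, pos: int = 0):
    """Return (value, position just after the integer); reject truncated input."""
    length = 1 << (data[pos] >> 6)
    if pos + length > len(data):
        raise ValueError("truncated varint")
    raw = int.from_bytes(data[pos:pos + length], "big")
    return raw & ((1 << (8 * length - 2)) - 1), pos + length

def describe_stream_id(stream_id: int) -> dict:
    """The low two bits of a stream ID say who opened it and in which direction."""
    return {"initiator": "server" if stream_id & 0x1 else "client",
            "direction": "unidirectional" if stream_id & 0x2 else "bidirectional",
            "sequence": stream_id >> 2}

# Constructed: the largest possible stream ID (2**62 - 1) as it appears on the wire.
WIRE = encode_varint(4611686018427387903)
```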

HTTP/3 Standard

HTTP/3 Standard

Latest draft: 2019-11-04
Draft expires: 2020-05-07

https://tools.ietf.org/html/draft-ietf-quic-http-24

Thanks!

Presentation: https://www.ifokr.org/bri/presentations/seagl-2019-http/

Longer version: https://www.ifokr.org/bri/presentations/lfnw-2019-http/
