F5 EMEA Webinar Oct'15: http2 how to ease the transition
- 1. HTTP/2: How to Ease the Transition
F5 EMEA Webinar, October 2015
- 2. © F5 Networks, Inc
No One Likes Slow
• 74% of users will leave a slow web site after just 5 seconds or less
• Every 100 ms delay costs Amazon 1% in sales
• Slow application: reduced productivity
- 3.
Things Are Not Getting Easier
• Mobile devices now account for 35% of global Internet traffic (chart: 2009 to 2015)
• The average web page has grown 3x since 2008, to 2.1MB, and is growing exponentially
• Radio = latency (figure comparing fiber, cable and LTE)
• 34% mostly use mobile Internet
- 4.
Addressing Performance Challenges
F5 survey shows growth in plans to deploy performance related services:

                2015   2016
  Compression    12%    21%
  Acceleration   12%    25%
  SSL offload     9%    21%
  Caching         9%    19%
- 5.
HTTP Timeline
1996: HTTP/1.0
• Static content
• Small objects
• Low number of objects
- 6.
HTTP Timeline (continued)
1999: HTTP/1.1
• Dynamic content
• Bigger objects
• More objects
- 7.
HTTP Timeline (continued)
2004: YouTube
• Video content
• User generated content
- 8.
HTTP/2 Timeline (continued)
2009: SPDY
• More objects
• Bigger objects
• Mobile devices
- 9.
HTTP/2 Timeline (continued)
2015: HTTP/2
- 10.
What Were the Issues with HTTP/1?
1 request = 1 connection
• Connection setup is expensive
• Inefficient when there are large numbers of objects on a page
• Mitigated in part with keep-alive
- 11.
What Were the Issues with HTTP/1?
No virtual host support
• Each site needs 1 IP address
• Inefficient use of addresses
• Multi-homing server limits (255 per server on Linux < 2.2 kernel)
- 12.
What Were the Issues with HTTP/1?
Primitive caching
• Cache invalidation used absolute times
• Clock skew caused problems
• Not explicit enough
- 13.
1996: HTTP/1.1
Caching
• Cache-control header
• Max-age directive
• Etag header
Persistent connections
• Default for all connections
• No keepalive messages
• Servers still have timeouts
Virtual hosts
• Host header now required
• Multiple sites per IP address
- 14.
What Are the Issues with HTTP/1.1?
Requests are blocking
• 1 connection can only process 1 request at a time
• A slow object blocks others from downloading
• Solution – multiple connections
- 15.
What Are the Issues with HTTP/1.1?
Header data: not that efficient
• Headers not compressed
• Header numbers and size increasing
- 16.
What Are the Issues with HTTP/1.1?
Workarounds can be counterproductive
• Multi-origin websites (HTML, .css and /images/ served from separate origins) cause clients to open up to 30 TCP connections
- 17.
2009: SPDY
Multiplexed requests
• Concurrent requests
• Single connection
• (More on this later)
Compressed headers
• Reduced header overhead
• Smaller page size
Requires TLS
• Enforced SSL security
• (Whether you want it or not)
- 18.
What Are the Issues with SPDY?
• Not a standard
• Forced secure connections (TLS)
• Maybe not as SPDY? (depending on who you listen to)
• Insecure compression
- 19.
2015: HTTP/2 is Here!
• Multiplexed requests
• "Safe" compression
• TLS optional*
• Stronger cryptography
*) Not in practice
- 20.
Multiplexed Requests
Request multiplexing is a major contributor to improved HTTP/2 performance
• Multiple outstanding requests per connection
• Uses a construct known as "streams"
• Max number of streams is configurable (ADC default is typically 10)
- 21.
HTTP/1.1 vs HTTP/2 (client and server exchange)
HTTP/1.1:
  Client: Hello
  Server: Hello
  Client: May I have a picture of a cat please?
  Server: Here is a cat
  Client: May I also have a picture of a dog?
  Server: Here is a dog
  Client: May I also have a picture of a turtle?
  Server: Here is a turtle
  Client: Thanks, bye
  Server: Bye
HTTP/2:
  Client: Hello
  Server: Hello
  Client: May I have a picture of a cat please? And another cat? And a dog?
  Server: Here is a cat
  Server: And a dog
  Client: May I also have a picture of a turtle?
  Server: Here is another cat
  Server: And a turtle
  Client: Thanks, bye
  Server: Bye
- 22.
HTTP/1.1
• 100 images
• 100 ms (added) latency
• Served from Microsoft Azure
• Page load 18 seconds
- 23.
HTTP/2
• 100 images
• 100 ms (added) latency
• Served from Microsoft Azure
• Page load 5 seconds
- 24.
Compression for Headers
Request 1                        Request 2
method      GET                  method      GET
scheme      HTTPS                scheme      HTTPS
host        F5.com               host        F5.com
path        /resource            path        /images
accept      image/jpeg           accept      image/jpeg
user-agent  Mozilla/5.0 …        user-agent  Mozilla/5.0 …

Stream 1 headers                 Stream 2 headers
method: GET                      method: GET
scheme: HTTPS                    scheme: HTTPS
host: f5.com                     host: f5.com
path: /resource                  path: /images
accept: image/jpg                accept: image/jpg
user-agent: Mozilla/…            user-agent: Mozilla/…

• Most headers are the same between requests
• Why send them every time?
• Just keep a header table on each side of the connection
• Update only what has changed in each stream
- 26.
Stronger Cryptography
Minimum requirements
• TLS 1.2 or newer required for HTTP/2
• Ephemeral keys only (forward secrecy)
• Prefer authenticated encryption modes like Galois/Counter Mode (GCM)
• Minimum key sizes: 128 bit EC, 2048 bit RSA
• TLS 1.2 still has vulnerabilities (e.g. CVE-2015-4000 aka "Logjam")
• Default ADC implementations mitigate most risks
- 27.
Browser Support for HTTP/2 (chart)
Source: "Can I use", http://caniuse.com/#search=http2
- 28.
Potential Barriers that Slow Adoption of HTTP/2
• The requirement that all application traffic be secured via TLS/SSL
• Incompatibility with current security infrastructure
• Lack of familiarity with the technology
• Low availability of HTTP/2 services
• Lack of back-end support
• Lack of backward compatibility with HTTP/1.x
Chart values (share of respondents): 19%, 28%, 29%, 31%, 31%, 41%
Source: IDG Enterprise Research
- 29.
HTTP/2 Impacts the Infrastructure
(Diagram: HTTP/2 client, then optimisation, security and reporting, then HTTP/2 server)
• Limited web server availability
• Little to no security infrastructure
• Little to no visibility and reporting
- 30.
HTTP/2 Gateway
(Diagram: HTTP/1.x client and HTTP/2 server either side of an ADC protocol gateway that provides security, optimisation and reporting; binary framing on one side, "GET /images/cat.jpg" on the other)
• Gain most of the performance benefits of HTTP/2
• Can service both HTTP/2 and non-HTTP/2 traffic
• Use HTTP/1.1 downstream of gateway
• Retain full visibility into traffic
• Don’t need to refresh infrastructure
- 31.
HTTP/2 Gateway (continued)
(Diagram: SPDY, HTTP/2 and HTTP/1.1 clients reach the ADC protocol gateway, which applies security, optimisation and reporting and forwards a plain "HTTP/1.1 GET /images/cat.jpg" to the HTTP/1.x server)
- 32.
Two Steps to Implement HTTP/2 Gateway
• HTTP/2 profile
• ADC with virtual server
That’s it... really!
- 34.
So It’s All Good?
HTTP/2: HTTP/1.1 bottleneck removed!
- 35.
What Do We All Know About Bottlenecks?
“As with all performance optimisation processes, the moment you remove one performance bottleneck, you unlock the next one. In the case of HTTP/2, TCP may be it. Which is why, once again, a well-tuned TCP stack on the server is such a critical optimisation criteria for HTTP/2.”
“High Performance Browser Networking” – Ilya Grigorik, O’Reilly Media
- 36.
We’re Only Moving the Bottleneck
(Diagram: TCP, with binary-framed HTTP/2 data queued behind it)
- 37.
TCP Inefficiencies Might Be the Next Bottleneck
Things to consider
• Congestion control
• Window sizing
• Multipath TCP
• High RTT and packet loss links (radio)
- 38.
Perhaps You Need a TCP Optimiser?
Know any good ones?
For RTT = 100 ms:
• TCP algorithm = Westwood+
• TCP window scale = 65,535 KB
For RTT = 1 ms:
• TCP algorithm = Highspeed
• TCP window scale = 1 MB
- 39.
Summary
Impact
• Binary protocol
• TCP optimisations required
• SSL offload essential
Performance
• Significant performance improvements
• Reduced header overhead
• Smaller page size
• Fully multiplexed connections
Opportunities
• Server push possibilities
• Leverage existing ADC
Editor's Notes
- http://www.webperformancetoday.com/2013/05/06/psychology-waiting-faster-online-checkout/
Does anyone like slow applications? 5 seconds is actually a long time.
- So: more mobile devices, over higher latency radio networks, loading larger web pages. Hmm, sounds like a recipe for application performance problems.
http://www.fiercewireless.com/special-reports/3g4g-wireless-network-latency-how-do-verizon-att-sprint-and-t-mobile-compar
http://techcrunch.com/2013/05/29/mary-meeker-2013-internet-trends/
http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/
- The dawn of a new era for human-kind….online cat videos!
- Today’s digital era has fundamentally changed the datacenter strategy. Yesterday’s approach, where apps were centrally managed under one infrastructure, datacenter boundaries provided protection, and IT staff ensured availability, performance, and security, can no longer support today’s dynamic application infrastructure.
The data center is evolving as more apps move to private and public cloud and traditional data center perimeters are blurred. CIOs want to maintain control as they seek greater agility and cost savings with cloud adoption, and DevOps is driving app orchestration and management outside of IT. These trends, coupled with new complexities—lack of integration across cloud vendors plus availability and security guarantees limited only to individual services and not the apps themselves—require a new data center strategy, one that is app-centric. An app-centric strategy enables IT to drive consistent delivery of services, regardless of deployment model. Focused at the app-level, IT can abstract away from the complexities of disparate cloud providers, gain insight into traffic data, and leverage existing skills and policies while enabling DevOps.
- Compression used DEFLATE, which is vulnerable to the CRIME exploit.
- HTTP/2 was developed by the IETF’s HTTP Working Group, which maintains the HTTP protocol. It’s made up of a number of HTTP implementers, users, network operators and HTTP experts.
- That’s a 350% improvement!
- Since HTTP has always been STATELESS, until now every connection has had to send EVERY header, because the client cannot assume that the server knows anything about it.
Operational ramification: new header compression means that caches and upstream infrastructure which act upon those headers will need to be able to speak HPACK.
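The shared header table from slide 24 and the HPACK point above, as an added example that is not part of the webinar or F5's code: a simplified Python model of the dynamic table that both ends of the connection keep in lockstep (no Huffman coding, static table or eviction), run over the slide's two requests with HTTP/2 pseudo-header names assumed.

```python
# Added example (not F5's code): simplified model of the HPACK header table
# (RFC 7541). Encoder and decoder keep identical dynamic tables; a field already
# in the table is sent as an index, anything else as a literal that both insert.
class HeaderTable:
    def __init__(self):
        self.entries = []  # (name, value) pairs; index 1 is the newest entry
    def index_of(self, name, value):
        for pos, entry in enumerate(reversed(self.entries), start=1):
            if entry == (name, value):
                return pos
        return None
    def add(self, name, value):
        self.entries.append((name, value))

def encode(table, headers):
    """Emit an index for fields the table already holds, else a literal."""
    block = []
    for name, value in headers:
        idx = table.index_of(name, value)
        block.append(("indexed", idx) if idx else ("literal", name, value))
        if idx is None:
            table.add(name, value)  # the decoder inserts the same entry
    return block

def decode(table, block):
    """Rebuild the header list; the table must mirror the encoder's."""
    headers = []
    for instr in block:
        if instr[0] == "literal":
            table.add(instr[1], instr[2])
        headers.append(table.entries[-instr[1]] if instr[0] == "indexed" else instr[1:])
    return headers

def wire_size(block):
    """Rough byte cost: 1 byte per index, name + value + 2 bytes per literal."""
    return sum(1 if i[0] == "indexed" else len(i[1]) + len(i[2]) + 2 for i in block)

# Constructed sample: slide 24's two requests (host becomes :authority); only :path differs.
REQUEST_1 = [(":method", "GET"), (":scheme", "https"), (":authority", "f5.com"),
             (":path", "/resource"), ("accept", "image/jpeg"), ("user-agent", "Mozilla/5.0")]
REQUEST_2 = [h if h[0] != ":path" else (":path", "/images") for h in REQUEST_1]

def demo():
    """Return (literals sent per request, approximate bytes per request)."""
    enc, dec = HeaderTable(), HeaderTable()
    literals, sizes = [], []
    for req in (REQUEST_1, REQUEST_2):
        block = encode(enc, req)
        assert decode(dec, block) == req  # the decoder recovers every header
        literals.append(sum(1 for i in block if i[0] == "literal"))
        sizes.append(wire_size(block))
    return literals, sizes
```

The second stream sends one literal (the changed path) and five one-byte indexes, which is the saving the slide describes; a middlebox that does not keep the same table cannot interpret those indexes, which is the operational point.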
- Important to remember that SSL/TLS is not a set-it-and-forget-it configuration. Practise good sec… always review TLS settings on a monthly or quarterly basis….
Remove unnecessary protocols (use your ADC or public websites such as SSL Pulse) to review whether you need to support old protocols
Use your ADC to remove weak ciphers, prefer stronger cipher suites and apply in-line protocol patching (if necessary)
Operational ramification: Upstream infrastructure (caches, load balancers, NGFW, access management) will be blinded by encryption and unable to perform their functions.
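Slide 26's minimum requirements and the review steps above, as an added Python example that is not F5's code: a server TLS context built to that policy (TLS 1.2 floor, ephemeral key exchange only, GCM suites, h2 offered via ALPN), plus an audit over the dicts that ssl.SSLContext.get_ciphers() returns. LEGACY_SAMPLE is constructed to show what a periodic review of an older configuration would flag.

```python
import ssl

# Added example (not F5's code): build a server context to slide 26's policy,
# then audit what OpenSSL actually enabled, as a monthly/quarterly review would.
# Field names in audit_ciphers follow ssl.SSLContext.get_ciphers() dicts.

HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5"  # forward secrecy + GCM only

def hardened_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # HTTP/2 needs TLS 1.2 or newer
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # browsers only speak h2 over TLS+ALPN
    return ctx

def is_ephemeral(cipher):
    """True when the suite uses (EC)DHE key exchange, i.e. offers forward secrecy."""
    kea = cipher.get("kea", "").lower()
    desc = cipher.get("description", "")
    return kea.endswith("dhe") or "Kx=ECDH" in desc or "Kx=DH " in desc

def audit_ciphers(ciphers):
    """Return the names of enabled TLS 1.2 suites that break the slide's policy."""
    bad = []
    for c in ciphers:
        if c.get("protocol") == "TLSv1.3":
            continue  # every TLS 1.3 suite is ephemeral and AEAD by design
        if not is_ephemeral(c) or not c.get("aead"):
            bad.append(c["name"])
    return bad

def review(ctx):
    """What a reviewer checks: version floor, enabled suite count, policy violations."""
    return {
        "tls12_floor": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
        "violations": audit_ciphers(ctx.get_ciphers()),
        "enabled": len(ctx.get_ciphers()),
    }

# Constructed entries in get_ciphers() shape: a legacy RSA-key-exchange CBC suite,
# an ephemeral but non-AEAD suite, and one suite that meets the policy.
LEGACY_SAMPLE = [
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa", "aead": False,
     "description": "AES128-SHA TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"},
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": False,
     "description": "ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": True,
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"},
]
```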
- So virtually all modern browsers already support HTTP/2. Some notes…
IE v11 only supports HTTP/2 on Windows 10
Some mobile browsers do NOT support HTTP/2 (e.g. Android Browser) but DO support SPDY, so ideally you want an ADC that can negotiate both HTTP/2 and SPDY
- We’ve already mentioned…
Regular inline tools (caches, reporting tools) will lose visibility since they don’t understand the binary protocol
May require changes to TCP profiles (idle timeouts, etc.)
Also important to recognise that HTTP/2 is BINARY. This alone makes HTTP/2 incompatible with HTTP/1.1. Any tool which uses HTTP/1.1 will be rendered useless.
- Translate HTTP/2 to HTTP/1.1
Translate binary to traditional ASCII
Decrypt TLS to clear text
Use your ADC to act as an HTTP/2, SPDY and possibly even IPv6 gateway
- TCP is the next bottleneck