f5 emea webinar oct'15: http2 how to ease the transition

HTTP/2: How to Ease the TransitionF5 EMEA Webinar October 2015

PresenterTitle

© F5 Networks, Inc 2

74% of users will leave a slow web site after just

5 seconds or less

Every 100 ms delay costs Amazon 1% in

sales

No one Likes Slow

Slow application: Reduced productivity


Things Are Not Getting Easier

Mobile devices of globalnow account for Internet traffic 35%

2009 2010 2011 2012 2013 20150

10203040

The average web page has grown since 2008 3x 2.1MB

Growing exponentially

Radio = Latency

FiberCable

LTE 34% Mostly use mobile Internet


2015 2016

COMPRESSION12% 21%

ACCELERATION12% 25%

SSL OFFLOAD 9% 21%

CACHING 9% 19%

Addressing Performance ChallengesF5 survey shows growth in plans to deploy performance related services


1996

HTTP/1.0

• Static content• Small objects • Low number of objects

HTTP Timeline


1996

HTTP/1.0

1999

HTTP/1.1

• Dynamic content• Bigger objects• More objects

HTTP Timeline


1996

HTTP/1.0

1999

HTTP/1.1

2004

YouTube

• Video content• User generated content

Hey Nice Cat!

His name is Mittens.

HTTP Timeline


1996

HTTP/1.0

1999

HTTP/1.1

2004

YouTube

2009

SPDY

• More objects• Bigger objects• Mobile devices

HTTP/2 Timeline


1996

HTTP/1.0

1999

HTTP/1.1

2004

YouTube

2009

SPDY

2015

HTTP/2

HTTP/2 Timeline


1 request = 1 connection

• Connection setup is expensive

• Inefficient when large numbers of objects on page

• Mitigated in part with keep-alive

What Were the Issues with HTTP/1?


www.cats.com

www.dogs.com

?


No virtual host support

• Each site needs 1 IP address

• Inefficient use of addresses

• Multi homing server limits (255 per server on Linux < 2.2 kernel)



Primitive caching

• Cache invalidation used absolute times

• Clock skew caused problems

• Not explicit enough


1996: HTTP/1.1

• Cache-control header

• Max-age directive

• Etag header

• Default = all connections

• No keepalive messages

• Servers still have timeouts

CACHING PERSISTENT CONNECTIONS

VIRTUAL HOSTS

• Host header now required

• Multiple sites 1 IP address


What Are the Issues with HTTP/1.1?

Requests are blocking

• 1 connection can only process 1 request at a time

• Slow object blocks others downloading

• Solution – multiple connections


meowmewomeowmeowmeowmeowmeowmeowmeoMeowmewomeowmeowmeowmeowmeowmeowmeomeowmewomeowmeowmeowmeowmeowmeowmeoMeowmewomeowmeowmeowmeowmeowmeowmeomeowmewomeowmeowmeowmeowmeowmeowmeoMeowmewmeowmewomeowmeowmeowmeowmeowmeowmeoMeowmewomeowmeowmeowmeowmeowmeowmeomeowmewomeowmeowmeowmeowmeowmeowmeoMeowmewomeowmeowmeowmeowmeowmeowmeomeowmewomeowmeowmeowmeowmeowmeowmeoMeowmewomeowmeowmeowmeowmeowmeowmewoofmeow

Header Data

Not that efficient

• Headers not compressed

• Header numbers and size increasing



Workarounds can be counter productive

• Multi-origin websites cause clients to open up to 30 TCP connections


.css

/images/

HTML


2009: SPDY

• Concurrent requests

• Single connection

• (More on this later)

• Reduced header overhead

• Smaller page size

Multiplexed Requests Compressed Headers Requires TLS

• Enforced SSL security

• (Whether you want it or not)


What Are the Issues with SPDY?

• Not a standard

• Forced secure connections (TLS)

• Maybe not as SPDY? (depending on who you listen to)

• Insecure compression


• Multiplexed requests

• "Safe" compression

• TLS optional*

• Stronger cryptography

2015: HTTP/2 is Here!

*) Not in practice


Request Multiplexing is a major contributor to improved HTTP/2 performance

• Multiple outstanding requests per connection

• Uses a construct known as "streams"

• Max number of streams is configurable (ADC default is typically 10)

Multiplexed Requests


Hello

Hello

May I have a picture of a cat please?

Here is a cat

May I also have a picture of a dog?

Here is a dog

May I also have a picture of a turtle?

Here is a turtle

Thanks, bye

Bye

Hello

Hello

May I have a picture of a cat please?And another cat?And a dog?

Here is a catAnd a dog

May I also have a picture of a turtle?.

Here is another catAnd a turtle

Thanks, bye

Bye

HTTP/1.1 HTTP/2


• 100 images

• 100 ms (added) latency

• Served from Microsoft Azure

• Page load 18 seconds

HTTP/1.1


• 100 images

• 100 ms (added) latency

• Served from Microsoft Azure

• Page load 5 seconds

HTTP/2


method GET

scheme HTTPS

host F5.com

path /resource

accept image/jpeg

user-agent Mozilla/5.0 …

method GET

scheme HTTPS

host F5.com

path /images

accept image/jpeg

user-agent Mozilla/5.0 …

Request 1 Request 2

method: Getscheme: HTTPShost: f5.compath: /resourceaccept: image/jpguser-agent: Mozilla/….

Stream 1 headers Method: GetScheme: HTTPSHost: f5.compath: /imagesAccept: image/jpgUser-agent: Mozilla/….

Stream 2 headers

• Most headers are the same between requests

• Why send them every time?

• Just keep a header table on each side of the connection

• Update only what has changed in each stream

Compression for Headers


TLS is Not Mandatory. But it is Really.


• Minimum requirements• TLS 1.2 or newer required for HTTP/2• Ephemeral keys only (forward secrecy)• Prefer authenticated encryption modes like Galois/Counter Mode (GCM)• Minimal key sizes 128 bit EC, 2048 bit RSA

• TLS 1.2 still has vulnerabilities (e.g. CVE-2015-4000 aka "Logjam")

• Default ADC implementations mitigate most risks

Stronger Cryptography


Browser Support for HTTP/2

Source: "Can I use", http://caniuse.com/#search=http2


The requirement that all application traffic be secured via TLS/SSL

Incompatibility with current security infrastructure

Lack of familiarity with the technology

Low availability of HTTP/2 services

Lack of back-end support

Lack of backward compatibility with HTTP/1.x

19%

28%

29%

31%

31%

41%

Potential Barriers that Slow Adoption of HTTP/2

Source: IDG Enterprise Research


01101101 01100101 01101111 01110111

Optimisation

Security Reporting

HTTP/2

Client

HTTP/2

Server

• Limited web server availability

• Little to no security infrastructure

• Little to no visibility and reporting

HTTP/2 Impacts the Infrastructure


01101101 01100101

HTTP/1.x

Client

HTTP/2

Server

ADC

ProtocolGateways GET /images/cat.jpg

Security

Optim

isation

Reporting

• Gain most of the performance benefits of HTTP/2

• Can service both HTTP/2 and non HTTP/2 traffic

• Use HTTP/1.1 downstream of gateway

• Retain full visibility into traffic

• Don’t need to refresh infrastructure

HTTP/2 Gateway


01101101 01100101

HTTP/1.x

Server

ADC

GET /images/cat.jpg

• Gain most of the performance benefits of HTTP/2

• Can service both HTTP/2 and non HTTP/2 traffic

• Use HTTP/1.1 downstream of gateway

• Retain full visibility into traffic

• Don’t need to refresh infrastructure

HTTP/2 Gateway

01101101 01100101

GET /images/cat.jpg

ProtocolGateways

SPDY

HTTP/2

HTTP/1.1

HTTP/1.1 GET /images/cat.jpg

Security

Optim

isation

Reporting


Two Steps to Implement HTTP/2 Gateway

That’s it... really!

HTTP/2 Profile ADC with Virtual Server


HTTP/1.1

So It’s All Good?


HTTP/2

HTTP/1.1 bottleneck removed!

So It’s All Good?


“As with all performance optimisation processes, the moment you remove one performance bottleneck, you

unlock the next one. In the case of HTTP/2, TCP may be it. Which is why, once again, a well-tuned TCP stack on the server is such a critical optimisation criteria for HTTP/2.”

“High Performance Browser Networking” – Ilya Grigorik, O’Reilly Media

What Do We All Know About Bottlenecks?


TCP

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 0000101001100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 000011 0100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 000 00 00001101 00001010 01100011 01100001 01110100 00001101 00001010

We’re Only Moving the Bottleneck

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00 100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001 10100 00001101 00001010 01100011 01100001 01110100 00001101 00001010

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 1110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010


TCP Inefficiencies Might Be the Next Bottleneck

Things to consider

• Congestion control

• Window sizing

• Multipath TCP

• High RTT and packet loss links (radio)


00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011

01100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 0000101001100011 01100001 01110100 00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011 0

00001101 00001010 01100011 01100001 01110100 00001101 00001010 01100011

Know any good ones?

Perhaps You Need a TCP Optimiser?

RTT = 100 msTCP algorithm = Westwood+

TCP window scale = 65,535 KB

RTT = 1 msTCP algorithm = HighspeedTCP window scale = 1 MB


Summary

• Binary protocol

• TCP optimisations required

• SSL offload essential

• Significant performance improvements

• Reduced header overhead

• Smaller page size

• Fully multiplexed connections

Impact Performance Opportunities

• Server push possibilities

• Leverage existing ADC

f5 emea webinar oct'15: http2 how to ease the transition

Technology