F5 EMEA Webinar Oct'15: http2 how to ease the transition
HTTP/2: How to Ease the Transition
F5 EMEA Webinar, October 2015
© F5 Networks, Inc 2
No One Likes Slow
• 74% of users will leave a slow web site after just 5 seconds or less
• Every 100 ms delay costs Amazon 1% in sales
• Slow application: reduced productivity
© F5 Networks, Inc 3
Things Are Not Getting Easier
• Mobile devices now account for 35% of global Internet traffic
[Chart: mobile share of Internet traffic, 2009 to 2015]
• The average web page has grown 3x since 2008, to 2.1 MB, and is growing exponentially
• Radio = latency (chart compares Fiber, Cable and LTE)
• 34% mostly use mobile Internet
© F5 Networks, Inc 4
Addressing Performance Challenges
F5 survey shows growth in plans to deploy performance related services

Service        2015   2016
COMPRESSION    12%    21%
ACCELERATION   12%    25%
SSL OFFLOAD     9%    21%
CACHING         9%    19%
© F5 Networks, Inc 5
1996
HTTP/1.0
• Static content
• Small objects
• Low number of objects
HTTP Timeline
© F5 Networks, Inc 6
1996
HTTP/1.0
1999
HTTP/1.1
• Dynamic content
• Bigger objects
• More objects
HTTP Timeline
© F5 Networks, Inc 7
1996
HTTP/1.0
1999
HTTP/1.1
2004
YouTube
• Video content
• User generated content
Hey Nice Cat!
His name is Mittens.
HTTP Timeline
© F5 Networks, Inc 8
1996
HTTP/1.0
1999
HTTP/1.1
2004
YouTube
2009
SPDY
• More objects
• Bigger objects
• Mobile devices
HTTP/2 Timeline
© F5 Networks, Inc 9
1996
HTTP/1.0
1999
HTTP/1.1
2004
YouTube
2009
SPDY
2015
HTTP/2
HTTP/2 Timeline
© F5 Networks, Inc 10
1 request = 1 connection
• Connection setup is expensive
• Inefficient when large numbers of objects on page
• Mitigated in part with keep-alive
What Were the Issues with HTTP/1?
© F5 Networks, Inc 11
www.cats.com
www.dogs.com
?
What Were the Issues with HTTP/1?
No virtual host support
• Each site needs 1 IP address
• Inefficient use of addresses
• Multi-homing server limits (255 addresses per server on Linux kernels before 2.2)
© F5 Networks, Inc 12
What Were the Issues with HTTP/1?
Primitive caching
• Cache invalidation used absolute times
• Clock skew caused problems
• Not explicit enough
© F5 Networks, Inc 13
1996: HTTP/1.1
CACHING
• Cache-Control header
• max-age directive
• ETag header
PERSISTENT CONNECTIONS
• Default for all connections
• No keepalive messages
• Servers still have timeouts
VIRTUAL HOSTS
• Host header now required
• Multiple sites on 1 IP address
© F5 Networks, Inc 14
What Are the Issues with HTTP/1.1?
Requests are blocking
• 1 connection can only process 1 request at a time
• Slow object blocks others downloading
• Solution – multiple connections
© F5 Networks, Inc 15
What Are the Issues with HTTP/1.1?
Header data is not that efficient
• Headers not compressed
• Header numbers and size increasing
© F5 Networks, Inc 16
What Are the Issues with HTTP/1.1?
Workarounds can be counter-productive
• Multi-origin websites cause clients to open up to 30 TCP connections
[Diagram: one page fetching HTML, .css and /images/ from separate origins]
© F5 Networks, Inc 17
2009: SPDY
Multiplexed Requests
• Concurrent requests
• Single connection
Compressed Headers
• Reduced header overhead
• Smaller page size
Requires TLS
• Enforced SSL security
• (Whether you want it or not)
© F5 Networks, Inc 18
What Are the Issues with SPDY?
• Not a standard
• Forced secure connections (TLS)
• Maybe not as SPDY? (depending on who you listen to)
• Insecure compression
© F5 Networks, Inc 19
• Multiplexed requests
• "Safe" compression
• TLS optional*
• Stronger cryptography
2015: HTTP/2 is Here!
*) Not in practice
© F5 Networks, Inc 20
Request Multiplexing is a major contributor to improved HTTP/2 performance
• Multiple outstanding requests per connection
• Uses a construct known as "streams"
• Max number of streams is configurable (ADC default is typically 10)
Multiplexed Requests
© F5 Networks, Inc 21
HTTP/1.1 (one request at a time):
Client: Hello
Server: Hello
Client: May I have a picture of a cat please?
Server: Here is a cat
Client: May I also have a picture of a dog?
Server: Here is a dog
Client: May I also have a picture of a turtle?
Server: Here is a turtle
Client: Thanks, bye
Server: Bye

HTTP/2 (multiplexed requests):
Client: Hello
Server: Hello
Client: May I have a picture of a cat please? And another cat? And a dog?
Server: Here is a cat. And a dog.
Client: May I also have a picture of a turtle?
Server: Here is another cat. And a turtle.
Client: Thanks, bye
Server: Bye
© F5 Networks, Inc 22
• 100 images
• 100 ms (added) latency
• Served from Microsoft Azure
• Page load 18 seconds
HTTP/1.1
© F5 Networks, Inc 23
• 100 images
• 100 ms (added) latency
• Served from Microsoft Azure
• Page load 5 seconds
HTTP/2
© F5 Networks, Inc 24
Compression for Headers

Request 1
method GET
scheme HTTPS
host F5.com
path /resource
accept image/jpeg
user-agent Mozilla/5.0 …

Request 2
method GET
scheme HTTPS
host F5.com
path /images
accept image/jpeg
user-agent Mozilla/5.0 …

Stream 1 headers
method: GET
scheme: HTTPS
host: f5.com
path: /resource
accept: image/jpg
user-agent: Mozilla/…

Stream 2 headers
method: GET
scheme: HTTPS
host: f5.com
path: /images
accept: image/jpg
user-agent: Mozilla/…

• Most headers are the same between requests
• Why send them every time?
• Just keep a header table on each side of the connection
• Update only what has changed in each stream
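The header-table idea on this slide, as an added example that is not from the webinar or F5: a simplified model in which both peers keep an identical table of header fields and only new fields cross the wire as literals. It is not the real HPACK wire format (no static table, Huffman coding or table-size eviction); the two requests are constructed to match the slide, with HTTP/2 pseudo-header names, and the byte costs are a rough accounting, not HPACK's.

```python
# Simplified header table (added example, not F5 code, not HPACK wire format).
# Both sides of the connection append every literal they see, so the tables
# stay identical and later streams can refer to a field by index alone.

class HeaderTable:
    def __init__(self):
        self.entries = []  # dynamic table, same content on sender and receiver

    def encode(self, headers):
        """Turn (name, value) pairs into ('idx', n) or ('lit', name, value)."""
        wire = []
        for name, value in headers:
            try:
                wire.append(("idx", self.entries.index((name, value))))
            except ValueError:              # first time this field is seen
                wire.append(("lit", name, value))
                self.entries.append((name, value))
        return wire

    def decode(self, wire):
        """Rebuild the header list, updating the table exactly as the sender did."""
        headers = []
        for item in wire:
            if item[0] == "idx":
                headers.append(self.entries[item[1]])
            else:
                _, name, value = item
                self.entries.append((name, value))
                headers.append((name, value))
        return headers

def wire_cost(wire):
    """Rough on-the-wire size: one byte per index, name+value bytes per literal."""
    return sum(1 if i[0] == "idx" else len(i[1]) + len(i[2]) for i in wire)

# Constructed requests mirroring the slide: only the path differs.
REQUEST_1 = [(":method", "GET"), (":scheme", "https"), (":authority", "f5.com"),
             (":path", "/resource"), ("accept", "image/jpeg"), ("user-agent", "Mozilla/5.0")]
REQUEST_2 = [h if h[0] != ":path" else (":path", "/images") for h in REQUEST_1]

def demo():
    """Send both requests over one connection; return the wire cost of each."""
    sender, receiver = HeaderTable(), HeaderTable()
    costs = []
    for req in (REQUEST_1, REQUEST_2):
        wire = sender.encode(req)
        if receiver.decode(wire) != req:
            raise RuntimeError("header tables out of sync")
        costs.append(wire_cost(wire))
    return costs   # second request sends only the changed :path as a literal
```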
© F5 Networks, Inc 25
TLS is Not Mandatory. But it is Really.
© F5 Networks, Inc 26
Stronger Cryptography
• Minimum requirements:
  • TLS 1.2 or newer required for HTTP/2
  • Ephemeral keys only (forward secrecy)
  • Prefer authenticated encryption modes like Galois/Counter Mode (GCM)
  • Minimal key sizes: 128 bit EC, 2048 bit RSA
• TLS 1.2 still has vulnerabilities (e.g. CVE-2015-4000 aka "Logjam")
• Default ADC implementations mitigate most risks
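One way to turn the slide's minimum requirements into a check, as an added example that is not F5's code: given the negotiated protocol version, cipher suite (OpenSSL naming) and certificate key, report which of the requirements a session misses. The sample sessions and the `dh_bits` parameter are constructed for illustration; the DH-group check is added because weak groups are what Logjam targets.

```python
# Added example, not F5 code: check a negotiated TLS session against the
# minimum requirements listed on the slide. Thresholds are the slide's.

TLS_VERSIONS = {"TLSv1": 1.0, "TLSv1.1": 1.1, "TLSv1.2": 1.2, "TLSv1.3": 1.3}
MIN_KEY_BITS = {"EC": 128, "RSA": 2048}   # certificate key sizes as given on the slide
MIN_DH_BITS = 2048                        # weak DH groups are what Logjam (CVE-2015-4000) attacks


def check_tls(version, cipher, key_type, key_bits, dh_bits=None):
    """Return a list of findings; an empty list means the session meets the bar."""
    findings = []
    if TLS_VERSIONS.get(version, 0) < 1.2:
        findings.append(f"{version} is older than TLS 1.2")
    if version == "TLSv1.3":
        # Every TLS 1.3 suite (TLS_AES_128_GCM_SHA256, ...) is ephemeral and AEAD
        ephemeral, aead = True, True
    else:
        parts = cipher.split("-")          # e.g. ECDHE-RSA-AES128-GCM-SHA256
        ephemeral = parts[0] in ("ECDHE", "DHE")
        aead = any(tag in parts for tag in ("GCM", "POLY1305", "CCM"))
        if parts[0] == "DHE" and dh_bits is not None and dh_bits < MIN_DH_BITS:
            findings.append(f"DH group is {dh_bits} bits, below {MIN_DH_BITS}")
    if not ephemeral:
        findings.append(f"{cipher}: key exchange is not ephemeral (no forward secrecy)")
    if not aead:
        findings.append(f"{cipher}: not an authenticated-encryption mode")
    minimum = MIN_KEY_BITS.get(key_type)
    if minimum is None:
        findings.append(f"unknown key type {key_type}")
    elif key_bits < minimum:
        findings.append(f"{key_type} key is {key_bits} bits, below {minimum}")
    return findings


# Constructed sessions: a modern profile, a legacy one, and DHE on a weak group.
SAMPLE_SESSIONS = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 2048, None),
    ("TLSv1", "AES256-SHA", "RSA", 1024, None),
    ("TLSv1.2", "DHE-RSA-AES256-GCM-SHA384", "RSA", 2048, 1024),
]


def audit(sessions=SAMPLE_SESSIONS):
    """Map each session's cipher name to its number of findings."""
    return {s[1]: len(check_tls(*s)) for s in sessions}


if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        print(session[1], check_tls(*session) or ["ok"])
```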
© F5 Networks, Inc 27
Browser Support for HTTP/2
Source: "Can I use", http://caniuse.com/#search=http2
© F5 Networks, Inc 28
Potential Barriers that Slow Adoption of HTTP/2
Source: IDG Enterprise Research
Barriers surveyed:
• The requirement that all application traffic be secured via TLS/SSL
• Incompatibility with current security infrastructure
• Lack of familiarity with the technology
• Low availability of HTTP/2 services
• Lack of back-end support
• Lack of backward compatibility with HTTP/1.x
[Chart: share of respondents naming each barrier, bars reading 19%, 28%, 29%, 31%, 31% and 41%]
© F5 Networks, Inc 29
HTTP/2 Impacts the Infrastructure
[Diagram: HTTP/2 client talking to an HTTP/2 server, with Optimisation, Security and Reporting functions in the path]
• Limited web server availability
• Little to no security infrastructure
• Little to no visibility and reporting
© F5 Networks, Inc 30
HTTP/2 Gateway
[Diagram labels: HTTP/1.x Client, HTTP/2 Server, ADC, Protocol Gateways, GET /images/cat.jpg, Security, Optimisation, Reporting]
• Gain most of the performance benefits of HTTP/2
• Can service both HTTP/2 and non HTTP/2 traffic
• Use HTTP/1.1 downstream of gateway
• Retain full visibility into traffic
• Don’t need to refresh infrastructure
© F5 Networks, Inc 31
HTTP/2 Gateway
[Diagram: SPDY, HTTP/2 and HTTP/1.1 clients each send GET /images/cat.jpg to the ADC protocol gateway (Security, Optimisation, Reporting); the ADC sends HTTP/1.1 GET /images/cat.jpg on to an HTTP/1.x server. Bullet points as on the previous slide.]
© F5 Networks, Inc 32
Two Steps to Implement HTTP/2 Gateway
1. HTTP/2 profile
2. ADC with virtual server
That’s it... really!
© F5 Networks, Inc 33
HTTP/1.1
So It’s All Good?
© F5 Networks, Inc 34
HTTP/2
HTTP/1.1 bottleneck removed!
So It’s All Good?
© F5 Networks, Inc 35
“As with all performance optimisation processes, the moment you remove one performance bottleneck, you unlock the next one. In the case of HTTP/2, TCP may be it. Which is why, once again, a well-tuned TCP stack on the server is such a critical optimisation criteria for HTTP/2.”
“High Performance Browser Networking” – Ilya Grigorik, O’Reilly Media
What Do We All Know About Bottlenecks?
© F5 Networks, Inc 36
We’re Only Moving the Bottleneck
[Diagram: a single TCP connection carrying a dense stream of binary data (the bits spell repeated "cat" lines)]
© F5 Networks, Inc 37
TCP Inefficiencies Might Be the Next Bottleneck
Things to consider
• Congestion control
• Window sizing
• Multipath TCP
• High RTT and packet loss links (radio)
© F5 Networks, Inc 38
Perhaps You Need a TCP Optimiser?
[Diagram: binary data stream entering a TCP optimiser]
Know any good ones?
Example profiles:
• RTT = 100 ms: TCP algorithm = Westwood+, TCP window scale = 65,535 KB
• RTT = 1 ms: TCP algorithm = Highspeed, TCP window scale = 1 MB
© F5 Networks, Inc 39
Summary
Impact
• Binary protocol
• TCP optimisations required
• SSL offload essential
Performance
• Significant performance improvements
• Reduced header overhead
• Smaller page size
• Fully multiplexed connections
Opportunities
• Server push possibilities
• Leverage existing ADC