@@ -375,6 +375,152 @@ discuss below.
3753756.4 QUIC, HTTP/3 and TLS
376376------------------------
377377
378- 6.5 User Experience with HTTPS
378+ Since the invention of the World Wide Web in the 1990s, HTTP has run
379+ over TCP. HTTP/1.0, the original version, had quite a number of
380+ performance problems due to the way it used TCP, such as the fact that
381+ every request for an object required a new TCP connection to be set up
382+ and then closed after the reply was returned. HTTP/1.1 was proposed at
383+ an early stage to make better use of TCP. TCP continued to be the
384+ protocol used by HTTP for another twenty-plus years.
385+
386+ Adding security to HTTP-over-TCP in the form of SSL and TLS further
387+ exacerbated performance issues, even as advancements to HTTP mitigated
388+ some of the original problems. As noted in the preceding section, it
389+ takes at least one round trip time to establish a secure TLS
390+ session. The relatively recent introduction of 0-RTT data reduces the
391+ latency before the first data can be sent; it also comes with some
392+ security drawbacks as we observed above.
393+
394+ Of course, the time required to set up a secure session with TLS in
395+ *in addition * to the time need to set up a TCP connection. TCP needs
396+ to complete its 3-way handshake before the first TLS handshake
397+ message-which is just data as far as TCP is concerned-can be sent. So
398+ the sequence of events was:
399+
400+ - Client initiates TCP 3-way handshake to establish TCP session.
401+
402+ - TLS handshake establishes security parameters for client-server
403+ communication.
404+
405+ - First HTTP message gets sent from client to server.
406+
407+ In other words, in the original TLS-over-TCP model it would take at
408+ least three RTTs to get a response to a single HTTPS request. In fact
409+ up until TLS 1.3 arrived it was at least four RTTs due to the use of
410+ two RTTs to complete the TLS handshake.
411+
412+ This is not the only problem with running HTTP over TCP. A reliable,
413+ ordered byte stream as provided by TCP isn't exactly the right model
414+ for Web traffic. In particular, since most web pages contain many
415+ objects, it makes sense to be able to request many objects in
416+ parallel, but TCP only provides a single byte stream. If one packet is
417+ lost, TCP waits for its retransmission and successful delivery before
418+ continuing, while HTTP would have been happy to receive other objects
419+ that were not affected by that single lost packet. Opening multiple
420+ TCP connections would appear to be a solution to this, but that has
421+ its own set of drawbacks including a lack of shared information about
422+ congestion across connections.
423+
424+ Other factors such as the rise of high-latency wireless networks and
425+ the availability of multiple networks for a single device (e.g., Wi-Fi
426+ and cellular) contributed to the realization that the transport layer
427+ for HTTP would benefit from a new approach. The protocol that emerged
428+ to fill this need was QUIC.
429+
430+ In this section we will focus on how QUIC particularly improves the
431+ performance of TLS compared to running over TCP. QUIC is quite a
432+ comprehensive re-working of the transport layer that could fill its
433+ own book-indeed the set of RFCs that define it run to the hundreds of
434+ pages.
435+
436+ QUIC originated at Google in 2012 and was subsequently developed as a
437+ proposed standard at the IETF. It has already seen a solid amount of
438+ deployment—it is in most Web browsers, many popular websites, and is
439+ even starting to be used for non-HTTP applications. Deployability was
440+ a key consideration for the designers of the protocol. There are a lot
441+ of moving parts to QUIC—its specification spans three RFCs—but we
442+ focus here on how it changes the relationship between TLS and the
443+ underlying transport.
444+
445+ The single most important change in QUIC from the perspective of TLS
446+ performance is that it doesn't treat the transport and security
447+ handshakes as two distinct layers. Instead, QUIC has build a
448+ cryptographic handshake based on TLS into the transport. This is
449+ illustrated by Figure foo. As RFC 9001 puts it:
450+
451+
452+ *Rather than a strict layering, these two protocols cooperate: QUIC
453+ uses the TLS handshake; TLS uses the reliability, ordered delivery,
454+ and record layer provided by QUIC. *
455+
456+
457+ .. _fig-quic-tls :
458+ .. figure :: figures/QUIC-TLS.png
459+ :width: 500px
460+ :align: center
461+
462+ Protocol stacks compared. (a) HTTP over TLS over TCP. (b) HTTP and
463+ TLS Handshake over QUIC.
464+
465+ This rearrangement of layers takes a bit of work to understand. The
466+ central idea is that QUIC has the ability to provide encryption and
467+ authentication to the data it transmits once it has a set of keys to
468+ work with. So the TLS handshake operates pretty much as it did over
469+ TCP, but instead of wrapping up TLS handshake messages in the TLS
470+ record layer before sending them out over TCP, we can send the TLS
471+ handshake messages over QUIC directly. QUIC also provides the
472+ reliability, congestion control, etc. that TCP provides. Once the TLS
473+ handshake is complete, the keying material for the connection is
474+ passed to QUIC, which now is able to encrypt and authenticate the data
475+ that is sent by HTTP.
476+
477+ The most obvious practical impact of this is that the establishment of
478+ a QUIC connection takes place at the same time as the transmission of TLS
479+ handshake messages, rather than taking place prior to the TLS
480+ handshake as with TCP. By the time the TLS handshake completes, the
481+ two ends of the QUIC connection have all the state needed to transmit
482+ data such as HTTP messages. Furthermore, in the cases where 0-RTT data
483+ can be sent (because there are shared secrets cached from a
484+ previous connection), the first HTTP request can actually be sent at
485+ the same time as the client Hello message.
486+
487+ A final detail of note is that QUIC runs on top of UDP rather than
488+ directly over IP. The reason behind this is that there are plenty of
489+ middleboxes in the Internet that assume that the only acceptable
490+ transport protocols are TCP and UDP and block anything else. So while
491+ UDP doesn't add much in the way of useful functionality to QUIC, it
492+ was an expedient step to run QUIC over UDP to ease deployment
493+ of QUIC in the Internet.
494+
495+ QUIC is an interesting development in the world of transport protocols
496+ and not just for its impact on security. Many of the limitations of
497+ TCP have been known for decades, but QUIC represents one of the most
498+ successful efforts to date to stake out a different point in the
499+ design space. Because QUIC was inspired by experience with HTTP, TLS,
500+ and the Web—which arose long after TCP was well established in the
501+ Internet—it presents a fascinating case study in the unforeseen
502+ consequences of layered designs and in the evolution of the
503+ Internet. There is a lot more to it that we can cover here. The
504+ definitive reference for QUIC is RFC 9000, while RFC 9001 covers the
505+ relationship of TLS to QUIC. A more readable overview of the
506+ protocol's design and deployment appears in the following paper from
507+ SIGCOMM 2017.
508+
509+
510+ .. _reading_quic :
511+ .. admonition :: Further Reading
512+
513+ A. Langley *et al. *
514+ `The QUIC Transport Protocol: Design and Internet-Scale Deployment
515+ <https://research.google/pubs/the-quic-transport-protocol-design-and-internet-scale-deployment/> `__.
516+ SIGCOMM 2017.
517+
518+ We also covered the impact of QUIC on congestion control in our book
519+ on TCP Congestion Control.
520+ `TCP Congestion Control: A Systems Approach <https://tcpcc.systemsapproach.org >`__.
521+
522+
523+ 6.5 A Systems View of TLS
379524------------------------------
380525
526+ .. talk about how user sees things from browser
0 commit comments