I want the next generation web here SPDY QUIC

Post on 19-Jan-2015

DESCRIPTION

Matt Summers, NCC Group - Web technology has changed a lot in the last 25 years, but the underlying transport mechanism has stayed the same. The web we have today was not designed for the plethora of new device types and communication methods, but things are changing and you probably don’t even know it. You probably don’t even notice the problem because it is so ingrained. In this presentation we are going to delve into the problems with the web and how we use it today. We will also take an in-depth look at the proposed solutions for the next generation web and the implications that come with them.

TRANSCRIPT

I want the next generation web here SPDY QUIC

A review of the SPDY and QUIC protocols

Agenda

• History
• What’s up with HTTP?
• SPDY
• QUIC
• Security
• The Future

About Me

Before we start

ASK

What is SPDY?

• What?
• Why?

What is QUIC?

• What?
• Why?

History

• HTTP 0.9 - First documented in 1991
• HTTP 1.0 - First documented in 1996
• HTTP 1.1 - Released in 1997
• HTTP 1.1 - Updated in 1999

What’s up with HTTP?

• Connections
• Latency
• Headers

What’s up with HTTP?

[Diagram labels: Home.aspx, Logo.jpg, Time]

What’s up with HTTP?

"A single-user client SHOULD NOT maintain more than 2 connections with any server or proxy"

What’s up with HTTP?

Source: Akamai State of the Internet Report

What’s up with HTTP 1.1?

[Chart labels: Resources, Time]

History

• 183 Resources
• 44 Domains
• 25 HTML Pages
• 2MB of text content

What’s up with HTTP?

GET /news/ HTTP/1.1

Host: www.bbc.co.uk

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.bbc.co.uk/news/england/

Cookie: NTABS=B0; BBC-UID=2583816c740b5213b567deae81f1f11c5e89720eae48c3293395badd482afad00Mozilla%2f5%2e0%20%28Windows%20NT%206%2e1%3b%20WOW64%3b%20rv%3a27%2e0%29%20Gecko%2f20100101%20Firefox%2f27%2e0; BGUID=e513614cf47b72b7916877ff1183a8509e60292969e8942b1e4157e7578c4078; s1=531C4B275C0603BA; ecos.dt=1400334549086; ckns_policy=111; ckpf_mandolin=%22footer-promo%22%3A%7B%22segment%22%3Anull%2C%22end%22%3A%221400939293613%22%7D; _chartbeat2=0nohd0na7hc3kcd7.1400334522757.1400334540677.1; _chartbeat_uuniq=1; BBCLiveStatsClick=nav|1|0

DNT: 1

Connection: keep-alive

What’s up with HTTP?

GET /news/ HTTP/1.1

Host: www.bbc.co.uk

SPDY

Source: The Chromium Projects

SPDY

• Multiplexing
• Prioritisation
• Header Compression
• Server Push & Server Hint

SPDY

[Diagram labels: Home.aspx, Logo.jpg, Image.bmp]

SPDY

TLS Request + Next Protocol

TLS Response

SPDY Request

SPDY Response

SPDY

• NPN Support Added 1.0.1
• ALPN Support Added 1.0.2

QUIC

• Remove head-of-line-blocking
• 0RTT
• Recover lost packets
• Congestion control
• Network change survival

QUIC

“The middle box problem”

QUIC

Connect

Certificate

Negotiation

Response

Security

SPDY Security

•Header injection

SPDY Security

“complexity is the worst enemy of security”

“The only way to evaluate the security of a system is to analyze it”

Source: Bruce Schneier

Security

• Certificate Revocation
• Malicious servers
• Content inspection
• Other new attack vectors

QUIC Security

• Privacy
• Authentication
• Integrity

QUIC Security

• Replay Protection
• DoS Protection
• Address Spoofing Detection

QUIC Security

• Cross-connection attacks?
• Embryonic attacks?
• Memory exhaustion?
• DDoS

The Future

• Web Clients
• Web Servers
• Internet Infrastructure
• Network Infrastructure
• SSL Stacks

The Future

• Libspdy - C
• Net-http-spdy - Ruby
• Spdylay - Python
• http2-katana - C#
• Jetty - Java
• Erlang-spdy - Erlang

Fin

Questions?

Matt.summers@nccgroup.com

@dive_monkey
