阿里巴巴HTTP2.0實(shí)踐及無(wú)線通信協(xié)議的演進(jìn)之路

1、阿里巴巴HTTP2實(shí)踐及無(wú)線通信協(xié)議的演進(jìn)之路更快、更省流量的標(biāo)準(zhǔn)通信HTTP2HTTP/2概況POST /upload HTTP/1.1Host:Content-Type:application/jsonContent-Length:16“msg”,”taobao”HEADERS FrameDATA FrameTLSApplication(HTTP/2)Binary FramingSlightSSLTCPIPQUICUDP協(xié)議協(xié)商ALPN（TLS）或protocol upgrade(明文)連接序言會(huì)話協(xié)商Settings Frame頭部壓縮HPACK二進(jìn)制協(xié)議流控會(huì)話級(jí)別 連接級(jí)別雙工通信&

2、多路復(fù)用主動(dòng)下行多個(gè)請(qǐng)求并發(fā)幀格式用途headers存放頭部數(shù)據(jù)，用以打開(kāi)一個(gè)streamcontinuation延續(xù)之前未發(fā)送完畢的包頭信息data存放應(yīng)用數(shù)據(jù)rst_stream異常關(guān)閉一個(gè)streamsettings參數(shù)協(xié)商ping心跳包，用以刺探連接是否存活goaway發(fā)送端優(yōu)雅關(guān)閉window_update流控，分為stream和connection兩個(gè)級(jí)別協(xié)商參數(shù)含義SETTINGS_HEADER_TABLE_SIZE用于解壓的頭部動(dòng)態(tài)壓縮表最大大小，默認(rèn)4096SETTINGS_ENABLE_PUSH用于禁止或啟用服務(wù)端推送SETTINGS_MAX_CONCURRENT_STRE

3、AMS最大并發(fā)流數(shù)，默認(rèn)無(wú)限制SETTINGS_INITIAL_WINDOW_SIZE會(huì)話級(jí)別的流控的初始窗口大小，默認(rèn)為65535SETTINGS_MAX_FRAME_SIZE幀的payload大小限制，默認(rèn)為16384SETTINGS_MAX_HEADER_LIST_SIZEhttp/2的壓縮前頭部列表的最大大小，默認(rèn)無(wú)限制SETTINGS幀的各參數(shù)的含義Bit0-78-1516-2324-310LengthType32Flags40RStreamIdentifierFramePayloadhttp/2的幀格式HTTP/2 Frameshttp/2的公共頭部HTTP/2 WorkflowP

4、RI * HTTP/2rnrnSMrnrninit window sizeheader table sizewindow increment sizeinit window sizeheader table sizeSYNSYN ACKACK連接序言&會(huì)話協(xié)商會(huì)話協(xié)商數(shù)據(jù)交互FIN數(shù)據(jù)交互會(huì)話關(guān)閉ClientServerFIN ACKSettingsWindow_updatewindow increment size:method: get:path:/index.htmlHeadersDataGoaway:status:200:content-length= 1024last stream

5、id = 9HeadersDataSettingsWindow_updateHTTP/2 & HPACKhttp2 HPACK映射表經(jīng)常出現(xiàn)或重復(fù)出現(xiàn)的Header用映射表的Index表示靜態(tài)Huffman編碼未命中映射表的Header用Huffman編碼安全DEFLATE壓縮算法存在攻擊風(fēng)險(xiǎn)壓縮率通過(guò)新的算法得到進(jìn)一步提升HTTP/2的效果014001050700350請(qǐng)求包頭應(yīng)答包頭http/2spdy單位:字節(jié)1750http/2請(qǐng)求和應(yīng)答包頭的流量下降http/2請(qǐng)求整體提速022501500750單位:毫秒30002G3G4GWIFIhttp/2spdyHTTP/2的優(yōu)化過(guò)程http

6、2頭部壓縮分階段優(yōu)化5025075110055001650spdy下行huffman52.4%48.5%35.3%31.5%動(dòng)態(tài)表可協(xié)商100%字節(jié)數(shù)27502200百分比125100HTTP/2的實(shí)現(xiàn)Nginx Patch無(wú)線下的調(diào)優(yōu)原生上下行均支持靜態(tài)表上行支持動(dòng)態(tài)表和Huffman編碼采用默認(rèn)的動(dòng)態(tài)表大小，無(wú)協(xié)商擴(kuò)展下行動(dòng)態(tài)表和Huffman編碼上下行動(dòng)態(tài)表大小協(xié)商小包合并連接序言/settings/headers合并成一個(gè)TCP包流控會(huì)話級(jí)別下行流控網(wǎng)絡(luò)庫(kù)SDK實(shí)現(xiàn)HTTP/2復(fù)用網(wǎng)絡(luò)庫(kù)框架，統(tǒng)一上層接口內(nèi)部解析、封裝HTTP/2SDK支持HTTP2的細(xì)節(jié)HPACK的動(dòng)態(tài)表大小上行和下

7、行分別獨(dú)立均由服務(wù)端控制通過(guò)控制SETTING ACK實(shí)現(xiàn)適配兩種場(chǎng)景壓縮率優(yōu)先調(diào)整至32K內(nèi)存優(yōu)先采用默認(rèn)的4KHPACK動(dòng)態(tài)表的更新更新必須同步，否則會(huì)出錯(cuò)請(qǐng)求封裝完畢后必須發(fā)出HTTP2 VS SPDY預(yù)置HPACK靜態(tài)表包大小HTTP2 40KSPDY 20K場(chǎng)景選擇PUSH場(chǎng)景優(yōu)選SPDYReq/Resp場(chǎng)景優(yōu)選HTTP2HPACK的延伸統(tǒng)計(jì)常見(jiàn)字段出現(xiàn)的頻度自定義映射表，優(yōu)化自定義協(xié)議最新的壓縮協(xié)議Brotli9,009qps7,4246,9134,4406861770250050007,51375001000016911gzipbrotli壓縮等級(jí)262624232107.522

8、.51530302737.516911gzipbrotli壓縮等級(jí)壓縮率(out/in,%)性能brotli vs gzip壓縮率實(shí)施熱插拔式accept-encoding:gzip,brotli服務(wù)端控制壓縮格式自由選擇，兼顧性能和流量效果(統(tǒng)計(jì)淘寶的某個(gè)大流量域名)相對(duì)gzip節(jié)省17.5%的流量(315字節(jié))無(wú)線互聯(lián)網(wǎng)下的全站加密SLIGHT SSLClientHTTPS的挑戰(zhàn)ServerApplicationDataApplicationDataSYN600msACKClientHello1800msClientKeyExchangeChangeCipherSpecFinished0m

9、sSYN ACK1200msServerHelloCertificateServerHelloDone2400msChangeCipherSpecFinished3000ms3600ms4800ms4200ms特點(diǎn)1張證書4KB+2-RTT的協(xié)商成本加密數(shù)據(jù)前先協(xié)商會(huì)話密鑰3個(gè)隨機(jī)數(shù)兩個(gè)明文，一個(gè)密文(premasterkey)挑戰(zhàn) 流量放大攻擊證書下放導(dǎo)致上下行流量相差10倍+網(wǎng)絡(luò)時(shí)延大在弱網(wǎng)下尤其是2g，時(shí)延不可接受(1RTT 1S)硬件成本高& 首次建連攻擊https首次建連的性能是http的1/10https complete handshake優(yōu)勢(shì)節(jié)省一個(gè)RTT劣勢(shì)需要端上和后臺(tái)都做

10、特殊支持優(yōu)勢(shì)節(jié)省一個(gè)RTT/提升服務(wù)器性能/降低流量劣勢(shì)有實(shí)效性，且無(wú)法解決首次建連問(wèn)題HTTPS的優(yōu)化和不足SYN600msACKClientHello1800msClientKeyExchangeChangeCipherSpecFinishedApplicationDataClientServerApplicationData0msSYN ACK1200msServerHelloCertificateServerHelloDone2400msChangeCipherSpecFinished3000msSYN600msACKClientHello1800msChangeCipherSpecF

11、inishedApplicationDataClientServer0msSYN ACK1200msServerHelloChangeCipherSpecFinished2400msApplicationData3000ms3600mshttps false start3600mshttps session ticket對(duì)稱密鑰長(zhǎng)度ECC非對(duì)稱密鑰長(zhǎng)度RSA密鑰強(qiáng)度80160102411222420481282563072SlightSSL設(shè)計(jì)思想0225000150000750001000*11000*101000*100RSA-1024RSA-2048ECDH-Prime-256ECDH-

12、Prime-192ECDH-Prime-128ECDH-Prime-112執(zhí)行時(shí)間 單位:毫秒300000執(zhí)行次數(shù)ECDH性能是RSA的10倍可比較密鑰大小(密碼分析所需計(jì)算量的角度)證書緩存0-RTT協(xié)商報(bào)文和數(shù)據(jù)報(bào)文允許一起下發(fā)兼顧前向安全性能提升ECDH代替RSASession Ticket會(huì)話復(fù)用ECDH-PRIME-128證書緩存到本地節(jié)省流量/時(shí)延/成本網(wǎng)絡(luò)制式建連時(shí)間鑒權(quán)時(shí)間握手時(shí)間總時(shí)間Android2G116411262123113G5056912112174G20023615451WIFI22827019517IOS2G108212182623263G56772310130

13、04G2332396478WIFI28530213600首次建連2G下2.5秒內(nèi)完成首次建連對(duì)比HTTPS縮短60%網(wǎng)絡(luò)制式075150225300首次建連-1會(huì)話復(fù)用-1首次建連-20會(huì)話復(fù)用-20httpsspdy+slightssl服務(wù)端性能提升50%02000600040002G3G4GWIFIhttpsslightssl單位：毫秒800001250250037505000SlightSSL的效果2G3G4GWIFIhttps-anroidslightssl-androidhttps-iosslightssl-ios請(qǐng)求平均耗時(shí)對(duì)比HTTPS縮短40%SlightSSL的優(yōu)化防重放攻擊(seq number)TCP參數(shù)調(diào)整小包精簡(jiǎn)場(chǎng)景優(yōu)化SessionTicket有效小包精簡(jiǎn)去掉不必要的報(bào)文多個(gè)小包合并到一個(gè)TCP報(bào)文中0-RTT會(huì)話復(fù)用避免SDK創(chuàng)建橢圓曲線密鑰對(duì)CD