
Re: #385: HTTP2 Upgrade / Negotiation

From: Willy Tarreau <w@1wt.eu>
Date: Thu, 25 Oct 2012 15:54:16 +0200
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: Yoav Nir <ynir@checkpoint.com>, Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>, Mark Nottingham <mnot@mnot.net>, Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20121025135416.GH16195@1wt.eu>
On Thu, Oct 25, 2012 at 09:41:14AM -0400, Patrick McManus wrote:
> On Thu, Oct 25, 2012 at 9:21 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>
> > > For http2, I don't think it is enough to just fail fast to http/1 when
> > > for most cases we could get those users speaking HTTP/2 over tls on 443. A
> > > mechanism like Alternate-Protocol accomplishes that and I think that is a
> > > more important property than upgrading in band (which is admittedly nice!).
> >
> > So rather than go to HTTP/1.1 you'd prefer going to TLS with an anonymous
> > ciphersuite?  I don't think that would help much, as the transparent
> > proxies that also MitM SSL are getting ever more popular.
>
> The websockets results show that the TLS approach will work well with
> legacy infrastructure and yes I'd rather have everyone that can use http2
> actually use it before falling back to http/1 because there are significant
> performance gains to be had.

I see a good point here: I expect that support for Upgrade and unfiltered TLS
will be very complementary. I mean:
  - in completely open networks, both will work.
  - in corporate networks, port 443 will continue to work with the usual
    whitelists and will not be suited for HTTP/2; however, these infrastructures
    are maintained and managed and the proxies will quickly be upgraded to
    support the Upgrade if not ready yet.
  - and at places where interception proxies are in place (e.g. ISPs, mobile
    phone ops), it's common to find the opposite: interception proxies are
    a bit outdated and not well maintained, but port 443 is wide open.

The reason for this complementarity is simple: corporate networks need to
control what enters and leaves the network, while ISPs only need to save
bandwidth and optimize.

Thus I would not be surprised to see a success rate close to 100% with the
following sequence for sites accepting both ports when HTTP/2 is released:
  1) HTTP Upgrade on port 80
  2) fallback to TLS on port 443

And when both fail, clearly 1.1 is the only way to go.

Regards,
Willy
Received on Thursday, 25 October 2012 13:55:05 GMT
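An added example, not from the thread, showing the order Willy proposes (Upgrade on port 80, then TLS on port 443, then plain HTTP/1.1) as client-side logic in Python; the `h2c` token, the injected probe callbacks and the sample response heads are constructed assumptions. The Upgrade check is strict so that an interception proxy that answers the Upgrade request with an ordinary 200, or a server that sends a bare 101, is treated as "no HTTP/2 on this path" and the client moves on to the next step rather than misreading it as success.

```python
from typing import Callable, Dict, Optional, Tuple

# Assumed Upgrade token: the draft under discussion had not fixed one, so
# this name is a placeholder for illustration only.
UPGRADE_TOKEN = "h2c"

# Constructed sample response heads (not captured from any real server).
RESP_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Connection: Upgrade\r\nUpgrade: h2c\r\n\r\n")
RESP_PROXY_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
RESP_BAD_101 = b"HTTP/1.1 101 Switching Protocols\r\n\r\n"  # token not echoed


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def upgrade_accepted(raw: bytes) -> bool:
    """True only if the server really switched: 101 status, our token echoed
    in Upgrade, and 'upgrade' listed in Connection.  Anything else (a 200
    from a proxy that stripped the header, a bare 101) means no HTTP/2."""
    status, h = parse_response_head(raw)
    if status != 101:
        return False
    tokens = {t.strip().lower() for t in h.get("upgrade", "").split(",")}
    conn = {t.strip().lower() for t in h.get("connection", "").split(",")}
    return UPGRADE_TOKEN in tokens and "upgrade" in conn


def negotiate(upgrade_80: Callable[[], Optional[bytes]],
              tls_443: Callable[[], bool]) -> str:
    """Willy's order: Upgrade on :80, then TLS on :443, then plain HTTP/1.1.
    Probes are injected so the sequence runs offline: upgrade_80 returns the
    response head from port 80 (None if the connection failed); tls_443
    returns True if HTTP/2 was negotiated inside TLS on port 443."""
    raw = upgrade_80()
    if raw is not None and upgrade_accepted(raw):
        return "h2-upgrade-80"
    if tls_443():
        return "h2-tls-443"
    return "http/1.1"
```

With the three network models from the mail: an open network gives `h2-upgrade-80`, an ISP with an outdated interception proxy but port 443 wide open gives `h2-tls-443`, and a corporate network whose proxy answers 200 and whose 443 path is filtered ends at `http/1.1`.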
