TCP Fast Open and HTTP/3: Network-Level Optimizations for Lightning-Fast Drupal

Transcript

1. TCP Fast Open and HTTP/3 Network-Level Optimizations for Lightning-Fast Drupal

2. My nickname: @mamoot 20XP on practicing PHP and web development

   Specialized in I Like : • Nintendo (Donkey Kong & Mario) • Savouring Rhum • Warhammer painting • Listen & Play Music Nicolas Perussel Head Of Architecture

3. Session objectives Today we'll explore how network protocol optimizations can

   dramatically improve Drupal performance without changing a single line of PHP code!

4. The Network Performance Challenge TTFB TIME TO FIRST BYTE

5. The Reality

6. WHY?

7. THIS IS HOW INTERNET IS WORKING

8. TCP (Transmission Control Protocol) IP TCP HTTP APPLICATION LAYER LEVEL

   7 TRANSPORT LAYER LEVEL 4 NETWORK LAYER LEVEL 3 http://www.drupal.org TCP SEGMENT IP PACKET

9. TCP Three-Way Handshake SYN (SYNCHRONISE) SYN + ACK (ACKNOWLEDGE) ACK

10. Round Trip Time (RTT) RTT Send Request Receive Response RTT

    Receive Response Send Request TCP Handshake = 1,5 RTT Client → Server: SYN 0.5 RTT Server → Client: SYN-ACK 1.0 RTT Client → Server: ACK + HTTP Data 1.5 RTT

11. https://aws-latency-test.com/ 46 ms 35 ms 39 ms 34 ms 28

    ms 19 ms

12. TLS (Transport Layer Security) IP TCP TLS HTTP APPLICATION LAYER

    LEVEL 7 SESSION / PRESENTATION LAYER LEVEL 5-6 TRANSPORT LAYER LEVEL 4 NETWORK LAYER LEVEL 3 HTTPS :443 :80 Route the packets on the internet TCP carries the TLS bytes without knowing what they are TLS is a wrapper around TCP. TLS transports the bytes of HTTP without reading them

13. TLS Handshake TLS 1.2 TLS 1.3 ClientHello ServerHello AskForCertificate ServerHelloDone

    ClientKeyExchange ChangeCipherSpec Finished ChangeCipherSpec Finished HTTP REQUEST Finished HTTP RESPONSE ClientHello KeyShare ServerHello KeyShare Verify Certificate Finished HTTP REQUEST Finished HTTP RESPONSE 4 steps 2 RTT 2 steps 1 RTT

14. First Advice Use TLS 1.3 Better performance : reduce the

    TLS handshake of 50% - Noticeable improvement on high-traffic sites - Particularly beneficial for REST and JSON:API APIs - Reduces latency for mobile/remote users

15. We can go further with TLS 1.3 … TLS 1.3

    ClientHello KeyShare Early Data HTTP GET HTTP RESPONSE 0 RTT ServerHello KeyShare Early Data Finished 0 RTT Concept - Allows data to be sent from the first packet (zero round- trip) - Uses a previous session ticket - Handshake time = 0ms for repeated connections Vulnerability to replay attacks 1. An attacker captures a legitimate 0-RTT request (e.g., POST /user/login) 2. They can "replay" this request multiple times 3. Without protection, this can cause: multiple form submissions; duplicate financial transactions; Repeated non-idempotent actions …

16. 0 RTT: security vs performance SAFE FOR : - Idempotent

    GET requests - Loading static resources (CSS, JS, images) - Caching Drupal pages NOT SAFE FOR : - POST forms (webform, commerce, login) - API mutations (POST, PATCH, PUT, DELETE) - Payment transactions

17. How to fight against Replay Attack Full Nginx way Nginx

    + PHP approach

18. TLS 1.3 : Session Resumption Two resumption mechanisms: Session IDs

    (old method) : • The server stores session state in memory • Problem: Doesn't scale with load balancing • Not recommended for multi-server Drupal Session Tickets : • Encrypted state sent to the client • Stateless server (no storage) • Compatible with load balancing Best practices for Drupal: • Synchronize ticket keys between servers • Automatically rotate keys every 24-48 hours • Monitor session resumption rates (target: >70%)

19. TLS : OCSP Stapling Eliminating Validation Latency The problem without

    stapling: • Client connects to the Drupal server • Client must contact the CA's OCSP responder • Additional delay of 100-300ms • If the OCSP responder is down → connection failure The solution: OCSP Stapling: • The server periodically retrieves the OCSP status • The server "staples" the TLS handshake response • The client no longer needs to contact the OCSP responder Benefits: • Reduces handshake time by ~200ms • Improves confidentiality (no leaks to the CA) • Resilience if the OCSP responder is unavailable

20. TLS Monitoring

21. With some TLS tweaks… -50% handshake time with TLS 1.3

    -200ms latency with OCSP stapling -100ms with the Session Resumption = ~350ms total gain on first connection

22. BUT …

23. Remember this… IP TCP TLS APPLICATION LAYER LEVEL 7 SESSION

    / PRESENTATION LAYER LEVEL 5-6 TRANSPORT LAYER LEVEL 4 NETWORK LAYER LEVEL 3 HTTPS :443 https://www.drupal.org

24. IP TCP TRANSPORT LAYER LEVEL 4 NETWORK LAYER LEVEL 3

    TLS APPLICATION LAYER LEVEL 7 HTTPS :443 SESSION / PRESENTATION LAYER LEVEL 5-6

25. Can we optimize TCP?

26. None

27. Welcome to TCP FastOpen (TFO) FIRST CONNECTION 2 RTT LATER

    CONNECTIONS 1 RTT With TCP Fast Open, Google has presented a protocol extension for reducing unnecessary latencies in network traffic. The proposal was originally presented in 2011 and was published as RFC 7413 in December 2014. TFO Origin https://www.keycdn.com/support/tcp-fast-open

28. TFO Configuration (simple as that) Supported OS : • Linux

    kernel 3.7+ : Support TFO • Linux kernel 3.13+ : Support TFO server • Linux kernel 4.11+ : Full support and stable

29. TFO SYN Flood Amplification Attack The risk: • TFO allows

    up to 64KB to be sent in the initial SYN. • An attacker with a valid TFO cookie can amplify a SYN flood • Amplification factor: x234 The attack scenario: 1. Attacker obtains a valid TFO cookie 2. Forges SYNs with 64KB of data + spoofed IP 3. Server allocates 64KB × number of SYNs in RAM 4. Memory exhaustion → Server crash SAFE FOR : If properly configured: • Limited queue (64) • Monitoring active • Rate limiting in place NOT SAFE IF : If misconfigured: • Huge queue (1024+) • No rate limiting • Undersized server IS TFO DANGEROUS ?

30. Good to know Cloudflare Q4 2024 DDoS Report: "99.7% of

    DDoS attacks are volumetric Layer 3/4 attacks (SYN floods, UDP floods, etc.). Sophisticated application-layer attacks exploiting protocol features like TFO remain extremely rare (<0.1%). " Source : https://blog.cloudflare.com/ddos-threat-report-2024-q4/ Akamai State of the Internet Report 2024 : "TCP Fast Open exploitation has not been observed in the wild at scale. Traditional SYN floods and reflection attacks remain the primary DDoS vectors. » Source : https://www.akamai.com/resources/state-of-the-internet-reports "The security considerations are similar to those of SYN cookies. While TFO increases the potential payload of a SYN flood attack, practical mitigations (limited queue size, rate limiting) make this a manageable risk. » Source : https://datatracker.ietf.org/doc/html /rfc7413#section-6 IETF RFC 7413 (TFO)

31. With all the tweaks… WITHOUT OPTIMIZATION TLS 1.2 6 RTT

    • RTT 1: [TCP SYN/SYN-ACK/ACK] • RTT 2: [TLS ClientHello] • RTT 3: [TLS rest if the handshake] • RTT 4: [OCSP check part 1] • RTT 5: [OCSP check part 2] • RTT 6: [HTTP GET /] 600ms WITH OPTIMIZATION 2 RTT • RTT 1: [TCP SYN+TFO + TLS 1.3 + OCSP stapled] • RTT 2: [HTTP GET /] FIRST CONNECTION - 100ms LATENCY 200ms SESSION RESUMPTION TLS 1.2 3 RTT • RTT 1: [TCP SYN/SYN-ACK/ACK] • RTT 2: [TLS abbreviated handshake] • RTT 3: [HTTP GET /] 300ms TLS 1.3 + TFO + 0-RTT 1 RTT • RTT 1: [Tout en un : TFO + 0-RTT + HTTP GET] RECONNECTION - 100ms LATENCY 100ms -400ms (-66%) -200ms (-66%)

32. IP NETWORK LAYER LEVEL 3 TLS APPLICATION LAYER LEVEL 7

    HTTPS :443 SESSION / PRESENTATION LAYER LEVEL 5-6 TCP TRANSPORT LAYER LEVEL 4

33. Can we do better?

34. None

35. HTTP/3 and QUIC

36. The Web Protocol Revolution HTTP/2 HTTP/1.1 HTTP/3 1997 2015 2022

    Head-of-Line Blocking • HTTP/2: multiplexing at HTTP level • But underlying TCP blocks everything if 1 packet is lost • All streams wait for retransmission Slow handshake • TCP handshake (1 RTT) • TLS handshake (1-2 RTT) = 2-3 RTT before sending data Not designed for mobility • WiFi → 4G switch: new TCP connection • All state lost

37. The Web Protocol Revolution HTTP/2 HTTP/1.1 1997 2015 2022 Head-of-Line

    Blocking • HTTP/2: multiplexing at HTTP level • But underlying TCP blocks everything if 1 packet is lost • All streams wait for retransmission Slow handshake • TCP handshake (1 RTT) • TLS handshake (1-2 RTT) = 2-3 RTT before sending data Not designed for mobility • WiFi → 4G switch: new TCP connection • All state lost HTTP/3

38. What is QUIC (Quick UDP Internet Connections) IP TCP TLS

    1.3 HTTP/2 IP QUIC (embeds TLS 1.3) HTTP/3 UDP Traditional stack Modern stack • TCP is in the kernel (hard to modify) • UDP is "dumb" but flexible • QUIC reimplements reliability in userspace. Enables innovation without kernel modifications Why UDP? • TLS 1.3 embedded (no separate layer) • Multiplexing without HOL blocking • Native and secure 0-RTT • Connection migration (IP/port change) • Continuous improvements possible Key features

39. Head-of-Line Blocking – Problem solved HTTP/2 over TCP: The Problem

    Concrete example with Drupal: Loading a Drupal page with 40 assets • 1 packet lost on app.js (1% loss) • All other assets (CSS, images, JSON) blocked • Total latency: +200ms for ALL files HTTP/3 over QUIC: The Solution Result: • 1% packet loss (typical WiFi/4G) • HTTP/2: -20% performance • HTTP/3: -1% performance (only affected stream) Gain for Drupal: 15-40% faster on unstable mobile networks

40. Connection Migration - Mobility The TCP Problem The QUIC Solution

    Drupal use cases: • Webform forms being filled • Admin sessions while moving • Media uploads (guaranteed continuity) • REST/JSON:API on mobile Gain: Smooth user experience, no "connection lost"

41. Support and Adoption Top 1000 sites (2025 stats): • 60%

    support HTTP/3 • 85% via CDN (Cloudflare, Fastly, etc.) • 15% directly on their origin Drupal specifically: • Drupal.org: HTTP/3 active (Fastly) • Acquia Cloud: HTTP/3 available • Platform.sh/Upsun: HTTP/3 supported The time is NOW to enable HTTP/3!

42. The Alt-Svc Header - HTTP/3 Discovery The browser learns: •

    "This server supports HTTP/3 » • "It's listening on UDP port 443 » • "I can use HTTP/3 for 24h (ma=max-age)" QUIC HTTP/2 Over TCP HTTP/2 200 OK Alte-Svc: h3 … HTTP/3 (QUIC over UDP)

43. Configuration example

44. Limitations and considerations Load Balancing UDP load balancing ≠ TCP

    load balancing Potential issues: • More complex sticky sessions • ECMP can misroute UDP • Connection ID must be routed correctly Solutions: • Use QUIC-aware LB (HAProxy 2.6+, Nginx Plus…) • OR disable HTTP/3 behind classic LB Some firewalls block UDP Enterprise / restrictive networks: • UDP port 443 blocked • Only TCP allowed Solution: Automatic fallback to HTTP/2 (that's why we keep "listen 443 ssl http2") More complex debugging Traditional tools (tcpdump, Wireshark): • HTTP/2: easy to capture (TCP) • HTTP/3: encrypted UDP traffic, harder Solution: Use qlog (standardized QUIC logs) CPU/RAM consumption • HTTP/2: Light (TCP managed by kernel) • HTTP/3: Heavier (QUIC in userspace) Impact on Drupal server: • +10-20% CPU for QUIC • +50-100MB RAM per nginx process Mitigation: Adjust worker_processes

45. Take away https://www.debugbear.com/blog/http3-quic-protocol-guide

46. Take away TLS/HTTP Optimization Stack by Priority # Optimization Impact

    Difficulty Priority 1 TLS 1.3 Easy CRITICAL 2 OCSP Stapling Easy CRITICAL 3 HTTP/2 Easy HIGH 4 Session Resumption Easy HIGH 5 TCP Fast Open Medium MEDIUM 6 HTTP/3 (QUIC) Medium MEDIUM 7 BBR Medium LOW

47. Use a CDN, it’s simpler! (secret reveal)

48. 49 DANKE