April 2015: HTTP/2 and QUIC meet mobile

For many years, Internet web content has used Hypertext Transfer Protocol version 1.1 (HTTP/1.1), running on the Transmission Control Protocol (TCP). HTTP/1.1 was published by the Internet Engineering Task Force (IETF) in 1997 and has been the work-horse for the web for many years. However, because the size and complexity of web-sites have increased tremendously since 1997, HTTP/1.1 creates a bottleneck for performance and is being replaced with HTTP/2.

The HTTP/2 standard is derived from the SPDY technology that was invented by Google. While HTTP/2 brings many desirable features, its extensive use of encryption was hotly debated during the standardization process. Generally, over-the-top (OTT) Internet service providers are in favor of end-to-end encryption. Telecom service providers have been largely unsuccessful in promoting the notion of trusted forward proxies (TFP), which would enable encrypted traffic to be terminated and decrypted within their networks. From a technical standpoint, TFPs can be used by service providers to interrogate network traffic. However, TFP implementations would require that service providers have access to the security certificates used for encrypting the network traffic. We believe that universal access to these certificates can only be enabled if required by regulators.

Although end-to-end encryption is not mandated for HTTP/2, it will be widely adopted for mobile services, with far-reaching implications for service providers and their technology vendors. In particular, encrypted traffic cannot be interrogated using conventional deep packet inspection (DPI) solutions offered by companies like Allot, Citrix and Sandvine. In response, these players and other infrastructure vendors like Cisco, Ericsson, Huawei and Nokia are developing alternative techniques for traffic interrogation, such as:

  • Analysis of IP header information to identify the destination addresses of IP traffic. This approach will be commonly used for HTTP/2, but is not effective in cases where HTTP/2-enabled devices are connecting through a proxy to HTTP/1.0 webservers.
  • Heuristics that attempt to decipher the traffic characteristics from notable features. Examples of these features include the payload volume and traffic distribution, which can be used in conjunction with IP header information to interpret the likely traffic type.
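To make the two approaches above concrete, here is an added example (not code from the original article or from any vendor it names) of a minimal flow classifier that first tries a destination-address lookup and, when the destination is a proxy that hides the origin server, falls back to the heuristics the text mentions: downlink/uplink volume asymmetry and the distribution of packet sizes. The addresses, lookup tables and flow records are constructed for illustration; the thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from math import log2

# Constructed lookup tables (RFC 5737 documentation addresses, not real hosts).
KNOWN_DESTINATIONS = {"203.0.113.10": "video-cdn", "203.0.113.20": "messaging"}
PROXY_ADDRESSES = {"198.51.100.5"}  # forward proxy: destination reveals nothing

@dataclass
class Flow:
    dst_ip: str
    up_bytes: int            # bytes sent by the device
    down_bytes: int          # bytes received by the device
    pkt_sizes: list = field(default_factory=list)  # downstream packet sizes

def size_entropy(sizes):
    """Shannon entropy (bits) of packet sizes bucketed into 100-byte bins.
    Streaming is dominated by full-size packets (low entropy); interactive
    traffic mixes many sizes (high entropy)."""
    if not sizes:
        return 0.0
    counts = Counter(s // 100 for s in sizes)
    n = len(sizes)
    return -sum(c / n * log2(c / n) for c in counts.values())

def classify(flow):
    """Return (label, basis): header lookup first, heuristics as fallback."""
    # A proxy address is useless as a header signal, so skip the lookup.
    if flow.dst_ip not in PROXY_ADDRESSES and flow.dst_ip in KNOWN_DESTINATIONS:
        return KNOWN_DESTINATIONS[flow.dst_ip], "header"
    ratio = flow.down_bytes / max(flow.up_bytes, 1)   # downlink/uplink asymmetry
    entropy = size_entropy(flow.pkt_sizes)
    if flow.down_bytes > 1_000_000 and ratio > 10 and entropy < 1.0:
        return "streaming/bulk-download", "heuristic"
    if flow.down_bytes < 50_000 and ratio < 3 and entropy > 1.5:
        return "interactive/messaging", "heuristic"
    return "unknown", "heuristic"

# Constructed sample flows: one to a known CDN, two through the proxy.
SAMPLE_FLOWS = {
    "cdn":   Flow("203.0.113.10", 30_000, 2_500_000, [1400] * 40),
    "video": Flow("198.51.100.5", 20_000, 4_000_000, [1400] * 50 + [1200] * 2),
    "chat":  Flow("198.51.100.5", 8_000, 12_000, [80, 250, 1200, 60, 400, 900, 150, 1100]),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, classify(flow))
```

Note that the heuristic labels are coarse guesses from metadata only; nothing in the encrypted payload is read, which is exactly why the article calls these approaches less reliable than DPI.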

Conventional content optimization techniques cannot be used for encrypted traffic. As a result, several alternatives have been proposed and in some cases adopted. Notable examples include:

  • Adaptive bit rate (ABR) coding for video content, such as MPEG-DASH, which has been adopted by 3GPP in Release 10. It simultaneously encodes the video at multiple rates, so that the receiving device can switch between rates depending on resource availability and performance.
  • TCP optimization which is provided by a variety of companies including F5 and Flash Networks. Essentially TCP optimization uses modified management structures that conform to the TCP standards and optimize performance specifically for mobile networks.
  • TCP header modifications have been proposed to the IETF in a joint submission by Nokia and Google. In their proposal, Nokia and Google recommend that radio link information be embedded in the TCP header and regularly updated so that it can be interrogated by services and applications for optimization purposes.

Security appliances that vet traffic are deployed in mobile networks for a variety of purposes, such as parental control. When network traffic is encrypted, the capabilities of these appliances are significantly compromised. For example, when parental control solutions cannot directly interrogate encrypted traffic they have to rely on the interpretation of IP header information and other heuristics, which are less reliable.

In recent years researchers have developed and refined homomorphic encryption techniques that essentially enable encrypted content to be interrogated without the need for it to be decrypted first. While these techniques show significant promise for the future and are particularly useful as service and network environments become increasingly virtualized, several challenges need to be overcome for their practical implementation, most notably their computational requirements.

While the migration to HTTP/2 will disrupt mobile ecosystems, we believe that it will create opportunities for technology vendors and act as a catalyst for positive change in the following areas:

  • Opportunities for technology vendors to deliver innovative service management and content optimization solutions. Notable solutions include TCP optimization and new packet inspection techniques that analyze the IP header information and use heuristics to investigate traffic payloads.
  • A refined definition of the network edge. Since encrypted HTTP/2 tunnels generally span between application (or proxy) servers and end-point devices, we believe that there will be a growing need to include the end-point devices as part of the network edge. This is a concept that Tolaga has been promoting for several years and believes is important in delivering reliable and efficient services in the future. It recognizes the need for service personalization, the impact of virtualization and recognition of the tremendous compute, memory and I/O performance that can be localized and orchestrated in end-point devices.
  • Constructive partnerships between OTT and network service providers. It is clear that as the mobile industry matures, constructive partnerships between OTT and network service providers are needed. Many network service providers are naturally apprehensive towards OTT partnerships because they fear it will negatively impact their market value propositions. We believe that technologies like HTTP/2 will necessitate these partnerships and assist network service providers in identifying transformation strategies that deliver sustained value.

In the longer term, we believe that homomorphic encryption techniques show tremendous promise as a potential replacement for other techniques such as TLS/SSL, because they enable the interrogation of encrypted data. This is particularly the case with the proliferation of virtualized application and network environments, which increasingly require the querying and analysis of encrypted data without creating Man-In-The-Middle (MITM) security threats.

Although operational automation is inevitable and necessary for the success of the mobile industry, it is human rather than technology factors that will determine its rate and manner of adoption. Service providers and technology vendors must pay careful attention to these human factors as they forge a path towards an automated future.