IP, TCP, and HTTP--reference
IP, TCP, and HTTP
When an app communicates with a server, more often than not, that communication happens over HTTP. HTTP was developed for web browsers: when you enter http://www.objc.io into your browser, the browser talks to the server named www.objc.io using HTTP.
HTTP is an application protocol running at the application layer. There are several protocols layered on top of each other. The stack of layers is often depicted like this:
Application Layer -- e.g. HTTP
----
Transport Layer -- e.g. TCP
----
Internet Layer -- e.g. IP
----
Link Layer -- e.g. IEEE 802.2
The so-called OSI (Open Systems Interconnection) model defines seven layers. We’ll take a look at the application, transport, and Internet layers for the typical HTTP usage: HTTP, TCP, and IP. The layers below IP are the data link and physical layers. These are the layers that, e.g. implement Ethernet (Ethernet has a data link part and a physical part).
We will only look at the application, transport, and Internet layers, and in fact only look at one particular combination: HTTP running on top of TCP, which in turn runs on top of IP. This is the typical setup most of us use for our apps, day in and day out.
We hope that this will give you a more detailed understanding of how HTTP works under the hood, as well as what some common problems are, and how you can avoid them.
There are other ways than HTTP to send data through the Internet. One reason that HTTP has become so popular is that it will almost always work, even when the machine is behind a firewall.
Let’s start out at the lowest layer and take a look at IP, the Internet Protocol.
IP — Internet Protocol
The IP in TCP/IP is short for Internet Protocol. As the name suggests, it is one of the fundamental protocols of the Internet.
IP implements packet-switched networking. It has a concept of hosts which are machines. The IP protocol specifies how datagrams (packets) are sent between these hosts.
A packet is a chunk of binary data that has a source host and a destination host. An IP network will then simply transmit the packet from the source to the destination. One important aspect of IP is that packets are delivered using best effort. A packet may be lost along the way and never reach the destination. Or it may get duplicated and arrive multiple times at the destination.
Each host in an IP network has an address – the so-called IP address. Each packet contains the source and destination hosts’ addresses. The IP is responsible for routing datagrams: as the IP packet travels through the network, each node (host) that it travels through looks at the destination address in the packet to figure out in which direction the packet should be forwarded.
Today, most packages are still IPv4 (Internet Protocol version 4), where each IPv4 address is 32 bits long. They’re most often written in dotted-decimal notation, like so: 198.51.100.42
The newer IPv6 standard is slowly gaining traction. It has an address space: its addresses are 128 bits long. This allows for easier routing as the packets travel through the network. And since there are more available addresses, tricks such asnetwork address translation are no longer necessary. IPv6 addresses are represented in the hexadecimal system and divided into eight groups separated by colons, e.g. 2001:0db8:85a3:0042:1000:8a2e:0370:7334
.
The IP Header
An IP packet consists of a header and a payload.
The payload contains the actual data to be transmitted, while the header is metadata.
IPv4 Header
An IPv4 header looks like this:
IPv4 Header Format
Offsets Octet 0 1 2 3
Octet Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31|
0 0 |Version |IHL |DSCP |ECN |Total Length |
4 32 |Identification |Flags |Fragment Offset |
8 64 |Time To Live |Protocol |Header Checksum |
12 96 |Source IP Address |
16 128 |Destination IP Address |
20 160 |Options (if IHL > 5) |
The header is 20 bytes long (without options, which are rarely used).
The most interesting parts of the header are the source and destination IP addresses. Aside from that, the version field will be set to 4 – it’s IPv4. And theprotocol field specified which protocol the payload is using. TCP’s protocol number is 6. The total length field specified is the length of the entire packet – header plus payload.
Check Wikipedia’s article on IPv4 for all the details about the header and its fields.
IPv6 Header
IPv6 uses addresses that are 128 bits long. The IPv6 header looks like this:
Offsets Octet 0 1 2 3
Octet Bit 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31|
0 0 |Version |Traffic Class |Flow Label |
4 32 |Payload Length |Next Header |Hop Limit |
8 64 |Source Address |
12 96 | |
16 128 | |
20 160 | |
24 192 |Destination Address |
28 224 | |
32 256 | |
36 288 | |
The IPv6 header has a fixed length of 40 bytes. It’s a lot simpler than IPv4 – a few lessons were learned in the years that have passed since IPv4.
The source and destination addresses are again the most interesting fields. In IPv6 the next header field specifies what data follows the header. IPv6 allows chaining of headers inside the packet. Each subsequent IPv6 header will also have a next headerfield until the actual payload is reached. When the next header field, for example, is 6 (TCP’s protocol number), the rest of the packet will be TCP data.
Again: Wikipedia’s article on IPv6 packets has a lot more detail.
Fragmentation
In IPv4, packets (datagrams) can get fragmented. The underlying transport layer will have an upper limit to the length of packet it can support. In IPv4, a router may fragment a packet if it gets routed onto an underlying data link for which the packet would otherwise be too big. These packets will then get reassembled at the destination host.
In IPv6, a router will drop the packet and send back a Packet Too Big message to the sender. The end points use this to figure out what the so-called maximum transfer unit (MTU) is. Only when the minimum payload size is too big for that MTU will IPv6 use fragmentation.
TCP — Transmission Control Protocol
One of the most common protocols to run on top of IP is, by far, TCP. It’s so common that the entire suite of protocols is often referred to as TCP/IP.
The IP protocol allows for sending single packets (datagrams) between two hosts. Packets are delivered best effort and may: reach the destination in a different order than the one in which they were sent, reach the destination multiple times, or never reach the destination at all.
TCP is built on top of IP. The Transmission Control Protocol provides reliable, ordered, error-checked delivery of a stream of data between programs. With TCP, an application running on one device can send data to an application on another device and be sure that the data arrives there in the same way that it was sent. This may seem trivial, but it’s really a stark contrast to how the raw IP layer works.
With TCP, applications establish connections between each other. A TCP connection is duplex and allows data to flow in both directions. The applications on either end do not have to worry about the data being split up into packets, or the fact that the packet transport is best effort. TCP guarantees that the data will arrive at the other end in pristine condition.
A typical use case of TCP is HTTP. Our web browser (application 1) connects to a web server (application 2). Once the connection is made, the browser can send a request through the connection, and the web server can send a response back through the same connection.
Multiple applications on the same host can use TCP simultaneously. To uniquely identify an application, TCP has a concept of ports. A connection between two applications has a source IP address and a source port on one end, and a destination IP address and a destination port at the other end. This pair of addresses, plus a port for either end, uniquely identifies the connection.
A web server using HTTPS will listen on port 443. The browser will use a so-calledephemeral port as the source port and then use TCP to establish a connection between the two address-port pairs.
TCP runs unmodified on top of both IPv4 and IPv6. The Protocol (IPv4) or Next Header(IPv6) field will be set to 6, which is the protocol number for TCP.
TCP Segments
The data stream that flows between hosts is cut up into chunks, which are turned into TCP segments. The TPC segment then becomes the payload of an IP packet.
Each TCP segment has a header and a payload. The payload is the actual data chunk to be transmitted. The TCP segment header first and foremost contains the source and destination port number – the source and destination addresses are already present in the IP header.
The header also contains sequence and acknowledgement numbers and quite a few other fields which are all used by TCP to manage the connection.
We’ll go into more detail about sequence number in a bit. It’s basically a mechanism to give each segment a unique number. The first segment has a random number, e.g. 1721092979, and subsequent segments increase this number by 1: 1721092980, 1721092981, and so on. The acknowledgement numbers allow the other end to communicate back to the sender regarding which segments it has received so far. Since TCP is duplex, this happens in both directions.
TCP Connections
Connection management is a central component of TCP. The protocol needs to pull a lot of tricks to hide the complexities of the unreliable IP layer. We’ll take a quick look at connection setup, the actual data flow, and connection termination.
The state transitions that a connection can go through are quite complex (c.f. TCP state diagram). But in most cases, things are relatively simple.
Connection Setup
In TCP, a connection is always established from one host to another. Hence, there are two different roles in connection setup: one end (e.g. the web server) is listening for connections, while the other end (e.g. our app) connects to the listening application (e.g. the web server). The server performs a so-called passive open – it starts listening. The client performs a so-called active open toward the server.
Connection setup happens through a three-way handshake. It works like this:
- The client sends a SYN to the server with a random sequence number,
A
- The server replies with a SYN-ACK with an acknowledgment number of
A+1
and a random sequence number,B
- The client sends an ACK to the server with an acknowledgement number of
B+1
and a sequence number ofA+1
SYN is short for synchronize sequence numbers. Once data flows between both ends, each TCP segment has a sequence number. This is how TCP makes sure that all parts arrive at the other end, and that they’re put together in the right order. Before communication can start, both ends need to synchronize the sequence number of the first segments.
ACK is short for acknowledgment. When a segment arrives at one of the ends, that end will acknowledge the receipt of that segment by sending an acknowledgment for the sequence number of the received segment.
If we run´:
curl -4 http://www.apple.com/contact/
this will cause curl
to create a TCP connection to www.apple.com on port 80.
The server www.apple.com / 23.63.125.15 is listening on port 80. Our own address in the output is 10.0.1.6
, and our ephemeral port is 52181
(this is a random, available port). The output from tcpdump(1)
for the three-way handshake looks like this:
% sudo tcpdump -c 3 -i en3 -nS host 23.63.125.15
18:31:29.140787 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [S], seq 1721092979, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 743929763 ecr 0,sackOK,eol], length 0
18:31:29.150866 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [S.], seq 673593777, ack 1721092980, win 14480, options [mss 1460,sackOK,TS val 1433256622 ecr 743929763,nop,wscale 1], length 0
18:31:29.150908 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673593778, win 8235, options [nop,nop,TS val 743929773 ecr 1433256622], length 0
That’s a lot of information right there. Let’s step through this bit by bit.
On the very left-hand side we see the system time. This was run in the evening at 18:31. Next, IP
tells us that these are IP packets.
Next we see 10.0.1.6.52181 > 23.63.125.15.80
. This is the source and destination address-port pair. The first and third lines are from the client to the server, the second from the server to the client. tcpdump
will simply append the port number to the IP address. 10.0.1.6.52181
means IP address 10.0.1.6, port 52181.
The Flags
are flags in the TCP segment header: S
for SYN, .
for ACK, P
for PUSH, and F
for FIN. There are a few more we won’t see here. Note how these three lines have SYN, then SYN-ACK, then ACK: this is the three-way handshake.
The first line shows the client sending the random sequence number 1721092979 (A) to the server. The second line shows the server sending an acknowledgement for 1721092980 (A+1) and its random sequence number 673593777 (B). Finally, the third line shows the client acknowledging 673593778 (B+1).
Options
Another thing that happens during connection setup is for both ends to exchange additional options. In the first line, we see the client sending:
[mss 1460,nop,wscale 4,nop,nop,TS val 743929763 ecr 0,sackOK,eol]
and on the second line, the server is sending:
[mss 1460,sackOK,TS val 1433256622 ecr 743929763,nop,wscale 1]
The TS val
/ ecr
are used by TCP to estimate the round-trip time (RTT). The TS val
part is the time stamp of the sender, and the (ecr
) is the timestamp echo reply, which is (generally) the last timestamp that the sender has received so far. TCP uses the round-trip time for its congestion-control algorithms.
Both ends are sending sackOK
. This will enable Selective Acknowledgement. It switches the sequence numbers and acknowledgment number to use byte range instead of TCP segment numbers. And it then allows both ends to acknowledge receipt by byte range. This is outlined in section 3 of RFC 2018.
The mss
option specified the Maximum Segment Size, which is the maximum number of bytes that this end is willing to receive in a single segment. wscale
is the window scale factor that we’ll talk about in a bit.
Connection Data Flow
When the connection is created, both ends can send data to the other end. Each segment that is sent has a sequence number one larger than the previous segment. The receiving end will acknowledge packets as they are received by sending back segments with the corresponding ACK.
In theory this may looks like:
host A sends segment with seq 0
host A sends segment with seq 1
host A sends segment with seq 2 host B sends segment with ack 0
host A sends segment with seq 3 host B sends segment with ack 1
host B sends segment with ack 2
host B sends segment with ack 3
This mechanism happens in both directions. Host A will keep sending packets. As they arrive at host B, host B will send acknowledgements for these packets back to host A. But host A will keep sending packets without waiting for host B to acknowledge them.
TCP incorporates flow control and a lot of sophisticated mechanisms for congestion control. These are all about figuring out (A) if segments got lost and need to be retransmitted, and (B) if the rate at which segments are sent needs to be adjusted.
Flow control is about making sure that the sending side doesn’t send data faster than the receiver (at either end) can process it. The receiver sends a so-called receive window, which tells the sender how much more data the receiver can buffer. There are some subtle details we’ll skip, but in the above tcpdump
output, we see a win 65535
and a wscale 4
. The first is the window size, the latter a scale factor. As a result, the host at 10.0.1.6
says it has a receive window of 4·64 kB = 256 kB and the the host at 23.63.125.15
advertises win 14480
and wscale 1
i.e. roughly 14 kB. As either side receives data, it will send an updated receive window to the other end.
Congestion control is quite complex. The various mechanisms are all about figuring out at which rate data can be sent through the network. It’s a very delicate balance. On one hand, there’s the obvious desire to send data as fast as possible, but on the other hand, the performance will collapse dramatically when sending too much data. This is called congestive collapse and it’s a property inherent to packet-switched networks. When too many packets are sent, packets will collide with other packets and the packet loss rate will climb dramatically.
The congestion control mechanisms need to also make sure that they play well with other flows. Today’s congestion control mechanisms in TCP are outlined in detail in about 6,000 words in RFC 5681. The basic idea is that the sender side looks at the acknowledgments it gets back. This is a very tricky business and there are various tradeoffs to be made. Remember that the underlying IP packets can arrive out of order, not at all, or twice. The sender needs to estimate what the round-trip time is and use that to figure out if it should have received an acknowledgement already. Retransmitting packets is obviously costly, but not retransmitting causes the connection to stall for a while, and the load on the network is likely to be very dynamic. The TCP algorithms need to constantly adapt to the current situation.
The important thing to note is that a TCP connection is a very lively and flexible thing. Aside from the actual data flow, both ends constantly send hints and updates back and forth to continuously fine-tune the connection.
Because of this tuning, TCP connections that are short-lived can be very inefficient. When a connection is first created, the TCP algorithms still don’t know what the conditions of the network are. And toward the end of the connection lifetime, there’s less information flowing back to the sender, which therefore has a harder time estimating how things are moving along.
Above, we saw the first three segments between the client and the server. If we look at the remainder of the connection, it looks like this:
18:31:29.150955 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [P.], seq 1721092980:1721093065, ack 673593778, win 8235, options [nop,nop,TS val 743929773 ecr 1433256622], length 85
18:31:29.161213 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], ack 1721093065, win 7240, options [nop,nop,TS val 1433256633 ecr 743929773], length 0
The client at 10.0.1.6
sends the first segment with data length 85
(the HTTP request, 85 bytes). The ACK number is left at the same value, because no data has been received from the other end since the last segment.
The server at 23.63.125.15
then acknowledges the receipt of that data (but doesn’t send any data): length 0
. Since the connection is using Selective acknowledgments, the sequence number and acknowledgment numbers are byte ranges: 1721092980 to 1721093065 is 85 bytes. When the other end sends ack 1721093065
, that means: I have everything up to byte 1721093065.
This continues until all data has been sent:
18:31:29.189335 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673593778:673595226, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190280 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673595226:673596674, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190350 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673596674, win 8101, options [nop,nop,TS val 743929811 ecr 1433256660], length 0
18:31:29.190597 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673596674:673598122, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190601 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673598122:673599570, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190614 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673599570:673601018, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190616 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673601018:673602466, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190617 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673602466:673603914, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190619 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673603914:673605362, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190621 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673605362:673606810, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.190679 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673599570, win 8011, options [nop,nop,TS val 743929812 ecr 1433256660], length 0
18:31:29.190683 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673602466, win 7830, options [nop,nop,TS val 743929812 ecr 1433256660], length 0
18:31:29.190688 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673605362, win 7830, options [nop,nop,TS val 743929812 ecr 1433256660], length 0
18:31:29.190703 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673605362, win 8192, options [nop,nop,TS val 743929812 ecr 1433256660], length 0
18:31:29.190743 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673606810, win 8192, options [nop,nop,TS val 743929812 ecr 1433256660], length 0
18:31:29.190870 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [.], seq 673606810:673608258, ack 1721093065, win 7240, options [nop,nop,TS val 1433256660 ecr 743929773], length 1448
18:31:29.198582 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [P.], seq 673608258:673608401, ack 1721093065, win 7240, options [nop,nop,TS val 1433256670 ecr 743929811], length 143
18:31:29.198672 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673608401, win 8183, options [nop,nop,TS val 743929819 ecr 1433256660], length 0
Connection Termination
Finally the connection is torn down (or terminated). Each end will send a FIN flag to the other end to tell it that it’s done sending. This FIN is then acknowledged. When both ends have sent their FIN flags and they have been acknowledged, the connection is fully closed:
18:31:29.199029 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [F.], seq 1721093065, ack 673608401, win 8192, options [nop,nop,TS val 743929819 ecr 1433256660], length 0
18:31:29.208416 IP 23.63.125.15.80 > 10.0.1.6.52181: Flags [F.], seq 673608401, ack 1721093066, win 7240, options [nop,nop,TS val 1433256680 ecr 743929819], length 0
18:31:29.208493 IP 10.0.1.6.52181 > 23.63.125.15.80: Flags [.], ack 673608402, win 8192, options [nop,nop,TS val 743929828 ecr 1433256680], length 0
Note how on the second line, 23.63.125.15
sends its FIN, and at the same time acknowledges the other end’s FIN with an ACK (dot), all in a single segment.
HTTP — Hypertext Transfer Protocol
The World Wide Web of interlinked hypertext documents and a browser to browse this web started as an idea set forward in 1989 at CERN. The protocol to be used for data communication was the Hypertext Transfer Protocol, or HTTP. Today’s version isHTTP/1.1, which is defined in RFC 2616.
Request and Response
HTTP uses a simple request and response mechanism. When we enter http://www.apple.com/ into Safari, it send an HTTP request to the server atwww.apple.com
. The server in turn sends back a (single) response which contains the document that was requested.
There’s always a single request and a single response. And both requests and responses follow the same format. The first line is the request line (request) or status line (response). This line is followed by headers. The headers end with an empty line. After that, an empty line follows the optional message body.
A Simple Request
When Safari loads the HTML for http://www.objc.io/about.html, it sends an HTTP request to www.objc.io
with the following content:
GET /about.html HTTP/1.1
Host: www.objc.io
Accept-Encoding: gzip, deflate
Connection: keep-alive
If-None-Match: "a54907f38b306fe3ae4f32c003ddd507"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
If-Modified-Since: Mon, 10 Feb 2014 18:08:48 GMT
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9
Referer: http://www.objc.io/
DNT: 1
Accept-Language: en-us
The first line is the request line. It specifies the desired action: GET
. This is called the HTTP method. Next up the path of the resources that this action is supposed to be made on: /about.html
, and finally the HTTP version. In this case, we want to getthe document.
Next, we have 10 lines with 10 HTTP headers. These are followed by an empty line. There’s no message body in this request.
The headers have very varying purposes. They convey additional information to the web server. Wikipedia has a nice list of common HTTP header fields. The first Host: www.objc.io
header tells the server what server name the request is meant for. This mandatory request header allows the same physical server to serve multiple domain names.
Let’s look at a few common ones:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
This tells the server what media type Safari would like to receive. A server may be able to send a response in various formats. The text/html
strings are Internet media types, sometimes also known as MIME types or Content-types. The q=0.9
allows Safari to convey a quality factor which it associates with the given media types.Accept-Language
tells the server which languages Safari would prefer. Again, this lets the server pick the matching languages, if available.
Accept-Encoding: gzip, deflate
With this header, Safari tells the server that the response body can be sent compressed. If this header is not set, the server must send the data uncompressed. Particularly for text (such as HTML), compression rates can dramatically reduce the amount of data that has to be sent.
If-Modified-Since: Mon, 10 Feb 2014 18:08:48 GMT
If-None-Match: "a54907f38b306fe3ae4f32c003ddd507"
These two are due to the fact that Safari already has the resulting document in its cache. Safari tells the server only to send it if it has either changed since February 10, or if its so-called ETag doesn’t match a54907f38b306fe3ae4f32c003ddd507
.
The User-Agent
header tells the server what kind of client is making the request.
A Simple Response
In response to the above, the server responds with:
HTTP/1.1 304 Not Modified
Connection: keep-alive
Date: Mon, 03 Mar 2014 21:09:45 GMT
Cache-Control: max-age=3600
ETag: "a54907f38b306fe3ae4f32c003ddd507"
Last-Modified: Mon, 10 Feb 2014 18:08:48 GMT
Age: 6
X-Cache: Hit from cloudfront
Via: 1.1 eb67cb25620df959ba21a943fbc49ef6.cloudfront.net (CloudFront)
X-Amz-Cf-Id: dDSBgR86EKBemW6el-pBI9kAnuYJEaPQYEqGmBnilD12CbixCuZYVQ==
The first line is the so-called status line. It contains the HTTP version, followed by astatus code (304) and a status message.
HTTP defines a list of status codes and their meanings. In this case, we’re receiving304, which means that the resource we requested hasn’t been modified.
The response doesn’t contain any body message. It simply tells the receiver: Your version is up to date.
Caching Turned Off
Let’s do another request with curl
:
% curl http://www.apple.com/hotnews/ > /dev/null
curl
doesn’t use a local cache. The entire request will now look like this:
GET /hotnews/ HTTP/1.1
User-Agent: curl/7.30.0
Host: www.apple.com
Accept: */*
This is quite similar to what Safari was requesting. This time, there’s no If-None-Match
header and the server will have to send the document.
Note how curl
announces that it will accept any kind of media format: (Accept: */*
).
The response from www.apple.com looks like this:
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=424
Expires: Mon, 03 Mar 2014 21:57:55 GMT
Date: Mon, 03 Mar 2014 21:50:51 GMT
Content-Length: 12342
Connection: keep-alive
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
<head>
<meta charset="utf-8" />
and continues on for quite a while. It now has a response body which contains the HTML document.
The response from Apple’s server contains a status code of 200, which is the standard response for successful HTTP requests.
Apple’s server also tells us that the response’s media type is text/html; charset=UTF-8
. The Content-Length: 12342
tells us what the length of the message body is.
HTTPS — HTTP Secure
Transport Layer Security is a cryptographic protocol that runs on top of TCP. It allows for two things: both ends can verify the identity of the other end, and the data sent between both ends is encrypted. Using HTTP on top of TLS gives you HTTP Secure, or simply, HTTPS.
Simply using HTTPS instead of HTTP will give you a huge improvement in security. There are some additional steps that you may want to take, though, both of which will additionally improve the security of your communication.
TSL 1.2
You should set the TLSMinimumSupportedProtocol
to kTLSProtocol12
to requireTLS version 1.2 if your server supports that. This will make man-in-the-middle attacks more difficult.
Certificate Pinning
There’s little point in the data we send being encrypted if we can’t be certain that the other end we’re talking to is actually who we think it is. The server’s certificate tells us who the server is. Only allowing a connection to a very specific certificate is calledcertificate pinning.
When a client makes a connection over TLS to a server, the operating system will decide if it thinks the server’s certificate is valid. There are a few ways this can be circumvented, most notably by installing certificates onto the iOS device and marking them as trusted. Once that’s been done, it’s trivial to perform a man-in-the-middle attack against your app.
To prevent this from happening (or at least make it extremely difficult), we can use a method called certificate pinning. When then TLS connection is set up, we inspect the server’s certificate and check not only that it’s to be considered valid, but also that it is the certificate that we expect our server to have. This only works if we’re connecting to our own server and hence can coordinate an update to the server’s certificate with an update to the app.
To do this, we need to inspect the so-called server trust during connection. When anNSURLSession
creates a connection, the delegate receives a -URLSession:didReceiveChallenge:completionHandler:
call. The passedNSURLAuthenticationChallenge
has a protectionSpace
property, which is an instance of NSURLProtectionSpace
. This, in turn, has a serverTrust
property.
The serverTrust
is a SecTrustRef
object. The Security framework has various methods to query the SecTrustRef
object. The AFSecurityPolicy
from the AFNetworking project is a good starting point. As always, when you build your own security-related code, have someone review it carefully. You don’t want to have agoto fail;
bug in this part of your code.
Putting the Pieces Together
Now that we know a bit about how all the pieces (IP, TCP, and HTTP) work, there are a few things we can do and be aware of.
Efficiently Using Connections
There are two aspects of a TCP connection that are problematic: the initial setup, and the last few segments that are pushed across the connection.
Setup
The connection setup can be very time consuming. As mentioned above, TCP needs to do a three-way handshake. There’s not a lot of data that needs to be sent back and forth. But, particularly when on a mobile network, the time a packet takes to travel from one host (a user’s iPhone) to another host (a web server) can easily be around 250 ms – a quarter of a second. For a three-way handshake, we’ll often spend 750 ms just to establish the connection, before any payload data has been sent.
In the case of HTTPS, things are even more dramatic. With HTTPS we have HTTP running on top of TLS, which in turn runs on top of TCP. The TCP connection will still do its three-way handshake. Next up, the TLS layer does another three-way handshake. Roughly speaking, an HTTPS connection will thus take twice as long as a normal HTTP connection before sending any data . If the round-trip time is 500 ms (250 ms end-to-end), that adds up to 1.5 seconds.
This setup time is costly, regardless of if the connection will transfer a lot or just a small amount of data.
Another aspect of TCP affects connections on which we expect to transfer a larger amount of data. When sending segments into a network with unknown conditions, TCP needs to probe the network to determine the available capacity. In other words: it takes TCP a while to figure out how fast it can send data over the network. Only once it has figured this out can it send the data at the optimal speed. The algorithm that is used for this is called slow-start. On a side note, it’s worth pointing out that the slow-start algorithm doesn’t perform well on networks with poor data link layer transmission quality, as is often the case for wireless networks.
Tear Down
Another problem arises toward the end of the data transfer. When we do an HTTP request for a resource, the server will keep sending TCP segments to our host, and the host will respond with ACK messages as it receives the data. If a single packet is lost along the way, the server will not receive an ACK for that packet. It can therefore notice that the packet was lost and do what’s called a fast retransmit.
When a packet is lost, the following packet will cause the receiver to send an ACKidentical to the last ACK it sent. The receiver will hence receive a duplicate ACK. There are several network conditions that can cause a duplicate ACK even without packet loss. The sender therefore only performs a fast retransmit when it receives three duplicate ACKs.
The problem with this is at the end of the data transmission. When the sender stops sending segments, the receiver stops sending ACKs back. And there’s no way for the fast-retransmit algorithm to detect if a packet is lost within the last four segments being sent. On a typical network, that’s equivalent to 5.7 kB of data. Within the last 5.7 kB, the fast retransmit can’t do its job. If a packet is lost, TCP has to fall back to a more patient algorithm to detect packet loss. It’s not uncommon for a retransmit to take several seconds in such a case.
Keep-Alive and Pipelining
HTTP has two strategies to counter these problems. The simplest is called HTTP persistent connection, sometimes also known as keep-alive. HTTP will simply reuse the same TCP connection once a single request-response pair is done. In case of HTTPS, the same TLS connection will be re-used:
open connection
client sends HTTP request 1 ->
<- server sends HTTP response 1
client sends HTTP request 2 ->
<- server sends HTTP response 2
client sends HTTP request 3 ->
<- server sends HTTP response 3
close connection
The second step is to use HTTP pipelining, which allows the client to send multiple requests over the same connection without waiting for the response from previous requests. The requests can be sent in parallel with responses being received, but the responses are still sent back to the client in the order that the requests were sent – it’s still a first-in-first-out principle.
Slightly simplified, this would look like:
open connection
client sends HTTP request 1 ->
client sends HTTP request 2 ->
client sends HTTP request 3 ->
client sends HTTP request 4 ->
<- server sends HTTP response 1
<- server sends HTTP response 2
<- server sends HTTP response 3
<- server sends HTTP response 4
close connection
Note, however, that the server may start sending the response at any time, and doesn’t have to wait until all requests have been received.
With this, we’re able to use TCP in a more efficient way. We’re now only doing the handshake at the very beginning, and since we keep using the same connection, TCP can do a much better job of using the available bandwidth. The TCP congestion control algorithms will also do a much better job. Finally, the problem with the fast retransmit failing to work on the last four segments will only affect the last four segments of the entire connection, and not the last four segments of each request-response, as before.
The improvements of using HTTP pipelining can be quite dramatic over high-latency connections – which is what you have when your iPhone is not on Wi-Fi. In fact, there’s been some research that suggests that there’s no additional performance benefit to using SPDY over HTTP pipelining on mobile networks.
When communication with a server, RFC 2616 recommends using two connections when HTTP pipelining is enabled. According to these guidelines, this will result in the best response times and avoid congestion. There’s no performance benefit to additional connections.
Sadly, there are still some servers that don’t support pipelining. You should try to enable it, however, and check if your particular server does support it. Chances are, it does. But because some servers don’t, HTTP pipelining is turned off by default forNSURLSession
. Make sure to set HTTPShouldUsePipelining
to YES
on theNSURLSessionConfiguration
if you’re able to use pipelining.
Timeout
We have all used apps while being on a slow network. Many of these apps give up after a timeout, say 15 seconds. That is really bad app design. It’s probably good to give the user feedback and say, “Hey, your network seems to be slow. This may take some time.” But as long as there’s a connection, even if it’s bad, TCP ensure that the request will make it to the other end and that the response will make it back. It may just take a while.
Or look at it another way: If we’re on a slow network, the request-response round-trip time may take 17 seconds to complete. If we’re stopping after 15 seconds, the user will be unable to perform the desired action if he or she is patient. If the user is on a slow network, he or she will know that things will take a while (we’ll send a notification), and if the user is willing to be patient, we shouldn’t prevent him or her from using the app.
There’s a misconception that restarting the (HTTP) request will fix the problem. That is not the case. Again, TCP will resend those packets that need resending on its own.
The right approach is this: When we send off a URL request, we set a timer for 10 seconds. Once we get the response back, we invalidate the timer. If the timer fires before we get the response back, we’ll show some UI: “Please be patient, the network appears to be slow right now.” Depending on the app, we might want to give the user an option to cancel the action. But we shouldn’t make that decision for the user.
Caching
Note how in our first example, we send a:
If-None-Match: "a54907f38b306fe3ae4f32c003ddd507"
line to the server, letting it know that we already have a resource locally and only want the server to send the resource to us if it has a newer version. If you’re building your own communication with your server, try to make use of this mechanism. It can dramatically speed up communication if used correctly. The mechanism is calledHTTP ETag.
Going to extremes, remember: “The fastest request is the one never made.” When sending a request to a server, even on a very good network, requesting a small amount of data, and a very fast server, you’re unlikely to have a response back in less than 50 ms. And that’s just one request. If there’s a way for you to create that data locally in 50 ms or less, don’t make that request.
Cache resources locally whenever you think that they’ll stay valid for some time. Check the Expires
header or rely on the caching mechanisms of NSURLSession
by using the default NSURLRequestUseProtocolCachePolicy
.
Summary
Sending a request over HTTP with NSURLSession
is very straightforward. But there are a lot of technologies involved in making that request. Knowing how those pieces work will allow you to optimize the way you’re using HTTP requests. Our users expect apps that perform well under any condition. Understanding how IP, TCP, and HTTP work makes it easier to deliver on those expectations.
reference:http://www.objc.io/issue-10/ip-tcp-http.html
IP, TCP, and HTTP--reference的更多相关文章
- [转帖]IP /TCP协议及握手过程和数据包格式中级详解
IP /TCP协议及握手过程和数据包格式中级详解 https://www.toutiao.com/a6665292902458982926/ 写的挺好的 其实 一直没闹明白 网络好 广播地址 还有 网 ...
- boost::asio::ip::tcp实现网络通信的小例子
同步方式: Boost.Asio是一个跨平台的网络及底层IO的C++编程库,它使用现代C++手法实现了统一的异步调用模型. 头文件 #include <boost/asio.hpp> 名空 ...
- Socket(套接字) IP TCP UDP HTTP
Socket(套接字) 阮老师的微博 (转)什么是套接字(Socket)? 应用层通过传输层进行数据通信时,TCP和UDP会遇到同时为多个应用程序进程提供并发服务的问题.多个TCP连接或多个应用程序进 ...
- boost::asio::ip::tcp中几个重要类型
typedef basic_stream_socket socket; 流式套接字,提供同/异步发送接收数据,连接,绑定,设置套接字选项等功能 对于socket中的connect()方法,它只针对某一 ...
- IP TCP HTTP Socket的区别
网络由下往上分为 物理层.数据链路层.网络层.传输层.会话层.表示层和应用层. 通过初步的了解,我知道IP协议对应于网络层,TCP协议对应于传输层,而HTTP协议对应于应用层, 三者从本质上来说没有可 ...
- IP,TCP,UDP Checksum校验
IP数据报的校验: IP数据报只需要对数据头进行校验,步骤如下: 将接收到的数据的checksum字段设置为0 把需要校验的字段的所有位划分为16位(2字节)的字 把所有16位的字相加,如果遇到进位, ...
- C winpcap 网络抓包 并获取IP TCP 协议的相关信息
以太网协议分析函数: void ethernet_protocol_packet_handle (u_char *argument, const struct pcap_pkthdr *packet_ ...
- [TCP/IP] TCP的传输连接管理
1.连接建立=>数据传输=>连接释放 2.主动发起连接的是客户端,被动接受连接的是服务器 3.三次握手 客户端 ==> SYN是1同步 ,ACK确认标志是0,seq序号是x ==&g ...
- 以太网,IP,TCP,UDP数据包分析【转】
原文地址:http://www.cnblogs.com/feitian629/archive/2012/11/16/2774065.html 1.ISO开放系统有以下几层: 7 应用层 6 表示层 5 ...
随机推荐
- 如何在Fedora 22上面配置Apache的Docker容器
在这篇文章中,我们将会学习关于Docker的一些知识,如何使用Docker部署Apache httpd服务,并且共享到Docker Hub上面去.首先,我们学习怎样拉取和使用Docker Hub里面的 ...
- windows下执行build_native.sh报权限问题
编辑build_native.sh 在前面加上 chmod 777 -R ./*
- Make the “Check out” function available in the office document opened with Document ID link
I found a solution to make the “Check out” function available in the office document opened with Doc ...
- Spark相比Hadoop MapReduce的特点
(1)中间结果输出 基于MapReduce的计算引擎通常会将中间结果输出到磁盘上,进行存储和容错. 出于任务管道承接的考虑,当一些查询翻译到MapReduce任务时,往往会产生多个Stage, ...
- Spark RDD概念学习系列之RDD的创建(六)
RDD的创建 两种方式来创建RDD: 1)由一个已经存在的Scala集合创建 2)由外部存储系统的数据集创建,包括本地文件系统,还有所有Hadoop支持的数据集,比如HDFS.Cassandra.H ...
- 【MySql】在Linux下安装MySql数据库
[参数环境] 1.Host OS:Win7 64bit 2.VM: VMware 11.1.0 3.Client OS:CentOS 6 4.系统中已安装的openssl版本: openssl-1.0 ...
- [转]比较 Rational Unified Process (RUP) 和 Microsoft Solutions Framework (MSF)
文档选项 将此页作为电子邮件发送 级别: 初级 Sandra Sergi Santos, 软件工程专家, IBM 2007 年 6 月 15 日 本文来自于 Rational Edge:Micro ...
- linux du命令: 显示文件、目录大小
介绍:du命令用于显示指定文件(夹)在磁盘中所占的空间信息.假如指定的文件参数实际上是一个目录,就要计算该目录下的所有文件.假如 没有提供文件参数,执行du命令,显示当前目录内的文件占用空间信息. 语 ...
- C++11对象构造的改良
[C++11对象构造的改良] C++03中一个构造函数无法构造另一个构造函数,因为A()实际上意味着生成一个临时对象,存在语音混淆.详情请看参考2. C++11中允许直接在初始化列表中调用其它的构造函 ...
- 理解js闭包(一)
@(编程) 闭包(closure)是Javascript语言的一个难点,也是它的特色,很多高级应用都要依靠闭包实现. 一.变量的作用域 要理解闭包,首先必须理解Javascript特殊的变量作用域. ...