The way I look at the major improvements in the two recent HTTP versions is:
HTTP/2 was needed to better utilize the bandwidth by keeping the TCP connection busy without silence period. That means instead of "request - RTT delay - response - RTT delay - request - RTT delay- response ..." we have "request - request - request - response - response - response ..." without pauses between responses. These pauses in HTTP/1.1 cause the congestion windows drop to initial value and slow start after each response. For HTTP/1.1 the workaround was to establish multiple TCP connections to fetch resources in parallel. This + using multiple domains for assets was best practice with HTTP/1.1 and is not needed (or even discouraged) with HTTP/2.
The above change has a drawback: for links with high latency and lower reliability a single packet loss is causing this whole pipline to stall. The cause is how TCP retransmission + congestion control works. This is in contrast to multiple HTTP/1.1 connections where just single connection would stall and take time to recover to full speed. This has bigger impact on performance in wireless connections and content like live video streaming so something that the world move to.
To fix that HTTP/2 moves congestion control to upper layer that understand what is transmitted. Loss of single packet no longer causes the whole pipeline stall, it affects only the resource for which the loss occurred.
This all is needed especially in mobile networks. In older times the a good CDN was used to put content close to the user (or at least terminate the TCP connection close to the user) lowering the round trip time, TLS handshake time. With mobile connections becoming more popular this doesn't work because the big delay is in the "last mile" - in mobile link. You just can't move the CDN's server closer to cut this latency.
Of course there are also other improvements like faster connection establishment (with TLS).
QUIC and http/3 address three problems in my mind:
a) multiplexed tcp of http/2 is tcp-in-tcp with its well known problems. tcp over udp is not so problematic
b) as a udp protocol, congestion control is user space controlled. There's been some work on congestion control lately, but it's difficult to explore that for client to server transfers with tcp
c) path mtu detection in the presence of icmp blackholes is still a mess, in 2021; a udp based protocol puts control of packtization into userland.
I think that's fairly factual, so here's the opinion part.
a) tcp-in-tcp problems could have been solved by just using tcp. http/2 without multiplexing still gives some benefits (explicit server shutdown indications are a big one for me; binary vs text and compression may help with data length, but framing may not)
b) plugable congestion control would make more sense here to me. A certain company behind quic also controls a widely deployed operating system, and could make it happen; although adoption is slow, so it would take longer than switching to quic for their sites.
c) turning on path mtu blackhole detection by default on that same company's mobile operating system would help here as well. A certain other mobile OS without a diverse hardware marketplace quickly discovers and responds to lost big packets by sending smaller packets.
By moving everything into the application, QUIC circumvents the extremely slow pace of innovation in operating systems' TCP stacks. Unlike userspace TCP, which requires elevated privileges such as CAP_NET_RAW on Linux, QUIC does not require any special privileges.
Head of line blocking in http/2, and performance/reliability on dodgy mobile connections. It's definitely getting to the point of diminishing returns, but given how widely http is used it does seem to justify the effort.
TCP HOLB is hardly diminishing returns; it’s the defining way in which HTTP/2 is not uniformly superior to HTTP/1.1—because of it, for a meaningful fraction of users, single-connection HTTP/2 behaves visibly worse than its primary competition, up-to-six-connection HTTP/1.1. (Lack of WebSockets support used to be another point, but that got fixed a year or two back.)
Some of the other benefits of HTTP/3 over HTTP/2, like the bypassing of TCP’s outmoded congestion control, are definitely more like diminishing returns.
HTTP2 always seemed like a great idea for the backend and a "meh" idea for the front end. On backend systems where networks and lines are mostly reliable and fast, HOLB is generally not a problem.
It's only when you start talking about connections outside a backend network that HTTP2's weaknesses start to show (specifically mobile networks).
I wouldn’t call it “meh”. For almost all sites, it’s at least a slight win for the significant majority of users; for most sites, it’s a moderately significant improvement for most users; for some sites, it’s a huge improvement for most users. Certainly high-latency, high-loss networks undermine its benefits, but it’s still generally a definite improvement over HTTP/1.1.
Besides what is already mentioned in sibling comments:
QUIC requires one less RTT for connection establishment than TCP+TLS, which reduces the time to first byte on new connections.
Besides this QUIC allows the client to migrate between different IP addresses and networks. This means that e.g. a download on a phone doesn't get interrupted if the user moves from cellular to WiFi.
Lots of resources are out there but essentially it expands http/2's multiplexed requests by building on top of UDP instead of TCP so it can ensure those requests don't block each other.
If you've got enough cynicism to decide the only beneficiaries of QUIC are just "adtech companies" then I suggest saving a little of that cycnicism to put scare quotes around that word "security" in the second half of your sentence.
If you have effective security neither TLS 1.3 nor QUIC change anything in that regard. But they probably do change things for you. This means you did not have effective security.
Those making appliances or software to deliver "security" would very much like you to blame the designers of QUIC or TLS 1.3 for the fact that their products are ineffective. It is as if the Carbolic Smoke Ball Company had tried to blame doctors for diagnosing Carlill with Influenza rather than accepting that, in fact, Carbolic Smoke Balls don't work and so they owe her £100 per their advertisement.
I know it's an oft-repeated comment here but it does bear repeating: is it really a good idea to keep writing these libraries dealing with complex untrusted user supplied data in C?
A good reason is that if you want interop with other languages, C is still the lingua franca of ABIs. All scripting languages have a way to interact with C through some form of FFI mechanism. I guess you could write it in Rust and maintain C bindings to it, but that would be painful.
Not really. We wrote a content-addressable-storage backup solution in rust[0], and one consumer is QEMU for doing backups of VMs, so we expose C bindings of our rust code[1] and use them in QEMU[2], effectively having rust async stuff handled by QEMU co-routine library. It wasn't exactly complicate or the like, required a bit of "plumbing code" but that's OK.
Allowing to get (relatively) easy C bindings is a goal and feature of rust, at least the project itself provides and maintains the rust-bindgen crate[3][4].
Having a bit bigger and slightly complex project like a backup server done in rust is such a relief compared to C or similar languages. Good speed, fast start up times like C but refactoring is really a breeze lots of safety is guaranteed and more time can be spent on fixing the semantic bugs.
What sort of architecture are you envisioning where you'd need HTTP3 and Rust can't build for it?
Once you get a microcontroller fast enough to handle Http3, you are talking about well known platforms (such as ARM, MIPS, x86). All of which are supported by Rust and LLVM.
Keeping in mind that I needed to write code against node 0.13 because it was the last version of node supporting floating point emulation when there is no hardware fpu, I was surprised to learn what kind of trash is out there running the internet. There is list of supported architectures of the software in question and though I don't remember it in details, I'm sure that there were items in it that I couldn't find in the rust tables.
:) sounds like bcm4709. Funnily, rust wouldn't have a problem there, that's specifically a node problem because their JIT doesn't handle software FPUs. LLVM does.
I'm fairly confident in saying any place you can run any node version, you can run rust.
I guess there is an audience for this stuff, among embedded systems developers or whatever, but after a brief look at the project it doesn't strike me as a project written with the care needed for C libraries. It is severely under-documented, for starters. For example, the word "thread" does not appear anywhere.
because it doesn't use threads? The library is intended to be used inside an eventloop. I think the same also applies for other typical transport libraries - e.g. HTTP/2 or TLS ones.
> Not sure why one would choose this over QUICHE.
I think there are certainly reasons. lsquic seems a lot more optimized than quiche and most other libraries out there. It makes use of some pretty clever datastructures (e.g. https://github.com/litespeedtech/lsquic/blob/master/src/libl...), and likely has a drastically lower rate of heap allocations than other implementations. Some of those things - like the use of intrusive linked lists - are unfortunately not that easy to apply in Rust.
I wouldn't be suprised if lsquic outperforms various other implementations - and if that's important to users it might be a reason to choose it (but as always: measure for your use-case).
I personally also think Rust is the way to go for system level code. But I wouldn't dismiss a project for not using Rust. And this one at least has a fair set of unit-tests, so it looks to me a lot more sane than a lot of other C based projects.
I had an issue using quiche as a dependency via JNI and it was a blocker (I've moved on). The event would lose its reference and segfault; I was unable to track it to an actual cause in the debugger; lots of time wasted.
If you develop commercial embedded software and need to be able to develop safety critical software there is no contest: C and Ada are the two best tools. Obviously you limit the coding to subset of C. MISRA C for example.
You can buy commercial tools for C and Ada that do static analysis only your source-code way past anything that you get from other languages. You can prove the absence of run time errors. No divisions by zero, no sudden application termination etc.
If you write safety critical code, you don't do dynamic memory allocation or unrestricted recursion anyway. The strengths that Rust has in memory allocation are irrelevant. Running out of memory or unlimited recursion are errors.
But lots of the vulnerable C code we have in the world today was written by very experienced C developers, so I don't know that's a particularly strong argument
You must remember, a LOT of C code was written back in a time when the Internet was a more trusting environment. Lots of developers didn't even comprehend that there'd be malicious actors.
The point stands, if you're an experienced developer in one particular language then of course you will write in that language.
> You must remember, a LOT of C code was written back in a time when the Internet was a more trusting environment. Lots of developers didn't even comprehend that there'd be malicious actors.
Hackers were a well established thing in the 80s, with its origin "phreaking" being even older than that, so no it wasn't a naïve time when everybody though all just had the best interest possible in mind. Note also that not all crashes and breakages are intended and result of a malicious actor, or do you now argue that human entry errors just did not happen back then?
Further, most code today does not come from that era but rather originated from 90s to 2000s, with not even much of that being still around in that form.
> The point stands, if you're an experienced developer in one particular language then of course you will write in that language.
1. That's the first time you make that point, the original reply of yours has no argument whatsoever, so nothing "still stands".
2. If you're really an experienced developer in one particular language then you are aware of its shortcomings and will also look closely for languages addressing them without adding other disadvantages. Everything else would be just short-sighted, which isn't really a good virtue to have as experienced developer.
3. How comes that new code written by highly experienced developers, e.g., working on OS kernels, with a massive testing effort still let slip through buffer overflows, use after free, integer underflows, etc. etc.?