RE: QPACK and the Static Table

Mike Bishop <> Wed, 23 May 2018 23:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1FB2F1273B1 for <>; Wed, 23 May 2018 16:50:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uM29kv2Si19g for <>; Wed, 23 May 2018 16:50:55 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A8974127077 for <>; Wed, 23 May 2018 16:50:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-evequefou-be; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RdXpICy2+TvIOHj0Q4QoPXeD1Aa2cEzlhGatkNqFEcA=; b=hwqheSuCDGM8fgrhtfBrk+KNnu7HraoJJpT6Yfdgk6Z59mq8tkh4qJ+U+HwoNZXxFovXO4lrUsBO1TBAj9RPYF27EEw+VjO4YDCj/1DyMBFlw9s63ic9pxf95amM7HVoinuH9nkE8Ue7CcOkVhUPwER3vrCFYhnftoRwKFhE+ZE=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.776.11; Wed, 23 May 2018 23:50:52 +0000
Received: from ([fe80::3c18:f60d:11c1:143d]) by ([fe80::3c18:f60d:11c1:143d%13]) with mapi id 15.20.0776.015; Wed, 23 May 2018 23:50:52 +0000
From: Mike Bishop <>
To: Mark Nottingham <>
CC: HTTP Working Group <>, "" <>
Subject: RE: QPACK and the Static Table
Thread-Topic: QPACK and the Static Table
Thread-Index: AdPy6/ObcVQE/1QBQB2X+UF0YtinwQABH7WAAAAGeIA=
Date: Wed, 23 May 2018 23:50:51 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: [2601:600:8080:5a28:4940:a32d:2658:89dc]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1PR08MB1901; 7:EuqdaOtHu831YPcrOHP9GoXNFE5nDtOCK2F5/OsUxnjFLGa56UQGSxjMwUfvz5cyrRCgRO81YXTiLbscjflUKE4hQlh90TZop8NexUTVSE2UzDePot+c6nvxboVtM9f9PKtaCzwAdk10YX4ZYPElI/Z0jmIyl4DGM4zMxQZLgkR5E/mFhw028+/nx1zla2FAn1ef85p8bzmUHxT8PVrWvpdHMpH02tbhR6qemoO4srQ+zWeW82zcahumns/CmmxJ
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(7021125)(5600026)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7024125)(7027125)(7028125)(7023125)(2017052603328)(7153060)(7193020); SRVR:SN1PR08MB1901;
x-ms-traffictypediagnostic: SN1PR08MB1901:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(86561027422486)(64217206974132);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(93001095)(3231254)(944501410)(52105095)(149027)(150027)(6041310)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(2016111802025)(6072148)(6043046)(201708071742011)(7699016); SRVR:SN1PR08MB1901; BCL:0; PCL:0; RULEID:; SRVR:SN1PR08MB1901;
x-forefront-prvs: 06818431B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39830400003)(366004)(396003)(39380400002)(346002)(376002)(13464003)(199004)(189003)(305945005)(97736004)(4326008)(5250100002)(102836004)(8936002)(86362001)(74316002)(105586002)(476003)(6916009)(8676002)(2906002)(486006)(81166006)(11346002)(6506007)(186003)(81156014)(55016002)(59450400001)(68736007)(53546011)(446003)(14454004)(106356001)(5660300001)(6246003)(3660700001)(99286004)(6116002)(966005)(54906003)(229853002)(25786009)(46003)(74482002)(7736002)(9686003)(478600001)(53936002)(6306002)(3280700002)(7696005)(2900100001)(6436002)(316002)(76176011)(33656002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR08MB1901;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ug3EU3MufERfG8Smg62wvopUmAFdtdU/s3Xk0762lupxRTRuXkDDiOYPOdbjk9G3KTZEPS4BDI2uEKilwTnYRM2VXhNrOdCBlMdww5KC8zzgyTk1S+te7zSerG7I1o1fotz7AM7aOHJwk1R5wQvcHoQg6+kefC9vi3B82G1SQcs2adgh/XKYPICUrBVOfsBK
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 29656c8f-79eb-4dfe-c3ac-08d5c1080482
X-MS-Exchange-CrossTenant-Network-Message-Id: 29656c8f-79eb-4dfe-c3ac-08d5c1080482
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 May 2018 23:50:52.0495 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 41eaf50b-882d-47eb-8c4c-0b5b76a9da8f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR08MB1901
Archived-At: <>
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 23 May 2018 23:50:58 -0000

While I've tried to limit the bias introduced by their single browser and selection of sites, I share those concerns about using the HTTP Archive as a single source of data.  However, what I've heard from one HTTP API deployment and suspect is true across CDNs is that sharing request header values is problematic.

Maybe if we locally applied the filtering of not sharing values unless a single value represents more than 5% of header occurrences, that would be sufficiently anonymized for folks to be willing to share.

-----Original Message-----
From: Mark Nottingham <> 
Sent: Wednesday, May 23, 2018 4:48 PM
To: Mike Bishop <>
Cc: HTTP Working Group <>;
Subject: Re: QPACK and the Static Table

Hey Mike,

My .02 (I also left some notes in the PR) -

The static table is most useful on request headers, so that's what we should be focusing on. If it were me, I'd drop all of the response header fields except the most common ones (say 10 or so), and focus on request headers.

In fact, I'd look at paring down the number of entries in total for *just* the initial requests on a connection -- putting too many things in the static table might influence how implementations emit other headers, and that's not the intent here.

The HTTP Archive is a bit problematic; not only is it focused on "big" sites (albeit a lot of them), but it's also AIUI pretty homogenous on the client side, so it's not going to be very representative for request headers.

I think it would be better to get a sample of request headers seen by a couple of sites, a CDN or two, and at least one "HTTP API" type deployment, and see where that leads -- if we can find someone willing to do the work.


> On 24 May 2018, at 9:16 am, Mike Bishop <> wrote:
> Wanted to get a sense of the affected working groups on two issues in QPACK (header compression for HTTP/QUIC).
> Rather than indexing the tables together and having the static table at 1-61, QPACK uses a bit to indicate static vs. dynamic.  Since the field is seven bits long, the performance is comparable for the dynamic table (you can access 63 entries in one byte, 190 in two), but you can increase the size of the static table without hurting the dynamic table.  As a result, we’re building a fresh static tablebased on queries against HTTPArchive data.
> The key question that has come up in a couple venues:  What real-world headers do we want to artificially remove from what the data shows, and what headers not seen by HTTP Archive do we want to force in anyway?
> So far, we’ve:
> 	• forced in pseudo-headers because the Archive doesn’t capture them and they would otherwise be absent
> 		• :path, :authority, :method
> 	• deleted values presumed biased by the test configuration:
> 		• Server: (various vendors)
> 		• User-Agent
> 		• Accept-Language: en-us, en;q=0.9
> 		• Content-Length: 531
> 			• I still wonder exactly why that’s so common….
> 		• P3p: policyref=””….
> 		• Origin:
> 		• Alt-Svc for various versions of gQUIC
> 		• …the list goes on
> 	• deleted headers prohibited by HTTP/QUIC and HTTP/2
> 		• Transfer-Encoding: chunked
> 	• Reordered to put headers you’re likely to name-reference at the front, especially if you’re unlikely to add them to the dynamic table
> The question is whether we should also backfill headers which HTTP Archive wouldn’t see, delete headers we wish people wouldn’t use, and/or insert the ones we hope they eventually will.  Some candidates:
> 	• Add Alt-Svc entry for HTTP/QUIC with QUIC v1
> 	• Add X-Forwarded-For
> 	• Don’t add X-Forwarded-For, but do add Forwarded
> 	• Remove Expires to incent the use of Cache-Control
> 	• Collapse the “Content-Type: <thingey>” and “Content-Type: <thingey>; charset=utf-8” entries together
> 		• …but which one to keep?
> 	• Add Content-Encoding and/or Accept-Encoding entries for zstd
> There’s an endless parade of bikesheds here.  As Martin has pointed out, this will never be perfect, so the goal is “good enough and keep going.”  Any strong feelings about any of these before we merge it?
> Also, there’s been some discussion of a mechanism for selecting one of several static tables at the start of a connection.  In that case, the spec would probably define three tables (client headers, server headers [for servers that don’t push], combined [for servers that push]) and enable future RFCs to define others for targeted scenarios (proxies, video playback, IoT, etc.).  How much does that interest folks?

Mark Nottingham