TCP Fast Open – Citrix NetScaler

TCP Fast Open (TFO) is a TCP mechanism that enables speedy data exchange between a client and a server during TCP’s initial handshake. By using the TFO mechanism, you can reduce an application’s network latency by the time required for one full round trip, which significantly reduces the delay experienced in short TCP transfers.

So how does it work? This picture describes it a lot better!

Source: http://image.slidesharecdn.com/devconf2014-kernelnetworkingwalkthrough-140304102610-phpapp01/95/devconf-2014-kernel-networking-walkthrough-16-638.jpg?cb=1393929597

Note, however, that both the client and the server must support TFO for this feature to work. The feature was introduced in NetScaler 11.1 and just needs some configuration to work properly.

This can be done by adjusting a TCP Profile with the TCP Fast Open value.

image

We can also define how long the TCP cookie should be used; by default this is set to zero (this is defined in the TCP parameters on the NetScaler).

image

After this setting is configured we need to enable TCP Fast Open for Microsoft Edge. Note that this feature is not enabled by default. Microsoft wrote a blog post about TCP Fast Open earlier this year: https://blogs.windows.com/msedgedev/2016/06/15/building-a-faster-and-more-secure-web-with-tcp-fast-open-tls-false-start-and-tls-1-3/

But not everything is well documented in the blog post! First of all, you need to have the 1607 build to get support for TCP Fast Open in the Windows kernel. You can check whether TCP Fast Open is available by using this command:

netsh interface tcp show global

You will see TCP Fast Open listed in the output. If you do not see it present, you need to update your Windows 10.

image

To enable TCP Fast Open in Edge you need to open Microsoft Edge (using build 14352 or higher) and type

about:flags

Then scroll down and enable TCP Fast Open, then restart the browser.

image

Next we need to test that it is working! By default in Microsoft Edge it ONLY WORKS UNDER HTTPS/TLS. That makes sense, but it is not documented.

Here we can see from Wireshark the client request going to the web server
(10.217.215.153 = Windows 10 client, 10.217.215.223 = NetScaler Virtual Server)

image

And here I can see the NetScaler responding with the cookie

image

And here we can see that the client uses the TCP Fast Open cookie for the second request

image
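The three captures above correspond to the TFO option (TCP option kind 34 in RFC 7413) appearing in the first SYN, the SYN-ACK and a later SYN. As an added example that is not part of the original post, this Python code parses raw TCP headers and classifies each segment's TFO stage; the function names, the stage labels, the cookie value and the sample segments are constructed for illustration.

```python
import struct

TFO_KIND = 34  # TCP option kind for Fast Open (RFC 7413)

def tcp_options(segment):
    """Yield (kind, value) for every option in a raw TCP header."""
    opts = segment[20:(segment[12] >> 4) * 4]   # data offset is in 32-bit words
    i = 0
    while i < len(opts) and opts[i] != 0:        # kind 0 = end of option list
        if opts[i] == 1:                         # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        yield opts[i], opts[i + 2:i + opts[i + 1]]
        i += opts[i + 1]

def classify_tfo(segment):
    """Return (stage, cookie, payload_len) for one TCP segment."""
    flags = segment[13]
    payload_len = len(segment) - (segment[12] >> 4) * 4
    cookie = next((v for k, v in tcp_options(segment) if k == TFO_KIND), None)
    if not flags & 0x02 or cookie is None:       # TFO only appears on SYN / SYN-ACK
        return ("no-tfo", None, payload_len)
    if cookie and not (4 <= len(cookie) <= 16 and len(cookie) % 2 == 0):
        return ("invalid-cookie", cookie, payload_len)
    if flags & 0x10:                             # SYN-ACK: server side
        return ("cookie-issued" if cookie else "empty-reply", cookie, payload_len)
    return ("cookie-presented" if cookie else "cookie-request", cookie, payload_len)

def build_segment(flags, options=b"", payload=b""):
    """Constructed sample data: minimal TCP header, options NOP-padded."""
    options += b"\x01" * (-len(options) % 4)
    offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, offset << 4, flags, 65535, 0, 0)
    return header + options + payload

# Constructed segments mirroring the three captures, plus a plain SYN.
COOKIE = bytes.fromhex("0123456789abcdef")       # made-up 8-byte cookie
SAMPLES = [
    build_segment(0x02, bytes([TFO_KIND, 2])),                   # first SYN
    build_segment(0x12, bytes([TFO_KIND, 10]) + COOKIE),         # SYN-ACK
    build_segment(0x02, bytes([TFO_KIND, 10]) + COOKIE, b"\x16\x03\x01"),  # later SYN
    build_segment(0x02, bytes([2, 4, 5, 0xB4])),                 # plain SYN, MSS only
]

if __name__ == "__main__":
    for seg in SAMPLES:
        print(classify_tfo(seg))
```

A "cookie-presented" SYN with a non-zero payload length is the case where the round trip is actually saved; a SYN with "no-tfo" from a TFO-enabled client is what you would expect to see when something on the path strips the option.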

So voila! So will this small change improve web performance? Not yet! There are still a number of ISPs which block the TCP Fast Open cookie header in TCP (ref: https://www.simula.no/file/conext2015pdf/download), which means that the connection falls back to regular TCP and then triggers a TCP retransmission.

But for those that have TCP Fast Open enabled on their web servers, implementing it will allow for fast download of websites, as seen here:

Source: https://aeckert93.files.wordpress.com/2014/06/screen-shot-2014-06-02-at-10-41-48-pm.png
