TCP Fast Open (TFO)

Protocol

A TCP extension (RFC 7413) that lets a client send data in the initial SYN packet when reconnecting to a server it already holds a cookie for, removing one round trip from connection setup. The saving is one RTT per repeat connection: tens of milliseconds to a few hundred, depending on how far the client is from the CDN edge.

Updated Mar 17, 2026

Full Explanation

TCP Fast Open (RFC 7413) lets a client send application data in the very first SYN packet when reconnecting to a server it has visited before. Standard TCP requires the full three-way handshake (SYN, SYN-ACK, ACK) before any data flows. TFO cuts one round trip by piggybacking data on the SYN, and the server can start processing and responding immediately, before the client's ACK arrives. For HTTPS the data carried in the SYN is the TLS ClientHello, so TFO removes the TCP round trip but the TLS handshake still needs its own.

The mechanism uses a TFO cookie. On the first connection, the client includes an empty TFO option in its SYN to request a cookie. The server derives a short cookie (4 to 16 bytes; Linux issues 8) from the client's IP address under a secret key that only the server knows, and returns it in the SYN-ACK; that first connection completes a normal handshake. The client caches the cookie per server (on Linux, in the kernel's tcp_metrics cache). On subsequent connections, the client includes both the cookie and application data in the SYN. The server recomputes the cookie from the source address and its key; if it matches, the data is handed to the application immediately, without waiting for the handshake to complete. If it does not match (for example after the server rotated its key), the server ignores the data, completes a regular handshake and sends a fresh cookie in the SYN-ACK so the client relearns it.

For CDNs, TFO's value depends on the connection pattern. CDN edges that handle many short-lived HTTP/1.1 connections benefit the most because each new connection saves one RTT. If RTT to the nearest edge is 20ms, TFO saves 20ms per connection; for users further from the edge (100ms RTT to a regional PoP), the savings are more significant. The benefit applies only to repeat connections that hold a valid cookie: the first connection to a given edge, and the first after the server rotates its key, pays the full handshake.

With HTTP/2, TFO's impact is reduced because the protocol multiplexes requests over one long-lived TCP connection: you pay the connection setup cost once, then reuse it for many requests. HTTP/3 runs over QUIC on UDP, so TFO does not apply to it at all; QUIC has its own 0-RTT resumption, with similar replay caveats. TFO still helps with the initial HTTP/2 connection, especially on mobile networks where connections are frequently dropped and re-established.

Browser support for TFO has been mixed. Chrome supported it on Linux and Android, Firefox on Linux, and Safari on macOS, but Windows client support lagged for years. Some middleboxes (firewalls, NAT devices) strip unknown TCP options or drop a SYN that carries data, silently breaking TFO; Linux clients have blackhole detection (net.ipv4.tcp_fastopen_blackhole_timeout_sec) that temporarily stops using TFO after a SYN with data goes unanswered. This spotty ecosystem has limited adoption compared to what was hoped.

On the server side, Linux has good TFO support. The net.ipv4.tcp_fastopen sysctl is a bitmask (a client bit and a server bit, plus looser modes that should stay off in production), and a listener opts in with the TCP_FASTOPEN socket option, whose value caps how many TFO connections may sit in the queue before their handshake completes. The cookie key lives in net.ipv4.tcp_fastopen_key; the kernel generates a random one at boot if none is set, and recent kernels accept a primary and a backup key so that rotating does not invalidate every cached cookie at once. Nginx (fastopen=N on the listen directive) and HAProxy (the tfo bind option) expose this, as do other common CDN edge servers.

TFO has a subtle security consideration. Because the data is accepted before the handshake completes, a SYN+data captured by an attacker can be replayed: in the normal handshake the client's final ACK proves it really received the SYN-ACK, but a replayed TFO SYN makes the server process the same request again before any such proof exists. The cookie is bound only to the source IP address, so anyone who can spoof that address, or who shares it behind the same NAT, can replay or reuse it. For idempotent requests (GET) this costs little beyond wasted work; for non-idempotent requests (POST) the application needs its own replay protection, such as an idempotency key. With HTTPS the SYN carries only the TLS ClientHello, so a replay burns handshake CPU but does not repeat a request, unless TLS 1.3 0-RTT early data is enabled, which reintroduces the same application-level replay problem. A client holding a valid cookie can also force the server to allocate full sockets and run application code for SYNs it never completes, which is why the pending-TFO queue limit (fastopen=N) exists and should stay modest.
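
The cookie exchange and the replay, IP-binding, key-rotation and queue-limit points above, as an added example that is not the page's or the Linux kernel's code. It assumes a cookie of HMAC-SHA256(key, client_ip) truncated to 8 bytes (the kernel uses a different keyed primitive with the same IP binding), a pending limit of 4 instead of a realistic fastopen=256, and the constructed addresses 198.51.100.7 (client) and 203.0.113.9 (attacker):

```python
"""Added example (not page or kernel code): a model of the RFC 7413 cookie
exchange between a CDN edge, a returning client and an attacker. Assumption:
cookie = HMAC-SHA256(key, client_ip)[:8]; the kernel uses a different keyed
primitive, but the binding to the source IP is the same."""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

COOKIE_LEN = 8      # RFC 7413 allows 4-16 bytes; Linux issues 8
PENDING_LIMIT = 4   # stand-in for the listener's fastopen=N cap, small for the demo

@dataclass
class Syn:
    src_ip: str
    cookie: bytes = b""     # empty cookie = cookie request
    data: bytes = b""

class TfoServer:
    def __init__(self):
        self.keys = [secrets.token_bytes(16)]   # [current, previous] once rotated
        self.pending = 0    # accepted TFO connections still waiting for the client's ACK
        self.early = []     # data handed to the application before a handshake finished

    def _cookie(self, key: bytes, ip: str) -> bytes:
        # Keyed function of the source IP only, so the cookie is useless from any other address
        return hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256).digest()[:COOKIE_LEN]

    def rotate_key(self):
        # Keep one previous key so cookies issued under it work for one more period
        self.keys = [secrets.token_bytes(16), self.keys[0]]

    def handle_syn(self, syn: Syn):
        """Return (cookie to put in the SYN-ACK or None, whether the SYN data was accepted)."""
        fresh = self._cookie(self.keys[0], syn.src_ip)
        if not syn.cookie:
            return fresh, False     # cookie request: issue one, complete a normal handshake
        matched = [k for k in self.keys
                   if hmac.compare_digest(syn.cookie, self._cookie(k, syn.src_ip))]
        if not matched:
            return fresh, False     # bad cookie: ignore data, re-issue so the client relearns
        if self.pending >= PENDING_LIMIT:
            return None, False      # queue full: drop the early data, normal handshake
        self.pending += 1
        self.early.append(syn.data)  # the application sees this before any ACK arrives
        return (fresh if matched[0] is not self.keys[0] else None), True  # old key: refresh

    def handshake_done(self):
        self.pending -= 1   # the kernel also frees the slot when an unacked TFO SYN times out

def client_connect(cache: dict, ip: str, server: TfoServer, data: bytes):
    """Client side: use the cached cookie (Linux keeps it in tcp_metrics) or request one."""
    cookie = cache.get("edge", b"")
    syn = Syn(ip, cookie, data if cookie else b"")   # no cookie yet: data waits for the handshake
    issued, accepted = server.handle_syn(syn)
    if issued is not None:
        cache["edge"] = issued
    return syn, accepted

class IdempotentApp:
    """Application-level replay guard: a POST whose id was already seen is refused."""
    def __init__(self):
        self.seen = set()

    def handle(self, data: bytes) -> str:
        request, _, rid = data.decode().partition(" id=")
        if request.startswith("GET"):
            return "ok"
        if rid in self.seen:
            return "duplicate"
        self.seen.add(rid)
        return "ok"

def demo() -> dict:
    server, app, ip, cache, r = TfoServer(), IdempotentApp(), "198.51.100.7", {}, {}  # constructed address
    r["first_tfo"] = client_connect(cache, ip, server, b"GET /")[1]                # no cookie yet
    syn, r["second_tfo"] = client_connect(cache, ip, server, b"POST /pay id=42")  # cookie + data in SYN
    r["app_first"] = app.handle(server.early[-1])
    server.handshake_done()
    # Attacker replays the captured SYN with the client's address spoofed: the server
    # runs the POST again before any handshake could prove who sent it
    r["replay_same_ip"] = server.handle_syn(syn)[1]
    r["app_replay"] = app.handle(server.early[-1])
    server.handshake_done()
    # The same cookie from the attacker's own address fails the IP binding
    r["replay_other_ip"] = server.handle_syn(Syn("203.0.113.9", syn.cookie, syn.data))[1]
    # A cached cookie survives one rotation (and is refreshed under the new key);
    # a cookie two rotations old is rejected and the client has to relearn
    server.rotate_key()
    r["after_one_rotation"] = client_connect(cache, ip, server, b"GET /")[1]
    server.handshake_done()
    server.rotate_key()
    server.rotate_key()
    r["after_two_more"] = client_connect(cache, ip, server, b"GET /")[1]   # falls back, re-issued
    r["relearned"] = client_connect(cache, ip, server, b"GET /")[1]
    server.handshake_done()
    # Even a valid cookie cannot pile up unbounded half-open TFO connections
    for _ in range(PENDING_LIMIT):
        server.handle_syn(Syn(ip, cache["edge"], b"GET /"))
    r["over_limit"] = server.handle_syn(Syn(ip, cache["edge"], b"GET /"))[1]
    return r
```

Running demo() walks through the sequence: the first connection gets no fast open, the second does, the spoofed replay is accepted by TCP but caught by the application's id check, the cookie is rejected from another address, it survives one key rotation but not two, and once the pending limit is reached further TFO SYNs fall back to a normal handshake.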

Examples

# Check if TFO is enabled on Linux
sysctl net.ipv4.tcp_fastopen
# net.ipv4.tcp_fastopen = 1
# The value is a bitmask: 0x1 = client, 0x2 = server (so 3 = both).
# 0x4 (client sends data in the SYN without a cookie) and 0x200 (server
# accepts data in the SYN without any cookie) skip the cookie check and
# should stay off; 0x400 turns TFO on for every listener.

# Enable TFO for both client and server
sudo sysctl -w net.ipv4.tcp_fastopen=3

# Make persistent (read at boot and by `sysctl --system`)
echo 'net.ipv4.tcp_fastopen=3' | \
  sudo tee /etc/sysctl.d/99-tfo.conf

# Nginx: enable TFO on listen directive
server {
    listen 443 ssl fastopen=256;
    # 256 = max TFO connections queued before their handshake completes
    # (the TCP_FASTOPEN socket option value); keep it modest, since it
    # bounds how many half-open sockets a cookie holder can make you allocate
}

# Test TFO with curl (Linux; the kernel caches the cookie per destination,
# so a second curl process can use the cookie the first one requested)
# First request: SYN carries a cookie request, normal handshake
curl -s --tcp-fastopen https://example.com -o /dev/null -w \
  'connect: %{time_connect}s  ttfb: %{time_starttransfer}s\n'
# Second request: SYN carries the cookie plus the ClientHello, one RTT less
curl -s --tcp-fastopen https://example.com -o /dev/null -w \
  'connect: %{time_connect}s  ttfb: %{time_starttransfer}s\n'

# Check TFO statistics (the counters live in /proc/net/netstat under TcpExt;
# there is no /proc/net/tcp_fastopen_stats)
nstat -az | grep -i fastopen
# TcpExtTCPFastOpenActive          150   (outgoing TFO SYNs with data)
# TcpExtTCPFastOpenActiveFail      3     (of those, fell back to a normal handshake)
# TcpExtTCPFastOpenPassive         3200  (incoming TFO SYNs accepted)
# TcpExtTCPFastOpenPassiveFail     12    (incoming cookies rejected)
# TcpExtTCPFastOpenListenOverflow  0     (dropped: pending TFO queue full)
# TcpExtTCPFastOpenCookieReqd      40    (incoming cookie requests)
# TcpExtTCPFastOpenBlackhole       0     (client gave up on a path dropping SYN+data)
# (example values; `netstat -s | grep -i fastopen` shows the same counters)

# Verify TFO in packet capture: tcpdump prints the option as "tfo cookiereq"
# (request) or "tfo cookie <hex>"; a SYN that carried data also shows a
# nonzero "length" at the end of the line
sudo tcpdump -l -n -v -i eth0 'tcp[13] & 2 != 0' | grep -i 'tfo'
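
A small audit script for the sysctl and counters above, added here as an example (it is not the page's own tooling): it decodes the tcp_fastopen bitmask, parses /proc/net/netstat, and flags the unsafe bits and the counters worth a second look. The embedded netstat text is a constructed sample with a deliberate ListenOverflow, used when the script is not run on a Linux host; the 5% cookie-failure threshold is an assumed default.

```python
"""Added example: audit a Linux host's TCP Fast Open settings and counters.
Reads the tcp_fastopen bitmask and the TcpExt counters from /proc/net/netstat
(where the kernel really exposes them); falls back to a constructed sample."""
from pathlib import Path

# Bit meanings from the kernel's Documentation/networking/ip-sysctl.rst
TFO_BITS = {
    0x1: "client: send data in the SYN when a cookie is cached",
    0x2: "server: accept data in the SYN from clients with a valid cookie",
    0x4: "client: send data in the SYN even without a cookie",
    0x200: "server: accept data in the SYN without any cookie",
    0x400: "server: enable TFO on every listener without TCP_FASTOPEN",
}
UNSAFE_SERVER_BITS = 0x200   # drops the only check tying SYN data to a prior contact from that IP

# Constructed sample in /proc/net/netstat format (header/value line pairs per prefix)
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent TCPFastOpenActive TCPFastOpenActiveFail TCPFastOpenPassive TCPFastOpenPassiveFail TCPFastOpenListenOverflow TCPFastOpenCookieReqd TCPFastOpenBlackhole
TcpExt: 0 150 3 3200 12 5 40 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""

def decode_tfo_mode(value: int) -> list:
    """Expand the sysctl bitmask into the options it enables."""
    return [desc for bit, desc in TFO_BITS.items() if value & bit]

def parse_netstat(text: str) -> dict:
    """Parse /proc/net/netstat into {'TcpExt.TCPFastOpenPassive': 3200, ...}."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    counters = {}
    for header, values in zip(rows[::2], rows[1::2]):
        if header[0] != values[0]:
            raise ValueError("unpaired netstat lines: %s / %s" % (header[0], values[0]))
        prefix = header[0].rstrip(":")
        for name, val in zip(header[1:], values[1:]):
            counters["%s.%s" % (prefix, name)] = int(val)
    return counters

def tfo_counters(counters: dict) -> dict:
    """Just the TFO counters, keyed without the TcpExt prefix."""
    return {k.split(".", 1)[1]: v for k, v in counters.items() if "TCPFastOpen" in k}

def audit(mode: int, counters: dict, max_fail_ratio: float = 0.05) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if mode & UNSAFE_SERVER_BITS:
        findings.append("tcp_fastopen 0x200 set: SYN data accepted from any source without a cookie")
    tfo = tfo_counters(counters)
    ok, bad = tfo.get("TCPFastOpenPassive", 0), tfo.get("TCPFastOpenPassiveFail", 0)
    if ok + bad and bad / (ok + bad) > max_fail_ratio:
        findings.append("%d of %d incoming TFO SYNs had invalid cookies: key rotated too often, "
                        "or replayed/spoofed SYNs" % (bad, ok + bad))
    if tfo.get("TCPFastOpenListenOverflow", 0):
        findings.append("pending TFO queue overflowed: raise the listener's fastopen= limit "
                        "or look for SYN+data floods")
    if tfo.get("TCPFastOpenBlackhole", 0):
        findings.append("blackhole detection fired: some path drops SYNs that carry data")
    return findings

def read_host() -> tuple:
    """Live values on Linux, otherwise the constructed sample with mode 3."""
    sysctl = Path("/proc/sys/net/ipv4/tcp_fastopen")
    netstat = Path("/proc/net/netstat")
    if sysctl.exists() and netstat.exists():
        return int(sysctl.read_text().strip()), parse_netstat(netstat.read_text())
    return 3, parse_netstat(SAMPLE_NETSTAT)

if __name__ == "__main__":
    mode, counters = read_host()
    print("tcp_fastopen=%#x" % mode)
    for desc in decode_tfo_mode(mode) or ["disabled"]:
        print("   " + desc)
    for name, value in tfo_counters(counters).items():
        print("   %-28s %d" % (name, value))
    for finding in audit(mode, counters):
        print("!  " + finding)
```

On a real edge, run it periodically and alert on any finding; a climbing PassiveFail ratio without a matching key rotation is the counter most worth watching, since it is what replayed or spoofed SYNs look like from the server's side.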

Related CDN concepts include:

  • Latency — The time delay between a request and the start of its response. For CDNs, it's …
  • TCP (TCP) — Transmission Control Protocol. The reliable, ordered, connection-oriented transport protocol underneath HTTP/1.1 and HTTP/2. TCP's three-way …
  • CWND (Congestion Window) (CWND) — The TCP sender-side limit on how much unacknowledged data can be in flight. Controls throughput …