AusNOG 2023: A quick look at QUIC

APNIC
APNICAPNIC
A quick look at QUIC Geoff Huston AM APNIC Labs
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
QUIC is a mashup of TCP and TLS HTTP Multi-stream TLS Session Encryption TCP Data stream integrity Congestion Control HTTP QUIC Multi-stream Encryption Data stream integrity Congestion Control UDP IP HTTP/2 QUIC HTTP/3 e2e encrypted e2e encrypted
TCP is.. A transport protocol that constructs a reliable full duplex adaptive streaming service on top of an unreliable IP datagram service • Uses a coordinated state between the two end systems without any network intervention or mediation • Uses a sliding window to allow lost data to be resent • Uses ACK-clocking to regulate the sending behaviour to match network path capacity estimate
TCP isn’t… • Fully independent of the underlying platform’s transport services • Fully multi-stream (it has head-of-line blocking) • Fully multi-path (yes, MP-TCP exists, but there are some outstanding issues here!) • Address agile • Free from on-the-wire network intervention (TCP control parameters are sent in the clear) • Has e2e encryption as a second step / afterthought • Everything for everyone – it relies on the application to perform data framing and in-band control
QUIC is… Constructed upon a transport level framing protocol that offers applications access to the basic IP datagram services offered by IP through the use of UDP All other transport services (data integrity, session control, congestion control, encryption) are shifted upwards in the protocol stack towards the application. A host platform may provide a QUIC API as part of the host library, but the application can also provide its own QUIC service independent of the host
QUIC is… So much more than just “encrypted TCP over UDP” • Support for multi-stream multiplexing that avoids head-of-line blocking and exploits a shared congestion and encryption state • Faster - Combines transport and encryption setup exchange in a single 3-way exchange at session start, and supports fast reopen • Customisable - QUIC implementations can use individual flow controllers per flow • QUIC places its transport control fields inside the encryption envelope, so QUIC features minimal exposure to the network • Supports record and Remote Procedure Call service models as well as bit- streaming and datagram services
QUIC is address agile • NATs are potentially hostile to QUIC because of the outer UDP wrapper • A NAT may rebind a QUIC session (shift the externally visible address/port of a host during a session), as NATs are not generally aware of UDP streaming states • QUIC uses a persistent “connection ID” • If a host receives a QUIC frame with the same connection ID and a new source IP address / port it will send a challenge by way of a random value that should be echoed back. This is all performed within the e2e encryption envelope. That way a QUIC e2e session can map into new address/port associations on the fly
QUIC also… • Is IP fragmentation intolerant – QUIC uses PMTUD, or defaults to 1,200 octet UDP payloads • Never retransmits a QUIC packet – retransmitted data is sent in the next QUIC packet number – this avoids ambiguity about packet retransmission • Extends TCP SACK to 256 packet number ranges (up from 3 in TCP SACK) • Separately encrypts each QUIC packet – no inter-packet dependencies on decryption • May load multiple QUIC packets in a single UDP frame
QUIC flow structuring A QUIC connection is broken into “streams” which are reliable data flows – each stream performs stream-based loss recovery, congestion control, and relative stream scheduling for bandwidth allocation QUIC also supports unreliable encrypted datagram delivery
QUIC and Remote Procedure Calls • By associating each RPC request/reply with a new stream, QUIC can support asynchronous RPC transactions using reliable messaging • This can handle lost, mis-ordered and duplicated RPC messages without common blocking or throttling
QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks NAT Load Balancer Server A Server B Source Address A Source Address B NAT re-binding
QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks • If we really want large scale QUIC with front-end load balancing and if we still need to tolerate NATs then we will need to think about how the end point can share the connection ID state with its front-end load balancer, or how to terminate the QUIC session in the front-end and use a second session to a selected server
QUIC and DOS • Very little lies outside the encryption envelope in QUIC • Which means all incoming packets addressed to the QUIC port need to be decrypted • But the QUIC session uses symmetric crypto so the packet decode overhead is far smaller than an asymmetric crypto load for the same packet rate • It’s not the best answer, but it’s not disastrous either!
QUIC is: • A logical evolutionary step for transport services, providing more flexibility, faster connection setup, and a larger set of transport services • It’s what we should expect from a capable modern transport protocol!
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers (This second method requires a subsequent query in a distinct HTTP session to allow the client to use the Alt-Svc capability.)
Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers First Fetch Second Fetch
Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 * Oberlo.com
Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 • And Apple Safari is now supporting QUIC, using the DNS apln directive • So a QUIC-aware server platform should be seeing some 85% of its sessions using QUIC – right? * https://gs.statcounter.com/browser-market-share
Cloudflare’s Numbers Cloudflare reports a far lower level of QUIC use
APNIC’s QUIC measurement • We have configured a server to support QUIC sessions • We support both DNS and content triggers • The content trigger requires us to measure across multiple fetches within each measurement • Which means that we need to carefully set the HTTP/2 session keepalive timer to make this work as intended
Server Session Keepalive Timers • After much searching under many rocks we were advised that a server keepalive timer value of 1 second is too small, as the server drops the QUIC connection too aggressively and the browser client then drops back to using HTTP/2 • The default value of 65 seconds for the server keepalive interval seems to be too long • So we used a server keepalive value of 20 seconds…
QUIC Use Playing with keepalive parameters! First Fetch – mainly Safari clients Subsequent Fetches – mainly Chrome clients
QUIC Use – July 2023
National Filtering of QUIC?
National Filtering of QUIC?
Other Measures: Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
Measuring QUIC Performance In this test (between the same endpoints) over a Starlink circuit, TCP CUBIC underperforms badly, while TCP BBR and QUIC both perform reasonably well
Why is QUIC important? Because QUIC is fast Because QUIC encrypts everything • No visible transport control settings • No visible Server Name Indication in the crypto-setup • No visible traffic profile other than inter-packet timing • And if you use a MASQUE-based VPN then there no residual visibility! Because QUIC is an application capability • QUIC can interact with the platform through the UDP API, so all of QUIC can be implemented within the application. This gives the application more control over its service outcomes and reduces external dependencies
What does this mean for TCP? It’s not looking all that good for TCP’s prospects • QUIC not only does faster start up, but it supports multi-channel in a frictionless manner • QUIC resists network operator efforts to perform traffic shaping through direct manipulation of TCP control parameters • QUIC allows the application service provider to control the congestion behaviour of its sessions
What does this mean for TCP? Normally you would expect any transition from TCP to QUIC to take forever BUT: • QUIC gives benefit to adopters through more responsive web services • QUIC does a better job of hiding content, which is a benefit to the service operator • QUIC has fewer external dependencies • QUIC can be deployed on a piecemeal basis So it all may be over for TCP in a very small number of years!
What does this mean for the Internet? • IP was a network protocol that provided services to attached devices • The network service model used by IP was minimal • Packets may be dropped, fragmented, duplicated, corrupted and/or reordered on their path through the network • It’s left to the edge systems to recover from this network behaviour. • Efforts to expand the network’s role have foundered • QoS has just got nowhere! • Various forms of source-directed forwarding are resisted by network operators who want control over traffic engineering • Networks took up a role of defending the network resource against aggressive application behaviour • Some networks enabled user surveillance media network TCP Transport apps $$$
The new Networking Space And this is why QUIC is so interesting – it is pushing both network carriage and host platform into commodity roles in networking and allowing applications to effectively customize the way in which they want to deliver services and dominating the entire networked environment QUIC is the application’s view of what Transport should be! media network TCP Transport apps media network UDP Transport apps Internal Transport + session security $$$ QUIC and value transform in the network stack
What does this mean for the Internet? • The relationship between applications, hosts and networks has soured into mutual distrust and suspicion • The application now defends its integrity by wrapping up as much of the service transaction with encryption and indirection • QUIC (and MASQUE) is an intrinsic part of this process of wrapping up traffic in encryption and redirection • For the network operator there is little left to see • And I suspect that there is no coming back from here!
What can a Network Operator Do? • When all customer traffic is completely obscured and encrypted? • Traffic Shaping? • Regulatory Requirements for traffic interception? • Load Balancing / ECMP
The new Internet Space “What you can’t dominate, you commoditise*” • Vertically integrated service providers have faded away into history - the deregulated competitive service industry continues to specialize rather than generalize at every level • Carriage is no longer an inescapable monopoly - massively replicated content can be used as a substitute for many carriage service elements • Control over the platform is no longer control over the user. Operating systems have been pushed back into a basic task scheduling role, while functions are being absorbed into the application space * A related quote is Peter Thiel’s “Competition is for losers!”
Thanks!
1 von 41

AusNOG 2023: A quick look at QUIC

Downloaden Sie, um offline zu lesen
Internet

APNIC Chief Scientist Geoff Huston examines QUIC and its impact on networking.

APNIC
APNICAPNIC

Recomendados

A Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdf von
A Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdfA Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdf
A Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdfAPNIC
220 views34 Folien
WebRTC DataChannels demystified von
WebRTC DataChannels demystifiedWebRTC DataChannels demystified
WebRTC DataChannels demystifiedVictor Pascual Ávila
106.5K views41 Folien
Introduction to QUIC von
Introduction to QUICIntroduction to QUIC
Introduction to QUICShuya Osaki
2.7K views14 Folien
QUIC protocol.pptx von
QUIC protocol.pptxQUIC protocol.pptx
QUIC protocol.pptxSHIVAMPANDEY138243
91 views9 Folien
Presentazione-Prelaurea_Alessandro-Nuzzi.pptx von
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxPresentazione-Prelaurea_Alessandro-Nuzzi.pptx
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxAlessandroNuzzi1
3 views28 Folien
Presentazione-Prelaurea_Alessandro-Nuzzi.pptx von
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxPresentazione-Prelaurea_Alessandro-Nuzzi.pptx
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxAlessandroNuzzi1
2 views28 Folien

Más contenido relacionado

Similar a AusNOG 2023: A quick look at QUIC

Future Internet protocols von
Future Internet protocolsFuture Internet protocols
Future Internet protocolsOlivier Bonaventure
877 views53 Folien
Innovation is back in the transport and network layers von
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layersOlivier Bonaventure
1.1K views53 Folien
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2 von
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2Building the Internet of Things with Thingsquare and Contiki - day 2 part 2
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2Adam Dunkels
8.5K views33 Folien
Load Balancing 101 von
Load Balancing 101Load Balancing 101
Load Balancing 101HungWei Chiu
867 views50 Folien
Google QUIC von
Google QUICGoogle QUIC
Google QUICFelipe Rayel
8K views18 Folien
Presentazione Laurea Nuzzi Alessandro.pptx von
Presentazione Laurea Nuzzi Alessandro.pptxPresentazione Laurea Nuzzi Alessandro.pptx
Presentazione Laurea Nuzzi Alessandro.pptxAlessandroNuzzi1
3 views13 Folien

Similar a AusNOG 2023: A quick look at QUIC(20)

Future Internet protocols von Olivier Bonaventure
Future Internet protocolsFuture Internet protocols
Future Internet protocols
Olivier Bonaventure877 views
Innovation is back in the transport and network layers von Olivier Bonaventure
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layers
Olivier Bonaventure1.1K views
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2 von Adam Dunkels
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2Building the Internet of Things with Thingsquare and Contiki - day 2 part 2
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2
Adam Dunkels8.5K views
Load Balancing 101 von HungWei Chiu
Load Balancing 101Load Balancing 101
Load Balancing 101
HungWei Chiu867 views
Google QUIC von Felipe Rayel
Google QUICGoogle QUIC
Google QUIC
Felipe Rayel8K views
Presentazione Laurea Nuzzi Alessandro.pptx von AlessandroNuzzi1
Presentazione Laurea Nuzzi Alessandro.pptxPresentazione Laurea Nuzzi Alessandro.pptx
Presentazione Laurea Nuzzi Alessandro.pptx
AlessandroNuzzi13 views
HTTP/3 von Daniel Stenberg
HTTP/3HTTP/3
HTTP/3
Daniel Stenberg6K views
Network protocols and vulnerabilities von G Prachi
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
G Prachi1.6K views
Windows Communication Foundation (WCF) von Betclic Everest Group Tech Team
Windows Communication Foundation (WCF)Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)
Betclic Everest Group Tech Team6.5K views
.NET Conf 2022 - Networking in .NET 7 von Karel Zikmund
.NET Conf 2022 - Networking in .NET 7.NET Conf 2022 - Networking in .NET 7
.NET Conf 2022 - Networking in .NET 7
Karel Zikmund64 views
BWE in Janus von Lorenzo Miniero
BWE in JanusBWE in Janus
BWE in Janus
Lorenzo Miniero377 views
2017_IMC_QUIC.pptx von Brian Zein
2017_IMC_QUIC.pptx2017_IMC_QUIC.pptx
2017_IMC_QUIC.pptx
Brian Zein5 views
QUIC von Apache Traffic Server
QUICQUIC
QUIC
Apache Traffic Server888 views
Quick QUIC Technical Update (2017) von Taisuke Yamada
Quick QUIC Technical Update (2017)Quick QUIC Technical Update (2017)
Quick QUIC Technical Update (2017)
Taisuke Yamada149 views
20 QUIC Dissection Megumi Takeshita von Megumi Takeshita
20 QUIC Dissection Megumi Takeshita20 QUIC Dissection Megumi Takeshita
20 QUIC Dissection Megumi Takeshita
Megumi Takeshita5 views
Multicast QUIC for video content delivery von Jisc
Multicast QUIC for video content deliveryMulticast QUIC for video content delivery
Multicast QUIC for video content delivery
Jisc3.9K views
RIPE 80: Buffers and Protocols von APNIC
RIPE 80: Buffers and ProtocolsRIPE 80: Buffers and Protocols
RIPE 80: Buffers and Protocols
APNIC215 views
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w... von VMworld
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...
VMworld1.1K views
CoAP Talk von Basuke Suzuki
CoAP TalkCoAP Talk
CoAP Talk
Basuke Suzuki4.7K views
Architecting Low Latency Applications Alberto Gonzalez von Alberto González Trastoy
Architecting Low Latency Applications Alberto GonzalezArchitecting Low Latency Applications Alberto Gonzalez
Architecting Low Latency Applications Alberto Gonzalez
Alberto González Trastoy16 views

Más de APNIC

IETF 118: Starlink Protocol Performance von
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
244 views22 Folien
HKNOG 12.0: RPKI Actions Required by HK Networks von
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK NetworksAPNIC
466 views26 Folien
KHNOG 5: RPKI Status Update von
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status UpdateAPNIC
401 views25 Folien
KHNOG 5: APNIC Services von
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC ServicesAPNIC
414 views15 Folien
PITA Strategy Forum 2023: Internet resilience von
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilienceAPNIC
438 views7 Folien
SANOG 40: DDoS in South Asia von
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South AsiaAPNIC
350 views52 Folien

Más de APNIC(20)

IETF 118: Starlink Protocol Performance von APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC244 views
HKNOG 12.0: RPKI Actions Required by HK Networks von APNIC
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK Networks
APNIC466 views
KHNOG 5: RPKI Status Update von APNIC
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status Update
APNIC401 views
KHNOG 5: APNIC Services von APNIC
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC Services
APNIC414 views
PITA Strategy Forum 2023: Internet resilience von APNIC
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilience
APNIC438 views
SANOG 40: DDoS in South Asia von APNIC
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South Asia
APNIC350 views
SANOG 40: RPKI in South Asia von APNIC
SANOG 40: RPKI in South AsiaSANOG 40: RPKI in South Asia
SANOG 40: RPKI in South Asia
APNIC351 views
RenasCON 2023: Learning from honeypots von APNIC
RenasCON 2023: Learning from honeypotsRenasCON 2023: Learning from honeypots
RenasCON 2023: Learning from honeypots
APNIC428 views
IGF 2023: DNS Privacy von APNIC
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC429 views
MNSEC Conference 2023: Mining Bots von APNIC
MNSEC Conference 2023: Mining BotsMNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining Bots
APNIC423 views
VNIX-NOG 2023: IPv6 Deployment in government networks von APNIC
VNIX-NOG 2023: IPv6 Deployment in government networksVNIX-NOG 2023: IPv6 Deployment in government networks
VNIX-NOG 2023: IPv6 Deployment in government networks
APNIC429 views
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids von APNIC
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
APNIC424 views
SGNOG 10: IPv6 Insights in South East Asia von APNIC
SGNOG 10: IPv6 Insights in South East AsiaSGNOG 10: IPv6 Insights in South East Asia
SGNOG 10: IPv6 Insights in South East Asia
APNIC416 views
mnNOG 5: Open source SD-WAN von APNIC
mnNOG 5: Open source SD-WANmnNOG 5: Open source SD-WAN
mnNOG 5: Open source SD-WAN
APNIC482 views
mnNOG 2023: State of IPv6 in Mongolia von APNIC
mnNOG 2023: State of IPv6 in MongoliamnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in Mongolia
APNIC933 views
mnNOG 2023: On GEOs, LEOs and Starlink von APNIC
mnNOG 2023: On GEOs, LEOs and StarlinkmnNOG 2023: On GEOs, LEOs and Starlink
mnNOG 2023: On GEOs, LEOs and Starlink
APNIC496 views
AusNOG 2023: RPKI and whois updates von APNIC
AusNOG 2023: RPKI and whois updatesAusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updates
APNIC566 views
APrIGF 2023: Sustainability of Complementary Connectivity Initiatives von APNIC
APrIGF 2023: Sustainability of Complementary Connectivity InitiativesAPrIGF 2023: Sustainability of Complementary Connectivity Initiatives
APrIGF 2023: Sustainability of Complementary Connectivity Initiatives
APNIC607 views
APAN 56: APNIC Report von APNIC
APAN 56: APNIC Report APAN 56: APNIC Report
APAN 56: APNIC Report
APNIC293 views
2023 NCIT: Introduction to Intrusion Detection von APNIC
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
APNIC172 views

Último

𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 von
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲Infosec train
9 views6 Folien
Marketing and Community Building in Web3 von
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3Federico Ast
12 views64 Folien
PORTFOLIO 1 (Bret Michael Pepito).pdf von
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdfbrejess0410
8 views6 Folien
We see everywhere that many people are talking about technology.docx von
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docxssuserc5935b
6 views2 Folien
Building trust in our information ecosystem: who do we trust in an emergency von
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
98 views18 Folien
DU Series - Day 4.pptx von
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptxUiPathCommunity
100 views28 Folien

Último(11)

𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 von Infosec train
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
Infosec train9 views
Marketing and Community Building in Web3 von Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast12 views
PORTFOLIO 1 (Bret Michael Pepito).pdf von brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04108 views
We see everywhere that many people are talking about technology.docx von ssuserc5935b
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docx
ssuserc5935b6 views
Building trust in our information ecosystem: who do we trust in an emergency von Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat98 views
DU Series - Day 4.pptx von UiPathCommunity
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity100 views
How to think like a threat actor for Kubernetes.pptx von LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views
UiPath Document Understanding_Day 3.pptx von UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity103 views
Is Entireweb better than Google von sebastianthomasbejan
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan12 views
information von khelgishekhar
informationinformation
information
khelgishekhar8 views
WEB 2.O TOOLS: Empowering education.pptx von narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2116 views

AusNOG 2023: A quick look at QUIC

  • 1. A quick look at QUIC Geoff Huston AM APNIC Labs
  • 2. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
  • 3. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
  • 4. QUIC is a mashup of TCP and TLS HTTP Multi-stream TLS Session Encryption TCP Data stream integrity Congestion Control HTTP QUIC Multi-stream Encryption Data stream integrity Congestion Control UDP IP HTTP/2 QUIC HTTP/3 e2e encrypted e2e encrypted
  • 5. TCP is.. A transport protocol that constructs a reliable full duplex adaptive streaming service on top of an unreliable IP datagram service • Uses a coordinated state between the two end systems without any network intervention or mediation • Uses a sliding window to allow lost data to be resent • Uses ACK-clocking to regulate the sending behaviour to match network path capacity estimate
  • 6. TCP isn’t… • Fully independent of the underlying platform’s transport services • Fully multi-stream (it has head-of-line blocking) • Fully multi-path (yes, MP-TCP exists, but there are some outstanding issues here!) • Address agile • Free from on-the-wire network intervention (TCP control parameters are sent in the clear) • Has e2e encryption as a second step / afterthought • Everything for everyone – it relies on the application to perform data framing and in-band control
  • 7. QUIC is… Constructed upon a transport level framing protocol that offers applications access to the basic IP datagram services offered by IP through the use of UDP All other transport services (data integrity, session control, congestion control, encryption) are shifted upwards in the protocol stack towards the application. A host platform may provide a QUIC API as part of the host library, but the application can also provide its own QUIC service independent of the host
  • 8. QUIC is… So much more than just “encrypted TCP over UDP” • Support for multi-stream multiplexing that avoids head-of-line blocking and exploits a shared congestion and encryption state • Faster - Combines transport and encryption setup exchange in a single 3-way exchange at session start, and supports fast reopen • Customisable - QUIC implementations can use individual flow controllers per flow • QUIC places its transport control fields inside the encryption envelope, so QUIC features minimal exposure to the network • Supports record and Remote Procedure Call service models as well as bit- streaming and datagram services
  • 9. QUIC is address agile • NATs are potentially hostile to QUIC because of the outer UDP wrapper • A NAT may rebind a QUIC session (shift the externally visible address/port of a host during a session), as NATs are not generally aware of UDP streaming states • QUIC uses a persistent “connection ID” • If a host receives a QUIC frame with the same connection ID and a new source IP address / port it will send a challenge by way of a random value that should be echoed back. This is all performed within the e2e encryption envelope. That way a QUIC e2e session can map into new address/port associations on the fly
  • 10. QUIC also… • Is IP fragmentation intolerant – QUIC uses PMTUD, or defaults to 1,200 octet UDP payloads • Never retransmits a QUIC packet – retransmitted data is sent in the next QUIC packet number – this avoids ambiguity about packet retransmission • Extends TCP SACK to 256 packet number ranges (up from 3 in TCP SACK) • Separately encrypts each QUIC packet – no inter-packet dependencies on decryption • May load multiple QUIC packets in a single UDP frame
  • 11. QUIC flow structuring A QUIC connection is broken into “streams” which are reliable data flows – each stream performs stream-based loss recovery, congestion control, and relative stream scheduling for bandwidth allocation QUIC also supports unreliable encrypted datagram delivery
  • 12. QUIC and Remote Procedure Calls • By associating each RPC request/reply with a new stream, QUIC can support asynchronous RPC transactions using reliable messaging • This can handle lost, mis-ordered and duplicated RPC messages without common blocking or throttling
  • 13. QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks NAT Load Balancer Server A Server B Source Address A Source Address B NAT re-binding
  • 14. QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks • If we really want large scale QUIC with front-end load balancing and if we still need to tolerate NATs then we will need to think about how the end point can share the connection ID state with its front-end load balancer, or how to terminate the QUIC session in the front-end and use a second session to a selected server
  • 15. QUIC and DOS • Very little lies outside the encryption envelope in QUIC • Which means all incoming packets addressed to the QUIC port need to be decrypted • But the QUIC session uses symmetric crypto so the packet decode overhead is far smaller than an asymmetric crypto load for the same packet rate • It’s not the best answer, but it’s not disastrous either!
  • 16. QUIC is: • A logical evolutionary step for transport services, providing more flexibility, faster connection setup, and a larger set of transport services • It’s what we should expect from a capable modern transport protocol!
  • 17. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
  • 18. Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers (This second method requires a subsequent query in a distinct HTTP session to allow the client to use the Alt-Svc capability.)
  • 19. Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers First Fetch Second Fetch
  • 20. Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 * Oberlo.com
  • 21. Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 • And Apple Safari is now supporting QUIC, using the DNS apln directive • So a QUIC-aware server platform should be seeing some 85% of its sessions using QUIC – right? * https://gs.statcounter.com/browser-market-share
  • 22. Cloudflare’s Numbers Cloudflare reports a far lower level of QUIC use
  • 23. APNIC’s QUIC measurement • We have configured a server to support QUIC sessions • We support both DNS and content triggers • The content trigger requires us to measure across multiple fetches within each measurement • Which means that we need to carefully set the HTTP/2 session keepalive timer to make this work as intended
  • 24. Server Session Keepalive Timers • After much searching under many rocks we were advised that a server keepalive timer value of 1 second is too small, as the server drops the QUIC connection too aggressively and the browser client then drops back to using HTTP/2 • The default value of 65 seconds for the server keepalive interval seems to be too long • So we used a server keepalive value of 20 seconds…
  • 25. QUIC Use Playing with keepalive parameters! First Fetch – mainly Safari clients Subsequent Fetches – mainly Chrome clients
  • 26. QUIC Use – July 2023
  • 29. Other Measures: Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
  • 30. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
  • 31. Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
  • 32. Measuring QUIC Performance In this test (between the same endpoints) over a Starlink circuit, TCP CUBIC underperforms badly, while TCP BBR and QUIC both perform reasonably well
  • 33. Why is QUIC important? Because QUIC is fast Because QUIC encrypts everything • No visible transport control settings • No visible Server Name Indication in the crypto-setup • No visible traffic profile other than inter-packet timing • And if you use a MASQUE-based VPN then there no residual visibility! Because QUIC is an application capability • QUIC can interact with the platform through the UDP API, so all of QUIC can be implemented within the application. This gives the application more control over its service outcomes and reduces external dependencies
  • 34. What does this mean for TCP? It’s not looking all that good for TCP’s prospects • QUIC not only does faster start up, but it supports multi-channel in a frictionless manner • QUIC resists network operator efforts to perform traffic shaping through direct manipulation of TCP control parameters • QUIC allows the application service provider to control the congestion behaviour of its sessions
  • 35. What does this mean for TCP? Normally you would expect any transition from TCP to QUIC to take forever BUT: • QUIC gives benefit to adopters through more responsive web services • QUIC does a better job of hiding content, which is a benefit to the service operator • QUIC has fewer external dependencies • QUIC can be deployed on a piecemeal basis So it all may be over for TCP in a very small number of years!
  • 36. What does this mean for the Internet? • IP was a network protocol that provided services to attached devices • The network service model used by IP was minimal • Packets may be dropped, fragmented, duplicated, corrupted and/or reordered on their path through the network • It’s left to the edge systems to recover from this network behaviour. • Efforts to expand the network’s role have foundered • QoS has just got nowhere! • Various forms of source-directed forwarding are resisted by network operators who want control over traffic engineering • Networks took up a role of defending the network resource against aggressive application behaviour • Some networks enabled user surveillance media network TCP Transport apps $$$
  • 37. The new Networking Space And this is why QUIC is so interesting – it is pushing both network carriage and host platform into commodity roles in networking and allowing applications to effectively customize the way in which they want to deliver services and dominating the entire networked environment QUIC is the application’s view of what Transport should be! media network TCP Transport apps media network UDP Transport apps Internal Transport + session security $$$ QUIC and value transform in the network stack
  • 38. What does this mean for the Internet? • The relationship between applications, hosts and networks has soured into mutual distrust and suspicion • The application now defends its integrity by wrapping up as much of the service transaction with encryption and indirection • QUIC (and MASQUE) is an intrinsic part of this process of wrapping up traffic in encryption and redirection • For the network operator there is little left to see • And I suspect that there is no coming back from here!
  • 39. What can a Network Operator Do? • When all customer traffic is completely obscured and encrypted? • Traffic Shaping? • Regulatory Requirements for traffic interception? • Load Balancing / ECMP
  • 40. The new Internet Space “What you can’t dominate, you commoditise*” • Vertically integrated service providers have faded away into history - the deregulated competitive service industry continues to specialize rather than generalize at every level • Carriage is no longer an inescapable monopoly - massively replicated content can be used as a substitute for many carriage service elements • Control over the platform is no longer control over the user. Operating systems have been pushed back into a basic task scheduling role, while functions are being absorbed into the application space * A related quote is Peter Thiel’s “Competition is for losers!”