AusNOG 2023: A quick look at QUIC

APNIC
APNICAPNIC
A quick look at QUIC Geoff Huston AM APNIC Labs
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
QUIC is a mashup of TCP and TLS HTTP Multi-stream TLS Session Encryption TCP Data stream integrity Congestion Control HTTP QUIC Multi-stream Encryption Data stream integrity Congestion Control UDP IP HTTP/2 QUIC HTTP/3 e2e encrypted e2e encrypted
TCP is.. A transport protocol that constructs a reliable full duplex adaptive streaming service on top of an unreliable IP datagram service • Uses a coordinated state between the two end systems without any network intervention or mediation • Uses a sliding window to allow lost data to be resent • Uses ACK-clocking to regulate the sending behaviour to match network path capacity estimate
TCP isn’t… • Fully independent of the underlying platform’s transport services • Fully multi-stream (it has head-of-line blocking) • Fully multi-path (yes, MP-TCP exists, but there are some outstanding issues here!) • Address agile • Free from on-the-wire network intervention (TCP control parameters are sent in the clear) • Has e2e encryption as a second step / afterthought • Everything for everyone – it relies on the application to perform data framing and in-band control
QUIC is… Constructed upon a transport level framing protocol that offers applications access to the basic IP datagram services offered by IP through the use of UDP All other transport services (data integrity, session control, congestion control, encryption) are shifted upwards in the protocol stack towards the application. A host platform may provide a QUIC API as part of the host library, but the application can also provide its own QUIC service independent of the host
QUIC is… So much more than just “encrypted TCP over UDP” • Support for multi-stream multiplexing that avoids head-of-line blocking and exploits a shared congestion and encryption state • Faster - Combines transport and encryption setup exchange in a single 3-way exchange at session start, and supports fast reopen • Customisable - QUIC implementations can use individual flow controllers per flow • QUIC places its transport control fields inside the encryption envelope, so QUIC features minimal exposure to the network • Supports record and Remote Procedure Call service models as well as bit- streaming and datagram services
QUIC is address agile • NATs are potentially hostile to QUIC because of the outer UDP wrapper • A NAT may rebind a QUIC session (shift the externally visible address/port of a host during a session), as NATs are not generally aware of UDP streaming states • QUIC uses a persistent “connection ID” • If a host receives a QUIC frame with the same connection ID and a new source IP address / port it will send a challenge by way of a random value that should be echoed back. This is all performed within the e2e encryption envelope. That way a QUIC e2e session can map into new address/port associations on the fly
QUIC also… • Is IP fragmentation intolerant – QUIC uses PMTUD, or defaults to 1,200 octet UDP payloads • Never retransmits a QUIC packet – retransmitted data is sent in the next QUIC packet number – this avoids ambiguity about packet retransmission • Extends TCP SACK to 256 packet number ranges (up from 3 in TCP SACK) • Separately encrypts each QUIC packet – no inter-packet dependencies on decryption • May load multiple QUIC packets in a single UDP frame
QUIC flow structuring A QUIC connection is broken into “streams” which are reliable data flows – each stream performs stream-based loss recovery, congestion control, and relative stream scheduling for bandwidth allocation QUIC also supports unreliable encrypted datagram delivery
QUIC and Remote Procedure Calls • By associating each RPC request/reply with a new stream, QUIC can support asynchronous RPC transactions using reliable messaging • This can handle lost, mis-ordered and duplicated RPC messages without common blocking or throttling
QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks NAT Load Balancer Server A Server B Source Address A Source Address B NAT re-binding
QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks • If we really want large scale QUIC with front-end load balancing and if we still need to tolerate NATs then we will need to think about how the end point can share the connection ID state with its front-end load balancer, or how to terminate the QUIC session in the front-end and use a second session to a selected server
QUIC and DOS • Very little lies outside the encryption envelope in QUIC • Which means all incoming packets addressed to the QUIC port need to be decrypted • But the QUIC session uses symmetric crypto so the packet decode overhead is far smaller than an asymmetric crypto load for the same packet rate • It’s not the best answer, but it’s not disastrous either!
QUIC is: • A logical evolutionary step for transport services, providing more flexibility, faster connection setup, and a larger set of transport services • It’s what we should expect from a capable modern transport protocol!
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers (This second method requires a subsequent query in a distinct HTTP session to allow the client to use the Alt-Svc capability.)
Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers First Fetch Second Fetch
Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 * Oberlo.com
Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 • And Apple Safari is now supporting QUIC, using the DNS apln directive • So a QUIC-aware server platform should be seeing some 85% of its sessions using QUIC – right? * https://gs.statcounter.com/browser-market-share
Cloudflare’s Numbers Cloudflare reports a far lower level of QUIC use
APNIC’s QUIC measurement • We have configured a server to support QUIC sessions • We support both DNS and content triggers • The content trigger requires us to measure across multiple fetches within each measurement • Which means that we need to carefully set the HTTP/2 session keepalive timer to make this work as intended
Server Session Keepalive Timers • After much searching under many rocks we were advised that a server keepalive timer value of 1 second is too small, as the server drops the QUIC connection too aggressively and the browser client then drops back to using HTTP/2 • The default value of 65 seconds for the server keepalive interval seems to be too long • So we used a server keepalive value of 20 seconds…
QUIC Use Playing with keepalive parameters! First Fetch – mainly Safari clients Subsequent Fetches – mainly Chrome clients
QUIC Use – July 2023
National Filtering of QUIC?
National Filtering of QUIC?
Other Measures: Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
Measuring QUIC Performance In this test (between the same endpoints) over a Starlink circuit, TCP CUBIC underperforms badly, while TCP BBR and QUIC both perform reasonably well
Why is QUIC important? Because QUIC is fast Because QUIC encrypts everything • No visible transport control settings • No visible Server Name Indication in the crypto-setup • No visible traffic profile other than inter-packet timing • And if you use a MASQUE-based VPN then there no residual visibility! Because QUIC is an application capability • QUIC can interact with the platform through the UDP API, so all of QUIC can be implemented within the application. This gives the application more control over its service outcomes and reduces external dependencies
What does this mean for TCP? It’s not looking all that good for TCP’s prospects • QUIC not only does faster start up, but it supports multi-channel in a frictionless manner • QUIC resists network operator efforts to perform traffic shaping through direct manipulation of TCP control parameters • QUIC allows the application service provider to control the congestion behaviour of its sessions
What does this mean for TCP? Normally you would expect any transition from TCP to QUIC to take forever BUT: • QUIC gives benefit to adopters through more responsive web services • QUIC does a better job of hiding content, which is a benefit to the service operator • QUIC has fewer external dependencies • QUIC can be deployed on a piecemeal basis So it all may be over for TCP in a very small number of years!
What does this mean for the Internet? • IP was a network protocol that provided services to attached devices • The network service model used by IP was minimal • Packets may be dropped, fragmented, duplicated, corrupted and/or reordered on their path through the network • It’s left to the edge systems to recover from this network behaviour. • Efforts to expand the network’s role have foundered • QoS has just got nowhere! • Various forms of source-directed forwarding are resisted by network operators who want control over traffic engineering • Networks took up a role of defending the network resource against aggressive application behaviour • Some networks enabled user surveillance media network TCP Transport apps $$$
The new Networking Space And this is why QUIC is so interesting – it is pushing both network carriage and host platform into commodity roles in networking and allowing applications to effectively customize the way in which they want to deliver services and dominating the entire networked environment QUIC is the application’s view of what Transport should be! media network TCP Transport apps media network UDP Transport apps Internal Transport + session security $$$ QUIC and value transform in the network stack
What does this mean for the Internet? • The relationship between applications, hosts and networks has soured into mutual distrust and suspicion • The application now defends its integrity by wrapping up as much of the service transaction with encryption and indirection • QUIC (and MASQUE) is an intrinsic part of this process of wrapping up traffic in encryption and redirection • For the network operator there is little left to see • And I suspect that there is no coming back from here!
What can a Network Operator Do? • When all customer traffic is completely obscured and encrypted? • Traffic Shaping? • Regulatory Requirements for traffic interception? • Load Balancing / ECMP
The new Internet Space “What you can’t dominate, you commoditise*” • Vertically integrated service providers have faded away into history - the deregulated competitive service industry continues to specialize rather than generalize at every level • Carriage is no longer an inescapable monopoly - massively replicated content can be used as a substitute for many carriage service elements • Control over the platform is no longer control over the user. Operating systems have been pushed back into a basic task scheduling role, while functions are being absorbed into the application space * A related quote is Peter Thiel’s “Competition is for losers!”
Thanks!
1 sur 41

AusNOG 2023: A quick look at QUIC

Télécharger pour lire hors ligne
Internet

APNIC Chief Scientist Geoff Huston examines QUIC and its impact on networking.

APNIC
APNICAPNIC

Recommandé

A Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdf par
A Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdfA Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdf
A Quick Look at QUIC, presentation for RIPE 85 by Geoff Huston.pdfAPNIC
220 vues34 diapositives
WebRTC DataChannels demystified par
WebRTC DataChannels demystifiedWebRTC DataChannels demystified
WebRTC DataChannels demystifiedVictor Pascual Ávila
106.5K vues41 diapositives
Introduction to QUIC par
Introduction to QUICIntroduction to QUIC
Introduction to QUICShuya Osaki
2.7K vues14 diapositives
QUIC protocol.pptx par
QUIC protocol.pptxQUIC protocol.pptx
QUIC protocol.pptxSHIVAMPANDEY138243
89 vues9 diapositives
Presentazione-Prelaurea_Alessandro-Nuzzi.pptx par
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxPresentazione-Prelaurea_Alessandro-Nuzzi.pptx
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxAlessandroNuzzi1
3 vues28 diapositives
Presentazione-Prelaurea_Alessandro-Nuzzi.pptx par
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxPresentazione-Prelaurea_Alessandro-Nuzzi.pptx
Presentazione-Prelaurea_Alessandro-Nuzzi.pptxAlessandroNuzzi1
2 vues28 diapositives

Contenu connexe

Similaire à AusNOG 2023: A quick look at QUIC

Future Internet protocols par
Future Internet protocolsFuture Internet protocols
Future Internet protocolsOlivier Bonaventure
877 vues53 diapositives
Innovation is back in the transport and network layers par
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layersOlivier Bonaventure
1.1K vues53 diapositives
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2 par
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2Building the Internet of Things with Thingsquare and Contiki - day 2 part 2
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2Adam Dunkels
8.5K vues33 diapositives
Load Balancing 101 par
Load Balancing 101Load Balancing 101
Load Balancing 101HungWei Chiu
867 vues50 diapositives
Google QUIC par
Google QUICGoogle QUIC
Google QUICFelipe Rayel
8K vues18 diapositives
Presentazione Laurea Nuzzi Alessandro.pptx par
Presentazione Laurea Nuzzi Alessandro.pptxPresentazione Laurea Nuzzi Alessandro.pptx
Presentazione Laurea Nuzzi Alessandro.pptxAlessandroNuzzi1
3 vues13 diapositives

Similaire à AusNOG 2023: A quick look at QUIC(20)

Future Internet protocols par Olivier Bonaventure
Future Internet protocolsFuture Internet protocols
Future Internet protocols
Olivier Bonaventure877 vues
Innovation is back in the transport and network layers par Olivier Bonaventure
Innovation is back in the transport and network layersInnovation is back in the transport and network layers
Innovation is back in the transport and network layers
Olivier Bonaventure1.1K vues
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2 par Adam Dunkels
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2Building the Internet of Things with Thingsquare and Contiki - day 2 part 2
Building the Internet of Things with Thingsquare and Contiki - day 2 part 2
Adam Dunkels8.5K vues
Load Balancing 101 par HungWei Chiu
Load Balancing 101Load Balancing 101
Load Balancing 101
HungWei Chiu867 vues
Google QUIC par Felipe Rayel
Google QUICGoogle QUIC
Google QUIC
Felipe Rayel8K vues
Presentazione Laurea Nuzzi Alessandro.pptx par AlessandroNuzzi1
Presentazione Laurea Nuzzi Alessandro.pptxPresentazione Laurea Nuzzi Alessandro.pptx
Presentazione Laurea Nuzzi Alessandro.pptx
AlessandroNuzzi13 vues
HTTP/3 par Daniel Stenberg
HTTP/3HTTP/3
HTTP/3
Daniel Stenberg6K vues
Network protocols and vulnerabilities par G Prachi
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
G Prachi1.6K vues
Windows Communication Foundation (WCF) par Betclic Everest Group Tech Team
Windows Communication Foundation (WCF)Windows Communication Foundation (WCF)
Windows Communication Foundation (WCF)
Betclic Everest Group Tech Team6.5K vues
.NET Conf 2022 - Networking in .NET 7 par Karel Zikmund
.NET Conf 2022 - Networking in .NET 7.NET Conf 2022 - Networking in .NET 7
.NET Conf 2022 - Networking in .NET 7
Karel Zikmund64 vues
BWE in Janus par Lorenzo Miniero
BWE in JanusBWE in Janus
BWE in Janus
Lorenzo Miniero376 vues
2017_IMC_QUIC.pptx par Brian Zein
2017_IMC_QUIC.pptx2017_IMC_QUIC.pptx
2017_IMC_QUIC.pptx
Brian Zein5 vues
QUIC par Apache Traffic Server
QUICQUIC
QUIC
Apache Traffic Server888 vues
Quick QUIC Technical Update (2017) par Taisuke Yamada
Quick QUIC Technical Update (2017)Quick QUIC Technical Update (2017)
Quick QUIC Technical Update (2017)
Taisuke Yamada149 vues
20 QUIC Dissection Megumi Takeshita par Megumi Takeshita
20 QUIC Dissection Megumi Takeshita20 QUIC Dissection Megumi Takeshita
20 QUIC Dissection Megumi Takeshita
Megumi Takeshita4 vues
Multicast QUIC for video content delivery par Jisc
Multicast QUIC for video content deliveryMulticast QUIC for video content delivery
Multicast QUIC for video content delivery
Jisc3.9K vues
RIPE 80: Buffers and Protocols par APNIC
RIPE 80: Buffers and ProtocolsRIPE 80: Buffers and Protocols
RIPE 80: Buffers and Protocols
APNIC215 vues
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w... par VMworld
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...
VMworld 2014: Advanced Topics & Future Directions in Network Virtualization w...
VMworld1.1K vues
CoAP Talk par Basuke Suzuki
CoAP TalkCoAP Talk
CoAP Talk
Basuke Suzuki4.7K vues
Architecting Low Latency Applications Alberto Gonzalez par Alberto González Trastoy
Architecting Low Latency Applications Alberto GonzalezArchitecting Low Latency Applications Alberto Gonzalez
Architecting Low Latency Applications Alberto Gonzalez
Alberto González Trastoy16 vues

Plus de APNIC

IETF 118: Starlink Protocol Performance par
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
124 vues22 diapositives
HKNOG 12.0: RPKI Actions Required by HK Networks par
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK NetworksAPNIC
453 vues26 diapositives
KHNOG 5: RPKI Status Update par
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status UpdateAPNIC
401 vues25 diapositives
KHNOG 5: APNIC Services par
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC ServicesAPNIC
414 vues15 diapositives
PITA Strategy Forum 2023: Internet resilience par
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilienceAPNIC
438 vues7 diapositives
SANOG 40: DDoS in South Asia par
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South AsiaAPNIC
350 vues52 diapositives

Plus de APNIC(20)

IETF 118: Starlink Protocol Performance par APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC124 vues
HKNOG 12.0: RPKI Actions Required by HK Networks par APNIC
HKNOG 12.0: RPKI Actions Required by HK NetworksHKNOG 12.0: RPKI Actions Required by HK Networks
HKNOG 12.0: RPKI Actions Required by HK Networks
APNIC453 vues
KHNOG 5: RPKI Status Update par APNIC
KHNOG 5: RPKI Status UpdateKHNOG 5: RPKI Status Update
KHNOG 5: RPKI Status Update
APNIC401 vues
KHNOG 5: APNIC Services par APNIC
KHNOG 5: APNIC ServicesKHNOG 5: APNIC Services
KHNOG 5: APNIC Services
APNIC414 vues
PITA Strategy Forum 2023: Internet resilience par APNIC
PITA Strategy Forum 2023: Internet resiliencePITA Strategy Forum 2023: Internet resilience
PITA Strategy Forum 2023: Internet resilience
APNIC438 vues
SANOG 40: DDoS in South Asia par APNIC
SANOG 40: DDoS in South AsiaSANOG 40: DDoS in South Asia
SANOG 40: DDoS in South Asia
APNIC350 vues
SANOG 40: RPKI in South Asia par APNIC
SANOG 40: RPKI in South AsiaSANOG 40: RPKI in South Asia
SANOG 40: RPKI in South Asia
APNIC351 vues
RenasCON 2023: Learning from honeypots par APNIC
RenasCON 2023: Learning from honeypotsRenasCON 2023: Learning from honeypots
RenasCON 2023: Learning from honeypots
APNIC426 vues
IGF 2023: DNS Privacy par APNIC
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
APNIC428 vues
MNSEC Conference 2023: Mining Bots par APNIC
MNSEC Conference 2023: Mining BotsMNSEC Conference 2023: Mining Bots
MNSEC Conference 2023: Mining Bots
APNIC421 vues
VNIX-NOG 2023: IPv6 Deployment in government networks par APNIC
VNIX-NOG 2023: IPv6 Deployment in government networksVNIX-NOG 2023: IPv6 Deployment in government networks
VNIX-NOG 2023: IPv6 Deployment in government networks
APNIC427 vues
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids par APNIC
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalidsVNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
VNIX-NOG 2023: State of RPKI in APAC - Cleaning up invalids
APNIC422 vues
SGNOG 10: IPv6 Insights in South East Asia par APNIC
SGNOG 10: IPv6 Insights in South East AsiaSGNOG 10: IPv6 Insights in South East Asia
SGNOG 10: IPv6 Insights in South East Asia
APNIC416 vues
mnNOG 5: Open source SD-WAN par APNIC
mnNOG 5: Open source SD-WANmnNOG 5: Open source SD-WAN
mnNOG 5: Open source SD-WAN
APNIC482 vues
mnNOG 2023: State of IPv6 in Mongolia par APNIC
mnNOG 2023: State of IPv6 in MongoliamnNOG 2023: State of IPv6 in Mongolia
mnNOG 2023: State of IPv6 in Mongolia
APNIC933 vues
mnNOG 2023: On GEOs, LEOs and Starlink par APNIC
mnNOG 2023: On GEOs, LEOs and StarlinkmnNOG 2023: On GEOs, LEOs and Starlink
mnNOG 2023: On GEOs, LEOs and Starlink
APNIC495 vues
AusNOG 2023: RPKI and whois updates par APNIC
AusNOG 2023: RPKI and whois updatesAusNOG 2023: RPKI and whois updates
AusNOG 2023: RPKI and whois updates
APNIC566 vues
APrIGF 2023: Sustainability of Complementary Connectivity Initiatives par APNIC
APrIGF 2023: Sustainability of Complementary Connectivity InitiativesAPrIGF 2023: Sustainability of Complementary Connectivity Initiatives
APrIGF 2023: Sustainability of Complementary Connectivity Initiatives
APNIC607 vues
APAN 56: APNIC Report par APNIC
APAN 56: APNIC Report APAN 56: APNIC Report
APAN 56: APNIC Report
APNIC293 vues
2023 NCIT: Introduction to Intrusion Detection par APNIC
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
APNIC172 vues

Dernier

Building trust in our information ecosystem: who do we trust in an emergency par
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
85 vues18 diapositives
WEB 2.O TOOLS: Empowering education.pptx par
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptxnarmadhamanohar21
15 vues16 diapositives
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf par
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
9 vues12 diapositives
Sustainable Marketing par
Sustainable MarketingSustainable Marketing
Sustainable MarketingTheo van der Zee
9 vues50 diapositives
UiPath Document Understanding_Day 2.pptx par
UiPath Document Understanding_Day 2.pptxUiPath Document Understanding_Day 2.pptx
UiPath Document Understanding_Day 2.pptxRohitRadhakrishnan8
282 vues21 diapositives
AI Powered event-driven translation bot par
AI Powered event-driven translation botAI Powered event-driven translation bot
AI Powered event-driven translation botJimmy Dahlqvist
16 vues31 diapositives

Dernier(20)

Building trust in our information ecosystem: who do we trust in an emergency par Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat85 vues
WEB 2.O TOOLS: Empowering education.pptx par narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar2115 vues
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf par RIPE NCC
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC9 vues
Sustainable Marketing par Theo van der Zee
Sustainable MarketingSustainable Marketing
Sustainable Marketing
Theo van der Zee9 vues
UiPath Document Understanding_Day 2.pptx par RohitRadhakrishnan8
UiPath Document Understanding_Day 2.pptxUiPath Document Understanding_Day 2.pptx
UiPath Document Understanding_Day 2.pptx
RohitRadhakrishnan8282 vues
AI Powered event-driven translation bot par Jimmy Dahlqvist
AI Powered event-driven translation botAI Powered event-driven translation bot
AI Powered event-driven translation bot
Jimmy Dahlqvist16 vues
childcare.pdf par fatma alnaqbi
childcare.pdfchildcare.pdf
childcare.pdf
fatma alnaqbi14 vues
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ... par Prof. Marcus Renato de Carvalho
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...
OMS: Diretrizes para um controle da promoção comercial dos ditos substitutos ...
Prof. Marcus Renato de Carvalho88 vues
Existing documentaries (1).docx par MollyBrown86
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docx
MollyBrown8613 vues
PORTFOLIO 1 (Bret Michael Pepito).pdf par brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04107 vues
Serverless cloud architecture patterns par Jimmy Dahlqvist
Serverless cloud architecture patternsServerless cloud architecture patterns
Serverless cloud architecture patterns
Jimmy Dahlqvist17 vues
informing ideas.docx par MollyBrown86
informing ideas.docxinforming ideas.docx
informing ideas.docx
MollyBrown8612 vues
DU Series - Day 4.pptx par UiPathCommunity
DU Series - Day 4.pptxDU Series - Day 4.pptx
DU Series - Day 4.pptx
UiPathCommunity94 vues
Audience profile.pptx par MollyBrown86
Audience profile.pptxAudience profile.pptx
Audience profile.pptx
MollyBrown8612 vues
zotabet.pdf par zotabetcasino
zotabet.pdfzotabet.pdf
zotabet.pdf
zotabetcasino6 vues
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 par Infosec train
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
Infosec train7 vues
information par khelgishekhar
informationinformation
information
khelgishekhar7 vues
google forms survey (1).pptx par MollyBrown86
google forms survey (1).pptxgoogle forms survey (1).pptx
google forms survey (1).pptx
MollyBrown8614 vues
UiPath Document Understanding_Day 3.pptx par UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity95 vues
Is Entireweb better than Google par sebastianthomasbejan
Is Entireweb better than GoogleIs Entireweb better than Google
Is Entireweb better than Google
sebastianthomasbejan10 vues

AusNOG 2023: A quick look at QUIC

  • 1. A quick look at QUIC Geoff Huston AM APNIC Labs
  • 2. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
  • 3. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me!)
  • 4. QUIC is a mashup of TCP and TLS HTTP Multi-stream TLS Session Encryption TCP Data stream integrity Congestion Control HTTP QUIC Multi-stream Encryption Data stream integrity Congestion Control UDP IP HTTP/2 QUIC HTTP/3 e2e encrypted e2e encrypted
  • 5. TCP is.. A transport protocol that constructs a reliable full duplex adaptive streaming service on top of an unreliable IP datagram service • Uses a coordinated state between the two end systems without any network intervention or mediation • Uses a sliding window to allow lost data to be resent • Uses ACK-clocking to regulate the sending behaviour to match network path capacity estimate
  • 6. TCP isn’t… • Fully independent of the underlying platform’s transport services • Fully multi-stream (it has head-of-line blocking) • Fully multi-path (yes, MP-TCP exists, but there are some outstanding issues here!) • Address agile • Free from on-the-wire network intervention (TCP control parameters are sent in the clear) • Has e2e encryption as a second step / afterthought • Everything for everyone – it relies on the application to perform data framing and in-band control
  • 7. QUIC is… Constructed upon a transport level framing protocol that offers applications access to the basic IP datagram services offered by IP through the use of UDP All other transport services (data integrity, session control, congestion control, encryption) are shifted upwards in the protocol stack towards the application. A host platform may provide a QUIC API as part of the host library, but the application can also provide its own QUIC service independent of the host
  • 8. QUIC is… So much more than just “encrypted TCP over UDP” • Support for multi-stream multiplexing that avoids head-of-line blocking and exploits a shared congestion and encryption state • Faster - Combines transport and encryption setup exchange in a single 3-way exchange at session start, and supports fast reopen • Customisable - QUIC implementations can use individual flow controllers per flow • QUIC places its transport control fields inside the encryption envelope, so QUIC features minimal exposure to the network • Supports record and Remote Procedure Call service models as well as bit- streaming and datagram services
  • 9. QUIC is address agile • NATs are potentially hostile to QUIC because of the outer UDP wrapper • A NAT may rebind a QUIC session (shift the externally visible address/port of a host during a session), as NATs are not generally aware of UDP streaming states • QUIC uses a persistent “connection ID” • If a host receives a QUIC frame with the same connection ID and a new source IP address / port it will send a challenge by way of a random value that should be echoed back. This is all performed within the e2e encryption envelope. That way a QUIC e2e session can map into new address/port associations on the fly
  • 10. QUIC also… • Is IP fragmentation intolerant – QUIC uses PMTUD, or defaults to 1,200 octet UDP payloads • Never retransmits a QUIC packet – retransmitted data is sent in the next QUIC packet number – this avoids ambiguity about packet retransmission • Extends TCP SACK to 256 packet number ranges (up from 3 in TCP SACK) • Separately encrypts each QUIC packet – no inter-packet dependencies on decryption • May load multiple QUIC packets in a single UDP frame
  • 11. QUIC flow structuring A QUIC connection is broken into “streams” which are reliable data flows – each stream performs stream-based loss recovery, congestion control, and relative stream scheduling for bandwidth allocation QUIC also supports unreliable encrypted datagram delivery
  • 12. QUIC and Remote Procedure Calls • By associating each RPC request/reply with a new stream, QUIC can support asynchronous RPC transactions using reliable messaging • This can handle lost, mis-ordered and duplicated RPC messages without common blocking or throttling
  • 13. QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks NAT Load Balancer Server A Server B Source Address A Source Address B NAT re-binding
  • 14. QUIC and Load Balancing • This assumes that a front-end load balancer is capable of performing load balancing on UDP flows using the UDP connection 5-tuple • If the remote end performs NAT rebinding the load balancer will be thrown by this shift, and it has no direct visibility into the e2e session to uncover the connection ID • Using UDP to carry sustained high-volume streams may not match the internal optimisations used in server content delivery networks • If we really want large scale QUIC with front-end load balancing and if we still need to tolerate NATs then we will need to think about how the end point can share the connection ID state with its front-end load balancer, or how to terminate the QUIC session in the front-end and use a second session to a selected server
  • 15. QUIC and DOS • Very little lies outside the encryption envelope in QUIC • Which means all incoming packets addressed to the QUIC port need to be decrypted • But the QUIC session uses symmetric crypto so the packet decode overhead is far smaller than an asymmetric crypto load for the same packet rate • It’s not the best answer, but it’s not disastrous either!
  • 16. QUIC is: • A logical evolutionary step for transport services, providing more flexibility, faster connection setup, and a larger set of transport services • It’s what we should expect from a capable modern transport protocol!
  • 17. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
  • 18. Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers (This second method requires a subsequent query in a distinct HTTP session to allow the client to use the Alt-Svc capability.)
  • 19. Triggering QUIC in HTTP Use the DNS to trigger QUIC: • Set up an HTTPS record for each server name, with value: alpn=“h3” Use content-level controls to trigger QUIC: • Add Alt-Svc: h3=“:443” to the HTML headers First Fetch Second Fetch
  • 20. Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 * Oberlo.com
  • 21. Setting Expectations • Chrome has a dominant share of browser instances - roughly, some 65%* • And Chrome has been supporting a switch to QUIC via the Alt-Svc directive since 2020 • And Apple Safari is now supporting QUIC, using the DNS apln directive • So a QUIC-aware server platform should be seeing some 85% of its sessions using QUIC – right? * https://gs.statcounter.com/browser-market-share
  • 22. Cloudflare’s Numbers Cloudflare reports a far lower level of QUIC use
  • 23. APNIC’s QUIC measurement • We have configured a server to support QUIC sessions • We support both DNS and content triggers • The content trigger requires us to measure across multiple fetches within each measurement • Which means that we need to carefully set the HTTP/2 session keepalive timer to make this work as intended
  • 24. Server Session Keepalive Timers • After much searching under many rocks we were advised that a server keepalive timer value of 1 second is too small, as the server drops the QUIC connection too aggressively and the browser client then drops back to using HTTP/2 • The default value of 65 seconds for the server keepalive interval seems to be too long • So we used a server keepalive value of 20 seconds…
  • 25. QUIC Use Playing with keepalive parameters! First Fetch – mainly Safari clients Subsequent Fetches – mainly Chrome clients
  • 26. QUIC Use – July 2023
  • 29. Other Measures: Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
  • 30. Today I want to talk about.. • What QUIC is • How much QUIC is out there • Why QUIC is so interesting (to me)
  • 31. Network Traffic Volume Presentation to RIPE 86: The New Encrypted Protocol Stack and How to Deal with it – Bart van de Velde, Cisco
  • 32. Measuring QUIC Performance In this test (between the same endpoints) over a Starlink circuit, TCP CUBIC underperforms badly, while TCP BBR and QUIC both perform reasonably well
  • 33. Why is QUIC important? Because QUIC is fast Because QUIC encrypts everything • No visible transport control settings • No visible Server Name Indication in the crypto-setup • No visible traffic profile other than inter-packet timing • And if you use a MASQUE-based VPN then there no residual visibility! Because QUIC is an application capability • QUIC can interact with the platform through the UDP API, so all of QUIC can be implemented within the application. This gives the application more control over its service outcomes and reduces external dependencies
  • 34. What does this mean for TCP? It’s not looking all that good for TCP’s prospects • QUIC not only does faster start up, but it supports multi-channel in a frictionless manner • QUIC resists network operator efforts to perform traffic shaping through direct manipulation of TCP control parameters • QUIC allows the application service provider to control the congestion behaviour of its sessions
  • 35. What does this mean for TCP? Normally you would expect any transition from TCP to QUIC to take forever BUT: • QUIC gives benefit to adopters through more responsive web services • QUIC does a better job of hiding content, which is a benefit to the service operator • QUIC has fewer external dependencies • QUIC can be deployed on a piecemeal basis So it all may be over for TCP in a very small number of years!
  • 36. What does this mean for the Internet? • IP was a network protocol that provided services to attached devices • The network service model used by IP was minimal • Packets may be dropped, fragmented, duplicated, corrupted and/or reordered on their path through the network • It’s left to the edge systems to recover from this network behaviour. • Efforts to expand the network’s role have foundered • QoS has just got nowhere! • Various forms of source-directed forwarding are resisted by network operators who want control over traffic engineering • Networks took up a role of defending the network resource against aggressive application behaviour • Some networks enabled user surveillance media network TCP Transport apps $$$
  • 37. The new Networking Space And this is why QUIC is so interesting – it is pushing both network carriage and host platform into commodity roles in networking and allowing applications to effectively customize the way in which they want to deliver services and dominating the entire networked environment QUIC is the application’s view of what Transport should be! media network TCP Transport apps media network UDP Transport apps Internal Transport + session security $$$ QUIC and value transform in the network stack
  • 38. What does this mean for the Internet? • The relationship between applications, hosts and networks has soured into mutual distrust and suspicion • The application now defends its integrity by wrapping up as much of the service transaction with encryption and indirection • QUIC (and MASQUE) is an intrinsic part of this process of wrapping up traffic in encryption and redirection • For the network operator there is little left to see • And I suspect that there is no coming back from here!
  • 39. What can a Network Operator Do? • When all customer traffic is completely obscured and encrypted? • Traffic Shaping? • Regulatory Requirements for traffic interception? • Load Balancing / ECMP
  • 40. The new Internet Space “What you can’t dominate, you commoditise*” • Vertically integrated service providers have faded away into history - the deregulated competitive service industry continues to specialize rather than generalize at every level • Carriage is no longer an inescapable monopoly - massively replicated content can be used as a substitute for many carriage service elements • Control over the platform is no longer control over the user. Operating systems have been pushed back into a basic task scheduling role, while functions are being absorbed into the application space * A related quote is Peter Thiel’s “Competition is for losers!”