QUIC (Quick UDP Internet Connections) is a transport protocol that has the goal of replacing TCP and TLS.
QUIC was oroginally developed at Google and then later adopted by the IETF. The IETF version has long diverged from the original Google version and is considered a new protocol.
Notes
- QUIC connections fail to be negotatied around 8% of the time.
One of the main goals of QUIC is to provide a secure-by-default transport protocol, through things like authentication and encryption that is handled by the transport protocol itself rather than at a higher level like TLS.
QUIC keeps the TLS handshake messages while replacing the record layer with its own framing format. The same three-way handshake you get with TCP is done on QUIC.
QUIC connections are automaticaly authenticated and encrypted and only require a single round trip.
Additionally QUIC also encrypts connection metadata meaning middle-boxes cannot interfere with connections. Encrypting this metadata means no middlebox can correlate activity other than the endpoints in the connection.
QUIC provides support for multiplexing such that different HTTP streams can in turn be mapped to different QUICK transport streams.
It is structured that the same QUIC connection is shared, but streams are independent meaning packet loss only affects one stream.
Typical NATs can precicely manage the lifetime of NAT bindings. With QUIC this is not yet possible, this is because NAT routers currently do not understand QUIC, so they will fallback on default UDP flows. These often use arbitrary timesouts which could affect long-running connections.
QUIC has a feature called connection migration, which allows QUIC endpoints to migrate connections to different IP addresses at will. This means a mobile client can migrate a connection from celular data to Wifi when a network becomes available.
QPACK allows Header compression, this cannot work the same as HTTP/2s HPACK due to the way QUIC streams work. An additionaly stream is created to send QPACK table updates and another to acknowledge these updates.
UDP-based protocols are susceptible to reflection attacks. To mitigate this, QUIC provides source-address verification, this means a server can be sure a client is not spoofing IP addresses. The downside is that this mitigation increases the initial handshake from a single round-trip to tow.
Juho Snellman said that the encrpyion of layer 4 headers provides no meaningful privacy or security benefits. Instead the goal is to break middleboxes. They do this because they believe TCP cannot evolve due to these middle boxes. TCP protocol extensions have to jump through a lot of hurdles to reduce the damage that can be caused by middleboxes.
Middleboxes serve a criticle role, crippling them isn't a great idea. But even if this were not the case, readable headers enable troubleshooting.