2018 Jan25 Quic Sferlin Slide


Quick UDP Internet Connections

(QUIC)
Simone Ferlin
[email protected]
draft-ietf-quic-transport-latest
https://quicwg.github.io/base-drafts/draft-ietf-quic-transport.html

References for this presentation

• A First Look at QUIC in the Wild, PAM 2018
  https://arxiv.org/pdf/1801.05168.pdf
• Taking a Long Look at QUIC, ACM IMC 2017
  https://mislove.org/publications/QUIC-IMC.pdf
• Multipath QUIC, ACM CoNEXT 2017
  https://multipath-quic.org/conext17-deconinck.pdf
• The QUIC Transport Protocol: Design and Internet-Scale Deployment, ACM SIGCOMM 2017
  https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46403.pdf
  https://conferences.sigcomm.org/sigcomm/2017/files/program/ts-5-1-QUIC.pdf
Why QUIC?

• Improve performance and latency of web applications
  • Most web applications run with HTTP over TCP and TLS (HTTPS).
  • Keep the idea of flow and congestion control from TCP.
  • It provides at least a connection-oriented, reliable and in-order byte stream.
  • It enables stream multiplexing (similar to HTTP/2) to optimize for latency.

• Improve security with end-to-end encryption by default and full encryption.
  • Still with TLS/SSL, but avoiding TLS’s handshake delay inflation.

• Overcome slow adoption with code in user-space
  • No full system updates needed (code inside your browser).
  • The transport layer, with only UDP and TCP, is difficult to update.

• Overcome slow updates and ubiquitous devices, i.e. middleboxes
  • TCP is often affected, and it has become incredibly difficult to propose extensions:
    Is it Still Possible to Extend TCP?, M. Honda et al., ACM IMC 2011.
Where is QUIC?

[Figure: User-space vs. Kernel-space]
Some QUICk remarks

• QUIC’s first implementation appeared around 2012 in Chromium
  • Standardisation group established in 2016
  • QUIC-WG: https://datatracker.ietf.org/wg/quic

• QUIC was and still is an experimental protocol
  • Approximately 9 version updates since 2015.

• It accounts for 2.6% to 9.1% of the Internet’s traffic
  • Looking at the addresses, this share is dominated by Google with up to 42.1%.
  • Only 0.06% to 0.1% of .com, .net, .org domains are QUIC enabled.
  • Only 1.6% to 2.44% of these domains present a valid certificate.
Measuring QUIC: Handshake

- client sends an incomplete client hello (CHLO) message.
- server responds with a reject (REJ) containing:
  - server config, e.g. Diffie-Hellman public value.
  - certificate chain authenticating the server.
  - authenticated-encryption block with the client’s public IP.
Measuring QUIC: Handshake

- client: after a complete CHLO, it is in possession of initial keys for the connection and free to send data to the server.
Measuring QUIC: Handshake

If the handshake is successful, the server returns with a server hello (SHLO).
- both server and client switch to sending packets encrypted with the forward-secure keys.

In future connections the client can cache the previous negotiations and start from here.

QUIC provides two levels of secrecy:
- initial client data is encrypted using initial keys (TLS).
- subsequent data is encrypted with forward-secure keys.
Measuring QUIC: A little more inside packets…

1. CHLO:
   - Connection ID (CID)
   - QUIC version, e.g. Q039.

2. Find a common supported version:
Measuring QUIC: A little more inside packets…

3. CHLO (again…)

4. REJ with some information
   (3. and 4. may repeat multiple times until all required data is available)
   - Signed Server Config (SCFG), Source Address Token (STK), supported ciphers, key exchange algorithms with public values, and certificates.
Measuring QUIC: A little more inside packets…

5. Client can issue another CHLO with enough information to establish a connection.

6. The server acknowledges the CHLO with a successful connection establishment (SHLO) carrying further key/value pairs that enable the connection to be fully utilized.
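A toy model of the six handshake steps above, added here and not taken from the slides or from quic-go: the SCFG, STK and Diffie-Hellman values are constructed placeholders, and the round-trip counts and the binding of the STK to the client's address follow the slides' description rather than any real implementation.

```go
package main

import "errors"

// Simplified model of the Google QUIC handshake on the slides: version negotiation,
// inchoate CHLO, REJ, complete CHLO, SHLO, and reuse of a cached server config.
// Added illustration with constructed placeholder values, not quic-go code.

// ServerConfig is what a REJ delivers; the STK is bound to the client's public IP.
type ServerConfig struct{ SCFG, DHPublic, STKAddr string }
type Server struct{ Versions []string; SCFG string }
// Cached is the config kept from an earlier handshake (nil on first contact);
// Addr is the client's current public IP.
type Client struct{ Versions []string; Addr string; Cached *ServerConfig }
// Result is the message trace plus round trips spent before the first client data.
type Result struct{ Trace []string; DataAtRTT int }

func common(a, b []string) (string, bool) {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				return x, true
			}
		}
	}
	return "", false
}

// Handshake runs the model until both sides hold forward-secure keys.
func Handshake(c *Client, s *Server, offered string) (Result, error) {
	var r Result
	version, ok := common([]string{offered}, s.Versions)
	if !ok { // steps 1-2: unsupported version, server answers with its versions
		r.Trace = append(r.Trace, "CHLO("+offered+")", "VERSION_NEGOTIATION")
		r.DataAtRTT++
		if version, ok = common(c.Versions, s.Versions); !ok {
			return r, errors.New("no common QUIC version")
		}
	}
	// Steps 3-4: inchoate CHLO and REJ unless a cached config with an STK for this address exists.
	if c.Cached == nil || c.Cached.STKAddr != c.Addr {
		r.Trace = append(r.Trace, "CHLO("+version+",inchoate)", "REJ(SCFG,STK,DH,certs)")
		r.DataAtRTT++
		c.Cached = &ServerConfig{SCFG: s.SCFG, DHPublic: "dh-pub-constructed", STKAddr: c.Addr}
	}
	// Step 5: complete CHLO, client has initial keys and sends data at once.
	// Step 6: SHLO, after which both sides switch to forward-secure keys.
	r.Trace = append(r.Trace, "CHLO("+version+",complete)+DATA[initial-keys]", "SHLO[forward-secure]")
	return r, nil
}
```

A client with a cached config for its current address reaches step 5 with no round trip, while a client that changed address falls back to the REJ exchange.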
Good reference for packet format: draft-ietf-quic-transport-latest

QUIC Packets
Long Header

Long headers are sent prior to the completion of version negotiation and the establishment of 1-RTT keys.

A few unencrypted public fields: flags, Connection ID (CID) and Packet Number (PKN), followed by the encrypted payload.
Why is some information not encrypted?

QUIC Packets
Short Header

The short header can be used after the version and 1-RTT keys are negotiated.
Measuring QUIC: Wireshark…
Measuring QUIC: Setup and QUIC-Go
1. Go v1.9 Installation
based on https://medium.com/@patdhlk/how-to-install-go-1-9-1-on-ubuntu-16-04-ee64c073cd79

cd /tmp
wget https://storage.googleapis.com/golang/go1.9.1.linux-amd64.tar.gz
tar xfz go1.9.1.linux-amd64.tar.gz
sudo mv go /usr/local
Measuring QUIC: Setup and QUIC-Go
2. Testing QUIC-Go

mkdir ~/go
cd ~/go
/usr/local/go/bin/go get github.com/lucas-clemente/quic-go
cd ~/go/src/github.com/lucas-clemente/quic-go
/usr/local/go/bin/go get -t -u ./...

Disable verification of the server certificate in the client. A certificate is still needed, since QUIC traffic is always encrypted; use the one bundled with quic-go instead.
nano internal/handshake/crypto_setup_client.go
- err = h.certManager.Verify(h.hostname)
+ err = nil // h.certManager.Verify(h.hostname)
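Review bot: replacing `err = h.certManager.Verify(h.hostname)` with `err = nil` drops server authentication entirely, so a client built from this tree accepts any certificate from any server, not just the quic-go test certificate; keep the change confined to the lab setup on 127.0.0.1 or your own EC2 instance and do not carry the modified binary anywhere else, or gate the skip behind a command-line flag so the default path still calls `h.certManager.Verify(h.hostname)`. Leaving the original call in the trailing comment is good, since it makes reverting the change obvious.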

Fetch test data


mkdir /tmp/quic-data
cd /tmp/quic-data
wget https://www.example.org
Measuring QUIC: Setup and QUIC-Go

[Figure: client on a wireless and/or wired link, server on an Amazon EC2 instance, provider (e.g. GET to the Internet)]
3. Start Server (defaults to port 6121) - start the server in your Amazon EC2 instance or for testing on 127.0.0.1.
cd ~/go/src/github.com/lucas-clemente/quic-go
/usr/local/go/bin/go run example/main.go -www /tmp/quic-data

4. Start Client locally, e.g. 127.0.0.1


cd ~/go/src/github.com/lucas-clemente/quic-go
/usr/local/go/bin/go run example/client/main.go https://localhost:6121/
