| RFC 9308 | QUIC Applicability | September 2022 |
| Kühlewind & Trammell | Informational | [Page] |
This document discusses the applicability of the QUIC transport protocol,focusing on caveats impacting application protocol development and deploymentover QUIC. Its intended audience is designers of application protocol mappingsto QUIC and implementors of these application protocols.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9308.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
QUIC[QUIC] is a new transport protocol providing a number ofadvanced features. While initially designed for the HTTP use case, it providescapabilities that can be used with a much wider variety of applications. QUIC isencapsulated in UDP. QUIC version 1 integrates TLS 1.3[TLS13] toencrypt all payload data and most control information. The version of HTTP thatuses QUIC is known as HTTP/3[QUIC-HTTP].¶
This document provides guidance for application developers who want to usethe QUIC protocol without implementing it on their own. This includes generalguidance for applications operating over HTTP/3 or directly over QUIC.¶
In the following sections, we discuss specific caveats to QUIC's applicabilityand issues that application developers must consider when using QUIC as atransport for their applications.¶
QUIC uses UDP as a substrate. This enables userspace implementation and permitstraversal of network middleboxes (including NAT) without requiring updates toexisting network infrastructure.¶
Measurement studies have shown between 3%[Trammell16] and5%[Swett16] of networks block all UDP traffic, though thereis little evidence of other forms of systematic disadvantage to UDP trafficcompared to TCP[Edeline16]. This blocking implies that all applicationsrunning on top of QUIC must either be prepared to accept connectivity failureon such networks or be engineered to fall back to some other transportprotocol. In the case of HTTP, this fallback is TLS over TCP.¶
The IETF Transport Services (TAPS) specifications[TAPS-ARCH] describe a system with acommon API for multiple protocols. This is particularly relevant for QUIC asit addresses the implications of fallback among multiple protocols.¶
Specifically, fallback to insecure protocols or to weaker versions of secureprotocols needs to be avoided. In general, an application that implementsfallback needs to consider the security consequences. A fallback to TCP andTLS exposes control information to modification and manipulation in thenetwork. Additionally, downgrades to TLS versions older than 1.3, which isused in QUIC version 1, might result in significantly weakercryptographic protection. For example, the results of protocol negotiation[RFC7301] only have confidentiality protection if TLS 1.3 is used.¶
These applications must operate, perhaps with impaired functionality, in theabsence of features provided by QUIC not present in the fallback protocol. Forfallback to TLS over TCP, the most obvious difference is that TCP does notprovide stream multiplexing, and therefore stream multiplexing would need to beimplemented in the application layer if needed. Further, TCP implementationsand network paths often do not support the TCP Fast Open (TFO) option[RFC7413], whichenables sending of payload data together with the first control packet of a newconnection as also provided by 0-RTT session resumption in QUIC. Note thatthere is some evidence of middleboxes blocking SYN data even if TFO wassuccessfully negotiated (see[PaaschNanog]). And even if Fast Opensuccessfully operates end to end, it is limited to a single packet of TLShandshake and application data, unlike QUIC 0-RTT.¶
Moreover, while encryption (in this case TLS) is inseparably integrated withQUIC, TLS negotiation over TCP can be blocked. If TLS over TCP cannot besupported, the connection should be aborted, and the application then oughtto present a suitable prompt to the user that secure communication isunavailable.¶
In summary, any fallback mechanism is likely to impose a degradation ofperformance and can degrade security; however, fallback must not silentlyviolate the application's expectation of confidentiality or integrity of itspayload data.¶
QUIC provides for 0-RTT connection establishment. Though the same facilityexists in TLS 1.3 with TCP, 0-RTT presents opportunities and challenges forapplications using QUIC.¶
A transport protocol that provides 0-RTT connection establishment isqualitatively different from one that does not provide 0-RTT from the point of view of theapplication using it. Relative trade-offs between the cost of closing andreopening a connection and trying to keep it open are different; seeSection 3.2.¶
An application needs to deliberately choose to use 0-RTT, as 0-RTT carries arisk of replay attack. Application protocols that use 0-RTT require a profilethat describes the types of information that can be safely sent. For HTTP, thisprofile is described in[HTTP-REPLAY].¶
Retransmission or malicious replay of data contained in 0-RTT packets couldcause the server side to receive multiple copies of the same data.¶
Application data sent by the client in 0-RTT packets could be processed morethan once if it is replayed. Applications need to be aware of what is safe tosend in 0-RTT. Application protocols that seek to enable the use of 0-RTT needa careful analysis and a description of what can be sent in 0-RTT; seeSection 5.6 of [QUIC-TLS].¶
In some cases, it might be sufficient to limit application data sent in 0-RTTto data that does not cause actions with lasting effects at a server. Initiating data retrieval or establishing configuration areexamples of actions that could be safe. Idempotent operations -- those for whichrepetition has the same net effect as a single operation -- might be safe.However, it is also possible to combine individually idempotent operations intoa non-idempotent sequence of operations.¶
Once a server accepts 0-RTT data, there is no means of selectively discardingdata that is received. However, protocols can define ways to reject individualactions that might be unsafe if replayed.¶
Some TLS implementations and deployments might be able to provide partial oreven complete replay protection, which could be used to manage replay risk.¶
Because QUIC is encapsulated in UDP, applications using QUIC must deal withshort network idle timeouts. Deployed stateful middleboxes will generallyestablish state for UDP flows on the first packet sent and keep state formuch shorter idle periods than for TCP.[RFC5382] suggests a TCP idleperiod of at least 124 minutes, though there is no evidence of widespreadimplementation of this guideline in the literature. However, short network timeout forUDP is well-documented. According to a 2010 study([Hatonen10]), UDP applications can assume that any NAT binding or otherstate entry can expire after just thirty seconds of inactivity.Section 3.5 of [RFC8085] further discusses keep-alive intervals for UDP: itrequires that there is a minimum value of 15 seconds, but recommends larger values, or that keep-alive is omitted entirely.¶
By using a connection ID, QUIC is designed to be robust to NAT rebinding after a timeout. However, this only helps if one endpoint maintainsavailability at the address its peer uses and the peer is the one to sendafter the timeout occurs.¶
Some QUIC connections might not be robust to NAT rebinding because the routinginfrastructure (in particular, load balancers) uses the address/port 4-tupleto direct traffic. Furthermore, middleboxes with functions other than addresstranslation could still affect the path. In particular, some firewalls do notadmit server traffic for which the firewall has no recent state for acorresponding packet sent from the client.¶
QUIC applications can adjust idle periods to manage the risk of timeout. Idleperiods and the network idle timeout are distinct from the connection idletimeout, which is defined as the minimum of either endpoint's idle timeoutparameter; seeSection 10.1 of [QUIC]. There are three options:¶
The first strategy is the easiest, but it only applies to certain applications.¶
Either the server or the client in a QUIC application can send PING frames askeep-alives to prevent the connection and any on-path state from timing out.Recommendations for the use of keep-alives are application specific, mainlydepending on the latency requirements and message frequency of the application.In this case, the application mapping must specify whether the client or serveris responsible for keeping the application alive. While[Hatonen10] suggeststhat 30 seconds might be a suitable value for the public Internet when a NATis on path, larger values are preferable if the deployment can consistentlysurvive NAT rebinding or is known to be in a controlled environment (e.g.,data centers) in order to lower network and computational load.¶
Sending PING frames more frequently than every 30 seconds over long idleperiods may result in excessive unproductive traffic in some situations andunacceptable power usage for power-constrained (mobile) devices. Additionally,timeouts shorter than 30 seconds can make it harder to handle transient networkinterruptions, such as Virtual Machine (VM) migration or coverage loss during mobility.See[RFC8085], especially Section3.5.¶
Alternatively, the client (but not the server) can use session resumptioninstead of sending keep-alive traffic. In this case, a client that wants to senddata to a server over a connection that has been idle longer than the server'sidle timeout (available from the idle_timeout transport parameter) can simplyreconnect. When possible, this reconnection can use 0-RTT session resumption,reducing the latency involved with restarting the connection. Of course, thisapproach is only valid in cases in which it is safe to use 0-RTT and when theclient is the restarting peer.¶
The trade-offs between resumption and keep-alives need to be evaluated on aper-application basis. In general, applications should use keep-alives only incircumstances where continued communication is highly likely;[QUIC-HTTP], forinstance, recommends using keep-alives only when a request is outstanding.¶
QUIC's stream multiplexing feature allows applications to run multiple streamsover a single connection without head-of-line blocking between streams. Streamdata is carried within frames where one QUIC packet on the wire can carry oneor multiple stream frames.¶
Streams can be unidirectional or bidirectional, and a stream may be initiatedeither by client or server. Only the initiator of a unidirectional stream cansend data on it.¶
Streams and connections can each carry a maximum of 262-1 bytes in each direction due to encoding limitations onstream offsets and connection flow control limits. In the presently unlikelyevent that this limit is reached by an application, a new connection wouldneed to be established.¶
Streams can be independently opened and closed, gracefully or abruptly. Anapplication can gracefully close the egress direction of a stream by instructingQUIC to send a FIN bit in a STREAM frame. It cannot gracefully close the ingressdirection without a peer-generated FIN, much like in TCP. However, an endpointcan abruptly close the egress direction or request that its peer abruptly closethe ingress direction; these actions are fully independent of each other.¶
QUIC does not provide an interface for exceptional handling of any stream.If a stream that is critical for an application is closed, the application cangenerate error messages on the application layer to inform the other end and/orthe higher layer, which can eventually terminate the QUIC connection.¶
Mapping of application data to streams is application specific and described forHTTP/3 in[QUIC-HTTP]. There are a few general principles to apply whendesigning an application's use of streams:¶
If a QUIC receiver has opened the maximum allowed concurrentstreams, and the sender indicates that more streams are needed, itdoes not automatically lead to an increase of the maximum number ofstreams by the receiver. Therefore, an application should consider themaximum number of allowed, currently open, and currently used streams whendetermining how to map data to streams.¶
QUIC assigns a numerical identifier, called the stream ID, to each stream. Whilethe relationship between these identifiers and stream types is clearly definedin version 1 of QUIC, future versions might change this relationship for variousreasons. QUIC implementations should expose the properties of each stream(which endpoint initiated the stream, whether the stream is unidirectional orbidirectional, the stream ID used for the stream); applications should query forthese properties rather than attempting to infer them from the stream ID.¶
The method of allocating stream identifiers to streams opened by the applicationmight vary between transport implementations. Therefore, an application shouldnot assume a particular stream ID will be assigned to a stream that has not yetbeen allocated. For example, HTTP/3 uses stream IDs to refer to streams thathave already been opened but makes no assumptions about future stream IDs orthe way in which they are assigned (seeSection 6 of [QUIC-HTTP]).¶
Streams are meaningful only to the application; since stream information iscarried inside QUIC's encryption boundary, a given packet exposesno information about whichstream(s) are carried within the packet.Therefore, stream multiplexing is not intended to be used for differentiatingstreams in terms of network treatment. Application traffic requiring differentnetwork treatment should therefore be carried over different 5-tuples (i.e.,multiple QUIC connections). Given QUIC's ability to send application data inthe first RTT of a connection (if a previous connection to the same host hasbeen successfully established to provide the necessary credentials), the costof establishing another connection is extremely low.¶
Stream prioritization is not exposed to either the network or the receiver.Prioritization is managed by the sender, and the QUIC transport shouldprovide an interface for applications to prioritize streams[QUIC].Applications can implement their own prioritization scheme on top of QUIC: anapplication protocol that runs on top of QUIC can define explicit messagesfor signaling priority, such as those defined in[RFC9218] for HTTP. An application protocol can define rulesthat allow an endpoint to determine priority based on context or canprovide a higher-level interface and leave the determination to theapplication on top.¶
Priority handling of retransmissions can be implemented by the sender in thetransport layer.[QUIC] recommends retransmitting lost data before new data,unless indicated differently by the application. When a QUIC endpoint usesfully reliable streams for transmission, prioritization of retransmissions willbe beneficial in most cases, filling in gaps and freeing up the flowcontrol window. For partially reliable or unreliable streams,priority scheduling of retransmissions over data of higher-priority streamsmight not be desirable. For such streams, QUIC could either provide anexplicit interface to control prioritization or derive the prioritizationdecision from the reliability level of the stream.¶
QUIC streams enable ordered and reliable delivery. Though it is possible for animplementation to provide options that use streams for partial reliabilityor out-of-order delivery, most implementations will assume that data isreliably delivered in order.¶
Under this assumption, an endpoint that receives stream data might not makeforward progress until data that is contiguous with the start of a stream isavailable. In particular, a receiver might withhold flow control credit untilcontiguous data is delivered to the application; seeSection 2.2 of [QUIC].To support this receive logic, an endpoint will send stream data until it isacknowledged, ensuring that data at the start of the stream is sent andacknowledged first.¶
An endpoint that uses a different sending behavior and does not negotiate thatchange with its peer might encounter performance issues or deadlocks.¶
QUIC flow control (Section 4 of [QUIC]) provides a means of managing accessto the limited buffers that endpoints have for incoming data. This mechanism limitsthe amount of data that can be in buffers in endpoints or in transit on thenetwork. However, there are several ways in which limits can produce conditionsthat can cause a connection to either perform suboptimally or become deadlocked.¶
Deadlocks in flow control are possible for any protocol that uses QUIC, thoughwhether they become a problem depends on how implementations consume data andprovide flow control credit. Understanding what causes deadlocking might helpimplementations avoid deadlocks.¶
The size and rate of updates to flow control credit can affectperformance. Applications that use QUIC often have a data consumer that readsdata from transport buffers. Some implementations might have independentreceive buffers at the transport layer and application layer. Consuming data does notalways imply it is immediately processed. However, a common implementation technique is to extend flow control credit to the sender by emitting MAX_DATAand/or MAX_STREAM_DATA frames as data is consumed. Delivery of these framesis affected by the latency of the back channel from the receiver to the datasender. If credit is not extended in a timely manner, thesending application can be blocked, effectively throttling the sender.¶
Large application messages can produce deadlocking if the recipient does notread data from the transport incrementally. If the message is larger than theflow control credit available and the recipient does not release additional flowcontrol credit until the entire message is received and delivered, a deadlockcan occur. This is possible even where stream flow control limits are notreached because connection flow control limits can be consumed by other streams.¶
A length-prefixed message format makes it easier for a data consumer to leavedata unread in the transport buffer and thereby withhold flow control credit. Ifflow control limits prevent the remainder of a message from being sent, adeadlock will result. A length prefix might also enable the detection of thissort of deadlock. Where application protocols have messages that might beprocessed as a single unit, reserving flow control credit for the entire messageatomically makes this style of deadlock less likely.¶
A data consumer can eagerly read all data as it becomes available in order tomake the receiver extend flow control credit and reduce the chances of adeadlock. However, such a data consumer might need other means for holding apeer accountable for the additional state it keeps for partially processedmessages.¶
Deadlocking can also occur if data on different streams is interdependent.Suppose that data on one stream arrives before the data on a second stream onwhich it depends. A deadlock can occur if the first stream is left unread,preventing the receiver from extending flow control credit for the secondstream. To reduce the likelihood of deadlock for interdependent data, thesender should ensure that dependent data is not sent until the datait depends on has been accounted for in both stream- and connection-level flowcontrol credit.¶
Some deadlocking scenarios might be resolved by canceling affected streams withSTOP_SENDING or RESET_STREAM. Canceling some streams results in the connectionbeing terminated in some protocols.¶
QUIC endpoints are responsible for communicating the cumulative limit of streamsthey would allow to be opened by their peer. Initial limits are advertised usingthe initial_max_streams_bidi and initial_max_streams_uni transport parameters.As streams are opened and closed, they are consumed, and the cumulative total isincremented. Limits can be increased using the MAX_STREAMS frame, but there is nomechanism to reduce limits. Once stream limits are reached, no more streams canbe opened, which prevents applications using QUIC from making further progress.At this stage, connections can be terminated via idle timeout or explicit close;seeSection 10.¶
An application that uses QUIC and communicates a cumulative stream limit mightrequire the connection to be closed before the limit is reached, e.g.,to stop the server in order to perform scheduled maintenance. Immediate connection closecauses abrupt closure of actively used streams. Depending on how an applicationuses QUIC streams, this could be undesirable or detrimental to behavior orperformance.¶
A more graceful closure technique is to stop sending increases tostream limits and allow the connection to naturally terminate once remainingstreams are consumed. However, the period of time it takes to do so is dependenton the peer, and an unpredictable closing period might not fit application oroperational needs. Applications using QUIC can be conservative with open streamlimits in order to reduce the commitment and indeterminism. However, beingoverly conservative with stream limits affects stream concurrency. Balancingthese aspects can be specific to applications and their deployments.¶
Instead ofrelying on stream limits to avoid abrupt closure, an application layer's gracefulclose mechanism can be used to communicate the intention to explicitly close theconnection at some future point. HTTP/3 provides such a mechanism using theGOAWAY frame. In HTTP/3, when the GOAWAY frame is received by a client, itstops opening new streams even if the cumulative stream limit would allow.Instead, the client would create a new connection on which to open furtherstreams. Once all streams are closed on the old connection, it can beterminated safely by a connection close or after expiration of the idle timeout(seeSection 10).¶
QUIC exposes an interface that provides multiple streams to the application;however, the application usually cannot control how data transmitted over thosestreams is mapped into frames or how those frames are bundled into packets.¶
By default, many implementations will try to pack STREAM frames from one or more streams into each QUIC packet, in order to minimizebandwidth consumption and computational costs (seeSection 13 of [QUIC]). If there is not enough dataavailable to fill a packet, an implementation might wait for a short time tooptimize bandwidth efficiency instead of latency. This delay can either bepreconfigured or dynamically adjusted based on the observed sending pattern ofthe application.¶
If the application requires low latency, with only small chunks of data tosend, it may be valuable to indicate to QUIC that all data should be sent outimmediately. Alternatively, if the application expects to use a specificsending pattern, it can also provide a suggested delay to QUIC for how long towait before bundling frames into a packet.¶
Similarly, an application usually has no control over the length of a QUICpacket on the wire. QUIC provides the ability to add a PADDING frame toarbitrarily increase the size of packets. Padding is used by QUIC to ensure thatthe path is capable of transferring datagrams of at least a certain size duringthe handshake (see Sections8.1 and14.1 of[QUIC]) and for path validationafter connection migration (seeSection 8.2 of [QUIC]) as well as for DatagramPacketization Layer PMTU Discovery (DPLPMTUD) (seeSection 14.3 of [QUIC]).¶
Padding can also be used by an application to reduce leakage ofinformation about the data that is sent. A QUIC implementation can expose aninterface that allows an application layer to specify how to apply padding.¶
QUIC recommends that endpoints signal any detected errors tothe peer. Errors can occur at the transport layer and the application layer.Transport errors, such as a protocol violation, affect the entire connection.Applications that use QUIC can define their own error detection and signaling(see, for example,Section 8 of [QUIC-HTTP]). Application errors can affect anentire connection or a single stream.¶
QUIC defines an error code space that is used for error handling at thetransport layer. QUIC encourages endpoints to use the most specific code,although any applicable code is permitted, including generic ones.¶
Applications using QUIC define an errorcode space that is independent of QUIC or other applications (see, forexample,Section 8.1 of [QUIC-HTTP]). The values in an application error codespace can be reused across connection-level and stream-level errors.¶
Connection errors lead to connection termination. They are signaled using aCONNECTION_CLOSE frame, which contains an error code and a reason field that canbe zero length. Different types of CONNECTION_CLOSE frames are used tosignal transport and application errors.¶
Stream errors lead to stream termination. These are signaled usingSTOP_SENDING orRESET_STREAM frames, which contain only an error code.¶
QUIC version 1 without extensions uses an acknowledgment strategyadopted from TCP (seeSection 13.2 of [QUIC]).That is, it recommends that every other packet is acknowledged.However, generating and processing QUIC acknowledgments consumes resourcesat a sender and receiver. Acknowledgments also incur forwarding costs andcontribute to link utilization, which can impact performance over sometypes of network.Applications might be able to improve overall performanceby using alternative strategies that reduce the rate of acknowledgments.[QUIC-ACK-FREQUENCY] describes an extension to signal the desireddelay of acknowledgments and discusses use cases as well as implications forcongestion control and recovery.¶
In general, port numbers serve two purposes: "first, they provide ademultiplexing identifier to differentiate transport sessions between the samepair of endpoints, and second, they may also identify the application protocoland associated service to which processes connect" (Section 3 of [RFC6335]). The assumptionthat an application can be identified in the network based on the port numberis less true today due to encapsulation and mechanisms for dynamic portassignments, as noted in[RFC6335].¶
As QUIC is a general-purpose transport protocol, there are no requirements thatservers use a particular UDP port for QUIC. For an application with a fallback to TCP that does not already have an alternate mapping to UDP, it is usually appropriate to register (if necessary) and use the UDP port number corresponding to the TCPport already registered for the application. For example,the default port for HTTP/3[QUIC-HTTP] is UDP port 443, analogous to HTTP/1.1or HTTP/2 over TLS over TCP.¶
Given the prevalence of the assumption in network managementpractice that a port number maps unambiguously to an application, theuse of ports that cannot easily be mapped to a registered service namemight lead to blocking or other changes to the forwarding behavior by networkelements such as firewalls that use the port number for applicationidentification.¶
Applications could define an alternate endpoint discovery mechanism to allowthe usage of ports other than the default. For example, HTTP/3 (Sections3.2 and3.3 of[QUIC-HTTP]) specifies the use of HTTP Alternative Services[RFC7838] for an HTTP origin to advertise the availability of an equivalentHTTP/3 endpoint on a certain UDP port by using "h3" as the Application-LayerProtocol Negotiation (ALPN)[RFC7301] token.¶
ALPN permits theclient and server to negotiate which of several protocols will be used on agiven connection. Therefore, multiple applications might be supported on asingle UDP port based on the ALPN token offered. Applications using QUICare required to register an ALPN token for use in the TLS handshake.¶
As QUIC version 1 deferred defining a complete version negotiation mechanism,HTTP/3 requires QUIC version 1 and defines theALPN token ("h3") to only apply to that version.So far, no single approach has been selected formanaging the use of different QUIC versions, neither in HTTP/3 nor in general.Application protocols that use QUIC need toconsider how the protocol will manage different QUIC versions.Decisions for those protocols might be informed by choices made by otherprotocols, like HTTP/3.¶
Some UDP protocols are vulnerable to reflection attacks, where an attacker isable to direct traffic to a third party as a denial of service. For example,these source ports are associated with applications known to be vulnerable toreflection attacks, often due to server misconfiguration:¶
Services might block source ports associated with protocols known to bevulnerable to reflection attacks to avoid the overhead of processing largenumbers of packets. However, this practice has negative effects onclients -- not only does it require establishment of a new connection but insome instances might cause the client to avoid using QUIC for that service fora period of time and downgrade to a non-UDP protocol (seeSection 2).¶
As a result, client implementations are encouraged to avoid using source portsassociated with protocols known to be vulnerable to reflection attacks. Notethat following the general guidance for client implementations given in[RFC6335], to use ephemeral ports in the range 49152-65535, has theeffect of avoiding these ports. Note that other source ports might bereflection vectors as well.¶
QUIC supports connection migration by the client. If the client's IP addresschanges, a QUIC endpoint can still associate packetswith an existing transport connection using the Destination Connection IDfield (seeSection 11) in the QUIC header.This supports cases where the address information changes, such as NAT rebinding, theintentional change of the local interface, the expiration of a temporaryIPv6 address[RFC8981], or the indication from the server of a preferredaddress (Section 9.6 of [QUIC]).¶
Use of a non-zero-length connection ID for the server is strongly recommended ifany clients are or could be behind a NAT. A non-zero-length connection ID isalso strongly recommended when active migration is supported. If a connectionis intentionally migrated to a new path, a new connection ID is used to minimizelinkability by network observers. The other QUIC endpoint uses theconnection ID to link different addresses to the same connectionand entity if a non-zero-length connection ID is provided.¶
The base specification of QUIC version 1 only supports the use of a singlenetwork path at a time, whichenables failover use cases. Path validation is required so that endpointsvalidate paths before use to avoid address spoofing attacks. Path validationtakes at least one RTT, and congestion control will also be reset after pathmigration. Therefore, migration usually has a performance impact.¶
QUIC probing packets, which can be sent on multiple paths at once, are used toperform address validation as well as measure path characteristics. Probingpackets cannot carry application data but likely contain padding frames.Endpoints can use information about their receipt as input to congestion controlfor that path. Applications could use information learned from probing to informa decision to switch paths.¶
Only the client can actively migrate in version 1 of QUIC. However, servers canindicate during the handshake that they prefer to transfer the connection to adifferent address after the handshake. For instance, this could be used to movefrom an address that is shared by multiple servers to an address that is uniqueto the server instance. The server can provide an IPv4 and an IPv6 address in atransport parameter during the TLS handshake, and the client can select betweenthe two if both are provided. SeeSection 9.6 of [QUIC].¶
QUIC connections are terminated in one of three ways: implicit idle timeout,explicit immediate close, or explicit stateless reset.¶
QUIC does not provide any mechanism for graceful connection termination;applications using QUIC can define their own graceful termination process (see,for example,Section 5.2 of [QUIC-HTTP]).¶
QUIC idle timeout is enabled via transport parameters. The client and serverannounce a timeout period, and the effective value for the connection is theminimum of the two values. After the timeout period elapses, the connection issilently closed. An application therefore should be able to configure its ownmaximum value, as well as have access to the computed minimum value for thisconnection. An application may adjust the maximum idle timeout for newconnections based on the number of open or expected connections since shortertimeout values may free up resources more quickly.¶
Application data exchanged on streams or in datagrams defers the QUIC idletimeout. Applications that provide their own keep-alive mechanisms willtherefore keep a QUIC connection alive. Applications that do not provide theirown keep-alive can use transport-layer mechanisms (seeSection 10.1.2 of [QUIC] andSection 3.2). However, QUIC implementationinterfaces for controlling such transport behavior can vary, affecting therobustness of such approaches.¶
An immediate close is signaled by a CONNECTION_CLOSE frame (seeSection 6). Immediate close causes all streams to become immediatelyclosed, which may affect applications; seeSection 4.5.¶
A stateless reset is an option of last resort for an endpoint that does not haveaccess to connection state. Receiving a stateless reset is an indication of anunrecoverable error distinct from connection errors in that there is noapplication-layer information provided.¶
QUIC exposes some information to the network in the unencrypted part of theheader either before the encryption context is established or because theinformation is intended to be used by the network. For more information onmanageability of QUIC, see[QUIC-MANAGEABILITY].QUIC has a long header thatexposes some additional information (the version and the source connection ID),while the short header exposes only the destination connection ID.In QUIC version 1, the long header is used during connection establishment,while the short header is used for data transmission in an establishedconnection.¶
The connection ID can be zero length. Zero-length connection IDs can bechosen on each endpoint individually and on any packet except the first packetssent by clients during connection establishment.¶
An endpoint that selects a zero-length connection ID will receive packets with azero-length destination connection ID. The endpoint needs to use otherinformation, such as the source and destination IP address and port number toidentify which connection is referred to. This could mean that the endpoint isunable to match datagrams to connections successfully if these values change,making the connection effectively unable to survive NAT rebinding or migrate toa new path.¶
QUIC supports a server-generated connection ID that is transmitted to the client duringconnection establishment (seeSection 7.2 of [QUIC]). Servers behind loadbalancers may need to change the connection ID during the handshake, encodingthe identity of the server or information about its load balancing pool, inorder to support stateless load balancing.¶
Server deployments with load balancers and other routing infrastructure need toensure that this infrastructure consistently routes packets to the serverinstance that has the connection state, even if addresses, ports, orconnection IDs change. This might require coordination between servers andinfrastructure. One method of achieving this involves encoding routinginformation into the connection ID. For an example of this technique, see[QUIC-LB].¶
If QUIC endpoints do not issue fresh connection IDs, then clients cannotreduce the linkability of address migration by using them.Choosing values that are unlinkable to an outside observerensures that activity on different paths cannot be trivially correlatedusing the connection ID.¶
While sufficiently robust connection ID generation schemes will mitigatelinkability issues, they do not provide full protection. Analysis ofthe lifetimes of 6-tuples (source and destination addresses as well as themigrated Connection ID) may expose these links anyway.¶
In the case where connection migration in a server pool is rare, it is trivialfor an observer to associate two connection IDs. Conversely, where every server handles multiple simultaneous migrations, even anexposed server mapping may be insufficient information.¶
The most efficient mitigations for these attacks are through network designand/or operational practices, by using a load-balancing architecture thatloads more flows onto a single server-side address, by coordinating thetiming of migrations in an attempt to increase the number of simultaneousmigrations at a given time, or by using other means.¶
QUIC provides a Retry packet that can be sent by a server in response tothe client Initial packet. The server may choose a new connection ID in thatpacket, and the client will retry by sending another client Initial packet withthe server-selected connection ID. This mechanism can be used to redirect aconnection to a different server, e.g., due to performance reasons or whenservers in a server pool are upgraded gradually and therefore may supportdifferent versions of QUIC.¶
In this case, it is assumed that all servers belonging to a certain pool areserved in cooperation with load balancers that forward the traffic based on theconnection ID. A server can choose the connection ID in the Retry packet suchthat the load balancer will redirect the next Initial packet to a differentserver in that pool. Alternatively, the load balancer can directly offer a Retryoffload as further described in[QUIC-RETRY].¶
The approach described inSection 4 of [RFC5077] for constructingTLS resumption tickets provides an example that can be also applied to validation tokens.However, the use of more modern cryptographic algorithms is highly recommended.¶
QUIC, as defined in[QUIC], has a single congestion controller andrecovery handler. This designassumes that all packets of a QUIC connection, or at least with thesame 5-tuple {dest addr, source addr, protocol, dest port, source port},that have the same Diffserv Code Point (DSCP)[RFC2475] willreceive similar network treatment since feedback about loss or delayof each packet is used as input to the congestion controller. Therefore,packets belonging to the same connection should use a single DSCP.Section 5.1 of [RFC7657] provides a discussion of Diffserv interactionswith datagram transport protocols[RFC7657] (in this respect, theinteractions with QUIC resemble those of Stream Control Transmission Protocol (SCTP)).¶
When multiplexing multiple flowsover a single QUIC connection, the selected DSCP value should be the oneassociated with the highest priority requested for all multiplexed flows.¶
If differential network treatment is desired,e.g., by the use of different DSCPs, multiple QUICconnections to the same server may be used. In general, it isrecommended to minimize the number of QUIC connections to the same server toavoid increased overhead and, more importantly, competing congestion control.¶
As in other uses of Diffserv,when a packet enters a network segment that does not support the DSCP value,this could result in the connection not receiving the network treatmentit expects. The DSCP value in this packet could also be remarked as thepacket travels along the network path, changing the requested treatment.¶
Versioning in QUIC may change the protocol's behavior completely, exceptfor the meaning of a few header fields that have been declared to be invariant[QUIC-INVARIANTS]. A version of QUICwith a higher version number will not necessarily provide a better servicebut might simply provide a different feature set. As such, an application needsto be able to select which versions of QUIC it wants to use.¶
A new version could use an encryption scheme other than TLS 1.3 or higher.[QUIC] specifies requirements for the cryptographic handshake as currentlyrealized by TLS 1.3 and described in a separate specification[QUIC-TLS]. This split is performed to enablelightweight versioning with different cryptographic handshakes.¶
The "QUIC Versions" registry established in[QUIC] allows forprovisional registrations for experimentation. Registration, also ofexperimental versions, is important to avoid collision. Experimentalversions should not be used long-term or registered as permanent to minimizethe risk of fingerprinting based on the version number.¶
QUIC version 1 does not specify a version negotiation mechanism in the basespecification, but[QUIC-VERSION-NEGOTIATION] proposes anextension that provides compatible version negotiation.¶
This approach uses a three-stage deployment mechanism, enablingprogressive rollout and experimentation with multiple versions acrossa large server deployment. In this approach, all servers in the deploymentmust accept connections using a new version (stage 1) before any serveradvertises it (stage 2), and authentication of the new version (stage 3)only proceeds after advertising of that version is completely deployed.¶
SeeSection 5 of [QUIC-VERSION-NEGOTIATION] for details.¶
[RFC9221] specifies a QUIC extension to enable sendingand receiving unreliable datagrams over QUIC. Unlike operating directly overUDP, applications that use the QUIC datagram service do not need to implementtheir own congestion control, per[RFC8085], as QUIC datagrams arecongestion controlled.¶
QUIC datagrams are not flow controlled, and as such data chunks may be droppedif the receiver is overloaded. While the reliable transmission service of QUICprovides a stream-based interface to send and receive data in order overmultiple QUIC streams, the datagram service has an unordered message-basedinterface. If needed, an application-layer framing can be used on top toallow separate flows of unreliable datagrams to be multiplexed on one QUICconnection.¶
This document has no actions for IANA; however, note thatSection 8recommends that an application that has already registered a TCP port but wants to specify QUIC as a transport should register a UDP port analogous to their existing TCP registration.¶
See the security considerations in[QUIC] and[QUIC-TLS]; the securityconsiderations for the underlying transport protocol are relevant forapplications using QUIC. Considerations on linkability, replay attacks,and randomness discussed in[QUIC-TLS] should be taken into account whendeploying and using QUIC.¶
Further, migration to a new address exposesa linkage between client addresses to the server and may expose this linkagealso to the path if the connection ID cannot be changed or flows canotherwise be correlated. When migration is supported, this needs to beconsidered with respective to user privacy.¶
Application developers should note that any fallback they use when QUIC cannotbe used due to network blocking of UDP should guarantee the same securityproperties as QUIC. If this is not possible, the connection should fail toallow the application to explicitly handle fallback to a less-securealternative. SeeSection 2.¶
Further,[QUIC-HTTP] provides security considerations specific to HTTP.However, discussions such as on cross-protocol attacks, traffic analysisand padding, or migration might be relevant for other applications using QUICas well.¶
Special thanks to Last Call reviewersChris Lonvick andInes Robles.¶
This work was partially supported by the European Commission under Horizon 2020grant agreement no. 688421 Measurement and Architecture for a MiddleboxedInternet (MAMI) and by the Swiss State Secretariat for Education, Research, andInnovation under contract no. 15.0268. This support does not imply endorsement.¶
The following people have contributed significant text to or feedbackon this document:¶