Slashdot Mirror

← Back to Stories (view on slashdot.org)

QUIC: Google's New Secure UDP-Based Protocol

Posted by Soulskill on from the set-for-a-twelve-year-beta-test dept.

New submitter jshurst1 writes "Google has announced QUIC, a stream multiplexing protocol running over a new variation of TLS, as well as UDP. The new protocol offers connectivity with a reduced number of round trips, strong security, and pluggable congestion control. QUIC is in experiment now for Chrome dev and canary users connecting to Google websites."

9 of 97 comments (clear)

  1. Re:Don't trust 'em by K.+S.+Kyosuke · · Score: 4, Informative

    I have serious doubts in ANY new network tech not having backdoors of some sort.

    Oh, come on. This is a network protocol. Sure, protocols *can* have flaws, but it's a very long stretch from being forced to run an unknown binary. Just implement it on your own if you're paranoid enough.

    --
    Ezekiel 23:20
  2. Re:Don't trust 'em by SolarCanine · · Score: 4, Insightful

    What exactly can be hidden in an open protocol specification that will compromise your personally sensitive data? By design, a protocol has to be something that people can actually implement to be useful - the payloads you send via that protocol are up to you (based on your choices of which pieces of software to use, etc.)

  3. Re:Don't trust 'em by brunes69 · · Score: 5, Informative

    Maybe if you would RTFA instead of pontificating, you would have found that the reference QUIC implementation is already open source, the specification is open, the wire specification is open, the whole thing is open. If you don't trust Google's implementation then roll your own.

  4. Re:Don't trust 'em by brunes69 · · Score: 4, Informative

    They are not doing their own crypto.... they are using TLS. Again, please read the actual documents.

  5. Re:The always-present question for UDP by Anonymous Coward · · Score: 3, Insightful

    How do you stop a denial of service attack if both sides aren't required to maintain the overhead of the connection

    How do you stop it if someone does not bother to respect the rate limiter? You are assuming that someone doing something bad is going to play by the rules.

  6. Re:The always-present question for UDP by Wesley+Felter · · Score: 3, Interesting

    QUIC uses an equivalent of SYN cookies to prevent some kinds of DoS. It also uses packet reception proofs to prevent some ACK spoofing attacks that TCP is vulnerable to. Overall it looks even better than TCP.

    As for encryption, Google gives two reasons. They intend to run HTTP over QUIC and Google services are encrypted by default; it's more efficient for QUIC itself to implement encryption than to layer HTTP over TLS over QUIC. The other reason is that middleboxes do so much packet mangling that encryption is the only way to avoid/detect it.

  7. Re:Because TCP is broken? by Bengie · · Score: 4, Informative

    TCP has some major issues with congestion control that isn't playing well with buffer-bloat. The Internet is bursty in nature. TCP takes too long to ramp-up. It is acutally easier on infrastructure to burst 10MB over one second than to stream it over 10 seconds.

    There are a lot of write-ups on issues with TCP, but one of the big issues that is starting to become a problem as speeds increase but latency is staying fixed, is the congestion control. Because TCP starts off slow and ramps up, it tends not to make use of available bandwidth. Un-used bandwidth is bad. The other issue is current TCP uses packet-loss to decide when to back off. The issue this creates is packet-loss tends to affect a lot of connections at the same time. You get this synchronization where lots of computers experiencing packet-loss all at the same time, so they all back-off at the same time. Suddenly the route is under-utilized. All of the connections start building up again until the route is over-utilized, then they all back-off at the same time.

    This issue alone could possible cause large portions of the Internet to fail. It has happened in the past and the variables are getting to be similar again. Essentially you're left with a large portion of the Internet routes in a constant violent swing between over-utilized and under-utilized.

    You get this issue where the average utilization is low, but packet-loss and jitter is high. Relatively speaking.

    There is a lot of theory on how to fight these issues, but the only real way to figure this out is to actually test these theories on the large scale. A protocol that rides on top of UDP and runs in the application is the perfect place to test this. If something goes wrong, you just disable it. You can't do that with most OSs TCP stacks.

  8. QUIC is more like TCP in these ways, exception to by raymorris · · Score: 4, Insightful

    > Please, if you can't use SSL+TCP for text chat and keep it real time

    They could have, but QUIC is "better" for their use cases. In many ways, it's like an improved version of TCP. It runs on top of UDP simply
    because routers, firewalls, etc. often only speak TCP and UDP. From the FAQ:

    > it is unlikely to see significant adoption of client-side TCP changes in less than 5-15 years. QUIC allows us to test and experiment with new ideas,
    > and to get results sooner. We are hopeful that QUIC features will migrate into TCP and TLS if they prove effective.

    > You can outright lose data. Your packets can arrive out of order. It's okay with video data where a hiccup only makes a few missing pixels,
    > but with text, that's a terrible idea.

    Unless of course the protocol you're running over UDP handles that stuff, just like TCP handles that stuff.
    Normally, it's a bad idea to use UDP to run a protocol that has in-order packets, guaranteed delivery, etc. because TCP already gives you that.
    Why re-invent TCP? Unless you're going to spend a few million dollars on R&D to make your UDP-based protocol actually be better than TCP,
    you should just use TCP.

    That "unless you're going to spend a few million dollars on R&D" is the key here. Google DID make the investment, so the protocol actually does
    work better for the particular use than TCP does.

  9. Re:Don't trust 'em by Stonefish · · Score: 3, Insightful

    It's "like" TLS, as in "its none dairy but it tastes just like milk".
    Google's reason for doing this is to lower their costs associated with better security. This creates a 3 way instead of a 5 way exchange for the security protocol setup. Fewer connections less load on their stuff and less stuff they have to buy.

    The security landscape is littered with security implementations which tried improve existing protocols. Just type in the terms WAP and security for a story on how to take a secure starting point SSL and bugger it.
    Another is Microsoft's introduction of PKINIT for keberos, kerberos is a proveably security protocol which is limitied by the entropy in a users password, MS "fixed" this with PKINIT however they initroduced replay attach vectors precisely because they wanted fewer exchanges. BTW google seems to have done a better job in this regard +1 for google, -1 for MS.