Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
geoctl 16 hours ago

QUIC isn't really about the web, it's more of a TCP+TLS replacement on top of UDP. You can build your own custom L7 on top of QUIC.

AnthonyMouse 6 hours ago | parent | next [-]

QUIC uses Web PKI and TLS. TLS is not a simple protocol and the main reason to use it over something simpler is if you need it to be compatible with something else that already uses it, like HTTPS.

bb88 15 hours ago | parent | prev | next [-]

You can build a custom L7 on top of anything, really. I think my favorite was tcp/ip over printers and webcams.

The question is what does QUIC get you that UDP alone does not? I don't know the answer to that. Is it because firewalls understand it better than native wireguard over UDP packets?

zamadatix 14 hours ago | parent | next [-]

Mostly because WireGuard (intentionally) didn't bother with obfuscation https://www.wireguard.com/known-limitations/

> WireGuard does not focus on obfuscation. Obfuscation, rather, should happen at a layer above WireGuard, with WireGuard focused on providing solid crypto with a simple implementation. It is quite possible to plug in various forms of obfuscation, however.

This comment https://news.ycombinator.com/item?id=45562302 goes into a practical example of QUIC being that "layer above WireGuard" which gets plugged in. Once you have that, one may naturally wonder "why not also have an alternative tunnelling protocol with <the additional things built into QUIC originally listed> without the need to also layer Wireguard under it?".

Many design decisions are in direct opposition to Wireguard's design. E.g. Wireguard (intentionally) has no AES and no user selectable ciphers (both intentionally), QUIC does. Wireguard has no obfuscation built in, QUIC does (+ the happy fact when you obfuscate traffic by using it then it looks like standard web traffic). Wireguard doesn't support custom authentication schemes, QUIC does. Both are a reasonable tunneling protocol design, just with different goals.

bb88 14 hours ago | parent [-]

I think maybe it's easier for an adversarial network admin to block QUIC altogether.

zamadatix 14 hours ago | parent | next [-]

The hope with QUIC is encrypted tunnels that look and smell like standard web traffic are probably first in the list of any allowed traffic tunneling methods. It works (surprisingly) a lot more often than hoping an adversarial network/security admin doesn't block known VPN protocols (even when they are put on 443). It also doesn't hurt that "normal" users (unknowingly) try to generate this traffic, so opening a QUIC connection on 443 and getting a failure makes you look like "every other user with a browser" instead of "an interesting note in the log".

I.e. the advantage here is any% + QUIC%, where QUIC% is the additional chances of getting through by looking and smelling like actual web traffic, not a promise of 100%.

danielheath 3 hours ago | parent | prev [-]

Blocking QUIC blocks a sizeable fraction of the web

remexre 14 hours ago | parent | prev [-]

Encryption and reliable transport.

zamadatix 14 hours ago | parent | next [-]

You really don't want reliable transport as a feature of the tunnel unless you are _intimately_ familiar with what all of the tunneled traffic is already doing for reliable transport.

The net result of two reliable transports which are unaware of each other is awful.

bb88 14 hours ago | parent | prev [-]

I probably should have clarified that question.

What does QUIC get you that TCP over Wireguard over UDP does not?

nine_k 15 hours ago | parent | prev [-]

Where is DNS on top of QUIC? Asking unironically.

geoctl 14 hours ago | parent | next [-]

There is actually. A way more interesting re-implementation of a popular L7 is SSH over QUIC. SSH has to implement its own mutual authentication and transport embedded in the protocol implementation since it operates on top of plaintext TCP, but with QUIC you can just offload the authentication (e.g. JWT bearer tokens issued by IdPs verified at L7 or automatically via mTLS x509 certs) and transport parts to QUIC and therefore have a much more minimal implementation.

sigwinch 29 minutes ago | parent | next [-]

I feel like fans of `mosh` would run with this.

frumplestlatz 8 hours ago | parent | prev [-]

“Offloading” authentication onto complex web tech isn’t really a feature unless you already need to be operating in the web space for some other reason.

maxloh 10 hours ago | parent | prev | next [-]

It is already there. It is called DNS over HTTP/3 (DoH3).

jiveturkey 14 hours ago | parent | prev [-]

That's DoQ, RFC 9250.