| ▲ | dpeckett 10 hours ago | |||||||
I've recently spent a bunch of time working on a mesh networking project that employs CONNECT-IP over QUIC [1]. There's a lot of benefits for sure, mTLS being a huge one (particularly when combined with ACME). For general purpose, spoke and hub VPN's tunneling over QUIC is a no-brainer. Trivial to combine with JWT bearer tokens etc. It's a neat solution that should be used more widely. However there are downsides, and those downsides are primarily performance related. For a bunch of reasons, some just including poorly optimized library code, others involving relatively high message parsing/framing/coalescing/fragmenting costs, and userspace UDP overheads. On fat pipes today you'll struggle to get more than a few gbits of throughput @ 1500 MTU (which is plenty for internet browsing for sure). For fat pipes and hardware/FPGA acceleration use cases, google probably has the most mature approach here with their datacenter transport PSP [2]. Basically a stripped down per flow IPsec. In-kernel IPsec has gotten a lot faster and more scalable in recent years with multicore/multiqueue support [3]. Internal benchmarking still shows IPsec on linux absolutely dominating performance benchmarks (throughput and latency). For the mesh project we ended up pivoting to a custom offload friendly, kernel bypass (AF_XDP) dataplane inspired by IPsec/PSP/Geneve. I'm available for hire btw, if you've got an interesting networking project and need a remote Go/Rust developer (contract/freelance) feel free to reach out! 1. https://www.rfc-editor.org/rfc/rfc9484.html 2. https://cloud.google.com/blog/products/identity-security/ann... 3. https://netdevconf.info/0x17/docs/netdev-0x17-paper54-talk-s... | ||||||||
| ▲ | keepamovin 10 hours ago | parent [-] | |||||||
Is quic related to the Chrome implemented WebTransport? Seems pretty cool to have that in browser API. | ||||||||
| ||||||||