←back to thread

QUIC is not quick enough over fast internet

(arxiv.org)
306 points carlos-menezes | 8 comments | 19 Oct 24 21:04 UTC | HN request time: 1.294s | source | bottom
1. 10000truths ◴[19 Oct 24 22:35 UTC] No.41891318[source]
TL;DR: Nothing that's inherent to QUIC itself, it's just that current QUIC implementations are CPU-bound because hardware GRO support has not yet matured in commodity NICs.

But throughput was never the compelling aspect of QUIC in the first place. It was always the reduced latency. A 1-RTT handshake including key/cert exchange is nothing to scoff at, and the 2-RTT request/response cycle that HTTP/3-over-QUIC offers means that I can load a blog page from a rinky-dink server on the other side of the world in < 500 ms. Look ma, no CDN!

replies(1): >>41891384 #
2. o11c ◴[19 Oct 24 22:48 UTC] No.41891384[source]
There's also the fact that TCP has an unfixable security flaw - any random middleware can inject data (without needing to block packets) and break the connection. TLS only can add Confidentiality and Integrity, it can do nothing about the missing Availability.
replies(2): >>41891453 #>>41891651 #
3. suprjami ◴[19 Oct 24 23:01 UTC] No.41891453[source]
What does that have to do with anything here? This post is about QUIC performance, not TCP packet injection.
replies(1): >>41891674 #
4. ChocolateGod ◴[19 Oct 24 23:30 UTC] No.41891651[source]
> There's also the fact that TCP has an unfixable security flaw - any random middleware can inject data (without needing to block packets) and break the connection

I am unsure how this is a security flaw of TCP? Any middleman could block UDP packets too and get the same effect, or modify UDP packets in an attempt to cause the receiving application to crash.

replies(1): >>41891976 #
5. o11c ◴[19 Oct 24 23:35 UTC] No.41891674{3}[source]
"Accept worse performance in order to fix security problems" is a standard tradeoff.
replies(1): >>41892201 #
6. o11c ◴[20 Oct 24 00:39 UTC] No.41891976{3}[source]
In order to attack UDP, you have to block all routes through which traffic might flow. This is hard; remember, the internet tries to be resilient.

In order to attack TCP, all you have to do is spy on a single packet (very easy) to learn the sequence number, then you can inject a wrench into the cogs and the endpoints will reject all legitimate traffic from each other.

replies(1): >>41893618 #
7. suprjami ◴[20 Oct 24 01:34 UTC] No.41892201{4}[source]
QUIC was invented to provide better performance for multiplexed HTTP/3 streams and the bufferbloat people love that it avoids middlebox protocol interference.

QUIC has never been about "worse performance" to avoid TCP packet injection.

Anybody who cares about TCP packet injection is using crypto (IPSec/Wireguard). If performant crypto is needed there are appliances which do it at wirespeed.

8. jeroenhd ◴[20 Oct 24 07:28 UTC] No.41893618{4}[source]
That's only true if you use the kernel TCP stack. You can replicate the slow QUIC stack and do everything in user mode to get control back over what packets you accept (i.e. reject any that don't fit your TLS stream).