A QUIC Overview
SMB over QUIC went GA on November 4th, 2021.
Microsoft mentioned this during their Ignite conference. At that moment, Ned Pyle, Principal Program Manager at Microsoft, demonstrated the technology’s capabilities, advantages and usability. Those who are familiar with and passionate about the SMB ecosystem were not surprised.
We have a demo of an SMB over QUIC Android client. That demo attracts the attention of people in the industry who follow the evolution of the SMB technology stack. In this article, we will discuss use cases and usability of the SMB over QUIC protocol.
What is QUIC?
• QUIC is an IETF-standardized protocol that substitutes for TCP with an (initially) Internet-oriented UDP-based mechanism that improves performance and congestion handling.
• QUIC seeks to maintain TCP’s reliability & broad applicability.
• QUIC is always encrypted and requires TLS 1.3 with certificate authentication to establish the tunnel.
• Microsoft created MSQuic, their open-source implementation of the IETF QUIC transport protocol.
What are QUIC advantages?
QUIC promises to mitigate some of the disadvantages of TCP and HTTP/2 when building cloud-scale web apps and services.
1. QUIC decreases connection times over TLS: TLS 1.3 replaces the lengthy TCP and TLS handshake and encryption key exchange with a single handshake.
2. QUIC over UDP avoids the data transfer overhead of TCP.
3. QUIC offers parallel streams of reliable and unreliable application data.
4. QUIC offers better performance in case of data packet loss.
- When data packets are lost, HTTP/2 over TCP suffers from head-of-line (HOL) blocking. If one data packet is lost, the receiving end waits to retrieve it. HOL blocking impacts the connection performance negatively, as other streams are blocked while waiting for this.
- The QUIC protocol allows streams of data packets to reach their destination independently. As such, performance is a lot less impacted by data packet loss.
- An unreliable datagram extension to the QUIC protocol is in draft.
5. Connection reuse: server-to-client session ticket in TLS 1.3.
6. Easy connection migration (network changes) leads to more stable connections.
- When your network changes (IP address, port), your TCP connection times out and needs to be reestablished.
- QUIC uses “unique identifiers” (connection IDs) to make connection migration smoother. Reestablishing the connection is done by sending a packet instead of setting up a new connection, even when your IP address changes.
7. Easy development encourages faster adoption.
- QUIC can be implemented at the application level, making it easier and more flexible.
- TCP is part of the operating system kernel. Therefore, you are dependent on that implementation.
QUIC adoption challenges
Let’s briefly overview some critiques and challenges QUIC faces during adoption. First, people are not always aware of the benefits or are happy with how things are because they are less impacted by the drawbacks of TCP.
Performance concerns:
- QUIC doesn’t do 25Gbps yet today. But does it have to do so for current use cases? Of course, what is not possible today will be in the future. Take a look at Making MsQuic Blazing Fast – Microsoft Tech Community and see the work done on performance and offloads (improvements in W2K22 like UDP Segmentation Offload (USO), UDP Receive Side Scaling, and improved UDP data paths).
- Inertia and FUD. A lot of old-school security appliances still cannot handle QUIC. The industry should address the challenges for QUIC with NAT/ECMP (4-tuple vs. connection ID).
- Security concerns about the need for TLS inspection, app visibility & control.
- The risk of breaking DDoS detection and prevention (UDP); challenges to logging and reporting on search terms and viewing lists. Any open port in a firewall carries risk.
- QUIC has its own benefits due to TLS 1.3/HTTPS. Such features lead to specific architectural choices (connection resumption, 0-RTT).
- Most of these considerations are related to TLS 1.3 and the mandatory use of Perfect Forward Secrecy.
Despite all the above, the world is testing SMB over QUIC.
SMB over QUIC
SMB over QUIC works over UDP/443, and both authentication and data transfer are always encrypted via TLS 1.3, as that’s what QUIC uses. As a result, you can securely use SMB over the internet without allowing TCP/445 through your firewalls. That is a big deal, as most corporate security departments and ISPs block TCP/445 on their firewalls. Many users became aware of this when trying to access Azure file shares.
Without TCP/445 allowed on the firewall for internet traffic, a VPN connection is the only alternative to accessing SMB file shares on-premises or Azure. SMB over QUIC eliminates the need for a VPN in this scenario. On top of that, the experience for accessing file shares remains the same inside or outside your corporate network. Because of this, Microsoft likes to call SMB over QUIC SMB with an automatic TLS 1.3 built-in VPN.
We have been testing SMB over QUIC since it became available in a preview version of Windows Server 2022 Datacenter: Azure Edition.
Microsoft loves QUIC for SMB as the protocol concentrates on the user’s needs. Moreover, the protocol is secure and allows for easy network changes and more stable connections. SMB over QUIC provides a transparent user experience no matter where the user works (no VPN required). Better yet, the benefits described above make sense from an engineering perspective when building cloud-capable and scalable services.
Challenges for the adoption of SMB over QUIC
We have already listed the challenges QUIC faces for adoption. But when it comes to SMB over QUIC, one of the significant challenges in adopting SMB over QUIC right now is not technical or political. It is the lack of client operating systems that support it. At the time of writing, only Windows 11 and Windows Server 2022 Datacenter Azure edition support SMB over QUIC. The latter only runs on Azure or Azure Stack HCI. Azure Files will support SMB over QUIC soon, but that does not fix the limited number of clients that support it.
While some organizations are upgrading fast to Windows 11, most of the world still runs Windows 10 and will do so for some time. While Microsoft might backport SMB over QUIC to Windows 10, they have announced no such plans for now. Also, remember that servers are often an SMB client themselves, but even Windows Server 2022 does not support it, let alone Windows Server 2019.
However, Samba will undoubtedly support SMB over QUIC, both client and server. So that will offer a solution to a part of the Linux world when it becomes available.
That still leaves a significant void in the world of mobile clients and non-Linux operating systems. Many of these devices run either Apple iOS or Android. Imagine the number of potential use cases and customers you gain by developing an SMB over QUIC client for mobile devices. In that context, the Ignite demo makes a lot of sense. Android represents many business users and applications using either smartphones or tablets. That is precisely the audience Visuality Systems is targeting. You will be able to leverage their JNQ™ library for this.
Use cases
While REST APIs and object storage show tremendous opportunity and adoption, file systems are far from dead. Quite the contrary: Azure’s ongoing investment in their Azure Files PaaS offering proves this. We also see SMB3 improving release after release.
QUIC has a bright future and is growing steadily. SMB over QUIC is precisely what the file system needs to keep delivering value in the cloud era.
Mobile applications and embedded systems are everywhere, and IoT is showing explosive growth in nearly every market segment across the globe. Cloud subscription-based solutions are growing and will only increase with the continued rollout of better internet connectivity via 5G. From manufacturing, monitoring, supply chain, robotics, and logistics to gaming, e-health, and autonomous driving and flying systems, they will all benefit from ever better internet connectivity. Those ecosystems are enormous and growing. Secure and easy access to file shares without needing a VPN is of significant importance in this market, which is what SMB over QUIC delivers. Visuality Systems opens up the ability to use SMB over QUIC from any device or OS.
Showtime!
Let’s take a look at the offerings of Visuality Systems. While doing so, we will also show you some screenshots from our lab work with a CLI-based file manager demo Java app!
YNQ™
YNQ™ is Visuality Systems’ embedded SMB brand name. This library provides SMB server and SMB client connectivity for non-Windows embedded systems, for interoperability with Windows-based machines. Both the YNQ™ client and the server will have SMB over QUIC support available. Now, “embedded systems” is something you should interpret liberally. It also supports Apple iOS for its iPad tablets and iPhone smartphones. So this library allows developing client applications with SMB over QUIC that run on iOS. It also provides a system driver for non-Windows operating systems.
YNQ™ is designed with the flexibility to integrate into virtually any environment, be it an operating system, a CPU, or a compiler. YNQ™ file sharing enables multiple embedded devices to browse each other’s SMB shared folders remotely and to read, write, edit, copy, delete and update each other’s files. These operations do not require transferring the entire file to/from the device’s local disk or memory, which is highly efficient.
JNQ™
Several systems running in my lab do not support SMB over QUIC natively. For example, even the most recent versions of operating systems like Windows Server 2022 and 2019, Windows 10, and Ubuntu 20.04 and 21.04 have no SMB over QUIC support. Yet, thanks to an application Visuality Systems has built for demo purposes, I can access Windows file shares on Windows Server 2022 Datacenter: Azure Edition via SMB over QUIC from those client systems.
The demo application leverages its Java SMB client (the JNQ™ SMB client library). You can use this library with all major Java implementations, such as Oracle’s Java, OpenJDK, and IBM’s Java. In addition, JNQ™ provides SMB file and data sharing client functionality to any Java application (Java 1.5 or higher).
Take a look at the screenshots below. You can see me using file shares on a Windows Server 2022 Datacenter: Azure Edition via SMB over QUIC from Linux and Windows operating systems that do not have native support for SMB over QUIC.
The screenshot below shows a test app built with the JNQ™ SMB client library running on Ubuntu 21.04 Desktop edition. I can create files and folders, read and write files, and navigate to folders. I used Ubuntu in the lab, but it works with any Linux distro.
We have the same application running on Windows 10, allowing us to access the file share via SMB over QUIC. It would run on Windows 8, Windows 7, or Windows 11, for that matter. The application uses the Visuality Systems library and is not dependent on the capabilities of the SMB client in the operating system.
Applications that leverage the SMB libraries from Visuality Systems open up many more operating systems and platforms to the benefits of secure file share access over the internet via SMB over QUIC. As a final example, let’s look at Android. Below you see screenshots from Visuality Systems’ File Manager.
It works with both TCP and QUIC. That’s right; we have SMB over QUIC from Android phones or tablets. You can either use the system’s DNS or specify custom DNS settings.
Linux system driver
What if you could get an SMB client as a system driver?
One you can install on any Linux system, for example. What if that driver supports SMB over QUIC? Well, that would mean you could install it on a Linux host and access a file share via SMB over QUIC straight from your Ubuntu Nautilus file manager. Guess what? Visuality Systems is working on SMB over QUIC support for their driver. Imagine the possibilities!
Authentication
NTLMv2 and Kerberos
Visuality Systems’ libraries support both NTLMv2 and Kerberos. In an Active Directory environment, like on a corporate network, when a domain controller is reachable, Kerberos is available, so that’s what the client uses to authenticate to the file server when accessing the file share. That is the preferred and safest way. When a domain controller and Kerberos are not available, NTLMv2 will be tried and used when possible (if not blocked/disabled).
For example, when a client on the internet has no line of sight to a domain controller, it falls back to NTLMv2. That entire exchange is carried inside the QUIC TLS 1.3 AES-128/256 encrypted tunnel, so it is safe from harvesting on the wire.
Tip: An easy way to see where and when NTLM comes into play is to audit it via group policy. It allows you to see when NTLM authentication occurs and from which client, in the Microsoft-Windows-NTLM/Operational event log on your domain controllers.
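As an added example (not from the article or Visuality Systems), the following PowerShell summarises the events that land in the Microsoft-Windows-NTLM/Operational log once the NTLM audit policy above is enabled, grouped by client and user, so you can see which clients still fall back to NTLM before you tighten it. It assumes read access to the event log on the domain controller; the client and user field names are discovered from each event’s EventData block rather than assumed, since they vary per event ID.

```powershell
# Added example: summarise NTLM authentication events from the
# Microsoft-Windows-NTLM/Operational log on a domain controller.
# Assumption: the NTLM audit group policy is enabled and the account
# running this has event-log read rights on $ComputerName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    StartTime = $start
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NTLM operational events since $start on $ComputerName (is the audit policy enabled?)"
    return
}

$rows = foreach ($e in $events) {
    # Each event's EventData is a list of <Data Name="..."> elements; collect
    # them into a hashtable so we don't depend on positional property indexes.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Field names differ between event IDs; pick whichever carries the
    # originating client and the account (assumed to match these patterns).
    $client = ($data.GetEnumerator() |
        Where-Object { $_.Key -match 'Workstation|Client' } |
        Select-Object -First 1).Value
    $user   = ($data.GetEnumerator() |
        Where-Object { $_.Key -match 'User' } |
        Select-Object -First 1).Value

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Client  = $client
        User    = $user
    }
}

# Clients/users that still authenticate with NTLM, most frequent first:
# these are the ones to move to Kerberos (or a KDC proxy) before NTLM is
# restricted further.
$rows | Group-Object Client, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it against each domain controller in turn, since the log is per DC and an NTLM fallback only shows up on the DC that validated it.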
Kerberos support & KDC Proxy Server Support
If you want to complicate a security discussion in a meeting with a Chief Information Security Officer, you should mention that your solution requires NTLMv2. I’m sure many organizations still have it enabled in their environment, out of necessity. The sky won’t fall on your head when you set it up correctly. But from a technical debt perspective, and in organizations that continuously raise the security bar, it is not a message that will make a CISO smile. As a result, many are working on reducing or, when possible, removing NTLMv2 in their environments. For SMB over QUIC to succeed in these environments, it needs to address this. Hence, SMB over QUIC can leverage Kerberos not just on the corporate network when it has a line of sight to a domain controller. No, sir, it can use Kerberos over the internet when you leverage a KDC proxy. You can access that KDC proxy over HTTPS/443.
In Windows, you can configure a client to try and use a KDC proxy when it cannot find a domain controller. Additionally, custom-written applications leveraging a library from Visuality Systems can leverage a KDC proxy in the future, as they are working on implementing support for this. Awesome right? Secure SMB file share access over the internet thanks to QUIC, and you get to leverage Kerberos as well.
The future looks bright
An interesting thing to note is that Azure Files also supports Kerberos authentication. When you can provide a KDC proxy yourself, either on-premises or as IaaS in Azure, it allows you to leverage Kerberos over the internet when accessing file shares in such use cases. When Azure Files supports SMB over QUIC in the future, you are ready to roll! As long as the device is supported, let’s see what becomes possible in the future. But with the tools we have right now, we can expose file shares via SMB over QUIC to any SMB client application that supports it. For this to work, the device needs to be domain joined. That is possible with Linux. But even when your device is not AD DS domain joined, you may still be able to leverage AD credentials for authentication, provided your machine has a line of sight to a domain controller or a KDC proxy server is in place, and the client supports Kerberos.
When looking into the future, we should not forget what is possible already. SMB over QUIC in Windows Server 2022 Datacenter: Azure Edition can be combined with Azure Files and Azure File Sync to expose all your data in Azure Files via SMB over QUIC. You can do the same on-premises when running Windows Server 2022 Datacenter: Azure Edition on Azure Stack HCI. It also allows for creative hybrid solutions. Via Azure File Sync, you can have all your on-premises file data stored and protected in Azure Files. By having Azure File Sync set up for Windows Server 2022 Datacenter: Azure Edition in Azure IaaS, you can expose all that file data, previously only available over a VPN to on-premises, safely over the internet via SMB over QUIC today. Look at the image below. In such a hybrid design, solutions built with Visuality Systems’ JNQ™ and YNQ™ libraries can access file data via SMB over QUIC from nearly any device!
On-premises, hybrid, or public cloud in Azure, Visuality Systems will add many more options for users, applications, and systems to consume file data via SMB over QUIC. As a result, just about any industry, from pharmaceutical to banking and insurance, over IoT and robotics in manufacturing and logistics, to autonomous systems, services/daemons, and end-users, can benefit from these solutions.
SMB over QUIC potential
There is a vast market and much potential for SMB over QUIC. However, developing and growing that market would be easier and faster if more SMB over QUIC clients were available. We need more clients within the Windows OS world and other platforms, especially mobile ones. That is precisely what Visuality Systems is offering. By doing so, they enable anyone to leverage SMB over QUIC in their applications and help grow that market. The only limit here is your imagination.
Just think about the possibilities for users and applications to access Azure file shares or file shares on Windows Server 2022 Datacenter: Azure Edition securely over the internet using SMB over QUIC. As we stated before, file shares are not dead. On the contrary, they are essential to many existing and new applications and solutions. For example, even containers, the development world’s current favorite poster child, leverage SMB file shares for access to the storage needed to persist data. Opening up that data via SMB over QUIC, securely and more conveniently, is precisely the aim and purpose of Visuality Systems’ products. In that sense, this is totally in line with Microsoft’s vision for SMB over QUIC. But even better, they are opening up SMB over QUIC beyond the limited number of supported Microsoft clients. They are the pioneers, blazing a path for others to use and create applications.
Didier Van Hoye, Technology Strategist & Microsoft MVP