A QUIC Overview
SMB over QUIC went GA on November 4th, 2021.
Microsoft announced this during its Ignite conference, where Ned Pyle, Principal Program Manager at Microsoft, demonstrated the technology's capabilities, advantages and usability. Those who are familiar with and passionate about the SMB ecosystem were not surprised.
We have a demo of an SMB over QUIC Android client. That demo has drawn the attention of people in the industry who follow the evolution of the SMB technology stack. In this article, we discuss the use cases and usability of the SMB over QUIC protocol.
What is QUIC?
• QUIC is an IETF-standardized transport protocol (RFC 9000) that replaces TCP with a UDP-based transport, originally designed for Internet (web) traffic, with better performance and modern congestion control.
• QUIC seeks to maintain TCP's reliability and broad applicability.
• QUIC is always encrypted: it requires TLS 1.3, integrated into the transport handshake, and the server authenticates itself with a certificate when the connection is established.
• Microsoft created MSQuic, their open-source implementation of the IETF QUIC transport protocol.
What are QUIC advantages?
QUIC aims to mitigate some of the disadvantages of TCP and HTTP/2 when building cloud-scale web apps and services.
1. QUIC decreases connection setup time.
- The TCP three-way handshake followed by a separate TLS handshake is replaced by a single combined handshake: the QUIC transport setup and the TLS 1.3 key exchange complete together in one round trip, and in zero round trips on resumption.
2. QUIC over UDP avoids the data-transfer overhead of TCP.
3. QUIC offers parallel streams of application data: reliable streams, and unreliable datagrams with the datagram extension.
- An unreliable datagram extension to QUIC was still an IETF draft at the time of writing; it has since been published as RFC 9221.
4. QUIC performs better when packets are lost.
- HTTP/2 over TCP suffers from head-of-line blocking: if one packet is lost, the receiving TCP stack holds back all later data until the retransmission arrives, so every HTTP/2 stream multiplexed on that connection stalls, even those whose data did arrive.
- QUIC delivers each stream independently. A lost packet only stalls the stream(s) whose data it carried, so performance is far less affected by packet loss.
5. Connection resumption: the server issues a TLS 1.3 session ticket that the client presents on its next connection, which allows a 0-RTT handshake.
6. Easy connection migration (network changes) gives more stable connections.
- With TCP, when your network changes (IP address or port), the connection breaks and has to be re-established.
- QUIC identifies a connection by a connection ID rather than by the IP/port 4-tuple. After an address change the client simply keeps sending packets with the same connection ID from the new path; the server validates the new path and the connection carries on without a new handshake.
7. Easy development encourages faster adoption.
- QUIC can be implemented in user space at the application level, which is easier and more flexible.
- TCP lives in the operating system kernel, so you depend on that implementation and on OS updates to change it.
QUIC adoption challenges
Let's briefly review some critiques and challenges QUIC faces during adoption. First, people are not always aware of the benefits, or are happy with how things are because the drawbacks of TCP affect them less.
- QUIC does not do 25 Gbps yet today. But does it have to for the current use cases? What is not possible today will be in the future. Take a look at Making MsQuic Blazing Fast – Microsoft Tech Community to see the work done on performance and offloads (improvements in Windows Server 2022 such as UDP Segmentation Offload (USO), UDP Receive Side Scaling and improved UDP data paths).
- Inertia and FUD. A lot of old-school security appliances still cannot handle QUIC. The industry also has to address the challenges QUIC poses for NAT and ECMP load balancing: those devices track flows by the 4-tuple (source/destination IP and port), while a QUIC connection is identified by its connection ID and survives a change of 4-tuple, so a migrated connection can be steered to a different backend or lose its NAT binding.
- Security concerns: the perceived need for TLS inspection, and application visibility and control.
- The risk of breaking DDoS detection and prevention that is tuned for TCP (UDP has no handshake state to track, and a newly opened UDP port is additional attack surface); challenges to logging and reporting that relied on inspecting plaintext, such as search terms and viewed content. Any open port in a firewall carries risk.
- QUIC also brings the TLS 1.3 features it is built on, and these drive specific architectural choices: session resumption and 0-RTT. The caveat with 0-RTT is that data sent in the 0-RTT flight is not protected against replay, so an application should only send idempotent requests in it.
- Most of these considerations come down to TLS 1.3 itself and its mandatory forward secrecy: with ephemeral key exchange, a middlebox can no longer decrypt traffic passively with a copy of the server's private key; it has to terminate the connection as an active proxy.
Despite all the above, the world is testing SMB over QUIC
SMB over QUIC
SMB over QUIC runs over UDP/443, and both authentication and data transfer are always encrypted with TLS 1.3, because that is what QUIC uses. As a result, you can use SMB securely over the internet without allowing TCP/445 through your firewalls. That is a big deal, as most corporate security departments and ISPs block TCP/445, a fact many users discovered when trying to reach Azure file shares.
Without TCP/445 allowed through the firewall for internet traffic, a VPN is the only other way to reach SMB file shares on-premises or in Azure. SMB over QUIC removes the need for a VPN in this scenario. On top of that, the experience of accessing file shares is the same inside and outside the corporate network. Because of this, Microsoft likes to call SMB over QUIC "SMB with an automatic, built-in TLS 1.3 VPN".
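The following PowerShell walks through the scenario just described end to end: binding a certificate to the server name on a Windows Server 2022 Datacenter: Azure Edition file server, opening only UDP/443 inbound, and mapping the share from a client while confirming that TCP/445 is not reachable and that the QUIC transport (not TCP) was used. This is an added example written for this article, not Microsoft's documentation or code; the hostname fs1.contoso.com, the share name Data and the certificate thumbprint are placeholders chosen for illustration.

```powershell
# Added example (not from the original article): expose and verify SMB over QUIC.
# fs1.contoso.com, the share "Data" and the thumbprint are placeholders.

# --- Server side (run elevated on the Windows Server 2022 Azure Edition file server) ---
$ServerFqdn = 'fs1.contoso.com'                            # public name clients will connect to; must match the cert
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder thumbprint of a cert in LocalMachine\My

# Bind the certificate to the name clients use. The certificate must chain to a CA the
# clients trust and carry the Server Authentication EKU; self-signed works only for lab use.
New-SmbServerCertificateMapping -Name $ServerFqdn -Thumbprint $Thumbprint -StoreName My

# Make sure the QUIC listener is on, then confirm the mapping and the relevant server settings.
Set-SmbServerConfiguration -EnableSMBQUIC $true -Force
Get-SmbServerCertificateMapping
Get-SmbServerConfiguration | Select-Object EnableSMBQUIC, EncryptData, RejectUnencryptedAccess

# Only UDP/443 is needed inbound from the internet; TCP/445 stays closed at the edge.
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443 in)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow

# Confirm the server is actually listening on UDP/443.
Get-NetUDPEndpoint -LocalPort 443

# --- Client side (Windows 11 or Windows Server 2022 client, over the internet) ---
# Negative check: TCP/445 should NOT be reachable on the path; TcpTestSucceeded is expected to be False.
Test-NetConnection -ComputerName $ServerFqdn -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Map the share while forcing the QUIC transport. With -TransportType QUIC the mapping fails
# instead of silently falling back to TCP/445 when QUIC is not available or the cert is untrusted.
New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$ServerFqdn\Data" -TransportType QUIC

# Inspect what was negotiated for the connection (dialect 3.1.1 is expected for SMB over QUIC).
Get-SmbConnection -ServerName $ServerFqdn | Format-List ServerName, ShareName, Dialect, Signed, Encrypted
```

Forcing the transport with `-TransportType QUIC` is the check worth keeping in any rollout script: a mapping that quietly succeeded over TCP/445 on the corporate LAN would look identical to the user but would not prove that the internet path works, and the Test-NetConnection step documents that TCP/445 really is closed rather than assumed to be.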
We have been testing SMB over QUIC since it became available in a preview version of Windows Server 2022 Datacenter: Azure Edition.
Microsoft loves QUIC for SMB because the protocol concentrates on the user's needs. It is secure, handles network changes gracefully and gives more stable connections, while SMB over QUIC provides a transparent user experience no matter where the user works (no VPN required). Better yet, the benefits described above make sense from an engineering perspective when building cloud-capable, scalable services.
To be continued in the next article – SMB OVER QUIC Everywhere part II