Profile picture
Kevin Jones @vcsjones
, 27 tweets, 4 min read Read on Twitter
OK, let's do this. I guess for the next hour or so, I am going to tweet random crap about QUIC. First, for the uninitiated, QUIC is a network protocol, for the lack of a better term, is TLS and HTTP/2 over UDP.
I can think of a few reasons why UDP would be preferable. I think it makes multiplexing easier, and the draft RFC specifically calls out no need for compatibility with existing HTTP/TLS so as not to confuse old OSs or middleboxes.
TLS 1.3 is a great example where middleboxes forced compatibility changes to make it "look" like TLS 1.2 traffic so that middleboxes wouldn't block it because they didn't recognize the protocol.
So the TLS 1.3 spec includes things to make it look like TLS 1.2 and a bunch of people spent a lot of time trying to figure it out. Makes sense to start from something that doges that bullet... probably. I'm sure there's some fun cases.
QUIC's RFC for including TLS is separate but they seem very intertwined.
It would seem that QUIC in "plaintext" form is not meant to be a thing.
QUIC packets are numbered, and can be from 0..2^62-1. BUT, the first packet number does not start at 0, it starts at "The initial value for packet number MUST be selected randomly from a range between 0 and 2^32 - 1025"
If you run out of packet numbers, a QUIC endpoint just stops talking entirely. This seems suitable given that the RFC also indicates that the packet number (somehow) plays a roll in determining nonces for encryption. The details seems to be in the QUIC-TLS RFC.
QUIC depends entirely on TLS 1.3.
Ah see, the QUIC RFC kind of makes that coupling a little more clear: "
Rather than a strict layering, these two protocols are co-dependent:QUIC uses the TLS handshake; TLS uses the reliability and ordered delivery provided by QUIC streams."
Note that QUIC is just a transport protocol. It does not prescribe HTTP specifically. That occurs in a separate document. You could also, say, implement Remote Desktop over QUIC.
It wouldn't be a new protocol without a little drama. QUIC's latest seems to be the "spin bit" tools.ietf.org/html/draft-tra…
UDP does not offer anything "already there" like TCP for measuring latency by passive observation. Network carriers consider this important. QUIC encrypts everything, including ACK frames, time stamps, etc.
The proposal is to add a _single_ bit to the short header that flips, and passive network operators can measure time between the flip.
Some people really seem to dislike the idea of adding something to the protocol that doesn't do anything besides enable passive measuring.
In QUIC TLS - the TLS handshake itself is encrypted with AEAD_AES_128_GCM to prevent middleboxes from tampering with negotiation. Once the handshake is done, it switches to the cipher selected by TLS.

Man QUIC is like, super pissed off at middleboxes.
The AEAD nonce is an XOR of an IV and the incrementing QUIC transport packet number.

The IV is derived via HKDF.
The RFC specifically mentions a concern for packet reflection attacks. QUIC tries to mitigate this by padding the ClientHello packet to a certain size.

Also, the ClientHello needs to fit entirely in a single packet, so 1129 bytes.
I don't know why but the later part kind of gives me pause. 1,129 bytes seems like a lot, until it's not.
I seem to recall a few TLS implementations barfing when the ClientHello got too big.
The TLS part was the most interesting for me. Not because it does anything weird but because I just generally like that stuff. There is still a lot for me to dig in on actual QUIC. I skimmed that so I could read the TLS part first.
I guess, to ask myself, what makes QUIC "quick". A few thoughts...

TCP has all that gnarly slow start and congestion control. UDP drops packets and moves on.
QUIC can make certain assumptions. For example, an ACK frame is not necessary for all frame types, like the retry packet.
Next question is, how does a browser "know" a site supports QUIC for HTTP?
Basically, the browser (Chrome) starts off with a regular TCP connection. The server tells the client "hey buddy I support QUIC" via the Alt-Svc HTTP header or HTTP/2 frame. The browser can then decide to switch to QUIC based on the header.
Based on that, I don't believe it is possible to run a QUIC-only web server right now unless you use magic flags to force Chrome to connect to the site as QUIC and slip HTTP TCP entirely.
The Alt-Svc header includes the port, so you can run QUIC on any UDP port, not just 443. But nothing is stopping you from running QUIC on 443, too.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Kevin Jones
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @vcsjones see all

Profile picture
TIL: C# has a `strict` option. A csproj file specifying <Features>strict</Features>
Next thing you know, it'll have an Explicit and On Error feature option too.
So I had a look at all the neat things this flag does. First, without the flag, this does not emit any error at all.

lock (null)
{
}

with strict, this no longer compiles. (1/n tweets)
Read 8 tweets

Related threads

Profile picture
John Sipher, as he states, "The Steele info was just a starting point for professional investigators."

I thought Steele was a professional investigator? Or Fusion GPS? Isn't that what they're meant to do: investigate?

But instead they handed out their information to everybody.
Let's face the facts. They handed out the dossier to multiple intelligence agencies around the world, they handed it out to various news agencies around America, they handed it out to random people at random times. They didn't actually care who took it.
How many professional investigators does it take to get to the bottom of the dossier?

Hell, the first memo was written on June 20, 2016. So it's been over two years now and these "professional investigators" still have fuck all, but sure, the narrative is the most important.
Read 11 tweets
Profile picture
Ugh. I will be receiving this article for the foreseeable future, and while I love yelling at people for sending me dumb shit, I have things to do. In an effort to save time, I present

ONE DEGREE OF TRANSLATIONAL FREEDOM DOES NOT A BLOWJOB MAKE

A THREAD

motherboard.vice.com/en_us/article/…
First off, this article itself is not the problem, and I'm always a fan of @samleecole's work, especially when it's about me. I'll be addressing the whitepaper that is the topic of the article, posted below. The article is a good summary of the paper. autoblow.com/bjpaper/
I will also fully admit that, with this thread, I am absolutely falling into the marketing trap of Very Intelligent E-Commerce Inc.

I wish I was good at *anything* as Brian Sloan is at making men drool all over their own cocks via spurious technical claims.
Read 82 tweets
Profile picture
✝️❤️🇺🇸THREAD ~ Ready for church? I have this Sunday's church notes all ready to share. Pastor was on his game again this week. He gave us a lot of great help to get through what's sure to be another bizarre, stressful, and exciting week. Last tweet will say "end thread". Let's go
(2) We here in Georgia, welcomed guests from Panama City, who were displaced. We cheered for them, I hope our singing today filled them w hope. Pastor, while retired, is still connected to disaster relief & shared they estimate 15 yr recovery for Michael, was 12 for Katrina (next
(3) By recovery, he means long-term disaster relief that takes care of people for years, after what he referred to as the "sexy phase" of a disaster ends. When first responders go home, people have to adjust to "new normal". Healing begins, churches commit to years of aid (next)
Read 21 tweets
Profile picture
I remember that day so clearly. I was on surveillance about an hour out when my mom called me about the first plane, then all of a sudden the second plane hit. I told her I loved her and I had to go. I followed a line of NJSP all the way up the turnpike

foxnews.com/opinion/2018/0…
What usually took me an hour to an hour & a half took me about 35-40 minutes. I got into the FBI Newark Office & got brought up to speed when we were told a plane was taken that originated out of Newark airport. I think after being told that, we were all in shock.
You see, we had 2 NK JTTF members scheduled to be on that flight. One INS Agent & one FBI Agent. Then my SSA’s phone rang. The two had switched their flights the night before. They were pretty shaken. Our large conference room became our command post.
Read 20 tweets
Profile picture
"Trump told one ally this week that he wanted 'to brand' the informant a 'spy,' believing the more nefarious term would resonate more in the media and with the public...Trump escalated his efforts to discredit that investigation Wednesday," calling it “MAJOR spy scandal.”

Link>
via apnews.com/23b9456c12484b…
"He tweeted: 'Look how things have turned around on the Criminal Deep State. They go after Phony Collusion with Russia, a made up Scam, and end up getting caught in a major SPY scandal the likes of which this country may never have seen before! What goes around, comes around!'”
Read 15 tweets
Profile picture
There are people who need cheering up. So I am going to do some cheering up, but in a novel, mixed way. Meaning, I am going to tweet random butterfly photos of mine, and also tell y'all a true story.
cc.@US_Vote, @ElectionBabe
Some of you, may think us blokes have it easy, at least when we're young, energetic, & brain-deficient. Nothing is further from the truth for many of us blokes. Now y'all will hear The Truth. An embarrassing saga of the truth, but a funny one. Very.
My photo again.
Australia. BIG place. Lots of mines, quarries. All dusty, dirty, hot work. Picture to yourself a young, innocent bloke who has just got his indie shotfirer's licence (if new 2 this, see ). Prefers not to work in more mines, BECAUSE ()
Read 15 tweets

Trending hashtags

#UL #WhoNeedsYourYes #warranties #cryptocurrency #MAGA #search #tarot #NEC #readingswithroo #TRON #welp #Belfast #repealthe8th #KAG #Bot #BEP #FindStephenCullinan #Galway #JCT #StephenCullinan #Protocol #onthechain #Stephen #NEC4 #Yes

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!