What is QUIC – This new Google Protocol makes Firewalls Blind

QUIC (Quick UDP Internet Connections) is a new generation Internet protocol that speeds online web applications that are susceptible to delay, such as searching, video streaming etc., by reducing the round-trip time (RTT) needed to connect to a server.

By replacing TCP with UDP and encrypting most of its payload, QUIC reduces the time it takes to start viewing the content two to three times, while maintaining data security.

Although all these sound great, the proprietary encryption used in QUIC protocol causes headaches to security administrators who want to enforce application restrictions on their next-generation firewalls (more on this below).

QUIC was developed by Google (runs on Chrome & Opera) and was designed to compensate for HTTP/2 deficiencies, providing robust and strong encryption and reducing server / client handshake and packet loss. Currently more than 42% of Google’s traffic is using the QUIC protocol.

These are the most important technical features of QUIC:

• Exchange packets in steps to reduce data loss.
• Integrated congestion control mechanism.
• UDP Transport to avoid TCP head-of-line blocking.
• High security, similar to Transport Layer Service (TLS). QUIC is always encrypted and authenticated.
• Fix packet errors thus reducing retransmissions and delays (using FEC – Forward Error Correction).
• Link ID to reduce re-connections to mobile customers.
• Fast (0-RTT) connectivity similar to TLS Snapstart in conjunction with TCP Fast Open.

Chrome browsers have QUIC enabled by default and also by accessing a Google server (such as Youtube) the session is established using QUIC instead of the traditional TLS. Tests have shown that there is a 30% improvement in retransmissions on Google applications (such as Youtube) using QUIC.

In terms of network ports, QUIC uses UDP port 443 instead of TCP 443 which is used by traditional HTTPs (TLS).

Quick Tip

If you want to check that your Chrome browser and network connection uses QUIC, do the following:

1. Type the following on your Chrome URL toolbar: chrome://net-internals/#quic
2. Open a second browser tab and browse to youtube. The first tab will start capturing packets and show the QUIC live packets that are transferred to youtube.

QUIC Encryption causes problems in application visibility and control

Because QUIC uses proprietary encryption equivalent to TLS (this will change in the future with a standardized version), 3^rd generation firewalls that provide application control and visibility have a hard time now to control and restrict Google applications (such as Gmail, Youtube etc). There are some firewall vendors that suggest to block QUIC in order to gain back the required visibility and control to Google apps.

How to block Google Applications on your firewall

Cisco and Palo Alto for example recommend administrators to block UDP port 443 on the firewalls in order to force Chrome browsers to fall-back to regular TCP 443 connections instead of QUIC. Connectivity of the users will not be lost since the browser will silently fall-back to TLS (TCP443).

Therefore, if you want to block some Google applications on your next generation firewall (such as Youtube, Gmail etc) you will need to block UDP443 in order to block QUIC. Otherwise, the proprietary encryption used with QUIC will not allow the firewall to correctly identify Google applications and restrict them if needed.