A QUIC(K) Way Through Your Firewall?
Konrad Yuri Gbur, Florian Tschorsch
TL;DR
This paper analyzes QUIC's impact on firewall security, showing it can bypass traditional firewalls via UDP hole punching but also offers robustness against censorship due to encryption, with some vulnerabilities exposed through header inspection.
Contribution
It provides an empirical analysis of QUIC traffic, revealing both its potential to bypass firewalls and its resilience against censorship, highlighting new security considerations.
Findings
QUIC can bypass stateful firewalls via UDP hole punching
QUIC's encryption enhances censorship resistance
Some header fields can be inspected for tracking
Abstract
The QUIC protocol is a new approach to combine encryption and transport layer stream abstraction into one protocol to lower latency and improve security. However, the decision to encrypt transport layer functionality may limit the capabilities of firewalls to protect networks. To identify these limitations we created a test environment and analyzed generated QUIC traffic from the viewpoint of a middlebox. This paper shows that QUIC indeed exposes traditional stateful firewalls to UDP hole punching bypass attacks. On the contrary we show the robustness against censorship of QUIC through the encrypted transport layer design and analyze the capabilities to re-gain stateful tracking capabilities by deep packet inspection of the few exposed QUIC header fields.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Code & Models
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsInternet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Network Packet Processing and Optimization