QASM: A Novel Framework for QUIC-Aware Stateful Middleboxes
Hari Hara Sudhan Selvam, Sameer G. Kulkarni

TL;DR
This paper introduces QASM, a framework that enables stateful middleboxes to reliably track QUIC connections, overcoming encryption and migration challenges, with minimal performance impact.
Contribution
It presents a novel, generalized approach for middleboxes to maintain connection state in the presence of QUIC's encryption and migration features.
Findings
Preserves middlebox functionality with HTTP/3
Negligible performance overhead (< 5%)
Effective under high connection migration rates (up to 100 Hz)
Abstract
Stateful middleboxes are an integral part of enterprise and campus networks that provide essential in-network, security, and value-added services. These stateful middleboxes rely on precise network flow identification. However, the adoption of HTTP/3, which uses the QUIC protocol, poses significant challenges to the proper functioning of these devices. QUIC's encryption and connection migration features obscure flow semantics, disrupting middlebox visibility and functionality. We examine how QUIC disrupts middleboxes like Network Address Translators (NATs), Rate Limiters, Load Balancers, etc., and affects Kubernetes-based service deployments. To address these challenges, we propose a novel, generalized framework that enables stateful middleboxes to reliably track QUIC connections, even when the endpoints change their internet protocol (IP) address or port numbers. Our prototype…
Taxonomy
Topics: Network Traffic and Congestion Control · Software-Defined Networks and 5G · Internet Traffic Analysis and Secure E-voting
