DOI: 10.1145/3600160.3605164
ARES Conference Proceedings, research article, open access

A Quic(k) Security Overview: A Literature Research on Implemented Security Recommendations

Published: 29 August 2023

Abstract

Built on top of UDP, the relatively new QUIC protocol serves as the baseline for modern web protocol stacks. Equipped with a rich feature set, the protocol is defined by a 151-page IETF standard complemented by several additional documents. To enable fast updates and feature iteration, most QUIC implementations are user-space libraries, which has led to a large and fragmented ecosystem. This work addresses the research question of whether a complex standard with a large number of different implementations leads to an insecure ecosystem. The relevant RFC documents were studied, and "Security Considerations" items describing conceptual problems were extracted. In the course of the research, 13 popular production-ready QUIC implementations were compared by evaluating 10 security considerations from RFC9000. While related studies mostly focused on the functional part of QUIC, this study confirms that available QUIC implementations are not yet mature enough from a security point of view.

Cited By

  • ParsEval: Evaluation of Parsing Behavior using Real-world Out-in-the-wild X.509 Certificates. Proceedings of the 19th International Conference on Availability, Reliability and Security (2024), 1-9. https://doi.org/10.1145/3664476.3669935. Online publication date: 30 July 2024.
  • Exploring QUIC Security and Privacy: A Comprehensive Survey on QUIC Security and Privacy Vulnerabilities, Threats, Attacks, and Future Research Directions. IEEE Transactions on Network and Service Management 21(6) (2024), 6953-6973. https://doi.org/10.1109/TNSM.2024.3457858. Online publication date: December 2024.
  • Quick UDP Internet Connections and Transmission Control Protocol in unsafe networks: A comparative analysis. IET Smart Cities (2024). https://doi.org/10.1049/smc2.12083. Online publication date: 17 May 2024.

Published In

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
August 2023
1440 pages
ISBN:9798400707728
DOI:10.1145/3600160
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. QUIC
  2. RFC9000
  3. security considerations
  4. web

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • ALPAKA

Conference

ARES 2023

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Downloads (Last 12 months)665
  • Downloads (Last 6 weeks)54
Reflects downloads up to 23 Jan 2025
