Introduction
QUIC is a modern, secure transport protocol built on UDP that replaces the classic TCP+TLS stack for many applications (notably HTTP/3). It delivers faster handshakes (0–1 RTT), per‑stream multiplexing without head‑of‑line blocking, connection migration (survives Wi‑Fi⇄4G/5G), and always‑on encryption (TLS 1.3). Downsides include operational visibility challenges, UDP middlebox issues, and higher CPU in some deployments. If you serve the web, enable HTTP/3 over QUIC on UDP/443 and test with curl –http3-only.

What is QUIC?
QUIC (Quick UDP Internet Connections) is an IETF‑standard, general‑purpose, connection‑oriented transport protocol that runs over UDP. It integrates TLS 1.3 for security, adds stream multiplexing and modern loss recovery, and exposes features (like 0‑RTT, connection migration, per‑stream flow control) directly at the transport layer.
- Transport: UDP (user‑space protocol, evolvable without kernel updates)
- Security: TLS 1.3 is baked in (encryption/authentication are mandatory)
- Primary user: HTTP/3 (the latest HTTP that rides on QUIC). QUIC is also used by other protocols like DNS over QUIC (DoQ) and MASQUE’s CONNECT‑UDP.
Where QUIC fits in the stack
| Application | HTTP/3, DoQ, WebTransport |
|---|---|
| Transport | QUIC (streams, datagrams) |
| Network | UDP / IP |
Think of QUIC as “TCP + TLS + HTTP/2 multiplexing, redesigned for UDP” with extra goodies (0‑RTT, migration, encrypted transport headers, etc.).
QUIC vs TCP(+TLS) vs HTTP/2 (at a glance)
| Aspect | TCP (+TLS 1.3) | HTTP/2 over TCP/TLS | QUIC (for HTTP/3) |
| Handshake | 1–2 RTT (TLS adds RTT) | Same as TCP/TLS | 0–1 RTT (0‑RTT on resumption) |
| Multiplexing | N/A | Yes, but subject to TCP HOL blocking | Yes, per‑stream without HOL |
| Header visibility | Transport headers visible | Visible (TCP) | Most headers encrypted |
| Connection migration | No (5‑tuple bound) | No | Yes (via Connection IDs) |
| Congestion control | Reno/CUBIC/Bbr in kernel | Same | QUIC‑specific (loss/ACK ranges, per‑PN space) |
| Extensibility | Slow (kernel) | Slow | Fast (user space, versioned) |
| Typical port | TCP/443 | TCP/443 | UDP/443 |
Key improvement: QUIC’s streams remove head‑of‑line blocking across independent requests: one lost packet only stalls its stream, not the whole connection.
How QUIC works
1) Packet types & wire image
- Long‑header packets during handshake (Initial, 0‑RTT, Handshake), carry Version and Connection IDs (CIDs).
- Short‑header packets for established data (smaller overhead).
- Connection IDs decouple connection identity from the 5‑tuple, enabling migration and load‑balancing behind NATs.
- Transport parameters negotiated in the handshake govern flow control, idle timeouts, etc.
2) Handshake & 0‑RTT in a nutshell

- First connection: 1 RTT to full security (absent loss).
- Resumption: client may send 0‑RTT app data immediately (replay‑safe use only).
- Optional Retry step validates client address to reduce amplification risk.
3) Streams, flow control, and priorities
- Bidirectional & unidirectional streams, each with its own offsets and per‑stream flow control, plus connection‑level limits.
- Application (e.g., HTTP/3) maps requests ↔ streams; independent streams avoid global stalls.
4) Loss detection & congestion control
- QUIC uses ACK ranges, packet number spaces (Initial/Handshake/1‑RTT), and a well‑specified recovery algorithm.
- Congestion control often mirrors TCP (CUBIC, BBR) but is defined at QUIC’s layer and evolves without kernel changes.
5) Connection migration & path validation
- Clients can switch networks (Wi‑Fi→LTE) without reconnecting; servers validate the new path (probing frames) before sending high‑rate data.
6) QUIC Datagrams (unreliable mode)
- Optional DATAGRAM frames provide unreliable, unordered delivery alongside reliable streams — perfect for real‑time media or game state where occasional loss is okay.
HTTP/3 on top of QUIC (what changes from HTTP/2)
- Same HTTP semantics (methods, status codes) with a new mapping over QUIC.
- QPACK replaces HPACK to avoid head‑of‑line blocking on header compression.
- Optional features like server push exist but are often disabled in practice.
- Negotiated via ALPN (e.g., h3), typically on UDP/443.
Real‑world use cases
- Web & CDNs: Faster first page load and better tail latency thanks to 0/1‑RTT and stream isolation.
- Video streaming & live events: Robustness under variable mobile networks; datagrams help for near‑real‑time metadata.
- Conferencing & gaming: Combine reliable streams (control) with datagrams (media, state). WebTransport over HTTP/3 exposes this to browsers.
- Mobile apps: Connection migration keeps downloads/streams alive across Wi‑Fi⇄cell handoffs.
- DNS over QUIC (DoQ): Encrypted, high‑performance DNS transport; reduced head‑of‑line blocking vs TCP‑based DoT.
- MASQUE / CONNECT‑UDP: Securely tunnel UDP (e.g., QUIC‑over‑QUIC for VPN‑like use cases, gaming traffic through corporate networks).
Advantages
- Lower latency: 0‑RTT/1‑RTT handshakes; fewer round trips to start sending.
- No cross‑stream HOL blocking: Packet loss only stalls the affected stream.
- Mobility: Connection migration via CIDs.
- Security by default: TLS 1.3 mandatory; most transport metadata encrypted (better privacy).
- Extensibility: Versioned protocol in user space; features evolve faster (e.g., QUIC v2, datagrams).
- Load balancing friendliness: CIDs support stateless rerouting across servers.
Disadvantages / operational caveats
- Observability: Encrypted transport headers reduce what passive tools can see; you’ll rely more on qlog, perf counters, or key logs in the lab.
- UDP path issues: Some middleboxes throttle or block UDP; need firewall and DoS tuning on UDP/443.
- CPU overhead: User‑space stacks can cost more CPU vs mature kernel TCP, though GSO/GRO and modern stacks mitigate this.
- 0‑RTT risks: Replay‑able data; only use where safe (idempotent GETs, etc.).
- PMTUD/fragmentation: Be mindful of MTU; tune QUIC max datagram size and enable GSO on servers.
Deploying HTTP/3 (QUIC) quickly
Example: NGINX (1.25+)
# /etc/nginx/nginx.conf (snippets)
http {
# Enable QUIC/HTTP3 tuning (optional, version‑specific directives)
# http3_max_concurrent_streams 1024;
# http3_stream_buffer_size 1024k;
# quic_gso on; # if supported
# quic_retry on; # address validation to curb amplification
}
# Server block
server {
listen 443 ssl http2; # HTTP/2 (TCP)
listen 443 quic reuseport; # HTTP/3 (QUIC over UDP)
ssl_certificate /etc/ssl/certs/your.crt;
ssl_certificate_key /etc/ssl/private/your.key;
ssl_protocols TLSv1.3; # HTTP/3 requires TLS 1.3
ssl_early_data on; # allow 0‑RTT (use carefully)
add_header Alt-Svc 'h3=":443"; ma=86400'; # advertise H3
add_header QUIC-Status "$http3"; # simple observability
location / { root /var/www/html; index index.html; }
}
Don’t forget:
- Open UDP/443 on firewalls/load balancers.
- Existing certs work (no special “QUIC certificate”).
- Keep HTTP/2 (TCP) as a fallback for paths where UDP is blocked.
Quick testing & verification
Command‑line
# Force HTTP/3 only (will fail if H3 unsupported)
curl --http3-only -I https://your-domain.example
# Prefer H3 but allow fallback
curl --http3 -I https://your-domain.example
# Verbose with timing
curl --http3-only -v https://sanchitgurukul.xyz
Browser
- Most modern browsers use HTTP/3 by default when the server advertises it (via Alt‑Svc and ALPN).
Packet capture
# Capture QUIC/HTTP/3 traffic to a file
sudo tcpdump -i any udp port 443 -w quic.pcapng
Open in Wireshark, use display filters like quic or http3.
Decrypt in the lab (for learning, never in prod):
- Set SSLKEYLOGFILE=/path/to/keys.log in the client’s environment (or browser).
- In Wireshark: Preferences → Protocols → TLS → (Pre‑)Master‑Secret log filename → point to keys.log.
- Re‑capture; Wireshark can dissect QUIC/HTTP/3 payloads.
Example: Observe stream multiplexing
- Enable HTTP/3 on a test site.
- In DevTools → Network, load a page with many assets.
- Note multiple requests (streams) over one QUIC connection. If a packet drops, only some streams stall; others continue.
Example: Connection migration demo (mobile)
- Start a large download/stream to a phone on Wi‑Fi.
- Turn off Wi‑Fi to fall back to 4G/5G.
- With QUIC, the transfer often continues seamlessly using a new path (same QUIC connection, different 5‑tuple), validated by the server.
Beyond HTTP: QUIC for DNS and UDP tunneling
- DoQ (DNS‑over‑QUIC): Encrypts DNS with QUIC; avoids TCP head‑of‑line issues; typically on UDP/853.
- MASQUE / CONNECT‑UDP: Tunnels arbitrary UDP inside HTTP/3 using HTTP Datagrams and QUIC DATAGRAM frames — useful for secure UDP‑heavy apps and “QUIC‑over‑QUIC”.
Best practices (ops)
- Enable both TCP/443 and UDP/443; monitor adoption before forcing H3.
- Tune MTU (e.g., start with 1200–1400B datagrams) and enable NIC offloads (GSO/GRO).
- Rate‑limit Initial packets and consider Retry to mitigate amplification.
- Export qlog/perf metrics from your QUIC stack for visibility.
- Canary the rollout, watch error budgets and latencies by network type (mobile vs wired).
Troubleshooting cheatsheet
- Users on old/locked‑down networks: UDP blocked → they’ll fall back to HTTP/2 (TCP).
- High CPU on edge: Check offloads, stack version, crypto library; consider BBR or tuned CUBIC.
- Intermittent 0‑RTT failures: App not idempotent or servers out of sync for tickets → disable 0‑RTT for those endpoints.
- Random disconnects with NATs: Increase idle timeout, ensure NAT keep‑alives.
- Wireshark shows little: Provide TLS key log in lab, or use qlog from your stack.
Summary
QUIC modernizes transport for today’s web and mobile reality. By pairing secure, low‑RTT handshakes with per‑stream multiplexing and connection migration, it delivers tangible performance and reliability improvements—especially on flaky or mobile networks. Start by enabling HTTP/3 over QUIC on UDP/443, keep HTTP/2 as fallback, and instrument your deployment for visibility. For DNS privacy/performance, explore DoQ; for advanced tunneling, look at MASQUE.
Useful commands (copy‑paste)
# Force HTTP/3 only
curl --http3-only -I https://example.com
# Capture QUIC
sudo tcpdump -i any udp port 443 -w quic.pcapng
# Wireshark display filters
quic
http3
# Environment (Linux/macOS) for TLS key logs in lab
export SSLKEYLOGFILE=$HOME/keys.log
Glossary
- CID (Connection ID): Identifier that lets QUIC move across paths/NATs.
- 0‑RTT: Send early data on session resumption (replay‑able; use carefully).
- QPACK: Header compression for HTTP/3 that avoids HOL blocking.
- Datagrams: Unreliable QUIC frames for real‑time use cases.
- MASQUE: IETF work to proxy/tunnel UDP over HTTP/3 (e.g., CONNECT‑UDP).
🔹Useful Links
https://www.wireshark.org/docs/relnotes
https://sanchitgurukul.com/basic-networking
https://sanchitgurukul.com/network-security
Your feedback matters
Was this post helpful?
Discover more from
Subscribe to get the latest posts sent to your email.
