惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
A
About on SuperTechFans
IT之家
IT之家
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Blog — PlanetScale
Blog — PlanetScale
aimingoo的专栏
aimingoo的专栏
云风的 BLOG
云风的 BLOG
The GitHub Blog
The GitHub Blog
Vercel News
Vercel News
G
Google Developers Blog
J
Java Code Geeks
宝玉的分享
宝玉的分享
T
Tailwind CSS Blog
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
MyScale Blog
MyScale Blog
H
Heimdal Security Blog
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
S
Security @ Cisco Blogs
Latest news
Latest news
I
Intezer
L
Lohrmann on Cybersecurity
C
CXSECURITY Database RSS Feed - CXSecurity.com
月光博客
月光博客
T
Threatpost
博客园 - 【当耐特】
S
Schneier on Security
P
Privacy International News Feed
G
GRAHAM CLULEY
T
Tenable Blog
AWS News Blog
AWS News Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
雷峰网
雷峰网
博客园 - Franky
Engineering at Meta
Engineering at Meta
美团技术团队
S
Secure Thoughts
T
Troy Hunt's Blog
Microsoft Security Blog
Microsoft Security Blog
SecWiki News
SecWiki News
V
Visual Studio Blog
人人都是产品经理
人人都是产品经理
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cisco Talos Blog
Cisco Talos Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Martin Fowler
Martin Fowler
Webroot Blog
Webroot Blog
Google DeepMind News
Google DeepMind News
H
Hackread – Cybersecurity News, Data Breaches, AI and More

The Register

Shadow IT has given way to shadow AI. Enter AI-BOMs Zed team releases version 1.0 of Rust-built editor: Traditional editor and AI tool Microsoft boss tells investors the company is working to 'win back fans' What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia NASA boss: Make Pluto A Planet Again GitHub says sorry and vows to do better as uptime slips and devs complain Age checks could turn internet into an ID checkpoint, complains Proton CEO Microsoft gives your Word documents an AI co-author you didn’t ask for Datadog digs down into GPU efficiency as AI costs soar If malware via monitor cables is a matter of national security, this might be the gadget for you Thunderbird in hand worth 2 Outlooks as fresh FOSS fave and Firefox arrive Grafana offers AI assistant for free, warns users not to go mad Right to repair champ Framework punts modular 13in laptop with Core Ultra Series 3 France's 'Secure' ID agency probes breach as crooks claim 19M records Scotland Yard can keep using live facial recognition on Londoners, say judges UK tribunal sends £2B claim accusing Microsoft of overcharging for licensing to trial Nation-states want to cause harm, not just steal cash - stop handing your cyber defenses to the cheapest contractor Murder, she wrote: Ex-FBI chief wants some ransomware crims charged with homicide Phone-to-satellite use goes into orbit, growing 25% in 8 months macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets Anthropic bakes memory fixes into Bun 1.1.13 as developers complain of leaks The spaghettified DBMS chart that shows Oracle's crown is slowly slipping Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords FAA grounds Blue Origin's New Glenn as it probes missed satellite delivery 'mishap' AMD's Ryzen 9 9950X3D2 Dual Edition tested: Gratuitous overkill with a price to match AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account Crook claims to leak 'video surveillance footage' of companies Met police trials snoop tech platform in push to cuff more London shoplifters England's school phone ban gets teeth, just in time to bite no one Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul Panasonic creates device-locked QR codes to speed facial biometric capture Iran claims US used backdoors to knock out networking equipment during war NASA Inspector fears new spacesuits won’t be ready for Moon landing Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Trump-branded datacenter project fails to make itself great, again World's blandest man steps down from CEO job to spend more time in tastefully appointed home Chase got a spiff of $77 million to create one job with New York datacenter Scot becomes second Scattered Spider-linked crook to plead guilty in US You too can build a nuclear battery from junk you have lying around the house Schmoozebots: study finds flattery will get AI everywhere One of Europe's sovereign cloud picks may not be so-sovereign after all New Android development tool designed for robots, not humans AI is reshaping Britain's datacenter map away from London HP's remote desktop push retreats as Anyware heads for end of life 'Invisible mouse' made a mess of PC rebuild NASA working on ‘Big Bang’ upgrade to keep the Voyagers alive for longer Indonesia’s game rating system paused amid claims it leaked developer creds and glimpses of major new titles Just like phishing for gullible humans, prompt injecting AIs is here to stay Atlassian’s new data collection policy protects rich customers while AI eats the rest Intel eases reliance on TSMC with 'Merica-made Core Series 3 processors NASA gets the ball rolling on its part in Europe's jinxed Mars rover mission Attention data hoarders: Alexa loses its Plex appeal as voice feature gets canned Locked-out iPhone user tells The Reg that Apple is scrambling to fix character flaw passcode bug Would you like fries with that terminal? Capita won disastrous UK pensions gig after acing performance checks NodeWeaver says its perpetual licensing beats VMware’s perpetual price hikes Maine to pause big bit barns as local opposition spreads If you want into Anthropic's Claude club, you may have to show ID DuckDB uses RDBMS to tackle lakehouse 'small changes' issue Iran has something America can only dream of: cheap broadband Brussels tells Google to hand rivals its search crown jewels as privacy row brews Visual Studio 18.5 lands with AI debugging at a price Git identity spoof fools Claude into giving bad code the nod McGraw Hill linked to 13.5M-record data leak Microsoft announces product it doesn't want anyone to buy Obsolete Google nag drowns out vital bar information at Swedish concert hall Cops hand Motorola £25M to keep 2000-era radios alive Server-room lock was nothing but a crock Nobody knows how many CVEs Anthropic's Project Glasswing has actually found Allbirds shoe company moving to AI infra is the top 20-year-old Enlightenment E16 bug finally gets patched Bad teacher bots can leave hidden marks on model students Autovista blames ransomware for service disruption Networks not ready for the challenges of AI traffic Windows takes a crash dump after one McDonald's too many French cops free mother and son after crypto kidnapping US states can't account for datacenter tax breaks. Literally Salesforce debuts Headless 360 agentic platform Fission impossible: Uncle Sam wants nuclear power in space UK told its Big Tech habit is now a national security risk UKAEA lays out roadmap to take Britain closer to fusion Waymo's self-driving cars face their toughest test yet: London The only technology that died more times than VR is AI, and that seems to have worked out Boeing soars past Airbus for the first time in years Commvault has a Ctrl+Z for rogue AI agents Nvidia slaps forehead: AI, that's what quantum needs! Oracle taps Bloom for fuel cells to support datacenter binge GitHub recalls Phabricator with preview of Stacked PRs Physicist proposes two-button calculator Amazon pays $11.5B to satisfy satellite-envy while cowering in Musk's shadow No honor among thieves as 0APT threatens rival ransomware gang Krybit NASA insiders oddly relaxed about latest budget threats Microsoft raises UK Surface prices as RAM crisis reaches the checkout OpenAI CEO Sam Altman home attack suspect charged Microsoft kills off Outlook Lite as memory costs skyrocket UK state bank considers lengthening disastrous IT program Japan going back to the future by reviving its chip industry Windows Update: Torture chamber for seldom-used PCs Japanese rocket came unglued, causing mission fail Cloudflare rebuilds Wrangler CLI for broader API coverage
QUIC will soon be as important as TCP – but it's vastly different
2026-04-16 · via The Register

While Larry was producing most of the content for the "Request/Reponse" chapter for the next edition of our book, I took the lead on writing a section on QUIC, since I have closely followed its development.

Our expectation is that the role of QUIC will be about as important as that of TCP in the coming years, which means it warrants more substantial coverage than we provided in the last edition. So I dug a bit deeper into the bits and bytes of QUIC than I have previously, with a goal of bringing the coverage up to par with our TCP coverage. In addition to reading through the RFCs, I found lots of good information in the original QUIC design spec as well as some conference publications on the design and evaluation of SPDY (predecessor of HTTP/2) and QUIC.

One rather trivial thing that makes it harder for me to get to grips with QUIC is the fact that its RFCs (four of them, spanning hundreds of pages) lack pictures of the packet headers. The rationale for this, I believe, is that QUIC makes extensive use of fields that are variable in length and frequently not aligned on 32-bit boundaries, which makes packet header pictures a bit complicated and less tidy. I decided to have a go at drawing my own – here's one example, which I provide here in the hope that I'll hear from others who find it either useful or confusing.

The structure of packet headers in QUIC

The structure of packet headers in QUIC

For comparison, RFC 9000 represents this header as follows:

Long Header Packet {
Header Form (1) = 1,
Fixed Bit (1) = 1,
Long Packet Type (2), Type-Specific Bits (4),
Version (32),
Destination Connection ID Length (8),
Destination Connection ID (0..160),
Source Connection ID Length (8),
Source Connection ID (0..160), Type-Specific Payload (..),
}

Maybe I am just old-fashioned in liking to see packet headers when I am learning about a protocol. And I admit that the text version contains more information; e.g. it explains the Flags in detail. Feel free to let us know your preferences. (I guess we know what the "Wall of Text" reviewer thinks already!)

The use of variable-length fields pervades the protocol, in an effort to balance efficiency and future-proofness.

Both TCP and IP have a history of defining 32-bit fields that turned out not to be long enough; QUIC generally avoids that issue by allowing for fields to be very large, such as the 160-bit connection IDs in the packet header above.

At the same time, efficiency has been a concern throughout the design process for QUIC and HTTP/2, since the time to transfer small objects in HTTP is significantly impacted by the amount of header overhead. Hence the use of variable-length encodings that keep the fields small when the extra length isn't needed.

It's probably also fair to say that processing unaligned fields in software is much less of a concern now than it was on the computing hardware of the 1970s, so saving bytes on the wire now takes precedence over 32-bit alignment.

Those long connection IDs replace the way in which TCP connections are identified (source and destination IP addresses and TCP port numbers) with a single identifier that is unique from the perspective of the receiving host. That provides a handy starting point for enabling QUIC connections to survive a change of IP address, e.g., when a host switches from one network to another.

Because QUIC differs from TCP in many ways large and small and spans four RFCs, trying to describe its most important features feels a bit like the parable of the blind man and the elephant. One aspect that grabs my attention is the way the layering with TLS was redesigned in QUIC (previously discussed here ). Here is the picture we use to show this:

How layering with TLS was redesigned in QUIC

How layering with TLS was redesigned in QUIC

HTTP over TLS was a traditional layered approach: TCP gives you a reliable byte-stream; TLS provides a secure channel on top of TCP; and HTTP sends application data over that secure channel.

QUIC, by contrast, absorbs the record layer of TLS, with the TLS handshake setting up the secure channel and HTTP then getting to run over QUIC's secure channel directly. This more integrated approach has allowed for several round-trip times of connection establishment to be reduced to a single RTT, with the potential for application data to be sent in the first RTT. As I discussed a few months ago, 0-RTT data is a good example of a complex tradeoff between performance and security. Even without 0-RTT data, the redesigned layers of QUIC and TLS reduce the number of RTTs needed to get a secure channel established, thus providing a real performance benefit to the application.

Finally, A Protocol for RPC

The QUIC feature that I found myself focusing on this time around was the support of streams within a single connection. This is particularly relevant because Larry and I have chosen to place QUIC inside our chapter on Request/Response protocols.

As we have argued since our first edition, the request/response paradigm is not a good fit for a reliable byte-stream abstraction as provided by TCP. So while QUIC is usually presented as a transport protocol to improve performance of Web applications (which it is) we view it as the long-awaited answer to the question "where is the protocol for request/response applications?"

While the example of request/response that we have tended to use is remote procedure calls (RPC), many similar arguments apply for the retrieval of web pages. In particular, it's generally not required that the responses to a series of requests for objects come back in order; what is important is that they all get back quickly. Furthermore, HTTPS is not just a protocol for fetching web pages; it also underpins RPC protocols such as gRPC, further underscoring the need for the protocol stack under HTTP to be well tuned for RPC.

Streams are the primary mechanism making QUIC a better fit for request/response operations. When HTTP runs over TCP, the only way to allow one request to proceed independently of another is to open multiple parallel TCP connections.

With each connection running its own congestion control loop, the experience of congestion on one connection is not apparent to the other connections; each connection tries to figure out the appropriate amount of bandwidth to consume on its own, while competing with the others. And if HTTP runs over a single TCP connection, a single dropped packet blocks the entire progress of any requests in flight until that lost packet is retransmitted.

So QUIC allows for many streams within a single connection, and each stream can make progress independently from the others. A single packet loss only impacts the stream (or streams) whose data was in that packet. At the same time, QUIC can use that one packet loss to respond appropriately to congestion. Streams are provided by a mechanism that places Stream frames within packets, and the process of starting a stream is lightweight: either end of a connection can initiate a new stream by picking a new Stream Identifier and sending a frame with that ID and the first frame of data.

The way in which QUIC handles congestion and packet loss is worth a whole RFC (9002) and there are some interesting details in how QUIC differs from TCP, mostly in the way sequence numbers refer to packets, not bytes, and are never re-used, even for retransmissions. SACK is more expansive, allowing for more gaps in the set of acknowledged packets. But the default approach is very similar to that of TCP NewReno, while allowing for other options.

Boiling down hundreds of pages of RFCs to a section of a textbook means that inevitably we must skim over some details. I'm not even sure if our book on all of networking will be as long as the full set of QUIC RFCs. But having made the case since the 1990s for a third transport protocol that is neither UDP or TCP, we are pleased to finally have a candidate for that spot that seems to be gaining real traction in the Internet.

Of course there have been many other efforts to add to the TCP/UDP duopoly in the past, with SCTP being a valiant effort, but QUIC has a lot going for it. The team that has worked on it since 2012 has paid close attention to deployment considerations (which is why it runs over UDP—the duopoly lives on thanks to middleboxes). And with a lot of carefully considered design, QUIC has made a real difference to the performance of the web and of other applications needing request/response semantics. ®

Larry Peterson and Bruce Davie are the authors behind Computer Networks: A Systems Approach and the related Systems Approach series of books. All their content is open source and available for free on GitHub. You can find them on Mastodon, their newsletter right here, and past The Register columns here.