TCP has several significant limitations, including
• A three-way handshake is required for all connections, even between previously connected hosts.
• Multiple TCP sessions, each requiring a three-way handshake, are required to carry multiple data streams, as shown in Figure
• TCP does not automatically encrypt data. A second protocol, such as Transport Layer Security (TLS), must encrypt data with TCP.
• Because the TCP header is not encrypted, the inner workings of TCP are transparent to middleboxes. Some network devices modify TCP header fields while processing packets, making it hard to modify the TCP specifications.
Note
Chapter 20, “Security Tools,” considers data encryption in more detail.
Google initially deployed Quick UDP Internet Connections (QUIC) through its web browser, and across Google servers, in 2012.
The IETF began working on Internet standards for QUIC in 2013. Some key points about QUIC include
• QUIC uses the same sliding window flow control mechanism as TCP.
• QUIC sessions can carry multiple streams of data rather than just one.
• The entire QUIC header and data are carried inside a UDP packet. Routers, switches, and other network middleboxes do not “see” QUIC packets, only UDP packets.
The unique part of QUIC is the session connection process.
Figure 14-13 compares TCP’s session connection process with TLS encryption to QUIC’s session connection process.
Figure 14-13 TCP, Encryption, and QUIC Session Connection Processes
From top to bottom of the diagram, the arrows show which direction each kind of data is sent (client to server or server to client). The previous section on TCP session setup discussed the SYN, SYN-ACK, and ACK used by TCP. QUIC’s Init is similar to TCP’s SYN, and QUIC’s Fin is similar to TCP’s ACK.
The remaining information relates to encryption, including
• The certificate contains information about the host.
• The key carries the key material used to encrypt data carried over this session.
• The cipher describes or sets the algorithm used to encrypt data carried over this session.
QUIC initializes a session in fewer steps by combining some steps and eliminating overlapping steps.
QUIC assigns a nonce, or a unique identifier, to the session during session setup. If a client connects to a server using TCP to retrieve some information, disconnects, and reconnects a few minutes later, the entire TCP three-way handshake must be repeated. If the client connects using QUIC, it can supply the nonce from a previous session and pick up where it left off.
Identifying Flows
Figure 14-14 shows a packet with both IP and TCP headers.
Figure 14-14 A Packet with IP and TCP Headers
There are five identifiers in Figure 14-14:
• Source address
• Destination address
• Protocol number
• Source port
• Destination port
This set of five identifiers is unique for any session between two hosts on a network. This set of identifiers, often called the five-tuple, is used to identify, log, and track sessions.
Path MTU Discovery
In Figure 14-15, host A would like to send a packet to server E.
Figure 14-15 Path MTU Discovery
If A sends a packet 4000 octets long, router B must fragment the packet (as described earlier in this chapter) or drop the packet.
Even if router B decides to fragment the packet, C will receive a packet too large to transmit to D, so D will either need to fragment the packet again or drop the packet.
As noted in the previous discussion of fragmentation in this chapter, few routers support fragmentation, and IPv6 does not even provide the fields needed for routers to fragment packets.
Even if fragmentation is available, it would be better for host A to send packets that can be forwarded through the entire network without modification.
It is possible for host A to discover the largest packet it can send to E if
• Each device that discards a packet sends an ICMP Fragmentation Needed error for IPv4 packets or an ICMP Packet Too Big error for IPv6 packets.
• Host A receives these ICMP error message packets and reduces the size of the packets it sends.
The process of routers sending ICMP messages when a packet cannot be forwarded because it is too large and the source host adjusting the size of the packets it sends is called Path MTU Discovery (PMTUD). Some routers—and other middleboxes—are configured so they do not send ICMP errors when a packet is dropped, so PMTUD does not always work.
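The following simulation, added here and not part of the chapter, walks the PMTUD process along the path A, B, C, D, E from Figure 14-15 and shows what happens when one router drops oversized packets without sending an ICMP error (a PMTUD black hole). The link MTUs, the 4000-octet starting size, and the 576-octet fallback are constructed values chosen for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    next_hop_mtu: int          # MTU of the link toward the next device on the path
    sends_icmp: bool = True    # False models a router that silently drops the packet

def forward(path, size):
    """Walk the path; return the first router whose next-hop link cannot carry
    `size` octets, or None if the packet reaches the end of the path."""
    for router in path:
        if size > router.next_hop_mtu:
            return router
    return None

def path_mtu_discovery(path, start=4000, floor=576, max_timeouts=3):
    """Simulate the sending host. Returns (usable packet size or None, log).

    With ICMP feedback the host shrinks to the MTU the router reports.
    Without feedback it only sees timeouts; after `max_timeouts` it falls
    back to `floor` (576 is a common IPv4 black-hole fallback, constructed
    here) and gives up if even that size is dropped."""
    size, timeouts, log = start, 0, []
    while True:
        dropper = forward(path, size)
        if dropper is None:
            log.append(f"{size} octets delivered")
            return size, log
        if dropper.sends_icmp:
            log.append(f"{dropper.name}: ICMP Fragmentation Needed, "
                       f"next-hop MTU {dropper.next_hop_mtu}")
            size, timeouts = dropper.next_hop_mtu, 0
            continue
        timeouts += 1
        log.append(f"{size} octets: no response (timeout {timeouts})")
        if timeouts >= max_timeouts:
            log.append(f"PMTUD black hole suspected; falling back to {floor} octets")
            delivered = forward(path, floor) is None
            return (floor if delivered else None), log

# Constructed paths: B's link to C is 1500, C's link to D is 1000, D's link to E is 1500.
PATH_ALL_ICMP = [Router("B", 1500), Router("C", 1000), Router("D", 1500)]
PATH_BLACKHOLE = [Router("B", 1500), Router("C", 1000, sends_icmp=False), Router("D", 1500)]

if __name__ == "__main__":
    for path in (PATH_ALL_ICMP, PATH_BLACKHOLE):
        size, log = path_mtu_discovery(path)
        print("\n".join(log), "\n-> usable size:", size, "\n")
```

Comparing the two logs shows why filtering ICMP Fragmentation Needed / Packet Too Big at a router or middlebox breaks PMTUD: the sender learns nothing from C and ends up with a much smaller packet size than the path could actually carry.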