CRNI Jul 13, 2021

A QUIC(K) Way Through Your Firewall?

arXiv:2107.05939v1, 10 citations
Originality: Incremental advance
AI Analysis

This work addresses network security challenges for firewall administrators by revealing vulnerabilities in stateful firewalls when handling QUIC traffic.

The paper investigated how the QUIC protocol's encryption of transport layer functions limits traditional firewalls, exposing them to UDP hole punching bypass attacks, while also demonstrating QUIC's robustness against censorship due to its encrypted design.

The QUIC protocol is a new approach that combines encryption and transport layer stream abstraction into one protocol to lower latency and improve security. However, the decision to encrypt transport layer functionality may limit the capabilities of firewalls to protect networks. To identify these limitations, we created a test environment and analyzed generated QUIC traffic from the viewpoint of a middlebox. This paper shows that QUIC indeed exposes traditional stateful firewalls to UDP hole punching bypass attacks. In contrast, we show QUIC's robustness against censorship through the encrypted transport layer design and analyze the capabilities to regain stateful tracking capabilities by deep packet inspection of the few exposed QUIC header fields.
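
As an added illustration of the "few exposed QUIC header fields" mentioned in the abstract (not code from the paper or its repository), the following Python example parses the version-independent header fields defined in RFC 8999 and uses them for a simple inbound flow check at a middlebox. The `FlowTable` class, its matching rule and the sample datagrams are assumptions constructed for this example.

```python
from typing import NamedTuple, Optional

class QuicInvariants(NamedTuple):
    version: Optional[int]   # long headers only
    dcid: bytes
    scid: Optional[bytes]    # long headers only

def parse_invariants(dgram: bytes, short_dcid_len: Optional[int] = None) -> Optional[QuicInvariants]:
    """Return the version-independent fields (RFC 8999), or None if not parseable."""
    if not dgram:
        return None
    if dgram[0] & 0x80:                       # header form bit set: long header
        if len(dgram) < 7:
            return None
        off = 6 + dgram[5]                    # offset of the SCID length byte
        if len(dgram) < off + 1 or len(dgram) < off + 1 + dgram[off]:
            return None
        version = int.from_bytes(dgram[1:5], "big")
        return QuicInvariants(version, dgram[6:off], dgram[off + 1:off + 1 + dgram[off]])
    # Short header: DCID length is not on the wire, so it must have been learned.
    if short_dcid_len is None or len(dgram) < 1 + short_dcid_len:
        return None
    return QuicInvariants(None, dgram[1:1 + short_dcid_len], None)

class FlowTable:
    """Hypothetical tracker: learn the client's SCID outbound, require it as DCID inbound."""
    def __init__(self):
        self.client_cids = {}                 # (client, server) -> set of client SCIDs

    def outbound(self, client, server, dgram: bytes) -> None:
        hdr = parse_invariants(dgram)
        if hdr and hdr.scid is not None:      # only long headers carry an SCID
            self.client_cids.setdefault((client, server), set()).add(hdr.scid)

    def inbound_allowed(self, client, server, dgram: bytes) -> bool:
        # CIDs issued later in encrypted frames are invisible here and would be refused.
        for cid in self.client_cids.get((client, server), ()):
            hdr = parse_invariants(dgram, short_dcid_len=len(cid))
            if hdr and hdr.dcid == cid:
                return True
        return False                          # no flow, or DCID never announced

# Constructed sample datagrams; the trailing zero bytes are placeholder payload.
PAD = b"\x00" * 16
CLIENT_INITIAL = b"\xc0" + (1).to_bytes(4, "big") + b"\x08" + b"S" * 8 + b"\x04" + b"CCCC" + PAD
SERVER_LONG = b"\xc0" + (1).to_bytes(4, "big") + b"\x04" + b"CCCC" + b"\x08" + b"T" * 8 + PAD
SERVER_SHORT = b"\x40" + b"CCCC" + PAD
UNSOLICITED = b"\x40" + b"XXXX" + PAD
```

A client that chooses a zero-length source connection ID gives this check nothing to match on, so tracking for that flow falls back to the address pair alone.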

Code Implementations: 1 repo