1. Performance assessment of the MASQUE extension for
proxying scenarios in the QUIC transport protocol
Academic year 2022-2023
DEPARTMENT OF ENGINEERING AND ARCHITECTURE
Degree Programme in Electronic and Computer Engineering
Networks & IoT curriculum
Candidate
Alessandro Nuzzi
Supervisors
Prof. Alberto Bartoli
Prof. Martino Trevisan
2. Context
• The web relies on many protocols to enable communication and information sharing across the Internet
• HTTP and TCP are the predominant protocols
• The new QUIC (Quick UDP Internet Connections) transport protocol is on the rise across the world for many applications
• Features to overcome TCP limitations
• More than 40% of traffic for most popular applications
3. Problem introduction
• Proxies are very common devices in the web infrastructure
• Intermediaries between clients and servers
• QUIC features limit the proxies' ability to inspect traffic
• QUIC traffic seen as potentially unknown or malicious
• Traffic delayed or dropped
• Need for new proxying technologies that allow HTTP to create tunnels for proxying QUIC
4. MASQUE
Multiplexed Application Substrate over QUIC Encryption
• Working group formed in June 2020
• Supports proxying UDP and IP over HTTP
• Using QUIC DATAGRAMS with HTTP/3 (RFC 9297)
• CONNECT-UDP (RFC 9298)
• Provides privacy guarantees
• Hiding client IP address from the target server
• Obfuscating traffic destination from client network provider
• Can perform network translation or DNS resolution
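The following is an added example, not code from the thesis or from any MASQUE implementation: it shows the two client-side wire pieces that CONNECT-UDP (RFC 9298) puts on top of HTTP/3, namely the extended CONNECT request that opens a UDP tunnel and the HTTP Datagram framing of RFC 9297 (a Context ID encoded as a QUIC variable-length integer, RFC 9000 section 16, followed by the UDP payload). The proxy hostname `proxy.example` and the target addresses are constructed placeholders; the URI template is the one given in RFC 9298, a real proxy operator chooses its own.

```python
# Added example (not from the thesis or any MASQUE implementation): the
# client-side wire pieces of CONNECT-UDP (RFC 9298) plus the HTTP Datagram
# framing of RFC 9297, using the QUIC varint of RFC 9000 section 16.
from typing import List, Tuple
from urllib.parse import quote

# URI Template example from RFC 9298; the proxy operator picks the real one.
DEFAULT_TEMPLATE = "/.well-known/masque/udp/{target_host}/{target_port}/"


def quic_varint_encode(value: int) -> bytes:
    """Encode a QUIC variable-length integer (2-bit length prefix)."""
    if value < 0:
        raise ValueError("negative varint")
    if value < 0x40:
        return bytes([value])
    if value < 0x4000:
        return (value | 0x4000).to_bytes(2, "big")
    if value < 0x40000000:
        return (value | 0x80000000).to_bytes(4, "big")
    if value < 0x4000000000000000:
        return (value | 0xC000000000000000).to_bytes(8, "big")
    raise ValueError("varint too large")


def quic_varint_decode(buf: bytes) -> Tuple[int, int]:
    """Return (value, bytes consumed); the top two bits give the length."""
    if not buf:
        raise ValueError("empty buffer")
    length = 1 << (buf[0] >> 6)
    if len(buf) < length:
        raise ValueError("truncated varint")
    mask = (1 << (8 * length - 2)) - 1
    return int.from_bytes(buf[:length], "big") & mask, length


def connect_udp_headers(proxy_authority: str, target_host: str,
                        target_port: int, template: str = DEFAULT_TEMPLATE
                        ) -> List[Tuple[str, str]]:
    """Build the extended CONNECT request that opens a UDP tunnel.

    Only the proxy learns target_host/target_port; the client's own network
    sees just an HTTP/3 connection to proxy_authority (the privacy property on
    the slide). IPv6 literals are percent-encoded because a raw ':' is not
    allowed in this path segment.
    """
    if not 0 <= target_port <= 65535:
        raise ValueError("bad port")
    path = (template.replace("{target_host}", quote(target_host, safe=""))
                    .replace("{target_port}", str(target_port)))
    return [
        (":method", "CONNECT"),
        (":protocol", "connect-udp"),
        (":scheme", "https"),
        (":authority", proxy_authority),
        (":path", path),
        ("capsule-protocol", "?1"),   # required by RFC 9298
    ]


def encode_udp_datagram(payload: bytes, context_id: int = 0) -> bytes:
    """HTTP Datagram payload: Context ID varint, then the UDP payload.
    Context ID 0 is the one CONNECT-UDP registers for plain UDP payloads."""
    return quic_varint_encode(context_id) + payload


def decode_http_datagram(buf: bytes) -> Tuple[int, bytes]:
    """Split an HTTP Datagram into (context_id, payload)."""
    context_id, used = quic_varint_decode(buf)
    return context_id, buf[used:]


def udp_payload_or_none(buf: bytes):
    """Return the UDP payload for context 0; datagrams with an unknown
    context are dropped (None) rather than forwarded to the target."""
    context_id, payload = decode_http_datagram(buf)
    return payload if context_id == 0 else None


if __name__ == "__main__":
    for name, value in connect_udp_headers("proxy.example", "192.0.2.6", 443):
        print(f"{name}: {value}")
    # constructed stand-in for an inner QUIC packet carried through the tunnel
    dgram = encode_udp_datagram(b"inner QUIC packet bytes")
    print(dgram.hex(), decode_http_datagram(dgram))
```

When the tunnelled payload is itself QUIC, the proxy can forward it but not read it, which is exactly what lets MASQUE proxy QUIC without the inspection the plain-TCP proxies on the previous slide rely on.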
5. Thesis objectives
• Evaluate the performance of the MASQUE proposal in proxying scenarios
• Several network conditions
• Comparison with traditional HTTP/TCP proxies
• Scenarios in which MASQUE usage could be beneficial
6. Testing environment
• Docker-based emulation
• Client, server and proxy containers
• Traffic control and network conditions with tc
• Additional delay, bandwidth limit, packet loss
• Automation with Bash scripts
• Execution of repetitive or complex operations
7. Methodology
• Client requesting a constant-sized file via HTTP GET
• File requested to target server, either through proxy or not
• Transfer time measured
• Four categories
• Without proxy: TCP with TLS and QUIC
• With proxy: TCP with TLS and MASQUE
• Simulated network conditions
• Bandwidth limit, additional delay, packet loss
8. Experiments
• A full test consists of four experiments, one for each category
• Data summary for each measurement
• Mean, median, standard deviation, quartiles...
• Several measurement campaigns
• Bandwidth of 10Mbps, 100Mbps and 1Gbps, no packet loss, 0ms to 200ms delay
• Packet loss from 0% to 5%, 10ms delay, 100Mbps bandwidth
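As an added example covering the test bed, methodology and experiment slides (it is not the thesis's own automation, which was written in Bash), the driver below composes the tc netem commands for the two measurement campaigns listed above, times a transfer repeatedly under each condition, restores the link afterwards, and produces the per-measurement summary (mean, median, standard deviation, quartiles). The interface name `eth0`, the 50 ms delay and 1% loss steps, and the timing callable are assumptions; the timed values in `__main__` are constructed.

```python
# Added example (not the thesis's own scripts): a Python driver for the kind
# of Docker/tc test bed the slides describe. Interface name, sweep steps and
# the timing function are assumptions.
import statistics
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List

IFACE = "eth0"   # assumed: interface of the container whose link is shaped


@dataclass(frozen=True)
class NetCondition:
    delay_ms: int
    rate_mbit: int
    loss_pct: float

    def netem_args(self) -> str:
        parts = [f"delay {self.delay_ms}ms"]
        if self.loss_pct > 0:
            parts.append(f"loss {self.loss_pct:g}%")
        parts.append(f"rate {self.rate_mbit}mbit")
        return " ".join(parts)


def tc_apply_cmd(cond: NetCondition, iface: str = IFACE) -> str:
    """Root netem qdisc imposing delay, loss and rate on the egress of iface."""
    return f"tc qdisc add dev {iface} root netem {cond.netem_args()}"


def tc_reset_cmd(iface: str = IFACE) -> str:
    return f"tc qdisc del dev {iface} root"


def campaign_delay() -> List[NetCondition]:
    """10/100/1000 Mbps, no loss, 0 to 200 ms delay (50 ms steps assumed)."""
    return [NetCondition(d, r, 0.0)
            for r in (10, 100, 1000) for d in range(0, 201, 50)]


def campaign_loss() -> List[NetCondition]:
    """0% to 5% loss at 10 ms delay and 100 Mbps (1% steps assumed)."""
    return [NetCondition(10, 100, float(loss)) for loss in range(0, 6)]


def summarize(samples: List[float]) -> Dict[str, float]:
    """Per-measurement data summary: mean, median, stdev, quartiles, extremes."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    q1, median, q3 = statistics.quantiles(samples, n=4, method="inclusive")
    return {"n": len(samples), "mean": statistics.fmean(samples),
            "median": median, "stdev": statistics.stdev(samples),
            "q1": q1, "q3": q3, "min": min(samples), "max": max(samples)}


def run_condition(cond: NetCondition, measure: Callable[[], float],
                  repetitions: int, dry_run: bool = True) -> Dict[str, float]:
    """Apply one condition, time measure() repeatedly, then restore the link.
    With dry_run the tc commands are only printed (no root, no real interface);
    measure() is the caller's timed HTTP GET of the fixed-size file."""
    def sh(cmd: str) -> None:
        if dry_run:
            print("#", cmd)
        else:
            subprocess.run(cmd.split(), check=True)
    sh(tc_apply_cmd(cond))
    try:
        times = [measure() for _ in range(repetitions)]
    finally:
        sh(tc_reset_cmd())   # always restore, even if a transfer fails
    return summarize(times)


if __name__ == "__main__":
    # constructed stand-in for the timed transfers of one experiment
    fake_times = iter([0.81, 0.79, 0.85, 0.80, 0.83])
    print(run_condition(campaign_loss()[1], lambda: next(fake_times), 5))
```

Running the same four categories (TCP+TLS and QUIC, each with and without a proxy) through `run_condition` for every entry of the two campaigns yields one summary row per cell, which is the table the result slides are drawn from.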
9. Results
• Traditional TCP+TLS with proxy has the best performance
• In the presence of a proxy, TCP+TLS uses two independent end-to-end connections
• Higher efficiency
• Apart from an initial gap, QUIC and MASQUE show relatively small differences
• QUIC and MASQUE outperform TCP+TLS without proxy at higher bandwidth
10. Results (II)
• MASQUE has performance similar to QUIC, but outperforms it with bigger files
• QUIC performs very well on low-bandwidth, high-latency and lossy links
11. Limitations and future work
• MASQUE is at an early development stage
• Existing implementations are not yet stable
• Need for analysing new or enhanced MASQUE implementations
• Experiments only with single HTTP requests
• Need to evaluate performance of complex web pages
• And other applications: video streaming, mail, etc.
• Need to find the root causes of the performance gaps
• Possibility of using more sophisticated network conditions
12. Conclusions
• Overall modest performance cost associated with the employment of MASQUE in proxying scenarios that already use QUIC
• Adopting MASQUE to achieve its privacy guarantees comes at a reasonable performance expense
• MASQUE can be a good choice in several contexts
• IoT devices
• Companies handling sensitive data
• Developing protocols with encryption and privacy promises involves a performance trade-off