QUIC: https on udp

My mind was just blown looking into curious traffic coming from my Android phone.  I'm seeing my UTM blocking port 443 UDP traffic.  That's odd, I wasn't aware there was such a thing.  Looking into it, the developers over at Google have been working on a high-speed web protocol that works on UDP.  They are calling it QUIC.


What does this mean for network administrators?  The need to create rules addressing applications that use QUIC.

What about Sophos?  Perhaps the need to add support for QUIC in all of its HTTP proxy and filtering sub-systems.


09:07:19 Default DROP UDP 10.1.3.1:38511 -> 31.13.70.1:443 len=1263

 A challenge supporting this protocol is that standard proxies won't work.   UDP is a shoot-and-forget-it protocol so there is no connection.  The challenge here is that returning packets don't have a connection to traverse, they just have an ip address of the internet router.  Without port-forwarding rules, the packet won't reach the correct destination and this is no solution either as such rules only support one device per network.  This looks to be a horrible idea, but Google has rolled it out anyway.  I'm seeing it on the TuneIn streaming App for Android.  It's not clear if the challenges can be adequately managed.


More info here:  ma.ttias.be/.../

  • Yes, you want to block UDP 443 at the firewall.

    When Chrome detects a QUIC-capable server, it attempts to connect in this order.  I do not know how it identifies QUIC-enabled systems.

    1. Proxy settings (Standard Mode) with UDP 443
      By default, standard mode will block UDP 443, because it blocks all non-standard ports.   If you add UDP 443 to the Target Services list, the traffic will be allowed but will not be filtered.  So the process will proceed to step 2

    2. No proxy (transparent Mode) with UDP 443
      The Transparent Mode proxy does not intercept UDP 443, so the traffic will be handled by Firewall Rules.   If it is allowed, it will be unfiltered.   If it is blocked, the browser will connect using #3 or #4, and it will be filtered.

    3. Proxy Settings with TCP 443

    4. No proxy with TCP 443

    Chrome behaves perfectly well with UDP 443 blocked.   For our purposes, QUIC is a proxy-evasion tool which should not be ignored.
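    The UTM log entry quoted in the original post, together with the advice above to block UDP 443, suggests a simple way to inventory which hosts are attempting QUIC and, more importantly, which of those flows were allowed and therefore never passed through the HTTP proxy. This is an added example, not code from the thread or from Sophos; the one-line log layout and the sample entries are constructed assumptions, so adjust LOG_RE to match your own log export.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample lines in the shape of the UTM entry quoted in the post
    # (time, rule name, action, protocol, src ip:port, dst ip:port, length).
    # The exact Sophos UTM export format is an assumption; adapt LOG_RE as needed.
    SAMPLE_LOG = """\
    09:07:19 Default DROP UDP 10.1.3.1:38511 31.13.70.1:443 len=1263
    09:07:20 Default DROP UDP 10.1.3.1:38511 31.13.70.1:443 len=1263
    09:07:25 Allow-Any ALLOW UDP 10.1.3.7:51234 203.0.113.10:443 len=1350
    09:07:26 Allow-Any ALLOW UDP 10.1.3.7:51234 203.0.113.10:443 len=1350
    09:07:30 Default DROP UDP 10.1.3.9:5353 224.0.0.251:5353 len=84
    09:07:31 Allow-Any ALLOW TCP 10.1.3.7:51300 203.0.113.10:443 len=52
    """

    LOG_RE = re.compile(
        r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>\S+)\s+(?P<action>DROP|ALLOW)\s+"
        r"(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
        r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+len=(?P<len>\d+)$"
    )

    def parse_line(line):
        """Return the fields of one log line as a dict, or None if it does not match."""
        m = LOG_RE.match(line.strip())
        return m.groupdict() if m else None

    def quic_candidates(log_text):
        """Group UDP/443 flows (the QUIC signature discussed in the thread) by source host.
        Returns {src_ip: {"dropped": n, "allowed": n, "dsts": set(...)}}.
        A non-zero 'allowed' count is the finding that matters: that traffic
        went out unfiltered, bypassing the web proxy entirely."""
        out = defaultdict(lambda: {"dropped": 0, "allowed": 0, "dsts": set()})
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None or rec["proto"] != "UDP" or rec["dport"] != "443":
                continue  # not UDP/443: mDNS, TCP HTTPS, unparseable lines
            entry = out[rec["src"]]
            entry["dropped" if rec["action"] == "DROP" else "allowed"] += 1
            entry["dsts"].add(rec["dst"])
        return dict(out)

    if __name__ == "__main__":
        for src, info in sorted(quic_candidates(SAMPLE_LOG).items()):
            state = "UNFILTERED" if info["allowed"] else "blocked"
            print(f"{src}: {state} dropped={info['dropped']} "
                  f"allowed={info['allowed']} dsts={sorted(info['dsts'])}")
    ```
    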

  • In reply to DouglasFoster:

    Agreed. Have been blocking since I first saw the logs and reports of unrestricted Chromebook usage.

    udp/443 = QUIC, and I think that flow control view can recognize QUIC and shape/throttle it, but don't quote me on that.

  • In reply to DouglasFoster:

    QUIC can be disabled via GPO, at least for the Chrome Version for Windows I used this.

    Computer Config > Admin Templates > Policies > Google > Allows QUIC Protocol

    Best regards 

    Alex 

  • In reply to DouglasFoster:

    Doug, what leads you to believe that when QUIC is added to 'Allowed Target Services', the traffic is not decrypted?

    Cheers - Bob

  • In reply to BAlfson:

    This is based on information I was given by Michael Dunn.   Not sure it was in the forum or in a private message exchange.