John Lampe wrote on 2024-06-24 10:48:
> On Mon, Jun 24, 2024 at 1:19 PM Paul Vixie <[email protected]> wrote:
>> I've blocked UDP in every edge network I've operated since the late
>> 1980s because it could be used to facilitate firewall bypass in the
>> style of quic. I might not be alone. Quic is something I'll expect
>> my ALG to use, because it's a great thing.
> Many (most?) large govt agencies are just blocking it outright on the
> firewall. The same with large corporations. I feel like security tooling
> may not be up to snuff and it's easier to just force the connection over
> TLS...simpler for sure...
i think a lot of current protocol/software developers are ready to move
to a post-national post-corporate world where only end users hold sway,
and they see no reason to negotiate with those of us who dis-want that.
to that community, DoH and QUIC and ECH are necessary, desirable, and
inevitable. some have told me to "just secure your (my) endpoints".
i predict that the next equilibrium will be that secure private networks
will only allow off-net traffic for their own servers (dns, webproxy,
etc) and will force all other off-net traffic (IoT, end users) through
on-net proxies where traffic can be inspected. some countries will have
to relax their employee/employer surveillance laws to reach that state.
to return to the topic at hand, i think "why isn't QUIC growing?" is a
non-sequitur because there's no noncontroversial reason why it should.
QUIC is a well engineered protocol which is deploying smoothly so far.
but since its motives include activism, it will never be universal.
--
P Vixie
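As an added illustration of the egress model described in this thread (designated resolver and web proxy/ALG are the only hosts allowed off-net, everything else is dropped or pushed through the on-net proxy, and QUIC from end users is recognised and dropped rather than silently lost), here is a small policy simulation. It is example code written for this page, not anything from the thread's participants or from any firewall product; the 10.0.0.0/8 network, the 10.0.0.53 and 10.0.0.80 server addresses, the permitted ports, and the sample packets are all constructed assumptions. The QUIC classifier follows the long-header invariants of RFC 8999 and the type encodings of RFC 9000 (v1) and RFC 9369 (v2), so it catches Initial packets on any UDP port, not only 443.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# QUIC version numbers (RFC 9000, RFC 9369). Anything else with the long-header
# shape is reported as "unknown_version", which is what greased versions look like.
QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
LONG_TYPES = {
    QUIC_V1: {0: "initial", 1: "0rtt", 2: "handshake", 3: "retry"},
    QUIC_V2: {1: "initial", 2: "0rtt", 3: "handshake", 0: "retry"},
}


def parse_quic_long_header(payload: bytes) -> Optional[dict]:
    """Classify a UDP payload by its QUIC long header (RFC 8999 invariants).

    Returns {"version", "type"} if the bytes fit the long-header layout, else None.
    Short-header (1-RTT) packets carry no version field and are not matched:
    stateless inspection cannot recognise them without having seen the handshake.
    """
    if len(payload) < 7 or payload[0] & 0x80 == 0:      # header form bit: 1 = long header
        return None
    version = int.from_bytes(payload[1:5], "big")
    dcid_len = payload[5]
    pos = 6 + dcid_len
    if dcid_len > 20 or pos >= len(payload):            # v1/v2 limit connection IDs to 20 bytes
        return None
    scid_len = payload[pos]
    if scid_len > 20 or pos + 1 + scid_len > len(payload):
        return None
    if version == 0:
        return {"version": 0, "type": "version_negotiation"}
    if payload[0] & 0x40 == 0:
        # The fixed bit is 1 on every v1/v2 long-header packet; RFC 9287 greasing
        # applies only after negotiation, so an Initial with it clear is not QUIC.
        return None
    types = LONG_TYPES.get(version)
    if types is None:
        return {"version": version, "type": "unknown_version"}
    return {"version": version, "type": types[(payload[0] & 0x30) >> 4]}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# Hypothetical network: the resolver and the web proxy/ALG are the only hosts
# permitted to talk off-net directly. Addresses and port sets are assumptions.
ON_NET = ipaddress.ip_network("10.0.0.0/8")
EGRESS_SERVERS = {
    "10.0.0.53": {("udp", 53), ("tcp", 53), ("tcp", 853)},     # resolver
    "10.0.0.80": {("tcp", 80), ("tcp", 443), ("udp", 443)},    # proxy/ALG: the one place QUIC egress is allowed
}


def egress_decision(flow: Flow) -> str:
    """What the edge firewall does with one flow under the proxy-only model."""
    if ipaddress.ip_address(flow.dst) in ON_NET:
        return "allow"                                 # on-net traffic is out of scope here
    if (flow.proto, flow.dport) in EGRESS_SERVERS.get(flow.src, set()):
        return "allow"                                 # designated server on a designated port
    if flow.proto == "udp":
        quic = parse_quic_long_header(flow.payload)
        if quic:
            return f"drop:quic-{quic['type']}"         # logged distinctly so the QUIC attempt is visible
        return "drop:udp"                              # no other off-net UDP from end users
    if flow.proto == "tcp" and flow.dport in (80, 443):
        return "redirect:proxy"                        # browsers fall back to TCP/TLS via the proxy
    return "drop:other"


# Constructed sample packets, not captured traffic.
QUIC_V1_INITIAL = bytes([0xC3]) + QUIC_V1.to_bytes(4, "big") + bytes([8]) + b"\x11" * 8 + b"\x00" + b"\x00" * 20
QUIC_VN = bytes([0x80]) + b"\x00\x00\x00\x00" + bytes([0]) + bytes([8]) + b"\x22" * 8 + QUIC_V1.to_bytes(4, "big")
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"

SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", "udp", 443, QUIC_V1_INITIAL),    # end user trying QUIC
    Flow("10.1.2.3", "203.0.113.10", "tcp", 443),                     # same user, TCP fallback
    Flow("10.1.2.3", "203.0.113.10", "udp", 8443, QUIC_V1_INITIAL),   # QUIC on a non-standard port
    Flow("10.0.0.80", "203.0.113.10", "udp", 443, QUIC_V1_INITIAL),   # the ALG itself using QUIC
    Flow("10.0.0.53", "198.51.100.53", "udp", 53, DNS_QUERY),         # resolver doing its job
    Flow("10.1.2.3", "198.51.100.53", "udp", 53, DNS_QUERY),          # user bypassing the resolver
    Flow("10.1.2.3", "10.0.0.80", "tcp", 3128),                       # on-net connection to the proxy
]


def evaluate(flows=SAMPLE_FLOWS):
    return [(f.src, f.proto, f.dport, egress_decision(f)) for f in flows]


if __name__ == "__main__":
    for row in evaluate():
        print(*row)
```

The classifier keys on the version field and the fixed bit rather than on the port, which is why the third sample flow (QUIC on UDP/8443) is caught and why a DNS query whose transaction ID happens to have its high bit set is still not misclassified once the version bytes are checked. What this stateless check cannot do is recognise 1-RTT short-header packets, so a policy that relies on it still needs the broader "drop all other off-net UDP" rule to close that gap.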