CONCEPT Cited by 1 source

UDP middlebox hostility

Definition

UDP middlebox hostility names the deployment friction that QUIC and HTTP/3 inherit because the middleboxes on the path (ISP traffic-policy engines, enterprise firewalls, L4/L7 load balancers, CDN edges, QoS and queue-management engines) were tuned over decades around TCP and treat UDP as the exotic or adversarial case.

Zalando's 2024-06 post frames this as one of QUIC's four named operational costs:

"Networking infrastructure was monopolised by TCP so long that it introduced indirect dependencies on networking. ISP enforces different traffic routing policies for TCP vs UDP traffic, there are various in-the-network optimisation techniques such as Quality of Service, Active Queue Management that impacts on UDP." (Source: sources/2024-06-17-zalando-next-level-customer-experience-with-http3-traffic-engineering)

Concrete manifestations

The post cites Facebook's 2020 QUIC-rollout retrospective as the canonical catalogue of manifestations:

  • Client-side TCP heuristic — mobile clients have heuristics (e.g. "if TCP is working, stick with it") that must be re-tuned for QUIC.
  • Download-bandwidth estimation — client-side BW probes were built around TCP's ACK pacing; UDP-based probes differ and need re-calibration.
  • Linux-kernel UDP packet-processing bottleneck — the kernel's UDP receive and transmit paths had not been optimised as aggressively as TCP's (one syscall and one socket-buffer allocation per datagram, no segmentation offload by default), so at line-rate packet volumes kernel CPU was a real ceiling; mitigations were batching APIs (recvmmsg / sendmmsg), UDP GSO/GRO, or XDP / AF_XDP bypass.
  • New load-balancing policies — L4 LBs that hash on the UDP 4-tuple route a fresh QUIC connection correctly but break the moment the client's address changes (NAT rebinding, Wi-Fi-to-cellular migration), because the packets then hash to a different backend while the connection state lives on the old one. QUIC identifies connections by connection ID, so the LB needs CID-aware logic (e.g. the server encodes a routing prefix in every CID it issues and the LB reads it back out).
  • New firewall policies — many enterprise firewalls permit outbound UDP only for DNS and a few known services, so UDP/443 is dropped or rate-limited by default policy. At L4 an HTTP/3 flow is just UDP to port 443, indistinguishable from tunnelling or flood traffic, so the allow rule has to be added explicitly. Clients must detect the drop quickly and fall back, since a blocked UDP port typically yields silence rather than an ICMP reject.
  • QoS / AQM treatment — routers apply different queueing and AQM policy (FIFO / CoDel / FQ-CoDel, class-based rate limits) to UDP than to TCP. QUIC flows can be queue-starved by a policy that deprioritises UDP or, conversely, placed in a deep FIFO with no AQM and accumulate bufferbloat that QUIC's own congestion controller then has to cope with.
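The load-balancing bullet above is the one that is most easily shown in code. The block below is an added illustration, not Zalando's or Facebook's code and not the IETF QUIC-LB algorithm: it contrasts 4-tuple hashing with routing on a server-issued connection ID whose first byte carries the backend index (an assumed encoding, chosen for readability; real deployments use longer, often encrypted, server IDs). All builders, names and the sample addresses are constructed for the example.

```python
"""
Connection-ID-aware routing for a QUIC L4 load balancer, contrasted with
classic 4-tuple hashing. Added example; not code from any project on this page.

Assumptions (not from the page):
  * Backends encode their index in byte 0 of every connection ID they issue
    (an assumed scheme; draft-ietf-quic-load-balancers uses richer encodings).
  * All server-issued CIDs are CID_LEN bytes, so the LB can read the DCID out
    of short-header packets, whose header carries no CID length field.
"""
import hashlib
import os

CID_LEN = 8      # assumed fixed length of server-issued connection IDs
N_SERVERS = 4    # size of the backend pool in this example


def route_by_4tuple(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
    """Classic L4 policy: a stable hash of the UDP 4-tuple."""
    key = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % N_SERVERS


def parse_dcid(packet: bytes) -> bytes:
    """Destination Connection ID of a QUIC v1 packet (RFC 9000, section 17)."""
    if not packet:
        raise ValueError("empty datagram")
    if packet[0] & 0x80:  # long header: version, then explicit DCID length
        if len(packet) < 6:
            raise ValueError("truncated long header")
        dcid_len = packet[5]
        dcid = packet[6:6 + dcid_len]
        if len(dcid) != dcid_len:
            raise ValueError("truncated DCID")
        return dcid
    if len(packet) < 1 + CID_LEN:  # short header: length is implicit
        raise ValueError("truncated short header")
    return packet[1:1 + CID_LEN]


def issue_cid(server_id: int) -> bytes:
    """CID a backend would place in its SCID / NEW_CONNECTION_ID frames."""
    if not 0 <= server_id < 256:
        raise ValueError("server id must fit in one byte")
    return bytes([server_id]) + os.urandom(CID_LEN - 1)


def route_by_cid(packet: bytes, fallback: int) -> int:
    """CID-aware policy. Long-header packets (Initial, 0-RTT) carry a
    client-chosen DCID that the LB cannot trust, so they take the fallback
    (4-tuple) decision; short-header packets route on the server-issued DCID."""
    dcid = parse_dcid(packet)
    if packet[0] & 0x80:
        return fallback
    server_id = dcid[0]
    return server_id if server_id < N_SERVERS else fallback


def build_initial(dcid: bytes, scid: bytes, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed QUIC v1 Initial skeleton: first byte, version, DCID, SCID,
    token length (0), 2-byte varint length, payload. No crypto applied."""
    hdr = bytes([0xC0]) + (1).to_bytes(4, "big")
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid
    hdr += b"\x00" + bytes([0x40 | (len(payload) >> 8), len(payload) & 0xFF])
    return hdr + payload


def build_short(dcid: bytes, payload: bytes = b"\x00" * 20) -> bytes:
    """Constructed 1-RTT short-header packet: fixed bit set, DCID, payload."""
    return bytes([0x40]) + dcid + payload


def demo() -> dict:
    """Client opens a connection on Wi-Fi, then migrates to cellular."""
    vip = ("203.0.113.10", 443)          # constructed LB virtual IP
    wifi = ("198.51.100.7", 50000)       # constructed client address, before
    cell = ("192.0.2.33", 61000)         # constructed client address, after
    initial = build_initial(dcid=os.urandom(8), scid=os.urandom(8))
    first_hop = route_by_4tuple(*wifi, *vip)
    chosen = route_by_cid(initial, fallback=first_hop)   # Initial: 4-tuple
    server_cid = issue_cid(chosen)                       # backend encodes itself
    short = build_short(server_cid)                      # sent after migration
    return {
        "chosen": chosen,
        "tuple_after_migration": route_by_4tuple(*cell, *vip),
        "cid_after_migration": route_by_cid(short, fallback=99),
    }


if __name__ == "__main__":
    print(demo())
```

With CID routing the post-migration packet always lands on the backend that owns the connection; with 4-tuple hashing it lands wherever the new address hashes, which is the right backend only by chance. The fallback path matters in practice: Initial packets, packets with an unknown server index, and truncated datagrams must still go somewhere deterministic rather than crash the dispatcher.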

Consequences

  • Mandatory HTTP/2 fallback. A production HTTP/3 rollout must still serve HTTP/2 over TCP. Zalando reports that 1.8 % of users end up on HTTP/1 and 61.6 % on HTTP/2, so roughly two thirds of clients are not on HTTP/3 at any given moment; the TCP path stays the majority path and cannot be treated as legacy. See patterns/fallback-to-http2-on-udp-hostility.
  • Observability gap. UDP carries none of the TCP signals that flow-log and NetFlow-style telemetry is built on (SYN/RST counts, retransmits, window sizes), and QUIC's encrypted headers hide the rest from the network, so the same monitoring has to be rebuilt from endpoint-side QUIC metrics (qlog-style events, handshake and loss counters exported by the stack). See concepts/http-3-probing-gap for the probing-tooling consequence at the client side.
  • Deployment coordination cost. Running HTTP/3 in production is not only a server change: it requires coordination with the ISP, the CDN, the L4/L7 LB vendor, and (for enterprise clients) the customer's firewall team.

Why middleboxes exist around TCP

The history: the TCP stack and the middleboxes around it co-evolved over 40 years. NAT, TLS-intercepting firewalls, WAN accelerators (TCP splicing, window-scaling manipulation), DDoS scrubbers, and transparent caches all grew up parsing cleartext TCP headers, and many of them rewrite those headers or terminate the TCP connection outright. QUIC's header protection (packet numbers encrypted, almost every other header field and all transport parameters carried inside the encrypted payload) is deliberately incompatible with this: a feature from a protocol-design standpoint, because it stops ossification by middleboxes, and a cost from a deployment-friction standpoint, because those same middleboxes can no longer "help" and often react to the opaque traffic by dropping or throttling it.
