UDP Proxying over HTTP [CONNECT-UDP]
defines a way to send datagrams through an HTTP proxy, where UDP is used to communicate
between the proxy and a target server. This can be used to proxy QUIC
connections [QUIC], since QUIC runs over UDP datagrams.

This document uses the term "target" to refer to the server that a client is
accessing via a proxy. This target may be an origin server hosting content, or
another proxy for cases where proxies are chained together.

This document extends the UDP proxying protocol to add signalling about QUIC
Connection IDs. QUIC Connection IDs are used to identify QUIC connections in
scenarios where there is not a strict one-to-one mapping between QUIC
connections and UDP 4-tuples (pairs of IP addresses and ports).

Once a proxy is aware of QUIC Connection IDs, it can reuse UDP 4-tuples between
itself and a target for multiple proxied QUIC connections.

For proxies that are themselves running on HTTP/3 [HTTP3], and thus
are accessed by clients over QUIC, QUIC Connection IDs can be used to treat
packets differently on the link between clients and proxies. New QUIC Connection IDs
can be assigned to apply transformations to the packets that allow for efficient
forwarding without full re-encapsulation and re-encryption of proxied QUIC
packets within datagrams inside the QUIC connection between clients and proxies.
This document defines two modes for proxying QUIC connections, "tunnelled" and
"forwarded":

- Tunnelled is the default mode for UDP proxying, defined in [CONNECT-UDP].
  In this mode, packets in the QUIC connection between the client and target are
  encapsulated inside the QUIC connection between the client and proxy.
  These packets use multiple layers of encryption and congestion control.

- Forwarded is the mode of proxying added by this document. In this mode,
  packets in the QUIC connection between the client and target are sent with dedicated
  QUIC Connection IDs between the client and proxy, and use special-purpose
  transforms instead of full re-encapsulation and re-encryption.

QUIC long header packets between clients and targets MUST be proxied in tunnelled
mode. QUIC short header packets between clients and targets MAY be proxied in
forwarded mode, subject to negotiation between a client and a proxy.

Forwarded mode is an optimization to reduce CPU and memory cost to clients and
proxies and to avoid the encapsulation overhead on the wire that reduces
the effective MTU (Maximum Transmission Unit). This makes it suitable for
deployment situations that otherwise relied on cleartext TCP
proxies, which cannot support QUIC and have inferior security and privacy
properties.
The properties provided by the forwarded mode are as follows:

- All packets sent between the client and the target traverse through the proxy
  device.

- The target server cannot know the IP address of the client solely based on the
  proxied packets the target receives.

- Observers of either or both of the links between client and proxy and between
  proxy and target are not able to learn more about the client-to-target
  communication than if no proxy was used.

Forwarded mode does not prevent correlation of packets on the link between
client and proxy and the link between proxy and target by an entity that
can observe both links. The precise risks depend on the negotiated transform
(Section 5.3). See Section 8 for further discussion.

Both clients and proxies can unilaterally choose to disable forwarded mode for
any client-to-target connection.

The forwarded mode of proxying is only defined for HTTP/3 [HTTP3] and not
any earlier versions of HTTP.

QUIC proxies only need to understand the Header Form bit and the connection ID
fields from packets in client-to-target QUIC connections. Since these fields
are all in the QUIC invariants header [INVARIANTS], QUIC proxies can
proxy all versions of QUIC.
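As an added example (not part of the draft), the following Python parses only the invariants-header fields a QUIC proxy needs, the Header Form bit and the connection IDs, and applies the mode rule stated above: long header packets are always tunnelled, short header packets are forwarded only when their Destination Connection ID was negotiated for forwarding. The set of forwardable CIDs, the out-of-band short-header CID length and the sample packets are assumptions of this example.

```python
# Added example, not from the draft: parse the version-independent QUIC
# invariants header (RFC 8999) and apply the draft's mode rule.
from dataclasses import dataclass
from typing import Optional

@dataclass
class InvariantsHeader:
    long_header: bool        # value of the Header Form bit
    version: Optional[int]   # long header packets only
    dcid: bytes
    scid: Optional[bytes]    # long header packets only

def parse_invariants(packet: bytes, short_dcid_len: int) -> InvariantsHeader:
    """Extract only the fields a QUIC proxy needs: Header Form bit and CIDs.
    short_dcid_len is the DCID length the proxy learned out of band, since
    short header packets carry no length field."""
    if not packet:
        raise ValueError("empty packet")
    if packet[0] & 0x80:  # Header Form bit set: long header
        if len(packet) < 6:
            raise ValueError("truncated long header")
        version = int.from_bytes(packet[1:5], "big")
        dcid_len, pos = packet[5], 6
        dcid = packet[pos:pos + dcid_len]
        pos += dcid_len
        if len(dcid) != dcid_len or pos >= len(packet):
            raise ValueError("truncated DCID")
        scid_len = packet[pos]
        scid = packet[pos + 1:pos + 1 + scid_len]
        if len(scid) != scid_len:
            raise ValueError("truncated SCID")
        return InvariantsHeader(True, version, dcid, scid)
    dcid = packet[1:1 + short_dcid_len]  # short header: no length byte
    if len(dcid) != short_dcid_len:
        raise ValueError("truncated short header")
    return InvariantsHeader(False, None, dcid, None)

def choose_mode(packet: bytes, forwardable_cids: set, short_dcid_len: int) -> str:
    """Long header packets MUST be tunnelled; short header packets MAY be
    forwarded. Checking the DCID against a negotiated set is an assumed policy."""
    hdr = parse_invariants(packet, short_dcid_len)
    if hdr.long_header or hdr.dcid not in forwardable_cids:
        return "tunnelled"
    return "forwarded"

# Constructed sample packets (not real captures); CIDs are made up.
LONG_PKT = (bytes([0xC0]) + (1).to_bytes(4, "big") + bytes([4]) + b"\x11\x22\x33\x44"
            + bytes([2]) + b"\xaa\xbb" + bytes(8))
SHORT_PKT = bytes([0x40]) + b"\x11\x22\x33\x44" + bytes(8)
```

Because nothing beyond the invariants is inspected, the same logic applies to any QUIC version the client and target negotiate.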
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174]
when, and only when, they appear in all capitals, as shown here.

This document uses the following terms:

- Client: the client of all QUIC connections discussed in this document.

- Proxy: the endpoint that responds to the UDP proxying request.

- Target: the server that a client is accessing via a proxy.

- Client-to-proxy 4-tuple: the UDP 4-tuple (client IP address, client UDP port,
  proxy IP address, proxy UDP port) used to communicate between the client and
  the proxy.

- Proxy-to-target 4-tuple: the UDP 4-tuple (proxy IP address, proxy UDP port,
  target IP address, target UDP port) used to communicate between the proxy and
  the target.

- Client Connection ID (CID): a QUIC Connection ID that is chosen by the client, and
  is used in the Destination Connection ID field of packets from the target to
  the client.

- Target Connection ID (CID): a QUIC Connection ID that is chosen by the target, and
  is used in the Destination Connection ID field of packets from the client to
  the target.

- Virtual Connection ID (VCID): a fake QUIC Connection ID chosen by the proxy
  that is used on the client-to-proxy 4-tuple in forwarded mode.

- Client VCID: a VCID used by the proxy to send forwarded packets from the target
  to the client.

- Target VCID: a VCID used by the client to send forwarded packets to the target
  via the proxy.

- Packet Transform: the procedure used to modify packets before they enter the
  client-proxy link.