QUICstep: Evaluating connection migration based QUIC censorship circumvention

Seungju Lee, Mona Wang, Watson Jia, Qiang Wu, Henry Birge-Lee, Liang Wang, Prateek Mittal

TL;DR

This paper investigates QUICstep, a lightweight, application-agnostic approach to circumventing QUIC censorship: the handshake is sent over a separate channel, and QUIC connection migration is used to conceal it from the censor. It presents a practical prototype, demonstrates real-world circumvention of QUIC SNI censorship (including GFW deployments), and quantifies the performance benefits relative to a full VPN, showing substantial reductions in handshake-channel load and potential page-load improvements. The work also measures the current state of QUIC and connection-migration support in the wild, documenting rising but uneven adoption across major providers and CDNs, and proposes QUICstep as a tool for assessing migration readiness. Additionally, the paper discusses potential attacks, deployment challenges, and directions for standardization and wider integration into usable censorship-circumvention deployments, highlighting QUICstep’s relevance as QUIC becomes the Internet’s de facto transport. Overall, QUICstep offers a practical path to efficient censorship circumvention in a QUIC-first Internet, with measurable performance gains and a scalable method to gauge migration readiness on the web.

Abstract

Internet censors often rely on information in the first few packets of a connection to censor unwanted traffic. With the rise of the QUIC transport protocol, prior work has suggested the method of using QUIC connection migration to conceal the first few handshake packets using a different network path (e.g., an encrypted proxy channel). However, the use of connection migration for censorship circumvention has not been explored or validated in terms of feasibility or performance. We bridge this gap by providing a rigorous quantitative evaluation of this approach that we name QUICstep. We develop a lightweight, application-agnostic prototype of QUICstep and demonstrate that QUICstep is able to circumvent a real-world QUIC SNI censor. We find that not only does QUICstep outperform a fully encrypted channel in diverse settings, but also that it can significantly reduce traffic load for encrypted channel providers. We also propose using QUICstep as a tool for measuring QUIC connection migration support in the wild and show that support for connection migration is on the rise. While as of now QUIC and connection migration support is limited, we envision that QUICstep can be a useful tool for the future where QUIC is the de facto norm for the Internet.

Paper Structure (60 sections, 9 figures, 5 tables)

This paper contains 60 sections, 9 figures, 5 tables.

Figures (9)

  • Figure 1: An illustration of QUIC connection migration. Before the server can receive data from the client on the new network path, it must be validated. The server can cache recent path validations, preventing the need to perform them every time a network migration occurs.
  • Figure 2: This figure demonstrates our adversary model and how QUICstep can be leveraged to circumvent censorship. (a) demonstrates an adversary capable of monitoring, blocking or disrupting client traffic based on plaintext sensitive fields that may be associated with HTTPS requests. (b) illustrates the architecture of QUICstep under this adversary model. Finally, (c) demonstrates, at a high level, the full set of network requests performed by QUICstep.
  • Figure 3: Number of websites that support (a) QUIC and (b) port migration from daily Tranco top 1M websites from August 3, 2024 to November 13, 2024. Support for port migration increased sharply around late September, 2024.
  • Figure 4: Page load time of QUICstep and VPN connections for 100 different domains. Client in London, handshake channel provider in Ohio with a maximum throughput of 5 Mbps. QUICstep generally provides shorter page load time compared to VPN.
  • Figure 5: CDF of time to first byte (in milliseconds) from 100 fetches of www.youtube.com with the client located in London and proxies located in Ohio, Ireland, Seoul with proxies' maximum throughput limited to 5 Mbps. QUICstep performance is comparable to the VPN connection.
  • ...and 4 more figures