// MENU // 00:00 - The Problem with TCP 00:12 - Introducing//Robin Marx 02:12 - Clean Ship, Clean House//RFCs 03:25 - HTTP Semantics//QUIC//HTTP/3 04:17 - Why the Hell Do We Need HTTP/3? 05:05 - Why QUIC? 08:35 - QUIC & TLS Integration 10:02 - Why Use UDP? 13:50 - Replacing TCP with QUIC 14:28 - Summary So Far 15:22 - Stream Multiplexing 15:40 - Head-of-line blocking 18:40 - Why This Slows Things Down 19:29 - How QUIC Does It Differently 20:58 - TCP vs QUIC//Packet Handling 23:11 - HTTP/3 Prioritization 25:25 - Stats//QUIC Isn't Going Anywhere 26:30 - Firewalls are almost useless 27:20 - Firewalls Blocking QUIC? 28:04 - QUIC & Other Protocols? 29:20 - IPv4 & IPv6//Different for QUIC? 29:54 - Challenges for QUIC's Growth 30:43 - Connection Migration 33:33 - What About Hackers? 36:32 - How Do I Get To Use QUIC? 38:28 - Large Companies Adopting QUIC 39:09 - The Internet is Too Centralized? 40:02 - Header Compression 41:55 - Server Push 43:47 - Practical Examples with Wireshark 50:34 - Thank You & How to Contact Robin You better be aware of what just changed on the Internet. TCP is being replaced with QUIC. UDP is being used more and more instead of TCP. This affects your firewalls. It affects a lot of your network troubleshooting. HTTP/3 has been standardized. Everything is encrypted with QUIC - welcome to the new world of network troubleshooting and security. // Robin SOCIAL // Twitter: twitter.com/programmingart LinkedIn: www.linkedin.com/in/rmarx/ KZbin: kzbin.info/door/yqPrNfndJ7OPhPdYJG-mmQvideos // Robin's Blog articles // HTTP3 core concepts Part 1: www.smashingmagazine.com/2021/08/http3-core-concepts-part1/ HTTP3 core concepts Part 2: www.smashingmagazine.com/2021/08/http3-performance-improvements-part2/ HTTP3 core concepts Part 3: www.smashingmagazine.com/2021/09/http3-practical-deployment-options-part3/ // Chris Greer Videos // HTTPS Decryption with Wireshark: kzbin.info/www/bejne/fX6xgIdnlr-gepo Decrypting TLS, HTTP/2 and QUIC with Wireshark: kzbin.info/www/bejne/r6DHdZWdpKihgq8 // David SOCIAL // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal KZbin: kzbin.info // MY STUFF // www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

So many years went by since I last educated myself with networking technologies. The way Robin breaks down this complicated issue is amazing, I was kinda bored when I saw that this video is almost an hour long, but at the end I didn't even notice it, it was great knowledge and was given in such a great way. Congrats to everyone, this was amazing.

One other issue that I did not hear brought up is how many firewall vendors suggest you block QUIC as it breaks many firewall web filtering methods. I covered this in my recent Web Filtering video and it's one of the reasons we choose the filter each endpoint instead of at the firewall for my clients.

A video I didn't asked but needed to watch. Thanks again to David Bombal and his team, and also the guest for this video. This interview/podcast (whatever you want to call it) is pure gold content.

Fantastic interview and talk. I wasn't aware of quic until now and the high level explanation was understandable and easy to follow. Big thanks for recording and putting out there

Presented exceedingly well. I wasn't aware of what was happening with QUIC, but the level of the discussion was perfect. Thank you.

Wow. Great talk. I haven't used any TCP/IP programming skills for 15 years, but listening to these guys brought everything back in seconds. Great to hear the IETF is still chugging along.

This is the best, most informative video on Quic that I have seen. I really enjoyed it and understood much more than I thought I would. Thanks!

Just wanted to say I appreciate all the small cuts/edits you made to make the video flow seamlessly. It made the long video very pleasant to watch.

QUIC is basically a way to create a protocol layer that will ignore firewalls. It's also trying to centralize and deanonymize the internet, as it will be used. If a protocol is dependent on TLS, you can decide that certain authorities are not valid. If you do this on a network level, you can totally control end points. And this is just the easy to explain thing about it. Many other people here are mentioning other problems. We didn't need an encrypted protocol layer. We just needed a tune up. Unfortunately, the Googles of the world have outsized influence at the IETF.

What a great video. So easily understandable, yet so informative. The questions were so thoughtful and I am so glad they were asked. It provided so much interesting detail. As someone who is just starting to learn QUIC this is a brilliant introduction on getting the big picture.

This is the thing I can't get my head around with the QUIC design decisions: Most header data is encrypted to prevent middleboxes from breaking future changes to QUIC. But this is precisely the reason why many firewalls block and will continue to block QUIC, the packets can't be inspected, logged and reported by firewall’s web protection features. This will straight up prevent the adoption in many use cases. I don't understand why slow adoption (it takes years for middleboxes to be replaced) isn't preferrable to impossibility of adoption (without leaving a gaping hole in your network's security).

This is a most succinct and on point video I've seen for a while and the same time being almost an hour long :)

Thank you David sir! these topics are really helpful, please do more of those interviews like these. Thank you for keeping me up with new topologies.

Holy smokes, this is amazingly in-depth and technical. Can't wait to see PCAPs using not only HTTP3 but when other protocols start filtering in, like SSH, as mentioned.

Thanks for this very precious explanation about QUIC, now I can explain much clearer to my boss why I am blocking QUIC for now 😂

I know I'm going to get back to this video very often in the future. Thanks David and Robin !

Robin does a great job with the details, RFC's, and in-depth look at QUIC. Super job!

Thanks David for making your content, I have been binge watching your videos for a few weeks now. and thank you Robin for breaking this down in an easy to understand way. My networking knowledge is very entry level/beginner and I was able to watch this video and make a nice large note in CherryTree to understand the basic of HTTP/QUIC, and have a nice reference to look back on. This will be extremely helpful when this topic comes up in my upcoming classes for cyber security. I will definitely be giving you a follow.

Kudos. You presented this in a way that even I could understand. Thanks for the illumination.

The stream id concept of Quic is surely a really strong point that will make this protocol replace TCP in a lots of applications. Nice video!

Great job David and Robin! Robin can explain the details around QUIC and H3 like nobody else. Don't just block QUIC for no reason. QUIC is here. It will continue to take over workload on web services on the internet. Instead, work to understand how it works and why it helps secure and optimize web apps and API's. Solid content David! 👏

This is the best video on QUIC I've seen. Thank you so much for posting this.

Great walk through enjoyed this one immensely. Thanks David. Concise and clear, great insight. Thanks Robin.

Fantastic content, David and Robin! Thanks for sharing it :D

Thanks David and Robin. What a wonderful insight its been. Robin explained it very clearly, when David asked the right question. Its exciting times to see new technologies emerging !!!

I just passed my CCNA exam with the huge help of your CCNA course. Thanks! But videos like this are also great, showing that it is essential to constantly learn in this industry Thank you for helping us!

This is really well explained, and very significant. Glad I stumbled across this.

Technical topic but it was explained very clearly. Well done.

Best video on explaining QUIC / HTTP/3. I think 1) Changing the title to something more explanatory and 2) Changing the thumbnail to something some serious (not "will your firewall become useless) might help people finding this excellent video! Thank you very much for the effort!

I am still new to networking, but the explanations are very clear...thanks so much David for your lovely videos

Great video David!! Robin is a genius, he explains all this subject in a very easy way to understand

Thanks for this. I can't wait for this to be integrated properly. I read the rfc's and I'm so nerdily excited

I love the way this was produced. Great care in focusing on the information and keeping un-needed stuff out of the way.

Thanks for the up-to-date content David!

I never bothered much with networking, I know TCP, UDP, basics of most low level protocols, have a general idea about the application level ones, but that's about it. This could still be followed by me, and contained a lot of great info. Good job, guys!

Thank you for this technical awareness video. I was totally unaware of these changes. David Bombal keeping it real and relevant

Superb presentation / interview. Very interesting, clearly explained, and very nice work on the editing too!

This is a wonderful educational video! Accessible yet deep, an hour just flew by. Excellent and of course incredibly well-placed presenter on the effort being described! Great editing (which must have taken a fair amount of work) to place & remove the video heads where and as needed, slowly zoom focus to parts of diagrams & provide insets etc. to just be seamless - and with out toooo much “cuteness” inserts of stock clips for levity. Thoughtful chapter marks making a long video easy to revisit. Just really great. Subscribed!

Informative. Brilliant work as always!

Great job by Robin Marx explaining a complicated topic.

What a nice video! Amazing content! Congrats to both of you! Thanks for sharing!

This is very interesting and Robin Marx is a very capable at conveying the information. Very impressive! Thanks a lot for the info!

Thank you, as a System and Network Administrator, learned a lot for future planning !

Excellent presentation of a highly complex topic, thank you.

Another great video David. It's obvious you put in the time to book relevant guests. 👍

Awesome creation david. You are one of the best technical host too as..It was almost like whenever I would ask a question to myself while watching the video ... david would ask it to the guest. Instant gratification I must say. You are my new guru ..towards my newfound passion ... cheers .. big fan already.

Thank David and your guest. Great video

Great breakdown of info and great interview. Thanks!

Just last week I had an exam for the course Multimedia Networks (studying computer science) and HTTP2/3 / QUIC was a major part of the exam. Happy to see my Professor chose some VERY up to date topics to teach us. Also some of the graphics you guys used were used in my lectures :D

Great explanation of HTT3/QUIC. Thank you.

I love the new format of the channel. wow!

Super nice video! Insane to see what kind of thought goes into designing a new, backwards-compatible protocol standard :)

About 25 years ago I filed for patent on what eventually became "push technology" (The name of the company was PointCast). The patent has long since expired but the concept lives on. I am personally thrilled to have server push as part of the http3 quik standard as it will eventually be deployed everywhere and therefore likely make my original IP one of the most utilized patents worldwide. The only one that is likely to be more ubiquitous is the original csma/cd by Dr Rober Metcalfe (who was my boss at 3com) (and of course TCP by Vinton Cerf). Both of them will be horrified that a mere mortal such as yours truly should even be mentioned next to their names. But I personally am thrilled as it will make me completely insufferable when i mention i t to all of my friends :)

Excellent in-detail presentation and discussion.

Learning about connection migration alone is worth the watch. So much of this will affect how I do my job going forward.

Wow, Robin spoke great in this, I was able to completely follow along and actually learn something

Great video and excellent information, as usual. Cheers.

Worth listening made some notes of it. The thing that i like about this video or channel in general is the perspective and the big picture behind any new emerging tech Thanks David Sir

This is an excellent video, very informative. Thank you!

This was very informative. Thanks guys.

Very interesting. Thank you for this interview.

Great video... very interesting conversion, lots of information

Very interesting and absolutely essential for everyone in web tech to know!

Great Video overall. However the connection ID stuff is a bit contradictory. First you explain, that the connection id is one of very few unencrypted fields in the header, so load balancer and middle boxes can keep the connection persistent even if IPs / Ports change due to the connection migration feature. However the next part explains, that the migrated connection uses a totally different set of connection IDs that have been negotiated previously through the encrypted channel. So how do the load balancers know (as they can't view the encrypted traffic) what to do with the post connection migration connection IDs? For any load balancer this just looks like a 100% new connection!

So... "Trust us, this is secure" (TM)

Thank you for the excellent video!

Exciting stuff! And easy to follow along. Great video! Liked + Subbed

incredible talk! tanks for sharing

Fantastic talk. I learned a lot, thanks!

Fantastic video! Keen to see more like this one David! :D

Great video, thanks David!

Awesome interview and even awesome explainations. I approve this message. 😁

Loved the Video Thanks David !

Thanks for explaining this... awesome vid!

Awesome content David!

That is some seriously interesting and fun sounding stuff to learn and understand :)

This was a well edited video!

All I can think about while listening to this new implementation is.... the number of exploits that will come about. The more things change the more they stay the same.

Excellent presentation.

And all these years I grew up learning "Disable or Block QUIC protocol to force Google Chrome web browsers to use TLS/SSL and guarantee a proper SSL inspection".

thanks for another great video David. awesome stuff

Bro, This channel is just an insane treasure

this is intense but managed to get my aging head around the next gen protocols with the fantastic explanation

Nice work, thank you.

Great information about Quick, thank you.

Bigger problem here! First of, thank you for a wonderful interview! All SSO(single sign on) and most web based access control solutions are not compatible with QUICK. So most banks, internally and on customer side applications will not work with this. Many other big corporation applications will also break. We will have to run in parallel with HTTP2 for dacades before the industry will adapt. Mostly due to the huge funds required to update all the products.

Nice explanation and useful topic to know/learn

The challenge with QUIC is that since there are multiple file streams in one request, ad servers can't be blocked as with TCP since the ad stream may be embedded in a single QUIC request to the FQDN of the main web server. Google and MSFT serve ads from "inside the house" so that tools to block ads based upon FQDN are now bypassed since the ads are just another stream inside the initial QUIC request. That's Evil.

Since QUIC relies on UDP, how are reflection attacks addressed? The packets are huge, compared to TCP handshakes where you can mitigate such attacks from the start. UDP lacks that handshake, isn't that dangerous?

Very eye opening experience

Thanks for the Vid David and Robin great content as usual. Quick question for anyone, I am a little new to networking, but if you could encrypt headers so to bypass middle box "interrogation/interpretation" could an attacker not do the same with malware packets or "bad" packets (as in encrypt the malware so that the firewall will pass it through?). thanks for your responses.

great video, it explains a very complex topic in a simple to follow way. a bit too much meme'ing imho but otherwise perfect. would love to see a deep-dive video about the security implications (firewalling, ssl decrption, etc).

Hello Mr David thanks for the video.

I've already had problems with users of 4K video streams served over QUIC. It would appear some ISPs are either rate limiting or can't handle the large volume of UDP traffic. This results in stuttering video that won't buffer that's basically impossible to diagnose due to the encrypted protocol and being served from CDNs. I think the corps have not given any thought to the real world implications of this change in production environments. It only serves to increase traceability. Its possible to roam TCP connections over an ipsec VPN using mobike and nat-t while still allowing traffic to be inspected and firewalled.

I am excited about QUIC but totally anticipate existing firewall / traffic monitoring vendors to block it because it does make their solution useless. As others have pointed out too, it does also allow for malicious traffic to use QUIC for nefarious purposes - well, I guess the vendors can look for weird usage patterns in the amount of QUIC traffic going out but that's about it, given the absolute majority of the payload, including the headers, is encrypted. What I did want to point out though is that I would imagine QUIC to be susceptible to DDOS attacks and other "common TCP attacks". Basically, with QUIC, traffic is either allowed or blocked, meaning the burden of processing the packets is on the destination server, NOT the routers in between. So I theorize that you can basically bring down a server to an halt by: a) replaying valid packets (sending a valid payload) b) sending long invalid packets (sending an invalid payload) I would imagine both of these would cause a considerable amount of load on the destination server given they wouldn't be blocked by the providers themselves and would be allowed to reach the destination before being interpreted - in fact, I would even go as far as to say that "all the TCP denial of service attacks we've seen over the last 40+ years will be applicable to this" given the server will have the burden of validating ALL traffic at destination. Are there built-in protections against this, David Bombal or Robin Marx? Given the header information is inside the encrypted payload, I don't think there is a way around this?

Fascinating update. Thank you Will other protocols (FTP/SFTP/SMTP/TFTP/DNS) be updated as well?

Great content ❤️

Excellent video, thanks!

Sir david bombal i respect and like your videos you are great👍