A QUICker SASE client: re-building Proxy Mode
Summary
The article outlines the challenges security teams face when implementing proxy modes in SASE environments, in particular the performance penalty of terminating TCP inside the client. It details the transition from a WireGuard-based L3 architecture, in which IP packets were tunneled and reassembled by the smoltcp user-space TCP stack, to a QUIC-based solution that proxies connections directly at L4. By carrying tunnels over QUIC and HTTP/3, the new architecture removes the smoltcp translation layer and improves user experience through QUIC's congestion control and per-stream flow control. The result is significantly higher download and upload throughput and lower latency, which matters most for high-bandwidth applications and for zero trust deployments where all traffic must traverse the proxy.
Key Learnings
1. Moving from L3 to L4 proxying over QUIC drastically improves performance by eliminating the packet-to-stream translation layer that an L3 tunnel requires.
2. HTTP/3's stream multiplexing suits modern web traffic and holds up better in high-demand scenarios than a single tunneled TCP connection.
3. The architectural shift not only improves speed but also exposes QUIC parameters that can be tuned for different network environments.
4. Removing smoltcp means the client no longer terminates TCP in a user-space stack; local connections are handled by the operating system's native TCP stack and carried to the edge over QUIC.
5. The update targets common zero trust use cases, so routing every connection through the proxy no longer comes at the cost of performance.
Who Should Read This
Senior Network Engineers and Security Architects optimizing SASE solutions for performance and security in enterprise environments.
Test Your Knowledge
What are the specific performance limitations of using smoltcp in a SASE proxy environment?
How does the architectural shift to QUIC improve congestion control compared to traditional TCP implementations?
What trade-offs were considered when deciding to deprecate WireGuard in favor of QUIC for proxy mode?
In what scenarios might the new QUIC-based proxy mode still face performance challenges?
How can the parameters of QUIC be tuned to optimize performance for different types of web traffic?
What implications does the shift to direct L4 proxying have on the overall security posture of a zero trust environment?
More articles about TCP
QUIC at Snapchat - Snap Engineering
The article discusses Snapchat's implementation of the QUIC protocol to improve network performance for its users. QUIC, developed by Google, serves as a replacement for the traditional TCP+TLS+HTTP2...
How to build your own VPN, or: the history of WARP
The article outlines the development of WARP, a mobile-first performance and security application by Cloudflare, which utilizes Linux's networking stack to create a high-performance VPN. It details...
Measuring characteristics of TCP connections at Internet scale
This article explores the characteristics of TCP connections on a global scale, particularly focusing on data collected from Cloudflare's CDN. It discusses the significance of understanding...
BGP zombies and excessive path hunting
The article delves into the phenomenon of BGP zombies, which are routes that persist in the Default-Free Zone despite being withdrawn, causing operational issues for network operators. It explains...
Fresh insights from old data: corroborating reports of Turkmenistan IP unblocking and firewall testing
The article discusses the recent unblocking of over 3 billion IP addresses in Turkmenistan and the implications of this event on internet traffic and firewall behavior. It leverages historical data...
More from Cloudflare Engineering
Complexity is a choice. SASE migrations shouldn’t take years.
The article emphasizes the shift in the cybersecurity landscape regarding SASE migrations, arguing that complexity is a choice rather than an inevitability. It showcases how Cloudflare's SASE...
Active defense: introducing a stateful vulnerability scanner for APIs
The article introduces Cloudflare's new stateful vulnerability scanner designed specifically for APIs, addressing the limitations of traditional defensive security measures. It highlights the...
Fixing request smuggling vulnerabilities in Pingora OSS deployments
The article addresses critical HTTP/1.x request smuggling vulnerabilities identified in the Pingora open source framework, particularly when deployed as an ingress proxy. It outlines the nature of...
From the endpoint to the prompt: a unified data security vision in Cloudflare One
The article outlines Cloudflare One's evolution in data security, emphasizing a unified approach that encompasses protection in transit, visibility and control at rest, and enforcement in use. It...
How Automatic Return Routing solves IP overlap
The article discusses how Automatic Return Routing (ARR) addresses the challenges of IP address overlap in enterprise networks, particularly in scenarios involving mergers, extranet connections, and...