Networking & Protocols
0-RTT resumption and packet encryption
Crux QUIC''''s 0-RTT resumption lets clients piggyback data on the first packet — but without replay protection. Almost-full packet encryption eliminates passive sniffing and RST injection at the cost of operational opacity.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitA user revisits a site they visited yesterday. Their browser has a session ticket. QUIC sends the HTTP request in the very first packet — zero round trips — before the server even responds. But if an attacker intercepts and replays that first packet, the server will execute the request twice.
0-RTT resumption mechanics
On subsequent connections to the same server, the client can reuse a cached session ticket — a blob of encrypted TLS state the server issued at the end of the previous connection. The client includes this ticket in the ClientHello and attaches application data (0-RTT data) in the same Initial packet.
The server receives the Initial, decrypts the session ticket (which contains the resumption keys), and can immediately process the 0-RTT data — without waiting for a full handshake.
Latency: 0 RTT before the server processes the first request. On a 100 ms link, this is 100 ms saved on a reconnection — on top of the 100 ms already saved by the 1-RTT handshake vs. TCP+TLS.
The replay vulnerability
0-RTT data is encrypted with the session ticket’s symmetric key. An on-path attacker who captures the Initial packet can replay the entire packet to the server later. Because 0-RTT lacks TLS record-level replay protection, the server will receive and process the replayed request.
Concrete attack: Alice sends POST /api/transfer amount=5000 from=alice to=bob in 0-RTT. An attacker captures and replays the packet. The server executes the transfer twice: Alice loses 10,000 instead of 5,000.
The defense:
- Restrict 0-RTT to idempotent requests only. GET, HEAD, and safe operations are safe — replaying them produces the same result. POST, DELETE, and state-changing operations must wait for 1-RTT keys.
- 425 Too Early response. When the server forwards 0-RTT to an origin backend it includes an
Early-Data: 1header. The origin can respond425 (Too Early)forcing the client to retry after the full handshake (RFC 8470). - Session ticket isolation. Servers should not share session ticket keys across data centers — a ticket from Server A should only be valid on Server A. Short ticket lifetimes (1–24 hours) limit the replay window.
Trace it
1/5 Trace a QUIC 0-RTT attack and the defense.
1
Step 1 of 5
Client connects to server.example.com and receives a session ticket. Later it opens a new connection with 0-RTT data in ClientHello: POST /api/transfer amount=5000 from=alice to=bob.
The client and server negotiate the connection. The server sends Finished. The 0-RTT POST is on the wire, encrypted but without replay protection in the TLS record.
2
Locked
An on-path attacker captures the entire Initial packet containing the 0-RTT POST. What can the attacker do?
The attacker can replay the entire packet to the server. Because 0-RTT lacks TLS record-level replay protection, the server will receive and process the POST request again.
3
Locked
The server executes the same transfer twice. How does the server defend against this?
By rejecting the 0-RTT POST entirely OR accepting only idempotent requests (GET, HEAD) in 0-RTT. Non-idempotent requests in 0-RTT must wait for the 1-RTT keys and Finished message before processing, or be answered with 425 (Too Early) forcing a retry.
4
Locked
The server forwards the 0-RTT to an origin backend. What header must it include?
Early-Data: 1, signaling to the origin that this request came from 0-RTT. The origin can respond 425 (Too Early) forcing the client to retry after handshake, or accept it if the request is idempotent.
5
Locked
Can the attacker replay the same 0-RTT packet to a different server (example.com's backup replica)?
Yes, if both servers share the same session ticket key. This is why servers should NOT share session ticket keys across data centers — ticket keys should be short-lived, per-server, and rotated frequently.
✓ Traced.
Almost-full packet encryption
TCP headers are cleartext — source/dest IP, ports, sequence numbers are all visible to any observer. QUIC encrypts almost everything:
Long-form headers (handshake and Initial packets):
- Unencrypted: outermost 4 bytes (version + connection ID length) and the Connection ID itself.
- Encrypted: packet number, payload — using the appropriate level’s key.
Short-form headers (post-handshake packets):
- Carry only the connection ID and encrypted packet number + payload.
- Almost entirely opaque to observers.
Security consequences:
- An on-path attacker cannot inject RST packets — they cannot construct a valid encrypted packet without the 1-RTT key. TCP’s RST injection vulnerability is eliminated.
- Passive sniffing of stream contents is eliminated — all stream data is 1-RTT encrypted.
- Traffic analysis based on sequence numbers is impossible without decryption.
Operational consequence: tcpdump of QUIC traffic shows only opaque blobs. Network engineers cannot count HTTP requests per endpoint, identify slow clients, or detect misbehavior at the packet level without application-level instrumentation.
QUIC vs TCP: what is visible to a network observer
TCP (cleartext)
Source / Dest IP: visible
Source / Dest Port: visible
Sequence numbers: visible
SYN/FIN/RST flags: visible
TLS payload: encrypted (if TLS)
QUIC (post-handshake)
Source / Dest IP: visible (IP header)
UDP Port: visible
Connection ID: visible
Packet number: encrypted
Payload / stream data: encrypted
Quiz
Completed
In QUIC, why is 0-RTT data vulnerable to replay but TCP Fast Open (TFO) is not?
Heads-up 0-RTT is encrypted; the vulnerability is that the same ciphertext can be sent to the server twice.
Heads-up The replay protection issue is at the TLS layer, not the UDP or TCP transport layer.
Heads-up QUIC 0-RTT is safe for idempotent requests if the server enforces it and isolates session ticket keys.
Quiz
Completed
Why does QUIC's almost-full packet encryption break traditional network monitoring?
Heads-up QUIC typically uses port 443 (same as HTTPS). The issue is payload opacity, not unknown ports.
Heads-up tcpdump can capture QUIC packets; the issue is that their contents are encrypted and cannot be analyzed without decryption.
Heads-up QUIC packets are not compressed by default. The opacity comes from encryption, not compression.
Which RFC?
Completed
Which RFC standardizes the 425 (Too Early) HTTP response code and the Early-Data header used to protect against 0-RTT replay?
Edge cases
Comparing 0-RTT replay defence to TCP Fast Open: TCP Fast Open stores a cookie issued by the server, which includes a server-computed HMAC and TTL. The server validates the cookie at request time — if expired, TFO is rejected and a standard handshake is forced. This built-in temporal validation protects TFO from replay without application involvement. QUIC’s 0-RTT lacks this: the session ticket’s validity is controlled by the ticket lifetime, and within that lifetime the ciphertext can be replayed. This is why RFC 9001 mandates application-level idempotency enforcement rather than relying on TLS for replay protection.
- 0-RTT latency saving on reconnect
- 100 ms on 100 ms link
- 0-RTT replay risk
- any non-idempotent request
- Packet types with long headers
- Initial, 0-RTT, Handshake, Retry
- Packet types with short headers
- 1-RTT (post-handshake)
- TCP RST injection surface eliminated
- yes (no valid RST constructable)
- 01Explain why QUIC's 0-RTT is vulnerable to replay but TCP Fast Open is not.
- 02What is the 425 Too Early response code and when should an origin server send it?
- 03Why does QUIC's almost-full packet encryption break traditional packet-level network monitoring?
Recap
0-RTT resumption uses a cached session ticket to attach application data to the ClientHello — zero round trips for reconnected clients. The cost is replay vulnerability: an on-path attacker can capture and replay the 0-RTT ciphertext, executing non-idempotent operations twice. The defense is three-part: restrict 0-RTT to safe/idempotent requests, use the 425 Too Early mechanism for non-idempotent cases forwarded by proxies, and isolate session ticket keys per server to prevent cross-datacenter replay. QUIC’s almost-full packet encryption goes beyond what TLS alone provides: short-form headers encrypt packet numbers and all stream data, preventing RST injection attacks and making passive sniffing impossible. The trade-off is operational opacity — network engineers must instrument at the application layer rather than the packet layer.
Connected lessons
appears again in258
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- The journey of a request: seven stops from socket to responsejunior
- Accept and parse: from kernel queue to a typed requestmiddle
- Routing and middleware: choosing what runs, and in what ordermiddle
- Handler and response: from business logic to bytes on the wiremiddle
- Streaming and backpressure: when the client reads slower than you writesenior
- Timeouts and tail latency: budgets, deadlines, and the fan-out trapsenior
- Middleware and DI: the two patterns that shape every backendjunior
- Writing middleware: signatures, next(), and the three framework modelsmiddle
- Inversion of control: how dependencies reach a classmiddle
- DI scopes and lifecycles: singleton, request, transientmiddle
- DI as a testing seam: fakes, mocks, and the boundary that matterssenior
- DI containers in production: resolution graphs, circular deps, and when not tosenior
- Blocking vs non-blocking I/O: two ways to waitjunior
- The event loop: one thread, ordered phasesmiddle
- What blocks the loop: CPU work and sync callsmiddle
- Offloading CPU work: worker threads and the libuv poolmiddle
- Backpressure and bounded concurrencysenior
- Throughput under load: tail latency and saturationsenior
- Why pool: the cost of creating a connectionjunior
- Pool sizing: why bigger is not fastermiddle
- Acquisition and timeouts: the wait queue is the real latency dialmiddle
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Retry strategies: backoff, jitter, and thundering herdmiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Timer accuracy, throttling, and idle workmiddle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- Service worker lifecycle and cache strategiesmiddle
- Service worker edge cases: version skew, durability, and navigation trapssenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- LCP: four phases, one dominant costmiddle
- INP: input delay, processing, presentationmiddle
- CLS: why layout shifts happen and how to stop themmiddle
- Lab vs field: why the two disagree and how to use eachmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- What an index is and how it speeds up queriesjunior
- The leading-column rule and composite index designmiddle
- Partial, expression, and covering indexesmiddle
- Index types: GIN, GiST, BRIN, Hash, Bloom, and HOT updatesmiddle
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- Index design exercise: full-text search strategysenior
- EXPLAIN and execution plans: what the planner decides and whyjunior
- Scan types: Seq, Index, Bitmap, Index-Onlymiddle
- Join algorithms and the row-estimate cascademiddle
- pg_statistic, ANALYZE, and production observabilitymiddle
- Extended statistics: fixing correlated-column estimate failuressenior
- Plan cache, cost-constant tuning, and planner internalssenior
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- What the three signals are: logs, metrics, and tracesjunior
- Metrics and cardinality: the cost model of a time-series databasemiddle
- Logs and volume: the cost model of structured loggingmiddle
- Traces and sampling: the cost model of distributed tracingmiddle
- Join keys and exemplars: making the three signals composemiddle
- Observability 2.0: wide events and the cost shiftsenior
- Failure modes and engineering practice: cardinality budgets, PII, and samplingsenior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- Log levels and alert routingmiddle
- Sampling strategies and log costmiddle
- PII redaction and log injectionsenior
- Trace context propagation in logssenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- OTel signals, Semantic Conventions, and the OTLP wire formatmiddle
- Auto-instrumentation and manual spans: the 80/20 of OTelmiddle
- The OTel Collector: receivers, processors, exporters, and deployment patternsmiddle
- Sampling strategies: head, tail, and parent-basedmiddle
- Vendor neutrality, eBPF instrumentation, the Operator, and browser/serverless OTelsenior
- Operating the OTel Collector: reliability, version skew, failure modes, and governancesenior
- RED and USE: two checklists, one triage disciplinejunior
- Instrumenting RED in Prometheus: counters, histograms, and cardinality disciplinemiddle
- USE on Linux: CPU, memory, disk, network, and PSImiddle
- Golden signals, dashboard layout, and service mesh auto-REDmiddle
- Cardinality as a cost driver: labels, PII, exemplars, and samplingmiddle
- Native histograms, SLO tie-in, and production failure patternsmiddle
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Choosing SLIs and SLO targets: ratios, not feelingsmiddle
- Multi-window multi-burn-rate alerting: why AND beats ORmiddle
- Error budget policy, latency SLOs, and composite journeysmiddle
- Iceberg SLIs, composite SLO math, and SLA vs SLOsenior
- Production SLO failures, self-observability, security, and the big picturesenior
- Flame graphs: reading the picture that shows where time goesjunior
- Sampling vs instrumentation profiling: why 99 Hz wins in productionmiddle
- Profile types: CPU, memory, off-CPU, mutex — which one to reach formiddle
- Continuous profiling: always-on flame graphs with eBPF and trace-id correlationmiddle
- How flame graphs are built from samples, and the production workflows that use themmiddle
- Linux perf, eBPF internals, PGO, and the limits of samplingsenior
- Profiling in production: security, war stories, OTel profiles, and the infrastructure designsenior
- The debugging funnel: SLO → RED → trace → profilejunior
- OTel architecture: one SDK, four signals, one wire formatmiddle
- Cost discipline: keeping observability under 5% of infra spendmiddle
- The incident loop: from pager to postmortem to preventionmiddle
- Scale, security, and the ROI of observable systemssenior
- Why profile first: measure where time actually goesjunior
- Amdahl''''s law and self-time: the ceiling on every speedup you can shipmiddle
- The measurement loop: microbench, macrobench, prod profile, observer effectmiddle
- Reading flame graphs: shapes, per-language profilers, and the 60-second scanmiddle
- Statistical baselines: why one run is not a measurementmiddle
- Profiler history and microbenchmark pitfalls: Knuth to GWPsenior
- Hardware counters, cold-start profiles, and profile securitysenior
- Continuous profiling at scale: costs, CI gates, trace correlation, and anti-patternssenior
- What makes a hot path: symptom vs causejunior
- Five shapes of hotspot: CPU, alloc, cache, lock, syscallmiddle
- Reading parent and child chains: where to apply the fixmiddle
- JIT deopt, the fix-and-verify loop, and PR-time profilingmiddle
- Hardware counters and Intel TMA: sub-category diagnosissenior
- False sharing and native-bridge hot pathssenior
- Hot paths in production: security, tail latency, and tooling lineagesenior
- Memory hierarchy: why the same O(N) loop can be 17x slowerjunior
- Row-major vs column-major: access order and the 9x gapjunior
- Cache lines, struct layout, and false sharingmiddle
- Branch prediction and branchless codemiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Hardware prefetcher, TLB, and memory-level parallelismsenior
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC basics: what the runtime taxes you forjunior
- GC algorithms: generational, concurrent, and per-runtimemiddle
- GC tradeoffs: pause, throughput, heap — and object poolingmiddle
- GC tuning: pacing, heap shape, and allocation observabilitymiddle
- GC internals: tri-color invariant, write barriers, and per-runtime deep-divessenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- N+1: one logical operation, many round-tripsjunior
- Fix families: JOIN, IN, preload, and DataLoadermiddle
- Detecting N+1: query logs, APM traces, and CI gatesmiddle
- DataLoader: batching across resolver treesmiddle
- Cross-protocol N+1: HTTP fan-out and Redis MGETmiddle
- N+1 at scale: pool exhaustion, plan changes, and denormalisationsenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- What a bundle actually costs: download, parse, compile, executejunior
- Core Web Vitals: LCP, INP, and CLSmiddle
- Code splitting: route-level, component-level, vendor splittingmiddle
- Tree shaking and compression: removing what you don''''t usemiddle
- Third-party scripts: the silent budget killermiddle
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior
- What OAuth is and why passwords are not the answerjunior
- Authorization code flow with PKCEmiddle
- ID token validation and JWKS cache managementmiddle
- Refresh token rotation and scope-based least privilegemiddle
- Sender-constrained tokens: DPoP and mTLSsenior
- OAuth in production: audience attacks, observability, and real failuressenior