QUIC internals: prove it on the wire

Run an HTTP/3 (QUIC) server and a TCP/HTTP-2 baseline, and produce a wire-evidence report that demonstrates the unit's five core mechanisms and quantifies QUIC's CPU-vs-latency tradeoff — every claim backed by a capture, a trace, or a measurement.

• Stand up an HTTP/3 server with a production QUIC stack (Cloudflare quiche, nginx + HTTP/3, Caddy, or a Go/Rust QUIC library) and an equivalent HTTP/2-over-TLS baseline on the same host, both behind TLS 1.3 certificates.
• Capture a fresh QUIC handshake with qlog (RFC 9312) or a packet trace and annotate it: identify the Initial, Handshake, and 1-RTT packets, the CRYPTO frames, and prove the client sent stream data after exactly one round trip — then capture the TCP+TLS baseline and show it took two.
• Open at least three concurrent streams on one QUIC connection, inject ~1% packet loss on the path (tc netem or equivalent), and show in the trace that a STREAM frame loss on one stream stalls only that stream while the others keep delivering. Repeat over HTTP/2 and show all streams stall.
• Demonstrate connection migration: start a transfer, change the client's source address (rebind the socket or switch interface), and capture the same Connection ID arriving from the new address plus the server's PATH_CHALLENGE/PATH_RESPONSE exchange. Confirm the transfer continues without a new handshake.
• Enable 0-RTT resumption and demonstrate the replay risk: capture a 0-RTT Initial carrying a request, replay the captured packet, and show the server processing it twice. Then implement the defense (idempotent-only 0-RTT plus 425 Too Early for a non-idempotent route) and show the replay rejected.
• Benchmark CPU cost: drive both servers at a high bitrate on a fast loopback or LAN link, record QUIC's per-byte CPU and goodput against the TCP baseline, then enable UDP GSO and re-measure to quantify the recovery.
• Verify UDP-block fallback: drop UDP 443 on the path and confirm the client falls back to HTTP/2 over TCP (Alt-Svc racing or explicit fallback), measuring the added latency before TCP wins.

• An annotated handshake artifact (qlog or trace) showing QUIC at 1 RTT and TCP+TLS at 2 RTT to first application byte, with the round trips marked.
• A loss-injection comparison: a trace or metric proving QUIC stalls only the lost stream while HTTP/2 stalls all streams under the same loss, with the per-stream stall times reported.
• A migration capture showing one Connection ID across two source addresses plus the PATH_CHALLENGE/PATH_RESPONSE pair, and confirmation that no re-handshake occurred.
• A before/after for the 0-RTT defense: the replayed request executing twice without the guard, and rejected (or 425 Too Early) with it.
• A CPU-vs-goodput table: QUIC and TCP at the same bitrate, QUIC with and without UDP GSO, with the per-byte CPU overhead and the GSO recovery stated as percentages.
• A one-page deployment recommendation naming which paths (WAN/mobile vs fast LAN) should run QUIC versus TCP, justified by your own handshake, loss, and CPU numbers.