Networking & Protocols
QUIC internals: multiple-choice review
Crux Multiple-choice synthesis across the QUIC unit — user-space transport, stream independence, migration, the 1-RTT and 0-RTT handshake, encryption, and deployment CPU cost.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitSix questions that cut across the whole unit. Each mirrors a real decision — when QUIC wins, when TCP wins, and what the design buys and costs — not a definition to recite.
Goal
Confirm you can connect the pieces: why QUIC lives in user space, what stream independence and Connection IDs actually buy, where the 1-RTT and 0-RTT handshakes save and where 0-RTT bites, and why the same protocol that wins on mobile loses on a fast LAN.
Quiz
Completed
Two services both serve HTTP. One is an intercontinental API (small payloads, 120 ms RTT, ~1% mobile loss); the other streams 1 Gbps static assets to LAN clients. You can run HTTP/3 (QUIC) or HTTP/2 (TCP) on each. What is the right pairing and why?
Heads-up On a fast LAN QUIC's per-packet AES-GCM and user-space framing make CPU the bottleneck before the link fills; goodput falls ~45% and there is no head-of-line benefit on a near-lossless short path. Newer is not faster everywhere.
Heads-up On the 120 ms lossy API path the network, not CPU, is the bottleneck, so QUIC's overhead is invisible while its 1-RTT handshake and stream independence cut real latency. Overhead only bites where CPU saturates first.
Heads-up This inverts the tradeoff. QUIC helps where round trips and loss dominate (the API); TCP's kernel offload (kTLS, GSO, RSS) wins where you push bytes fast on a clean link (the LAN assets).
Quiz
Completed
An HTTP/2-over-TCP service and an HTTP/3-over-QUIC service both multiplex three concurrent responses. At 0.5% packet loss and 100 ms RTT, one packet carrying response B is dropped. What happens to responses A and C, and why?
Heads-up HTTP/2 multiplexes at the HTTP layer but rides one ordered TCP stream, so loss blocks all of it. QUIC moves multiplexing into the transport, giving each stream its own ordering — that is exactly the HoL fix the unit is about.
Heads-up HTTP/2 multiplexing cannot help: the blocking is at the TCP transport beneath it. Only QUIC, which owns the transport, can isolate streams under loss.
Heads-up QUIC retransmits only the lost STREAM frame for B; A and C are untouched and the connection never resets. Per-stream recovery is the entire point.
Quiz
Completed
A user walks out of the office; their phone hands off WiFi to LTE mid-download. The QUIC connection survives but TCP would have died. What carries the connection across the IP change, and what does the server do before trusting the new address?
Heads-up No new handshake happens. All stream, flow-control, and congestion state survive because the Connection ID — not the IP — identifies the session. A re-handshake would lose exactly that state.
Heads-up UDP packets still carry a source IP, and a blind switch would open a reflection-amplification vector. QUIC must validate the new path via PATH_CHALLENGE/PATH_RESPONSE and throttle to 3x until then.
Heads-up Keep-alives only stop an idle connection from timing out; they cannot preserve a connection whose 4-tuple changed. Connection-ID-based identity is what survives the migration.
Quiz
Completed
Your team enables 0-RTT resumption to shave a round trip off reconnects. A week later, finance reports occasional duplicate fund transfers. What is the mechanism and the correct fix?
Heads-up 0-RTT is encrypted with the session-ticket key; the attacker cannot read it. The flaw is that the same ciphertext can be replayed and re-processed — a replay, not a disclosure, problem.
Heads-up Disabling 0-RTT outright throws away the latency win it was enabled for. The standard fix is idempotency enforcement plus 425 Too Early, which keeps 0-RTT for safe requests.
Heads-up Congestion control has nothing to do with this. Duplicate transfers come from replayed 0-RTT early data executing a non-idempotent operation twice.
Quiz
Completed
After moving to HTTP/3, your network team complains that their packet-level dashboards (per-flow request counts, RTT histograms, slow-client detection) have gone dark, and they can no longer inject an RST to kill a misbehaving flow at the middlebox. How do you read this?
Heads-up QUIC deliberately encrypts almost the whole packet end to end; a passive monitor has no keys and is not meant to. The opacity is by design, not a config error.
Heads-up QUIC runs on UDP 443. The metadata is missing because it is encrypted, not because the port is hidden — changing ports changes nothing.
Heads-up Both are gone for the same reason: packet numbers and payload are encrypted, so neither request accounting nor a forged RST is possible without the key. Loss of RST injection is actually a security win.
Quiz
Completed
A colleague argues QUIC is strictly superior to TCP because 'it runs in user space, so it is faster.' Where is the reasoning wrong, and what does user-space placement actually buy?
Heads-up User-space QUIC adds syscalls (one sendmsg per datagram without GSO) and loses NIC crypto offload, so it is slower per byte. Its advantage is agility and HoL-free streams, not throughput.
Heads-up QUIC runs in user space by design — that is the source of both its CPU cost and its ability to evolve without kernel updates. The location is right; the 'faster' conclusion is what is wrong.
Heads-up QUIC encrypts more than TCP, not less — almost the entire packet, per packet. The CPU cost is higher, and the payoff is evolution speed and stream independence.
Recap
The unit resolves to one judgment call: QUIC trades CPU for latency and resilience. User-space placement buys evolvability (pluggable CC, no ossification) at 15–30% more CPU per byte; stream independence kills head-of-line blocking under loss; Connection IDs survive network migration with path validation and a 3x anti-amplification guard; the merged 1-RTT handshake saves a round trip and 0-RTT saves another at the price of replay (idempotent-only, 425 Too Early); near-full encryption stops RST injection and sniffing but blinds packet-level monitoring. Reach for QUIC on round-trip-bound, lossy, mobile paths — keep TCP where a fast clean link makes CPU the bottleneck.