HTTP/3 needs us (and other people) to make firewall changes

June 4, 2021

The other day, I had a little realization:

Today I realized that the growing enabling of HTTP/3 means that we need to allow UDP 443 through our firewalls (at least outbound), not just TCP 443. Although in the mean time, blocking it shields our users from any HTTP/3 issues. (Which happen.)

Like many places, our network layout has firewalls in it, in fact quite a lot of them. We have a perimeter firewall, of course, then we have firewalls between our internal subnets, our wireless network has a firewall, and our VPN servers have their own set of firewall rules. All of our firewalls have restrictions on outbound traffic, not just inbound traffic.

For obvious reasons, all of our firewalls allow outbound traffic to TCP port 443 (and port 80, and a number of others). However, some of them don't allow outbound traffic to UDP port 443, because there's been no protocol that used that. Until now. HTTP/3 uses QUIC, which runs over UDP, and so it thus generates traffic to UDP port 443. Right now any such traffic is probably not getting through.

Google's Chrome has enabled HTTP/3 (and QUIC) for some time, Firefox enabled HTTP/3 by default in Firefox 88, and Microsoft Edge has also had it for a while (Apple's Safari has yet to enable it by default). All of those browsers will now be sending traffic to UDP port 443 under the right circumstances, or at least trying to; while our firewalls block that traffic, they're not getting very far. I don't know how HTTP/3 implementations behave here, but I wouldn't be surprised if this creates at least a little bit of a slowdown.

(Of course this may shield people from a great deal of slowdown if HTTP/3 appears to work more.)

We're not the only places who are going to need to update firewalls to enable outbound UDP port 443, of course. But I suspect that Google (the originators of the whole QUIC idea) has studied this and determined that there are fewer firewall blocks in the way than I might expect.

Eventually we may also want to enable inbound UDP to port 443, so that people can run web servers that support HTTP/3. But that will probably take much longer, because server support is apparently rather lacking right now (based on the Wikipedia list). So far most of the web servers we run don't even have HTTP/2 enabled yet, for various reasons.

Written on 04 June 2021.
« New versions of Bash (and readline) default to special handling of pasting into the shell (or other programs)
The case of the very old If-Modified-Since HTTP header »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Fri Jun 4 23:54:52 2021
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.