Internet censors often rely on information in the first few packets of a connection to censor unwanted traffic. With the rise of the QUIC transport protocol, prior work has suggested using QUIC connection migration to conceal the first few handshake packets by sending them over a different network path (e.g., an encrypted proxy channel). However, the use of connection migration for censorship circumvention has not been explored or validated in terms of feasibility or performance. We bridge this gap by providing a rigorous quantitative evaluation of this approach, which we name QUICstep. We develop a lightweight, application-agnostic prototype of QUICstep and demonstrate that QUICstep is able to circumvent a real-world QUIC SNI censor. We find that QUICstep not only outperforms a fully encrypted channel in diverse settings but also can significantly reduce traffic load for encrypted channel providers. We also propose using QUICstep as a tool for measuring QUIC connection migration support in the wild and show that support for connection migration is on the rise. While QUIC and connection migration support are currently limited, we envision that QUICstep can be a useful tool for a future in which QUIC is the de facto norm for the Internet.
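To make the abstract's two claims concrete (a first-packets SNI censor sees the hostname in the handshake, and splitting only the handshake onto the proxy path proxies far fewer bytes than a full tunnel), here is an added toy model. It is example code written for this page, not the QUICstep prototype and not a QUIC implementation: it builds and parses a minimal TLS 1.3 ClientHello with an SNI extension, then simulates three connection modes as lists of packets tagged with the path they traverse. The `Packet` and `make_connection` helpers, the `BLOCKLIST`, and the packet sizes are constructed assumptions; in particular the model treats the Initial packet's CRYPTO payload as a readable ClientHello, standing in for the fact that QUIC Initial packets are protected with keys any on-path observer can derive from the connection ID.

```python
"""Toy model of a first-packets SNI censor versus the QUICstep path split (added example)."""
import os
import struct
from dataclasses import dataclass

BLOCKLIST = {"blocked.example"}  # constructed blocklist for the toy censor


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.3 ClientHello carrying only an SNI extension.
    Constructed for the example; real ClientHellos carry many more extensions."""
    name = server_name.encode("ascii")
    # server_name_list: list_len(2) name_type(1)=host_name name_len(2) name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", 0, len(sni_body)) + sni_body  # ext type 0 = server_name
    body = (
        b"\x03\x03" + os.urandom(32)            # legacy_version, random
        + b"\x00"                                # legacy_session_id (empty)
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # legacy_compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    return b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello


def parse_sni(client_hello: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed.
    This is the signal a first-packets SNI censor keys on."""
    try:
        if client_hello[0] != 1:
            return None
        pos = 4 + 2 + 32                              # handshake header, version, random
        pos += 1 + client_hello[pos]                  # legacy_session_id
        (cs_len,) = struct.unpack_from("!H", client_hello, pos)
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + client_hello[pos]                  # legacy_compression_methods
        (ext_len,) = struct.unpack_from("!H", client_hello, pos)
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", client_hello, pos)
            pos += 4
            if etype == 0:
                ntype, nlen = struct.unpack_from("!BH", client_hello, pos + 2)
                if ntype == 0:
                    return client_hello[pos + 5: pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


@dataclass
class Packet:
    path: str       # "direct" or "proxy" (constructed model, not real routing)
    kind: str       # "initial", "handshake" or "1rtt"
    payload: bytes  # what an observer on that path can read


def censor_verdict(packets):
    """First-packets SNI censor on the direct path. It never sees proxy-path bytes
    (to it they are tunnel ciphertext) and can only read the ClientHello from an
    Initial packet; 1-RTT packets are opaque application data."""
    for p in packets:
        if p.path != "direct" or p.kind != "initial":
            continue
        sni = parse_sni(p.payload)
        if sni in BLOCKLIST:
            return "blocked", sni
    return "allowed", None


def make_connection(server_name: str, mode: str, app_bytes: int = 4000):
    """mode: 'direct' (no circumvention), 'quicstep' (handshake via proxy, then
    migrate to the direct path) or 'tunnel' (everything via the proxy)."""
    hs_path = "direct" if mode == "direct" else "proxy"
    app_path = "proxy" if mode == "tunnel" else "direct"
    pkts = [Packet(hs_path, "initial", build_client_hello(server_name)),
            Packet(hs_path, "handshake", os.urandom(600))]   # constructed size
    pkts += [Packet(app_path, "1rtt", os.urandom(1200)) for _ in range(app_bytes // 1200)]
    return pkts


def proxy_load_fraction(packets) -> float:
    """Share of connection bytes the encrypted-channel provider has to carry."""
    total = sum(len(p.payload) for p in packets)
    return sum(len(p.payload) for p in packets if p.path == "proxy") / total


if __name__ == "__main__":
    for mode in ("direct", "quicstep", "tunnel"):
        conn = make_connection("blocked.example", mode)
        print(mode, censor_verdict(conn), round(proxy_load_fraction(conn), 2))
```

Running it shows the direct connection blocked on its Initial packet, while the QUICstep and full-tunnel connections are allowed; the proxy-load numbers show why the abstract's second claim matters, since QUICstep's proxy only carries the handshake packets and the application data migrates to the direct path.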