Stateful middleboxes are an integral part of enterprise and campus networks, providing essential in-network security and value-added services. These stateful middleboxes rely on precise network flow identification. However, the adoption of HTTP/3, which runs over the QUIC protocol, poses significant challenges to the proper functioning of these devices: QUIC's encryption and connection migration features obscure flow semantics, disrupting middlebox visibility and functionality. We examine how QUIC disrupts middleboxes such as Network Address Translators (NATs), rate limiters and load balancers, and how it affects Kubernetes-based service deployments. To address these challenges, we propose a novel, generalized framework that enables stateful middleboxes to reliably track QUIC connections even when the endpoints change their Internet Protocol (IP) address or port numbers. Our prototype implementation demonstrates that the proposed approach preserves middlebox functionality with HTTP/3 at a negligible performance overhead (< 5%) on both throughput and latency, and works effectively even under high QUIC connection migration rates of up to 100 Hz.
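As an added illustration (not code from the paper, whose framework is not reproduced here), the following Python simulates a stateful middlebox that keys its flow table either on the UDP 5-tuple or on the QUIC Destination Connection ID parsed from the packet header, over a constructed trace in which the client migrates to a new address mid-connection. It assumes, for simplicity, that a single 8-byte connection ID is kept for the whole connection; real endpoints are expected to switch to a fresh connection ID when they migrate, so connection-ID matching alone is not a complete answer.

```python
# Added example: 5-tuple versus connection-ID flow tracking across a QUIC
# connection migration. Header layouts follow RFC 9000; everything else
# (addresses, CID value, handshake simplification) is constructed.

DCID_LEN = 8  # assumed: learned from the long header during the handshake


def build_long_header(dcid: bytes) -> bytes:
    # flags (0xC0 = long header, fixed bit) | version (4) | dcid_len (1) | dcid | scid_len = 0
    return bytes([0xC0]) + b"\x00\x00\x00\x01" + bytes([len(dcid)]) + dcid + b"\x00"


def build_short_header(dcid: bytes) -> bytes:
    # flags (0x40 = fixed bit) | dcid | packet number / ciphertext (stubbed as zeros)
    return bytes([0x40]) + dcid + b"\x00" * 4


def parse_dcid(payload: bytes, short_dcid_len: int) -> bytes:
    """Return the DCID of a QUIC packet.

    Long headers (bit 7 set) self-describe the DCID length; short headers do
    not, so a middlebox must already know the length from the handshake.
    """
    if payload[0] & 0x80:
        dcid_len = payload[5]            # after the 1-byte flags and 4-byte version
        return payload[6:6 + dcid_len]
    return payload[1:1 + short_dcid_len]


def five_tuple_key(pkt: dict) -> tuple:
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def cid_key(pkt: dict) -> bytes:
    return parse_dcid(pkt["payload"], DCID_LEN)


def run_middlebox(packets: list, key_fn) -> dict:
    """Simulate a stateful middlebox: packets counted per flow-table entry."""
    table: dict = {}
    for pkt in packets:
        table[key_fn(pkt)] = table.get(key_fn(pkt), 0) + 1
    return table


def constructed_trace() -> list:
    dcid = bytes.fromhex("a1b2c3d4e5f60718")  # constructed sample connection ID
    before = dict(src="198.51.100.7", sport=50000, dst="203.0.113.10", dport=443)
    after = dict(src="198.51.100.99", sport=50001, dst="203.0.113.10", dport=443)  # client moved
    return [{**before, "payload": build_long_header(dcid)},
            {**before, "payload": build_short_header(dcid)},
            {**after, "payload": build_short_header(dcid)},
            {**after, "payload": build_short_header(dcid)}]


def flow_count(key_fn) -> int:
    return len(run_middlebox(constructed_trace(), key_fn))


if __name__ == "__main__":
    print("5-tuple flows:", flow_count(five_tuple_key))  # 2: state is split by the migration
    print("CID flows:", flow_count(cid_key))             # 1: state follows the connection
```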