Issue type: Spike
Resolution: Won't Do
To route IP traffic between pods and services on different clusters, Submariner requires a point-to-point tunnel between the connected clusters.
The Gateway Engine component deployed in each participating cluster is responsible for establishing tunnels to the other clusters. The Gateway Engine has a pluggable architecture for the cable engine component that maintains the tunnels; existing implementations include IPsec (using Libreswan), WireGuard (using wgctrl), and VXLAN (as an unencrypted alternative).
QUIC is a UDP-based transport protocol, originally developed and deployed by Google and since standardized by the IETF as RFC 9000. It addresses a number of transport-layer and application-layer problems experienced by modern web applications while requiring little or no change from application writers. QUIC itself is an L4 protocol, generally seen as an alternative to TCP, but recent experiments use it to tunnel Ethernet frames or IP packets (see the draft-piraux-quic-tunnel reference below). In practice, this could provide an alternative to the IPsec tunnels Submariner uses today.
QUIC includes encryption and authentication (by reusing the TLS 1.3 handshake, RFC 9001) and is intended for wide use across the internet, so it is unlikely to be filtered in many networks, in contrast with VPN protocols such as IPsec. The caveat is that QUIC runs over UDP (port 443 for HTTP/3), and a network that drops that UDP traffic to force HTTP/3 clients back to TCP would drop a QUIC-based tunnel along with it; on the wire the tunnel framing is inside the encrypted payload, so a firewall or NAT gateway sees only a UDP flow.
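The datagram-mode tunnelling described above, as an added example that is not part of this spike or of Submariner's code base: the framing a QUIC cable driver would apply when it puts one IP packet into one QUIC DATAGRAM frame (the DATAGRAM extension, now RFC 9221), and the MTU budget that comes with it. It assumes the draft's datagram mode carries the raw IP packet as the frame payload with no extra tunnel header, the per-packet QUIC overhead constants are an assumed conservative upper bound rather than values negotiated by real peers, and the sample packet is constructed, not captured. The transport itself (handshake, TLS 1.3, loss recovery, path validation) is left to a QUIC library; only the encapsulation the driver controls is shown.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MTU budget. The 1200-byte floor is RFC 9000 section 14; the overhead is an
// ASSUMED upper bound (1-RTT header: 1 flag byte, up to 20 bytes of connection
// ID, up to 4 packet-number bytes, 16-byte AEAD tag; DATAGRAM frame: 1 type
// byte plus a 2-byte Length). Peers with short connection IDs use less.
const (
	quicMinPathMTU = 1200
	assumedOverhd  = 1 + 20 + 4 + 16 + 1 + 2
	frameDatagram  = 0x31 // DATAGRAM frame with an explicit Length (RFC 9221)
)

// InnerMTU is the largest IP packet one DATAGRAM frame can carry on a path with
// the given MTU. QUIC never fragments these frames, so the tunnel interface MTU
// has to be lowered to this value.
func InnerMTU(pathMTU int) (int, error) {
	if pathMTU < quicMinPathMTU {
		return 0, fmt.Errorf("path MTU %d below QUIC minimum %d", pathMTU, quicMinPathMTU)
	}
	return pathMTU - assumedOverhd, nil
}

// ValidateIPv4 checks that buf is exactly one IPv4 packet whose IHL and Total
// Length agree with the buffer. IPv6 is left out of this example.
func ValidateIPv4(buf []byte) error {
	if len(buf) < 20 || buf[0]>>4 != 4 {
		return errors.New("not an IPv4 packet")
	}
	ihl, total := int(buf[0]&0x0f)*4, int(binary.BigEndian.Uint16(buf[2:4]))
	if ihl < 20 || total < ihl || total != len(buf) {
		return fmt.Errorf("ihl=%d total=%d disagree with %d bytes", ihl, total, len(buf))
	}
	return nil
}

// Encapsulate puts one IP packet into one DATAGRAM frame. The Length is always
// the 2-byte variable-length integer form (RFC 9000 section 16), which covers
// anything up to the MTU. Oversized packets are refused rather than split;
// lowering the interface MTU is the right fix.
func Encapsulate(pkt []byte, pathMTU int) ([]byte, error) {
	limit, err := InnerMTU(pathMTU)
	if err != nil {
		return nil, err
	}
	if err := ValidateIPv4(pkt); err != nil {
		return nil, err
	}
	if len(pkt) > limit {
		return nil, fmt.Errorf("%d-byte packet exceeds tunnel MTU %d", len(pkt), limit)
	}
	hdr := []byte{frameDatagram, byte(len(pkt)>>8) | 0x40, byte(len(pkt))}
	return append(hdr, pkt...), nil
}

// Decapsulate returns the IP packet inside a DATAGRAM frame, accepting the 1-
// and 2-byte Length forms. The peer is not trusted: a frame whose Length or IP
// header disagrees with the bytes received is dropped, not injected into the
// cluster network.
func Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 3 || frame[0] != frameDatagram || frame[1]>>6 > 1 {
		return nil, errors.New("not a DATAGRAM frame with a 1- or 2-byte Length")
	}
	n, used := int(frame[1]), 1
	if frame[1]>>6 == 1 { // two-byte varint: strip the 0b01 prefix
		n, used = int(frame[1]&0x3f)<<8|int(frame[2]), 2
	}
	body := frame[1+used:]
	if len(body) != n {
		return nil, fmt.Errorf("frame Length %d disagrees with %d payload bytes", n, len(body))
	}
	if err := ValidateIPv4(body); err != nil {
		return nil, fmt.Errorf("dropping tunnelled packet: %w", err)
	}
	return body, nil
}

// SampleIPv4Packet is a constructed (not captured) IPv4/UDP packet with
// payloadLen payload bytes and correct IHL and Total Length; the header
// checksum is left zero because the tunnel does not verify it.
func SampleIPv4Packet(payloadLen int) []byte {
	pkt := make([]byte, 20+payloadLen)
	pkt[0], pkt[8], pkt[9] = 0x45, 64, 17 // version 4 + IHL 5, TTL, UDP
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	copy(pkt[12:20], []byte{10, 0, 0, 1, 10, 1, 0, 1}) // src/dst in assumed pod CIDRs
	return pkt
}

func main() {
	frame, err := Encapsulate(SampleIPv4Packet(40), 1280)
	fmt.Printf("60-byte packet -> %d-byte DATAGRAM frame, err=%v\n", len(frame), err)
	_, err = Encapsulate(SampleIPv4Packet(1480), 1280)
	fmt.Println("1500-byte packet:", err)
}
```

With a 1280-byte path MTU and the assumed overhead constants, the inner MTU comes to 1236 bytes, so a pod sending a full 1500-byte packet into the tunnel is refused at the encapsulation step. A real driver would take the limit from the QUIC library's negotiated max_datagram_frame_size and its path MTU discovery instead of a constant, and would set the tunnel interface MTU accordingly so that the refusal never triggers in normal operation.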
The purpose of this spike is to research QUIC further, and tunnelling IP inside QUIC in particular, as a potential cable-driver implementation for Submariner. The specific area of interest is how QUIC behaves across the firewalls and NAT gateways found in many of our existing customer networks.
References:
- Submariner’s Gateway Engine architecture: https://submariner.io/getting-started/architecture/gateway-engine/
- QUIC: A UDP-Based Multiplexed and Secure Transport (RFC 9000): https://datatracker.ietf.org/doc/rfc9000/
- Using TLS to Secure QUIC (RFC 9001): https://www.rfc-editor.org/rfc/rfc9001.html
- QUIC 101 by David Schinazi (Google): https://youtu.be/dQ5AND4DPyU
- QUIC resources on the Chromium Project: http://chromium.org/quic
- Tunneling Internet protocols inside QUIC (draft-piraux-quic-tunnel-01): https://datatracker.ietf.org/doc/html/draft-piraux-quic-tunnel-01
Related issue: ACM-4452 Submariner / Nexodus Integration (Closed)