2026-lee-quicstep

QUICstep: Evaluating connection migration based QUIC censorship circumvention

Seungju Lee, Mona Wang, Watson Jia, Qiang Wu, Henry Birge-Lee, Liang Wang, Prateek Mittal · Privacy Enhancing Technologies · 2026

canonical link →

Tags

censors: generic
techniques: http3-quic-block

findings extracted from this paper

As of October 2024, 22% (~220K) of Tranco top-1M domains support QUIC; of those, only 12.8% (~28K) are fully QUICstep-compatible (support IP-address migration). However, port-migration support grew 20% in 3 months (26,234 → 31,262 domains from August to late September 2024). Cloudflare hosts 74.6% of QUIC-supporting domains but only 0.2% support connection migration; if Cloudflare enabled it, 87.2% of QUIC-supporting domains would become compatible. Among QUIC-SNI-blocked domains in China (28,458 total), 2,404 (8.45%) support QUIC and 828 (34.4%) of those are QUICstep-compatible today.

§4.2, Table 1, Fig 3 deployment http3-quic-block cngeneric
QUICstep successfully circumvents the GFW's QUIC SNI censorship (active since April 2024) in live testing. Using an Alibaba VM in mainland China as client and an AWS instance in North Virginia as server, a native QUIC client was blocked after several fetches of youtube.com SNI, while QUICstep consistently succeeded across 50 consecutive fetches. 7 tiktokcdn.com subdomains that were QUIC-SNI blocked were also reliably accessible via QUICstep. The approach routes only QUIC long-header (handshake) packets through a WireGuard tunnel; all subsequent short-header (data) packets travel the native path.

§4.3.2, §3.2.3 evaluation http3-quic-blocksni-blockingdpi cn
A censor attempting to block QUICstep by dropping all QUIC connections that arrive without a preceding Initial/Handshake packet would cause significant collateral damage. Analysis of 24-hour campus traces (3,786,050 unique QUIC connections) found 29.1% (1,100,439 connections) lacked QUIC Initial or Handshake packets—representing legitimate connection migration from mobile handoffs and similar events. This high baseline rate means blanket "no handshake" blocking would disrupt roughly 1-in-3 QUIC connections unrelated to circumvention.

§5 (Blocking all QUIC connection migrated traffic) detection http3-quic-blocktraffic-shape cngeneric
QUICstep reduces proxy (handshake channel) traffic by a median of 93% across 100 tested domains compared to full VPN tunneling. For www.youtube.com specifically, proxy traffic dropped from 3.634 MB (full VPN) to 96 KB (QUICstep), a 97.4% reduction. Page load time improved by up to 84% versus full VPN. Performance gain is greatest when the handshake channel is bandwidth-limited (1–5 Mbps): QUICstep/VPN ratios of 0.07–0.09 at 1 Mbps, 0.34–0.46 at 5 Mbps from London to nearby proxies. Psiphon's free tier (2 Mbps) and Tor (~10 Mbps median) are both well within the bandwidth regime where QUICstep provides substantial gains.

§4.4.3, Fig 7, Table 2 evaluation http3-quic-block generic