
QUIC and Fusion SMB 

Heya folks, it’s Ned Pyle again with news: QUIC is coming to Fusion SMB. 

SMB over QUIC adds security and connectivity to cloud computing and storage platforms. Fusion SMB is state-of-the-art for Linux file servers, and SMB over QUIC is as cutting edge as it gets. Let’s talk about it. 

What is QUIC? 

QUIC is a transport protocol. Its designers set out to solve the problems with TCP that have been discovered over its 50 years of use.

  • Always encrypt – You don’t enable encryption in QUIC, it’s always on. Besides the obvious safety, it stops protocol ossification. Middlebox devices prevent protocols from evolving because they often don’t understand new but valid behaviors. New QUIC features work because they happen inside encrypted tunnels. 
  • Require TLS 1.3 – This dramatically strengthens transport security, with strong crypto keys and cipher algorithms, perfect forward secrecy, and encryption of all handshake messages after the Server Hello. Arguably, it should be called “TLS 2.0”.
  • UDP-based – QUIC improves performance on unreliable networks with parallel flow-controlled streams; if an error occurs in one stream, the other streams continue independently. It encrypts UDP packets individually, unlike TCP, which typically uses a byte stream. QUIC also adds the reliability, congestion control, and error correction that UDP lacks.
  • Handshake reduction – QUIC minimizes the connection process. This matters more to chatty web traffic than to long-running SMB data transfers, but it highlights the new philosophy: TCP was designed for reliable delivery on air-gapped military networks in the 1970s.

QUIC is the basis of HTTP/3, which runs on 35% of the world’s websites and growing at 5% annually. QUIC’s not the future – it’s now.  

Trivia item 1: Despite what you may have heard, QUIC is not an acronym. 

The value of SMB over QUIC

SMB over QUIC is a VPN without the headaches. It works on networks that often block TCP port 445, such as the Internet and DMZs. You can use SMB over QUIC inside a network for added safety, but also at the edge of your network, in cloud tenants, and as a hybrid solution joining everything together. Because QUIC is just a different transport, applications and users require no new code or training. QUIC traffic is on UDP/443 by default, making scenarios like on-prem client connections to AWS EC2 instances a snap.

But QUIC also adds security that’s superior to SMB 3’s built-in encryption. Consider this scenario: 

A client is connecting to a share called “TV” on the “Media-PP09” file server in a post-production editing studio. Out of the box, there’s no encryption; if the client is Windows 11 24H2, SMB will sign by default – meaning the data is safe from tampering and credential relay attacks – but nothing more. 

If we require SMB encryption from the client using Group Policy, PowerShell, or mapping commands, we add data privacy.

Notice the caveats. Since TCP itself isn’t encrypted, privacy is applied at the application layer, and the encryption key is derived from the user’s own session key. This means the user authenticates before SMB encryption starts, and the protection is only as strong as the user’s password. With Kerberos, the shared secret is never involved directly with SMB; the session key comes from the Authentication Service Request and AES-256. But NTLM is very vulnerable because the so-called “password hash” – the result of the challenge response – is actually on the wire in order to derive the encryption key, and it uses weak HMAC-MD5 cryptography.

When we add QUIC, security improves dramatically: TLS 1.3 uses a certificate with strong modern cryptography to create a tunnel. QUIC encrypts the entire SMB conversation, keeping even NTLM safe between the client and server for SMB authorization. Nothing changes for the user or application – they don’t get additional prompts or steps. It’s just like a VPN, without the setup, training, and cost.
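As an added example (not part of Ned’s post, and not Tuxera or Microsoft code), here are the client-side commands on the Windows 11 24H2 client from the scenario that put the two steps above into practice: first requiring SMB encryption through PowerShell or the mapping commands, then mapping the same share over QUIC. The server name Media-PP09 and the share TV come from the scenario; the drive letters are arbitrary, and the commands assume the client is Windows 11 24H2 or later and that Media-PP09 is listening for SMB over QUIC on UDP/443 with a certificate the client trusts.

```powershell
# Added example, not from the original post. Assumes a Windows 11 24H2 client and a
# file server "Media-PP09" with a share "TV" (names from the post's scenario).

# 1. Client-wide: refuse any SMB connection that is not encrypted.
#    This is the PowerShell counterpart of the Group Policy setting; after this,
#    a server that cannot encrypt (or a share/server with encryption turned off)
#    gets no connection at all, rather than a signed-only one.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 2. Per-mapping alternative: ask for privacy on this one share only.
#    The mapping fails if the server will not encrypt, instead of silently
#    falling back to signing.
New-SmbMapping -RemotePath '\\Media-PP09\TV' -LocalPath 'T:' -RequirePrivacy $true
#    net use form of the same request:
#    net use T: \\Media-PP09\TV /REQUIREPRIVACY

# 3. SMB over QUIC: map the share using the QUIC transport (UDP/443) instead of
#    TCP/445. The user authenticates exactly as before; the whole SMB conversation,
#    NTLM or Kerberos included, now rides inside the TLS 1.3 tunnel.
New-SmbMapping -RemotePath '\\Media-PP09\TV' -LocalPath 'Q:' -TransportType QUIC
#    net use form of the same request:
#    net use Q: \\Media-PP09\TV /TRANSPORT:QUIC

# 4. Check what you actually got: Signed and Encrypted are reported per connection.
#    Signed = $true with Encrypted = $false is the "tamper-proof but not private"
#    state the post describes for an out-of-the-box 24H2 client.
Get-SmbConnection -ServerName 'Media-PP09' |
    Format-List ServerName, ShareName, Dialect, Signed, Encrypted
```

The client-side mandate in step 1 is the one that changes the trust model: instead of relying on each server administrator to turn on SMB encryption, the client refuses to send data to any server that cannot protect it. Step 3 moves the protection below SMB entirely, which is why the post can say nothing changes for the user.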

You can see why Microsoft finally deprecated NTLM! Kerberos doesn’t have NTLM’s architectural problems, has much stronger cryptography, and supports mechanisms other than passwords. Microsoft, Apple, and Linux will all end this legacy chapter by supporting Local KDC and IAKerb, as shown in this talk. Hey, I know that guy!

Trivia item 2: Before I was the owner of SMB 3 and architect of SMB over QUIC at Microsoft, I worked on Active Directory. 

The reveal 

But enough theory – let’s see it work! Here’s a demo of our SMB over QUIC preview: 

Tuxera is at the forefront of Linux SMB

When Microsoft originally released SMB over QUIC, they restricted it to Azure. My final move before leaving was to include it in Windows Server 2025. The genie is out of the bottle and broad interest in QUIC has naturally skyrocketed. 

It’s worth a reminder that Tuxera is a Microsoft patent licensee, which brings legal safeguards to all our customers, unlike the GPLv3-based Samba. But that license program also encourages us to quickly follow Microsoft’s SMB innovations.

As soon as QUIC was universally available for Windows, we decided to build a version for Linux, just like we did with every other SMB 3 feature over the past decade. Tuxera keeps Fusion SMB state-of-the-art.

Coming soon 

SMB over QUIC helps organizations facing high security threats, like medical research and post-production media. It also brings flexibility to difficult networking situations, like hybrid cloud and mobile users.

Tuxera will have Fusion SMB over QUIC production ready and released by the end of the year. We will show off our preview release live at SC25 this November in St. Louis – I hope to see you there.

Ned Pyle, Enterprise Storage Technical Officer, Tuxera 

Find out more about Tuxera Fusion SMB on the product page.
