A Deep Dive on SMB over QUIC File Sharing
SMB over QUIC is a relatively new, promising file-sharing technology that, given the advancement of cloud deployments, remote work, and zero-trust architectures, has a good chance of eventually replacing traditional SMB (Server Message Block) as the standard file-sharing method. SMB was initially developed in 1983 at IBM, and following Microsoft’s adoption and development in 1987, it is still in wide use.
SMB over QUIC overcomes many hurdles of conventional SMB over TCP by utilising the QUIC (Quick UDP Internet Connections) transport layer network protocol. QUIC is the technology on which HTTP/3, the third major version of the Hypertext Transfer Protocol (HTTP), is based to achieve its faster loading times.
Below, we discuss the QUIC protocol and how SMB over QUIC builds on it to overcome challenges experienced by traditional SMB. We will also review deployment scenarios where the technology can best serve us and shed some light on potential deployment vulnerabilities and mitigation strategies.
The QUIC Protocol
The QUIC protocol was designed by Jim Roskind at Google in 2012 and is currently developed by the IETF (Internet Engineering Task Force) and Google. Standardised in IETF RFC 9000, it operates over UDP. It is designed to improve network performance for connection-oriented applications by establishing multiplexed connections that allow multiple data streams to talk to endpoints independently, thus eliminating the Head-of-Line (HoL) blocking issue. This makes packet loss less significant to the reliability of the connection. It integrates with TLS 1.3 encryption, ensuring data security in transit while reducing latency using a single handshake: 1-RTT (One Round Trip Time) and 0-RTT (Zero Round Trip Time) resumption if the client reconnects to the same server.
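The head-of-line blocking difference described above can be seen in a small model. This is an added example, not code from the article: the `Packet` class, the `completion_times` function, the tick-based timing and the three-stream workload are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    seq: int      # position in the sender's transmit order (arrives at tick == seq)
    stream: str   # logical stream the payload belongs to

def completion_times(packets, lost, retransmit_delay, per_stream_ordering):
    """Return {stream: tick at which its last byte reaches the application}.

    per_stream_ordering=False models one ordered byte stream (TCP): a gap
    stalls every later packet. True models QUIC: a gap stalls only later
    packets of the same stream.
    """
    ready_at = {}   # ordering domain -> earliest tick at which data can be released
    done = {}
    for p in sorted(packets, key=lambda p: p.seq):
        # A lost packet only arrives once its retransmission gets through.
        arrival = p.seq + (retransmit_delay if p.seq in lost else 0)
        domain = p.stream if per_stream_ordering else "connection"
        ready_at[domain] = max(ready_at.get(domain, 0), arrival)
        done[p.stream] = max(done.get(p.stream, 0), ready_at[domain])
    return done

# Constructed workload: three transfers (A, B, C) interleaved on one connection.
PACKETS = [Packet(seq, "ABC"[(seq - 1) % 3]) for seq in range(1, 10)]
LOST = {1}             # the first packet of stream A is dropped once
RETRANSMIT_DELAY = 20  # ticks until the retransmitted copy arrives

if __name__ == "__main__":
    print("single ordered stream:", completion_times(PACKETS, LOST, RETRANSMIT_DELAY, False))
    print("independent streams:  ", completion_times(PACKETS, LOST, RETRANSMIT_DELAY, True))
```

With one ordered stream, all three transfers wait for the retransmission; with independent streams, only stream A does.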
QUIC is used by popular software, technologies and services such as Google Chrome, Microsoft Edge, Mozilla Firefox and Apple’s Safari for browsing, Content Delivery Networks (CDNs), YouTube, and Netflix to provide a smoother and more reliable streaming experience even in high-latency networks or low-bandwidth connections. It is also used in 5G networks, messaging apps such as WhatsApp and Facebook Messenger and gaming for a better multiplayer experience (as a gamer, I just can’t stand lagging!). As of January 2025, QUIC is used by 8.6% of all websites.
💡Below are the key advantages of QUIC from a network standpoint:
- Connection Migration: QUIC makes it possible for connections to move between network interfaces, enhancing reliability and user experience, especially for mobile users.
- Multiplexing: QUIC lowers latency and increases efficiency by allowing several data streams to be transmitted over a single connection.
- Congestion Control: QUIC integrates proactive congestion control mechanisms that can predict and adapt to network conditions, resulting in faster and more reliable data transfer.
- 0-RTT: In certain cases, QUIC can resume connections with 0-Round Trip Time (0-RTT), thus drastically cutting down on the time required to establish a new connection.
🛡️Adherence to ZTA (Zero Trust Architecture) and the CIA (Confidentiality, Integrity, Availability) Triad
From a security standpoint, SMB over QUIC inherently addresses key principles of ZTA, including the requirements for secure, authenticated and least-privilege access to resources regardless of the network’s perceived security.
It also satisfies the CIA Triad principles with encrypted connections using TLS 1.3 (Confidentiality) by default, built-in cryptographic integrity checks and stream isolation to prevent data manipulation (Integrity), and resilient connections with recovery mechanisms (Availability).
UNIX Adoption and the Samba Project
We couldn’t discuss widespread adoption without SMB over QUIC being available in UNIX environments. The news coming in this direction is good. We read that the German Sovereign Tech Fund (STF) plans to advance Samba by funding the Samba Project. Part of this advancement will be the integration of, you guessed it, SMB over QUIC. It will do that as part of its “Milestone Group 5: SMB over QUIC”. Here are the Milestone specifics:
- 5.1 SMB over QUIC: Generic support of the Linux kernel driver (ETA: 2025-02-19)
- 5.2 SMB over QUIC: Inject QUIC support into socket_wrapper (ETA: 2025-03-13)
- 5.3 SMB over QUIC: Native userspace QUIC driver (ETA: 2025-04-04)
- 5.4 SMB over QUIC: SMB2_TRANSPORT_CAPABILITIES negotiation (ETA: 2025-08-23)
Visuality Systems’ latest YNQ 2.0.0 SMB client also supports SMB over QUIC via its QUIC add-on.
Reception and Real-world Applications
Although SMB over QUIC is secure at its core and brings real perks, adoption is relatively low, and the community shows cautious optimism. Besides the lack of wide support in UNIX environments, this is also due to deployment challenges, the most prominent of which is the requirement to run Windows Server 2025 or Windows Server 2022 Datacenter: Azure Edition and Windows 11 clients. That means legacy infrastructure may lack support for SMB over QUIC, necessitating upgrades that can strain IT budgets, which is a no-go for many.
On the bright side, several industries and sectors could greatly benefit from SMB over QUIC, including but not limited to the following:
Maritime Shipping Companies:
SMB over QUIC could greatly facilitate ship communications, aiding seafarers in completing daily tasks seamlessly. The newest satellite solutions offering low-latency coverage, such as SpaceX Starlink, could boost performance even in remote locations. This could become a combination that would enable capabilities like never before.
Examples
- Remote Maintenance and Diagnostics: Vessels can share operational logs and diagnostics with their HQ for real-time analysis.
- Document and Compliance Management: Ships can securely download updated compliance documents, certifications, or legal records.
Remote and Hybrid Teams
SMB over QUIC allows distributed teams to access shared files safely without a VPN while guaranteeing an acceptable performance even on high-latency networks.
Examples
- Consulting Firms: Employees working remotely can access client information from any location.
- Media Production Companies: Teams collaborate on massive media files with lower latency.
Office Headquarters and Branches
Businesses with a presence in geographically dispersed offices can share data without requiring VPN or MPLS.
Examples
- Retail Chains: Branches share inventory and sales data.
- Manufacturing Firms: Various teams exchange CAD files.
Mobile Workforce Operations
Businesses with field-based workers use SMB over QUIC to securely access files over public Wi-Fi or 4G/5G.
Examples
- Energy and Utilities: Field engineers viewing technical schematics.
- Healthcare Providers: Mobile clinics accessing patient records.
Security Challenges
I won’t make it to the news saying there is no silver bullet solution in cybersecurity, but it is always important to mention it. This technology, too, could be prone to security challenges. However, we can overcome most of them by taking good care of our deployments.
UDP-Based Attacks (High Threat Level)
Because QUIC uses UDP, it is vulnerable to Distributed Denial of Service (DDoS) assaults, such as reflection and amplification. Such attacks could overwhelm deployments and render them unavailable.
Mitigation:
- Deploy Anti-DDoS services such as Cloudflare to absorb and filter malicious traffic before it reaches your servers.
- Implement Ingress Filtering (BCP38) where applicable.
- Apply rate-limiting on your firewall to drop malformed packets or requests exceeding expected thresholds.
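QUIC itself bounds how useful a server is as a reflector: RFC 9000 limits a server to three times the bytes received from an address it has not yet validated, and requires it to discard client Initial datagrams smaller than 1200 bytes. The model below shows that accounting; it is an added example, not code from the article or from any QUIC stack, and the class names, function names and the documentation address are hypothetical.

```python
from dataclasses import dataclass

AMPLIFICATION_FACTOR = 3     # RFC 9000, section 8: send limit before address validation
MIN_INITIAL_DATAGRAM = 1200  # RFC 9000, section 14.1: smaller Initials are discarded

@dataclass
class PathState:
    received: int = 0
    sent: int = 0
    validated: bool = False

class AntiAmplificationLimiter:
    """Tracks, per claimed source address, how much the server may send back."""

    def __init__(self):
        self.paths = {}

    def on_initial(self, addr, size):
        """Account for a client Initial; return False if it must be discarded."""
        if size < MIN_INITIAL_DATAGRAM:
            return False
        self.paths.setdefault(addr, PathState()).received += size
        return True

    def send(self, addr, wanted):
        """Return how many of `wanted` bytes may leave toward addr right now."""
        path = self.paths.get(addr)
        if path is None:
            return 0
        budget = AMPLIFICATION_FACTOR * path.received - path.sent
        allowed = wanted if path.validated else max(0, min(wanted, budget))
        path.sent += allowed
        return allowed

    def mark_validated(self, addr):
        """Call once the peer has proven it receives packets at addr."""
        self.paths[addr].validated = True

def handshake_bytes_sent(initial_size, server_flight, peer_answers):
    """Bytes the server emits toward the claimed source for one client Initial."""
    limiter = AntiAmplificationLimiter()
    addr = ("192.0.2.10", 50000)  # constructed address from the documentation range
    if not limiter.on_initial(addr, initial_size):
        return 0
    sent = limiter.send(addr, server_flight)
    if peer_answers:  # a genuine client continues the handshake from that address
        limiter.mark_validated(addr)
        sent += limiter.send(addr, server_flight - sent)
    return sent
```

A source that never answers receives at most 3600 bytes for a 1200-byte Initial, which is why firewall rate limits on UDP/443 can be sized against a known worst-case response ratio.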
Authentication Vulnerabilities (High Threat Level)
NTLM (NT LAN Manager) and Kerberos authentication can be targeted for credential theft or abuse.
Mitigation:
- Use multi-factor authentication (MFA).
- Disable NTLM and audit Kerberos configurations.
TLS Configuration Issues (Moderate Threat Level)
Problematic TLS setups, such as outdated ciphers or neglected certificate revocations, could enable man-in-the-middle (MITM) attacks or eavesdropping.
Mitigation:
- Enforce modern ciphers like AES-GCM and regularly audit your TLS configurations using tools like sslscan, which is available on many distros and GitHub.
- Certificate management and automated revocation checks could also help.
Traffic Analysis Risks (Low Threat Level)
Attackers could conduct traffic analysis to reveal metadata and patterns; however, this would hardly allow them to access the actual file content.
Mitigation:
- Use padding to obscure file sizes and metadata (although this could introduce a slight performance overhead).
- Combine with network obfuscation to further mask activity (only in rare cases, as that’s a bit of an extreme measure: it can affect SMB performance and availability, and could raise issues related to Confidentiality and Integrity).
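The trade-off between hiding sizes and paying overhead can be measured. The added example below (not from the article, and not a setting of any SMB or QUIC implementation) compares fixed-block padding with Padmé, a length-padding scheme from the PURBs paper that is swapped in here for illustration; the function names and the transfer sizes are constructed.

```python
def padme(length):
    """Padmé padding: round up so that only the top bits of the length vary,
    which keeps the relative overhead small for both small and large inputs."""
    if length < 2:
        return length
    exponent = length.bit_length() - 1       # floor(log2(length))
    exponent_bits = exponent.bit_length()    # floor(log2(exponent)) + 1
    mask = (1 << (exponent - exponent_bits)) - 1
    return (length + mask) & ~mask

def fixed_block(block):
    """Return a padder that rounds up to a multiple of `block` bytes."""
    return lambda length: -(-length // block) * block

def leakage(sizes, pad):
    """Return (distinct sizes an observer sees, worst per-file overhead,
    total overhead), with overheads as fractions of the unpadded size."""
    padded = [pad(s) for s in sizes]
    worst = max((p - s) / s for p, s in zip(padded, sizes))
    total = (sum(padded) - sum(sizes)) / sum(sizes)
    return len(set(padded)), round(worst, 3), round(total, 3)

# Constructed transfer sizes in bytes (not measurements).
SIZES = [1000, 1010, 1500, 41000, 1050000]

if __name__ == "__main__":
    for name, pad in [("none", lambda n: n),
                      ("4 KiB blocks", fixed_block(4096)),
                      ("Padmé", padme)]:
        print(f"{name:>12}: {leakage(SIZES, pad)}")
```

On this sample, 4 KiB blocks leave three distinguishable sizes but more than triple the smallest transfer, while Padmé leaves four and keeps every transfer within 5% of its original size.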
A Final Word
SMB over QUIC represents a step forward, addressing traditional SMB shortcomings and advancing and securing file-sharing architecture. However, as with every deployment, there is no one-size-fits-all. IT pros should always take good care of each deployment’s aspects to avoid security or operational pitfalls.
Time will tell if SMB over QUIC will replace traditional SMB as the new standard in file-sharing. Today’s pace, demands, and widespread HTTP/3 adoption all indicate that SMB over QUIC will eventually prevail over a solution built at a different time and age when even the idea of sharing files and printers relatively easily was groundbreaking.