Every nanosecond matters online. Whether it’s a video buffering or a stock trade executing, latency can make or break an experience. Enter Quick User Datagram Protocol Internet Connections (QUIC): The lightning-fast, secure transport protocol reshaping how the internet moves data.
QUIC has gained traction but one stubborn challenge kept nagging at the industry’s top engineers: How do you load balance QUIC traffic efficiently without sacrificing security or scalability?
That question led us on a journey to do something no one had done before, to make QUIC load balancing work at line rate, inside a programmable switch, without sacrifices.
The Balancing Act Behind QUIC
QUIC powers much of today’s web traffic from Google Search to video streaming. It’s faster than Transmission Control Protocol (TCP), more secure, and resilient enough to keep your session alive even when your Internal Protocol (IP) address changes midstream.
That last part, coined connection migration, is great for users, but a nightmare for traditional 5-tuple load balancers, which rely on static IPs and ports to decide where to send data. Once a user switches networks or devices, those identifiers change, and the load balancer connects the session to a different server resulting in session termination.
The Internet Engineering Task Force’s (IETF) QUIC standard offered two imperfect fixes:
- A stateless approach that leaks internal server info, a security red flag.
- A stateful approach that requires constant server coordination, expensive and slow.
The industry needed something new, something secure, and something scalable. QUIC came to the rescue.
Enter QUIC-LB: A Smart, Secure Idea
The QUIC-LB draft proposed a brilliant middle ground: hide the server’s identity inside the QUIC Connection ID (CID) using encryption.
Each server encrypts its ID using Advanced Encryption Standard Electronic Codebook (AES-ECB), and only trusted components the load balancer and servers can decrypt it. That way:
- Outsiders can’t peek into your data center’s structure by monitoring the server-ids
- The load balancer can route packets securely
- Everything 'just works'
Elegant in theory. But in practice it’s a bewildering nightmare.
QUIC-LB expects the device at the edge to decrypt every packet in real time. That’s fine if you run it on servers, which is exactly what the IETF originally intended. But try doing that on a traditional switch? Forget it. No conventional switch has the horsepower to run full AES at 12.8 terabits per second, they simply aren’t built for that kind of cryptographic workload.
And that’s where Xsight Labs flips the script.
Xsight Labs didn’t force QUIC-LB into a switch; it built a switch capable of running what normally lives on servers. By making the switch itself highly programmable, Xsight Labs can implement the QUIC-LB logic directly in silicon achieving the massive throughput and ultra-low power consumption of a switch, while performing tasks normally reserved for software running on CPUs.
Turning Theory Into Throughput
Our engineers took their X2 programmable switch, a 12.8T masterpiece built for flexibility, and asked a simple question: 'What if we could make AES run at line rate?'
Our team implemented two prototypes:
- Baseline Mode: decrypts every packet (the hard way)
- Cached Mode: remembers previously decrypted IDs, skipping redundant work
The result?
Even the baseline hit an impressive 3.2 Tbps
And when caching kicked in, using a smart, hash-based memory engine, the switch soared to full line-rate performance at 12.8 Tbps with:
- No external servers
- No rerouting
- No compromises
Just pure, secure, programmable performance.
Smarter Caches, Faster Internet
The secret sauce wasn’t just the AES implementation, it was the cache.
By storing decrypted connection IDs, the switch avoided repetitive computation and doubled (sometimes tripled) throughput. Tests showed:
- Higher cache hit ratios = higher performance
- Advanced caching (like dual-hash lookups) achieved 100% hit rates
- Even with large caches, memory use stayed under 50% leaving headroom for scaling and new services
It wasn’t brute force that won here, it was elegant engineering that is only made possible by the X2.
The Road Ahead
Our implementation of QUIC-LB focused on long-lived connections, the steady heartbeat of modern data traffic. The next challenge is dynamic: millions of connections starting, ending, and migrating every second.
Future work will explore smarter cache replacement policies and adaptive strategies that keep pace even as the network churns. Techniques like multi-choice hashing and cuckoo algorithms are already on the drawing board.
The goal?
Make high-speed QUIC load balancing not just possible, but effortless no matter how the internet evolves to the millionth G.
Why This Breakthrough Matters
QUIC isn’t just another protocol, it’s the future of secured internet traffic.
And at Xsight Labs, our breakthrough shows that programmable switches can keep up securely, efficiently, and at scale, and in many cases match or outperform the server-based implementations QUIC-LB was originally designed for.
By offloading QUIC-LB from server to programmable switch, data centers can now:
- Slash power and cost Gbps
- Protect internal data center architecture from exposure
- Scale to millions of encrypted sessions, seamlessly
Since the first QUIC-LB RFC draft was published in 2021, engineers struggled to achieve scalability and low power because they relied on server-based implementations.
Xsight Labs broke this paradigm by running QUIC-LB directly on low-power, high-throughput programmable switches instead of traditional servers, achieving true line-rate performance without compromise.