Cloudflare QUIC Boosts SASE Proxy Speed
Alps Wang
Mar 6, 2026 · 1 views
QUIC Revolutionizes SASE Performance
Cloudflare's blog post details a substantial upgrade to their SASE client's proxy mode, moving from a WireGuard-based L3 tunnel with smoltcp to a direct L4 proxying approach leveraging QUIC. The core innovation lies in bypassing the inefficient L4-to-L3 conversion, which was a performance bottleneck, especially for media-heavy applications. By using QUIC streams with HTTP/3's CONNECT method, traffic remains at Layer 4, eliminating the overhead and limitations of smoltcp's TCP implementation. This directly translates to tangible benefits like doubled download/upload speeds and reduced latency, as validated by internal testing. The architectural shift is noteworthy for its pragmatic application of QUIC beyond its initial web transport use case, demonstrating its versatility in secure network access scenarios. The emphasis on native QUIC benefits, such as advanced congestion and flow control, further underscores the technical sophistication of this redesign. The article also clearly articulates the user-facing advantages, particularly for scenarios involving coexistence with legacy VPNs, high-bandwidth application partitioning, and developer workflows utilizing SOCKS5. The readiness of the feature and the clear call to action for users to update their clients are also commendable.
However, while the performance gains are compelling, the article could benefit from more detailed benchmarks and real-world use-case comparisons beyond internal testing. While they mention doubled speeds and reduced latency, quantifying these improvements across various network conditions and application types would provide even greater confidence. Additionally, a deeper dive into the security implications of this new QUIC-based proxying, particularly in relation to potential QUIC-specific vulnerabilities or advanced threat vectors, would be valuable for security-conscious readers. The reliance on MASQUE as part of QUIC for IP packet proxying is mentioned, but a more explicit explanation of how this contributes to the overall zero-trust architecture and security posture would enhance the article's depth. The deprecation of WireGuard for proxy mode is a significant change, and understanding any potential edge cases or migration considerations for existing deployments would be beneficial. Despite these minor points, the article represents a significant technical achievement and a valuable advancement for SASE clients seeking to balance security with user experience.
Key Points
- Cloudflare has rebuilt its SASE client's proxy mode to utilize QUIC, moving away from a WireGuard-based L3 tunnel with
smoltcp. - The new approach enables direct L4 proxying using QUIC streams and HTTP/3 CONNECT, eliminating performance bottlenecks from L4-to-L3 conversion.
- Benefits include doubled download/upload speeds, significantly reduced latency, and leveraging native QUIC features like advanced congestion control.
- This upgrade significantly improves user experience for scenarios involving VPN coexistence, high-bandwidth application partitioning, and developer tools using SOCKS5.
- The performance improvements are available with Cloudflare One Client version 2025.8.779.0 and above.
Related Articles
Comments (0)
No comments yet. Be the first to comment!