HTTP/3 Connection Migration: Seamless Network Switching

Connection Migration in HTTP/3

Connection migration is one of HTTP/3's most unique features. It allows a QUIC connection to continue uninterrupted even when the client's IP address or port changes.

Why TCP Connections Break

A TCP connection is identified by a 4-tuple: (source IP, source port, destination IP, destination port). When any of these change — for example, when a laptop switches from Wi-Fi to Ethernet, or a phone switches from Wi-Fi to cellular — the TCP connection is instantly invalid.

The application must:

1. Detect the broken connection
2. Perform a new DNS lookup
3. Complete a new TCP handshake
4. Complete a new TLS handshake
5. Potentially re-authenticate
6. Retry any in-flight requests

This process typically takes 500ms-2s and results in visible loading stalls.

How QUIC Connection IDs Work

QUIC connections are identified by Connection IDs (CIDs), which are opaque values chosen by each endpoint. They are independent of the network path:

TCP connection identity:    192.168.1.5:54321 <-> 93.184.216.34:443
QUIC connection identity:   CID: 0xA1B2C3D4E5F6 (unrelated to IP)

When the client's IP changes, it sends a PATH_CHALLENGE frame from the new address. The server responds with PATH_RESPONSE. Once validated, traffic continues on the new path using the same Connection ID and encryption keys.

NAT Rebinding

Even without switching networks, NAT devices may reassign port mappings. QUIC handles this transparently through connection migration, while TCP connections would be silently broken.

Security

Connection migration includes path validation to prevent IP spoofing attacks. The server never sends data to a new address until the client proves it can receive packets there, using the PATH_CHALLENGE/PATH_RESPONSE exchange.