[edwhitesell]

It's different because a load balancer will send your initial HTTPS request to one application server, but when you're switching protocols (to UDP) you'll then want that traffic directed the same place. Or need some way to share session data across multiple app servers.

You could handle it with some kind of cookie/token that enables the LB to route to the right place, but that opens a whole bunch of other complicated logic too.

Whereas if the UDP application/server were able to handle it independently of HTTP(S), you wouldn't need any of that.

[geofft]

Either I'm not following you or I'm being unclear - it doesn't matter what HTTPS server the load balancer sends it to, all that you need is a reply saying "Yes, in general, sending UDP to my IP on this port is fine with me." You don't need to send it any other application-level data, and frankly the load balancer itself could send that static reply. So you don't care what application server it's sent to.

And once you have that permission, you never need to make an HTTPS connection again.

What you do care is that your actual application traffic, such as your login session, and your UDP traffic have some way of being associated with each other, but you have that problem regardless of how the client (whether it's a browser client or a normal desktop/mobile app) gets permission to send UDP.

As an example, the user could visit example.com, load some HTML and JS, send a request to login.example.com, get a session key, send a single HTTPS request to data.example.com exactly once, and then send UDP to data.example.com protected by that session key. You never send HTTPS to data.example.com again; from this point onwards you only send UDP. Coordination between your HTTPS login server and your UDP data server is no different in this model from the native app model.

[edwhitesell]

I think we're on the same page. My point was I think it's too complicated to do all of those steps (and likely more) just to "switch" to UDP. You could instead make all of that part of the Web UDP application, which is no less complicated, but then you are removing one step of switching applications/protocols midway through.

I guess what I'm trying to say is UDP could work, but I think trying to bootstrap the initial connection/session info with HTTP is probably going to be FAR more trouble than it's worth.

[mrmoka]

UDP over IPv4 and IPv6 has source IP and source Port in header. This can be used for sticky routing through Load Balancers.

[edwhitesell]

Sure, but in this context, unless you are able to use the same source port for TCP and UDP (and likely from the load balancer to the application server too) you'll still need another way to identify a client/session when switching from TCP to UDP.

Doing that with NAT is even trickier. Take a look at the way some firewalls need to configure a DMZ for gaming, or SIP for some examples.

[jandrese]

I'd like to point out that getting SIP through firewalls is a massive headache even today. If you're embedding connection information into a control channel, then the firewall needs to do DPI to figure out what is a valid communication stream vs. some attacker. And then people start encrypting the control channel and it's game over unless you can hook your firewall up to whatever the controlling software is or your firewall is super fancy and can MITM the control channel traffic because you've installed the cert chain on the firewall.