We improved the performance of a userspace TCP stack in Go

Motivation for a userspace TCP stack

  • Goal: end‑to‑end encryption and consistent behavior across laptops, VMs, containers, and bare metal.
  • Using the OS TCP stack plus a TUN device would require elevated permissions, which are hard or impossible to get in regulated / high‑security environments.
  • Userspace WireGuard over UDP + userspace TCP/IP gives each program its own virtual IP and full stack without needing privileged kernel features.

“Why not just use TLS / QUIC / normal sockets?”

  • Multiple commenters are confused why encryption must sit “under” TCP instead of using TLS or QUIC on standard sockets.
  • Others point out WireGuard‑style tunneling lets you speak arbitrary protocols (e.g., Postgres, Redis) across a single UDP tunnel without protocol‑specific gateways.
  • Some still find the justification unclear and suspect the solution targets a narrow use case.

Security and policy arguments

  • One side: userspace TCP/IP reduces kernel attack surface, confines bugs to a normal process, and avoids relying on the complex kernel TCP stack; only UDP is exposed.
  • Counterpoint: you still depend on kernel UDP, now plus a new TCP stack you must secure and maintain; overall complexity and attack surface may increase.
  • Debate over whether this “sidesteps” security policies or simply makes legacy Unix port‑privilege rules irrelevant in these scenarios.

Performance vs. kernel stack and gVisor

  • gVisor netstack is acknowledged as slower than the kernel; its aim is portability and security, not beating kernel performance.
  • The article’s optimizations (larger receive buffers, HyStart congestion control, blocking instead of dropping on full queues) are seen as solid engineering, but some call the whole approach “a solution looking for a problem.”
  • Long side‑thread debates gVisor’s broader performance trade‑offs (not specific to this product) vs. its benefits for secure multi‑tenant platforms.
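The "blocking instead of dropping on full queues" change mentioned above is easy to see in miniature. The following Go program is an added illustration, not code from the article or from gVisor netstack: it models the inbound packet queue as a bounded channel and compares the two policies during a burst that arrives while the consumer is stalled. Under a drop policy the excess is discarded and must be recovered by TCP retransmission (which also triggers congestion-control backoff); under a blocking policy the producer is held back and every packet is eventually delivered. The `Packet` type, `Simulate` function and the stall duration are constructed for this example.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Packet stands in for one inbound segment handed from the tunnel to the stack.
type Packet struct{ Seq int }

// QueuePolicy decides what happens when the receive queue is full.
type QueuePolicy int

const (
	DropOnFull  QueuePolicy = iota // discard on a full queue and rely on retransmit
	BlockOnFull                    // apply backpressure: the producer waits for room
)

// Stats records the outcome of one simulated burst.
type Stats struct {
	Delivered int // packets the consumer eventually processed
	Dropped   int // packets discarded at enqueue time
}

// enqueue offers p to q under the given policy and reports whether it was accepted.
func enqueue(q chan<- Packet, p Packet, policy QueuePolicy) bool {
	if policy == DropOnFull {
		select {
		case q <- p:
			return true
		default: // queue full: drop instead of waiting
			return false
		}
	}
	q <- p // BlockOnFull: blocks until the consumer frees a slot
	return true
}

// Simulate sends a burst of n packets into a queue of the given capacity while the
// consumer is stalled for `stall` (the application has not read yet), then lets the
// consumer drain whatever is left. The stall is the moment where the policies differ.
func Simulate(policy QueuePolicy, n, capacity int, stall time.Duration) Stats {
	q := make(chan Packet, capacity)
	release := make(chan struct{})
	var stats Stats
	var wg sync.WaitGroup

	wg.Add(1)
	go func() {
		defer wg.Done()
		<-release // consumer does nothing until released
		for range q {
			stats.Delivered++
		}
	}()
	time.AfterFunc(stall, func() { close(release) })

	// Producer: a burst of n packets, as fast as the policy allows.
	for i := 0; i < n; i++ {
		if !enqueue(q, Packet{Seq: i}, policy) {
			stats.Dropped++
		}
	}
	close(q)
	wg.Wait()
	return stats
}

func main() {
	const n, capacity = 20, 4
	stall := 20 * time.Millisecond
	d := Simulate(DropOnFull, n, capacity, stall)
	b := Simulate(BlockOnFull, n, capacity, stall)
	fmt.Printf("drop-on-full:  delivered=%d dropped=%d\n", d.Delivered, d.Dropped)
	fmt.Printf("block-on-full: delivered=%d dropped=%d\n", b.Delivered, b.Dropped)
}
```

With a queue of 4 and a burst of 20, the drop policy delivers 4 and discards 16, while the blocking policy delivers all 20 at the cost of stalling the producer; in a real stack that stall is what turns into flow control toward the tunnel rather than into retransmissions and a shrunken congestion window.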

Portability, APIs, and ecosystem

  • Advocates highlight that a Go‑based userspace stack works similarly on macOS, Linux, and inside containers without root.
  • Skeptics argue plain POSIX networking on unprivileged ports plus existing libraries would be simpler and more portable.
  • gVisor netstack’s API is described as volatile; integrating it requires accepting frequent breaking changes and in‑house networking expertise.