Wow, that’s a lot of text and it’s all really informative and clear. Make sure you read to the end, because the ‘word of caution’ bit is really important. This is also one of the big wins of QUIC over TLS. With TLS, you have a message-oriented protocol (each chunk that you send is encrypted with an authenticated encryption mechanism), over a stream protocol (TCP sends arbitrary streams), over a packet-based protocol (IP sends data in discrete packets). When you receive an IP packet, you get some fragment of a TCP stream, which is then a part of a TLS message. You may have to buffer multiple packets before you get to the MAC and know that it’s safe to forward the decrypted data to the consumer (this sucks for embedded devices, where RAM is limited). With QUIC, the encryption layer is sending UDP datagrams, each of which fits in one IP packet (unless fragmentation occurs, but even then you have an integer number of packets per datagram, not packets containing the end of one message and the start of the next). Each datagram has a separate MAC and so can be processed as soon as it arrives and, even if packets within a stream arrive in the wrong order and you have to buffer them, you are bounded in the number that you need to buffer (and ones from other streams within the QUIC connection can be decrypted and forwarded independently).