Secure Middlebox-Assisted QUIC
Mike Kosek, Benedikt Spies, Jörg Ott

TL;DR
This paper proposes an enhancement to the QUIC protocol that allows selective exposure of information to middleboxes, enabling performance improvements in satellite networks without compromising security.
Contribution
It introduces a method for securely integrating middleboxes into QUIC connections by selectively exposing information, balancing performance and privacy.
Findings
Performance gains depend on round-trip time and loss rates.
Higher data transfer over a connection yields more benefits.
The approach maintains QUIC's security properties while enabling middlebox functionality.
Abstract
While the evolution of the Internet was driven by the end-to-end model, it has been challenged by many flavors of middleboxes over the decades. Yet, the basic idea is still fundamental: reliability and security are usually realized end-to-end, where the strong trend towards ubiquitous traffic protection supports this notion. However, reasons to break up, or redefine the ends of, end-to-end connections have always been put forward in order to improve transport layer performance. Yet, the consolidation of the transport layer with the end-to-end security model as introduced by QUIC protects most protocol information from the network, thereby eliminating the ability to modify protocol exchanges. In this paper, we enhance QUIC to selectively expose information to intermediaries, thereby enabling endpoints to consciously insert middleboxes into an end-to-end encrypted QUIC connection while…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Traffic and Congestion Control · IPv6, Mobility, Handover, Networks, Security
