Good Cop, Bad Cop: Forcing Middleboxes to Cooperate
Abstract
The original Internet architecture offered a clean contract to endpoints: packets sent will be delivered unmodified or dropped when there is congestion. The proliferation of middleboxes has broken this simple contract to the point where the service the Internet provides to endpoints is entirely unpredictable:
• Reachability depends on fields in the packet header and even the payload, as firewalls strive to contain increasing levels of malicious traffic targeted at vulnerable endpoint software.
• Packets can be modified en route by boxes that understand the higher-level protocol (either TCP or app-level) and optimize it. For instance, NATs support FTP by rewriting the IP address of the sender inside the TCP payload to match the address of the NAT. As the NAT's IP address will likely have a different length, this forces NATs to also modify sequence and acknowledgment numbers. Other performance-enhancing middleboxes are discussed in [1].
Firewalls not only drop all unknown protocols or extensions (e.g. SCTP [7], ECN [6]), but they also constrain reachability for traditional protocols: there is no guarantee that UDP or TCP outside ports 80/443 work through many networks, including office, cellular or hotspots [3]. This pushes most apps to rely on tunneling to reliably get through networks. HTTP is a favourite amongst mobile apps, and it has even been touted as the new hourglass of the Internet [5]. However, tunneling adds framing overhead, and the effect is quite pronounced when the tunneled traffic is UDP-like (e.g. VoIP): in such cases (useless) retransmissions and head-of-line blocking increase jitter and degrade app performance.
A minority of apps use adaptive tunneling to ensure reachability and the smallest possible overhead: for instance, Skype tries UDP, then TCP and finally HTTP or HTTPS. This approach is also suboptimal: certain middleboxes rate limit UDP tunnels to a level where Skype can check reachability but can't make calls.
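The FTP rewriting by NATs described above, as an added example that is not from the paper: a simplified Python model of a NAT's FTP helper that rewrites a PORT command and then shifts sequence and acknowledgment numbers by the resulting length difference. The class name, addresses and sequence numbers are constructed for illustration, the data port is left unchanged, and the model assumes ACKs only cover data sent after the rewrite.

```python
import re

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


class FtpNatFlow:
    """One client->server FTP control connection as seen by a NAT (hypothetical model)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip  # NAT's external address (constructed value)
        self.delta = 0              # net bytes added to the client's stream so far

    def outbound(self, seq, payload):
        """Client -> server: shift seq by earlier growth, then rewrite PORT if present."""
        new_seq = (seq + self.delta) % MOD
        m = PORT_RE.match(payload)
        if m:
            # Replace the private address, keep the two port octets as sent.
            addr = self.public_ip.replace(".", ",").encode()
            rewritten = b"PORT " + addr + b"," + m.group(5) + b"," + m.group(6) + b"\r\n"
            self.delta += len(rewritten) - len(payload)
            payload = rewritten
        return new_seq, payload

    def inbound(self, ack):
        """Server -> client: map the ACK back into the client's own sequence space."""
        return (ack - self.delta) % MOD


def demo():
    flow = FtpNatFlow("203.0.113.17")
    seq = 4294967290                       # constructed, close to the 32-bit wrap
    cmd = b"PORT 10,0,0,5,19,137\r\n"      # constructed client command (22 bytes)
    _, out1 = flow.outbound(seq, cmd)      # rewritten command is 26 bytes
    seq2 = (seq + len(cmd)) % MOD          # what the client sends next
    s2, out2 = flow.outbound(seq2, b"LIST\r\n")
    server_ack = (s2 + len(out2)) % MOD    # server acknowledges what it received
    client_ack = flow.inbound(server_ack)  # must equal seq2 + len(b"LIST\r\n")
    return out1, flow.delta, s2, client_ack


if __name__ == "__main__":
    print(demo())
```

Every later segment on the connection needs this adjustment, which is why a payload rewrite that changes length turns the NAT into a stateful participant in the TCP stream.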
Content-modifying middleboxes are more problematic: they optimize for known apps (e.g. FTP/HTTP) but can break apps that utilize the same port numbers as the known apps. For instance, HTTP parsers can reply with cached contents instead of forwarding the request to the server, which can break end-to-end semantics of apps tunneling over HTTP. Because of this, apps are forced to tunnel over HTTPS, thus hiding their traffic from the operator. This outcome is suboptimal for all parties: mobiles spend more energy to encrypt and decrypt traffic (15% in our tests on a Galaxy Nexus) and the operator can't see the traffic anymore and can't protect its customers and network against attacks. Content-modifying middleboxes also increase complexity in new protocols. Multipath TCP [2], a TCP extension that allows using multiple paths in a single TCP connection, includes a redundant checksum in the DSS option to ensure it
Publication date: 2014