While the evolution of the Internet was driven by the end-to-end model, that model has been challenged by many flavors of middleboxes over the decades. Yet the basic idea remains fundamental: reliability and security are usually realized end-to-end, and the strong trend towards ubiquitous traffic protection reinforces this notion. However, reasons to break up, or to redefine the ends of, end-to-end connections have always been put forward in order to improve transport-layer performance. The consolidation of the transport layer with the end-to-end security model, as introduced by QUIC, protects most protocol information from the network and thereby eliminates the ability of on-path elements to modify protocol exchanges. In this paper, we enhance QUIC to selectively expose information to intermediaries, thereby enabling endpoints to consciously insert middleboxes into an end-to-end encrypted QUIC connection while preserving its privacy, integrity, and authenticity. We evaluate our design in a distributed Performance Enhancing Proxy environment over satellite networks and find that the performance improvements depend on path and application-layer properties: the higher the round-trip time and loss rate, and the more data transferred over a connection, the greater the benefit of Secure Middlebox-Assisted QUIC.
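The abstract claims that selected protocol information can be exposed to an intermediary while the connection keeps its privacy, integrity and authenticity. The example below is added here to illustrate that property; it is not code from the paper or from its Secure Middlebox-Assisted QUIC implementation, and the abstract does not describe the paper's actual exposure mechanism. It models a packet as an exposed, authenticated-but-unencrypted part and an encrypted-and-authenticated part, using a toy encrypt-then-MAC construction built from HMAC-SHA256 so it runs on the Python standard library (QUIC itself uses AES-GCM or ChaCha20-Poly1305). The choice of the packet number as the exposed field, the key material, and the packet layout are assumptions made for the example. A middlebox without the endpoint keys can read the exposed field, sees the payload only as ciphertext, and any rewrite of either part is rejected by the receiver's tag check.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed example keys (assumption): a real deployment derives these
# from the QUIC/TLS handshake; they are hard-coded only so the example runs.
ENC_KEY = hashlib.sha256(b"example-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"example-integrity-key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stream cipher, not QUIC's AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(mac_key: bytes, nonce: bytes, exposed: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over nonce, exposed fields and ciphertext.
    The length prefix on the exposed part removes any boundary ambiguity."""
    msg = nonce + struct.pack(">H", len(exposed)) + exposed + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


@dataclass
class Packet:
    exposed: bytes      # authenticated but not encrypted: readable on the path
    nonce: bytes
    ciphertext: bytes   # encrypted and authenticated: end-to-end only
    tag: bytes


def seal(packet_number: int, payload: bytes) -> Packet:
    """Sender: the endpoint decides which field is exposed (here the
    packet number, an assumption) and encrypts everything else."""
    exposed = struct.pack(">Q", packet_number)
    nonce = struct.pack(">Q", packet_number)  # unique per packet
    ks = _keystream(ENC_KEY, nonce, len(payload))
    ciphertext = bytes(a ^ b for a, b in zip(payload, ks))
    return Packet(exposed, nonce, ciphertext, _tag(MAC_KEY, nonce, exposed, ciphertext))


def open_packet(pkt: Packet) -> tuple:
    """Receiver: verify the tag over both parts before using either,
    so any on-path modification of exposed or encrypted data is rejected."""
    expected = _tag(MAC_KEY, pkt.nonce, pkt.exposed, pkt.ciphertext)
    if not hmac.compare_digest(expected, pkt.tag):
        raise ValueError("integrity check failed: packet was modified on path")
    ks = _keystream(ENC_KEY, pkt.nonce, len(pkt.ciphertext))
    (packet_number,) = struct.unpack(">Q", pkt.exposed)
    return packet_number, bytes(a ^ b for a, b in zip(pkt.ciphertext, ks))


def middlebox_observe(pkt: Packet) -> int:
    """A PEP without endpoint keys reads the exposed packet number
    (e.g. for loss detection); the payload is only ciphertext to it."""
    (packet_number,) = struct.unpack(">Q", pkt.exposed)
    return packet_number


def middlebox_tamper(pkt: Packet, new_packet_number: int) -> Packet:
    """An intermediary rewriting an exposed field; the receiver's tag check catches it."""
    return Packet(struct.pack(">Q", new_packet_number), pkt.nonce, pkt.ciphertext, pkt.tag)


def receiver_accepts(pkt: Packet) -> bool:
    try:
        open_packet(pkt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = seal(7, b"GET /index.html")           # constructed sample payload
    print("middlebox sees packet number", middlebox_observe(pkt))
    print("receiver accepts original:", receiver_accepts(pkt))
    print("receiver accepts tampered:", receiver_accepts(middlebox_tamper(pkt, 8)))
```

In this simplified model the exposed part is visible to every on-path observer, not only to a middlebox the endpoints chose to insert; exposing a field to one selected intermediary while hiding it from the rest of the path would additionally require a key shared with that intermediary, which this example does not model.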