While the evolution of the Internet was driven by the end-to-end model, it has been challenged by many flavors of middleboxes over the decades. Yet, the basic idea is still fundamental: reliability and security are usually realized end-to-end, where the strong trend towards ubiquitous traffic protection supports this notion. However, reasons to break up, or redefine the ends of, end-to-end connections have always been put forward in order to improve transport layer performance. Yet, the consolidation of the transport layer with the end-to-end security model as introduced by QUIC protects most protocol information from the network, thereby eliminating the ability to modify protocol exchanges. In this paper, we enhance QUIC to selectively expose information to intermediaries, thereby enabling endpoints to consciously insert middleboxes into an end-to-end encrypted QUIC connection while preserving its privacy, integrity, and authenticity. We evaluate our design in a distributed Performance Enhancing Proxy environment over satellite networks, finding that the performance improvements are dependent on the path and application layer properties: the higher the round-trip time and loss, and the more data is transferred over a connection, the higher the benefits of Secure Middlebox-Assisted QUIC.