SEAMS: A Signaling Layer for End-Host-Assisted Middlebox Services


Bibliographic details
Main authors: Hummen, R., Ziegeldorf, J. H., Heer, T., Wirtz, H., Wehrle, K.
Format: Conference paper
Language: eng
Description

Abstract: On-path network elements, such as NATs and firewalls, are an accepted commonality in today's networks. They are essential when extending network functionality and providing additional security. However, these so-called middleboxes are not explicitly considered in the original TCP/IP-based network architecture. As a result, the protocols of the TCP/IP suite provide middleboxes with the same information about data flows as packet-forwarding routers. Yet, middleboxes typically perform complex functions within the network that require additional knowledge. Inferring this knowledge from observing the sparse information available in network packets requires these devices to base their decisions on ambiguous or forgeable data. In this paper, we first discuss problems arising from insufficient information and identify the resulting informational requirements of middleboxes. We then propose SEAMS, a signaling layer that provides middleboxes with descriptive and verifiable data flow contexts in addition to the IP address and port information that many middleboxes use today. Specifically, SEAMS enables middleboxes to request and use detailed information about the host, application, and user that is accessible at the communicating end hosts. This information can then be used to provide more secure and richer middlebox functions in home and enterprise network scenarios. Our evaluation shows that SEAMS is a feasible addition to TCP/IP-based networks and that it scales well in the presence of multiple on-path middleboxes.
ISSN: 2324-898X, 2324-9013
DOI: 10.1109/TrustCom.2012.250