The current Internet architecture tightly bundles several functions into the Transport Layer, all of which were originally intended to operate "end-to-end" between hosts. Some of these functions, however, such as endpoint naming and congestion control, have proven to be of great importance to network operators, who need to control and optimize the traffic crossing their networks. This leaves operators no choice but to deploy middleboxes such as firewalls, network address translators (NATs), and performance enhancing proxies (PEPs) that break end-to-end transport connections into shorter segments. In doing so, these middleboxes break TCP's end-to-end reliability semantics and prevent widespread deployment of end-to-end network-layer security mechanisms such as IPsec.
We are developing a new transport service architecture that decouples "true" end-to-end transport functions, such as reliable packet delivery and security, from middlebox-relevant functions, such as endpoint naming and congestion control. This decomposition enables a new type of middlebox, which we call a flow middlebox, to interact with the latter functions without interfering with the former, thereby resolving this tension within a clean architectural framework. Flow middleboxes can interact both with new transports and applications designed according to our architecture, and, via application-aware logic, with legacy transport and application endpoints. Endpoints that are modified to implement only the end-to-end functions and to interact with flow middleboxes designed according to our architecture receive the greatest benefits, although our architecture also supports, and can benefit, legacy endpoints.