top | item 37590110

dinartem | 2 years ago

That's a valid point about complex parsing. I remember being very concerned about adding unnecessary overhead to each packet during encapsulation.

As for the SG, it primarily authenticated the Xbox machine account using Kerberos and then maintained a security association, accepted heartbeats, authenticated and decrypted incoming ESP-UDP packets into IP packets that it forwarded to the backend servers. Responses from the backend would be encrypted, authenticated, and encapsulated before sending back to the Xbox. I don't think the SG had any knowledge of higher level connections running through it, such as TCP or HTTP, so it would not have manipulated HTTP headers as they passed through.

monocasa | 2 years ago

Ok, cool. That's about what I figured at this point. Originally while REing the protocol I thought that it was holistically handling auth at that XSP layer, but then was surprised when a box would then identify its XID to matchmaking as well, which should have been stored in the krb ticket to bootstrap that connection.

Thanks so much, I really appreciate your candor here!

courage | 2 years ago

The SG had to do a few TCP-level things for NAT purposes like rewriting checksums, and it would sometimes synthesize a RST. No layer 7 processing at all.

There was a low level protocol allowing backends to get some extra metadata about a connection
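The checksum rewriting courage mentions is the classic NAT chore: changing a source address and port invalidates both the IP header checksum and the TCP checksum (whose pseudo-header covers the addresses). The following is an added illustration, not code from this thread or from the Xbox Live SG: it applies the RFC 1624 incremental update a gateway would use, and checks it against a full recomputation. The packet, addresses and ports are constructed sample values.

```python
import struct

def csum_add(words: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words (RFC 1071), folded to 16 bits."""
    if len(words) % 2:
        words = words + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(words) // 2), words))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def full_checksum(data: bytes) -> int:
    """Checksum computed from scratch, as a receiver would verify it."""
    return ~csum_add(data) & 0xFFFF

def incremental_checksum(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied to a multi-word field."""
    not_old = bytes(b ^ 0xFF for b in old_field)
    return ~csum_add(struct.pack("!H", ~old_csum & 0xFFFF) + not_old + new_field) & 0xFFFF

def build_packet(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP SYN with correct checksums (sample data, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", full_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    return ip[:10] + struct.pack("!H", full_checksum(ip)) + ip[12:] + tcp

def nat_rewrite_source(pkt: bytes, new_ip: bytes, new_port: int) -> bytes:
    """Rewrite source IP and port as a NAT gateway does, fixing both checksums incrementally."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    old_ip, old_port, new_port_b = bytes(ip[12:16]), bytes(tcp[0:2]), struct.pack("!H", new_port)
    # The IP header checksum covers only the header, so only the address change matters here.
    ip_csum = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", incremental_checksum(ip_csum, old_ip, new_ip))
    ip[12:16] = new_ip
    # The TCP checksum covers the pseudo-header (addresses) plus the TCP header (ports).
    tcp_csum = struct.unpack("!H", tcp[16:18])[0]
    tcp[16:18] = struct.pack("!H", incremental_checksum(tcp_csum, old_ip + old_port, new_ip + new_port_b))
    tcp[0:2] = new_port_b
    return bytes(ip + tcp)

def checksums_valid(pkt: bytes) -> bool:
    """Receiver-side check: the one's-complement sum over data plus checksum must be 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return csum_add(ip) == 0xFFFF and csum_add(pseudo + tcp) == 0xFFFF
```

The incremental form touches only the changed words, which is what keeps per-packet overhead low on a gateway that must not parse anything above layer 4.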