Scaling the performance of modern TLS middleboxes with mmTLS

Abstract

Modern security-monitoring TLS middleboxes play a critical role in fighting against the abuse by encrypted network traffic. Unfortunately, a TLS middlebox often suffers from huge computational overhead as it must translate and relay the encrypted traffic from one endpoint to the other. We observe that a simple TLS proxy drops the throughput of end-to-end TLS sessions by 69% to 78%. What is worse is that recent works on security enhancement of a TLS middlebox levy even more computational tax. In this paper, we present mmTLS, a scalable TLS middlebox architecture that significantly improves the traffic monitoring performance. mmTLS eliminates the traffic relaying cost as it operates on a single end-to-end TLS session by secure session key sharing. This approach is not only beneficial to performance but it also guarantees end-to-end TLS properties except for confidentiality. To detect illegal content modification, mmTLS supplements a TLS record with a private tag whose key is kept secret only to TLS endpoints. We find that the extra overhead for private tag generation and verification is minimal when augmented with the first tag generation. Our evaluation shows that mmTLS outperforms the nginx TLS proxy in the split-connection mode by a factor of 2.8 to 63.5, and achieves 133 Gbps of traffic relaying throughput.