Security Enabling Intermediary-Based Services
01 January 2004
Wireless carriers are evolving from providing basic Internet connectivity (a "dumb-pipe") to offering intermediary-based services and performance optimization to enhance users' experiences, including TCP performance improvements, multimedia packet filtering, header compression and prevention of denial-of-service (DoS) attacks. These services need the assistance of intermediate nodes placed in the carrier's network between communicating end-points. However, in the presence of an end-to-end security mechanism such as IPsec, it is impossible to offer such services without fully compromising end-to-end security. We propose a new architecture to enable intermediary-based services for wireless mobile users while maintaining an acceptable level of end-to-end security. As a part of our architecture, we present a new IPsec option called Encapsulating Security Variable Payload (ESVP). We identify several important issues related to the architecture and discuss methods for addressing them.