Nice! You did a great job on the protocol. Probably my only complaint on the XSP side of things is the fact that you have to do relatively complex parsing of the XSP packets before you can get to the point of verifying the signature of the packet. Seems like all of the corner cases were handled well in the implementation on the boxes, but as someone who does auth/cryptography in my day job, it kind of gives me the heebie-jeebies.
Do you know if the auth side was carried into deeper parts of the backend? So like, did the SG decorate incoming connections with the auth information as they made their way to the different services? There seemed to be more auth information than I expected in headers on some of those HTTP calls into services like matchmaking.
That's a valid point about complex parsing. I remember being very concerned about adding unnecessary overhead to each packet during encapsulation.
As for the SG, it primarily authenticated the Xbox machine account using Kerberos and then maintained a security association, accepted heartbeats, authenticated and decrypted incoming ESP-UDP packets into IP packets that it forwarded to the backend servers. Responses from the backend would be encrypted, authenticated, and encapsulated before sending back to the Xbox. I don't think the SG had any knowledge of higher level connections running through it, such as TCP or HTTP, so it would not have manipulated HTTP headers as they passed through.
Ok, cool. That's about what I figured at this point. Originally while REing the protocol I thought that it was holistically handling auth at that XSP layer, but then was surprised when a box would the identify it's XID to matchmaking as well, which should have been stored in the krb ticket to bootstrap that connection.
Thanks so much, I really appreciate your candor here!
The SG had to do a few TCP-level things for NAT purposes like rewriting checksums, and it would sometimes synthesize a RST. No layer 7 processing at all
There was a low level protocol allowing backends to get some extra metadata about a connection
Do you know if the auth side was carried into deeper parts of the backend? So like, did the SG decorate incoming connections with the auth information as they made their way to the different services? There seemed to be more auth information than I expected in headers on some of those HTTP calls into services like matchmaking.