by dinartem 995 days ago
That's a valid point about complex parsing. I remember being very concerned about adding unnecessary overhead to each packet during encapsulation.

As for the SG, it primarily authenticated the Xbox machine account using Kerberos and then maintained a security association, accepted heartbeats, authenticated and decrypted incoming ESP-UDP packets into IP packets that it forwarded to the backend servers. Responses from the backend would be encrypted, authenticated, and encapsulated before sending back to the Xbox. I don't think the SG had any knowledge of higher level connections running through it, such as TCP or HTTP, so it would not have manipulated HTTP headers as they passed through.

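As an added illustration of the SG's inbound path described above (example code, not from the original thread or from the Xbox Live service): it assumes standard RFC 3948 UDP-encapsulated ESP framing, treats the single-byte 0xFF NAT keepalive as the "heartbeat", and uses a constructed SPI; each UDP payload is sorted into a keepalive, an ESP packet accepted by the security association's anti-replay window, or a drop with a reason.

```python
import struct

# Assumption: RFC 3948 framing (SPI + sequence number right after the UDP
# header, a lone 0xFF byte as NAT keepalive). Not the Xbox SG's actual format.
ESP_HEADER = struct.Struct("!II")  # SPI, sequence number


class SecurityAssociation:
    """Minimal inbound SA state: the SPI it accepts plus a sliding anti-replay window."""

    def __init__(self, spi, window=64):
        self.spi = spi
        self.window = window
        self.highest_seq = 0
        self.seen = 0  # bitmap: bit i set => highest_seq - i already received

    def check_replay(self, seq):
        """RFC 4303-style window check: True if seq is fresh, False if replayed or too old."""
        if seq == 0:
            return False
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window:
            return False  # older than the window: cannot tell if it was seen
        if self.seen & (1 << offset):
            return False  # duplicate inside the window
        self.seen |= 1 << offset
        return True


def esp_packet(spi, seq, body=b""):
    """Build a constructed ESP-UDP payload for testing (body is opaque here)."""
    return ESP_HEADER.pack(spi, seq) + body


def classify(payload, sa):
    """Return ('keepalive', None), ('esp', seq) or ('drop', reason) for one UDP payload."""
    if payload == b"\xff":
        return ("keepalive", None)
    if len(payload) < ESP_HEADER.size:
        return ("drop", "short")
    spi, seq = ESP_HEADER.unpack_from(payload)
    if spi == 0:
        return ("drop", "non-esp-marker")  # zero SPI marks IKE, not ESP
    if spi != sa.spi:
        return ("drop", "unknown-spi")
    if not sa.check_replay(seq):
        return ("drop", "replay")
    return ("esp", seq)  # caller would now authenticate and decrypt the body
```

The decrypted inner IP packet would then be forwarded to the backend without any TCP or HTTP inspection, matching the description above.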

Ok, cool. That's about what I figured at this point. Originally, while REing the protocol, I thought that it was holistically handling auth at that XSP layer, but then was surprised when a box would then identify its XID to matchmaking as well, which should have been stored in the krb ticket to bootstrap that connection.

Thanks so much, I really appreciate your candor here!

The SG had to do a few TCP-level things for NAT purposes like rewriting checksums, and it would sometimes synthesize a RST. No layer 7 processing at all.

There was a low-level protocol allowing backends to get some extra metadata about a connection.