
I'm a little drunk so please forgive me if I'm way off base here or if I'm ultimately describing a service that already exists.

Unless I'm mistaken, CloudFlare's services necessarily require they act as a MITM. Would it be possible or practical to change the DDoS protection service such that it uses an agent on the customer's end (the CF customer) that relays relevant data to CF, instead of having CF MITM all data?

As it is now, we have:

  End user <-> CF MITM to inspect packet data <-> CF Customer site
where CF uses the data discovered through MITM (and other metadata such as IP) to determine if the end user is a bad actor.

What if we, instead, had something like:

  End user <-> CF TCP proxy <-> CF Customer site
                   ^                    |
                   |                    v
             CF decision agent <-- CF metadata ingest
The CF captive portal would not work with this, but they could still shut down regular ol' boring TCP DDoSes.
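The pass-through design sketched in the post above, as an added example that is not part of the thread and not Cloudflare's code: a TCP relay that never decrypts or parses client bytes, and admits each new connection using only metadata (peer IP and connection rate) plus block/clear verdicts that a customer-side agent reports back through a metadata ingest. The class and function names (`DecisionAgent`, `relay`, `demo`), the rate threshold and the window size are assumptions chosen for illustration.

```python
import asyncio
import time
from collections import defaultdict, deque


class DecisionAgent:
    """Admission decisions from connection metadata only (no payload inspection).

    Two inputs, mirroring the diagram: a per-IP sliding window of connection
    attempts seen at the relay, and verdicts pushed in by the origin-side
    agent via ingest(). Thresholds are illustrative assumptions.
    """

    def __init__(self, max_conns_per_window=20, window_seconds=10.0, clock=time.monotonic):
        self.max_conns = max_conns_per_window
        self.window = window_seconds
        self.clock = clock
        self.recent = defaultdict(deque)  # ip -> timestamps of recent connection attempts
        self.blocked = set()              # ips the origin-side agent asked us to drop

    def ingest(self, ip, verdict):
        """Metadata ingest from the customer-side agent: 'block' or 'clear'."""
        if verdict == "block":
            self.blocked.add(ip)
        elif verdict == "clear":
            self.blocked.discard(ip)

    def admit(self, ip):
        """Return True if a new connection from ip should be relayed."""
        if ip in self.blocked:
            return False
        now = self.clock()
        q = self.recent[ip]
        while q and now - q[0] > self.window:  # expire attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.max_conns


async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side. Never parses data."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass
    finally:
        writer.close()


async def relay(agent, client_reader, client_writer, origin_host, origin_port):
    """Per-connection handler: decide on metadata, then splice the two sockets."""
    peer_ip = client_writer.get_extra_info("peername")[0]
    if not agent.admit(peer_ip):
        client_writer.close()  # rejected before any bytes reach the origin
        return
    try:
        origin_reader, origin_writer = await asyncio.open_connection(origin_host, origin_port)
    except OSError:
        client_writer.close()
        return
    await asyncio.gather(
        _pipe(client_reader, origin_writer),
        _pipe(origin_reader, client_writer),
        return_exceptions=True,
    )


async def demo():
    """In-process loopback: an echo 'origin' behind the relay; returns what came back."""
    agent = DecisionAgent()

    async def echo(r, w):
        w.write(await r.read(1024))
        await w.drain()
        w.close()

    origin = await asyncio.start_server(echo, "127.0.0.1", 0)
    origin_port = origin.sockets[0].getsockname()[1]

    async def handle(r, w):
        await relay(agent, r, w, "127.0.0.1", origin_port)

    proxy = await asyncio.start_server(handle, "127.0.0.1", 0)
    proxy_port = proxy.sockets[0].getsockname()[1]

    r, w = await asyncio.open_connection("127.0.0.1", proxy_port)
    payload = b"\x16\x03\x01 opaque client bytes"  # constructed; the relay never looks inside
    w.write(payload)
    await w.drain()
    echoed = await r.read(1024)
    w.close()
    proxy.close()
    origin.close()
    await proxy.wait_closed()
    await origin.wait_closed()
    return echoed


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    print(run_demo())
```

Because the relay only sees ciphertext, everything the decision agent knows comes from L3/L4 metadata and from what the origin-side agent chooses to report; the trade-off the replies below raise (no caching, no inspection of application data) follows directly from that.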



You wouldn't be able to have any CDN caching, only transit of encrypted traffic. Which is fine, but all the major clouds have load balancers that already do this and have varying levels of included and paid DDoS protection.


I think you have yourself a solid company idea right there. Go for it.



