Transport and application layer protocol provides end-to-end connectivity for clients and servers, but conveys limited or even no information to a middlebox, such as Policy and Charging Control (PCC) system, between the client and server. However, PCC needs to authenticate the client-server traffic so that it can perform the basic functionality, i.e., charging the client. Due to lack of traffic authentication capability in transport and application layer protocol, state-of-the-art PCC adopts Deep Packet Inspection (DPI) to understand client-server communication and decide whether to charge a client. However, in this draft, we show that current transport layer protocol(TCP) and application layer(HTTP, TLS) protocol cannot meet the need of traffic authentication, i.e., the user can modify the packet and by pass the ISP PCC to have free ride. Due to the existence of the aforementioned free-riding attacks, we believe that Transport and application layer protocol needs to provide traffic authentication capability to a middlebox. In this draft, we describe free-riding attacks and present requirements for providing traffic authentication.