TCP IP Over Satellite - Yi Zhang
Yi Zhang
G27525863
1. Introduction
Satellite communications have numerous advantages over terrestrial data connections, including mobility, network topology, and the “anywhere and everywhere” benefit of global coverage. These advantages come at the price of increased data transit times and a lower level of security. Two problems in particular handicap satellite links for data applications [1]:
• Throughput limitation. TCP senders cannot exceed the rate at which the receiver can acknowledge receipt of packets, so satellite latency effectively caps standard TCP throughput per session (RFC 793).
• Security. Transmissions from satellites are available to anyone with a suitable receiver.
Separate solutions for each problem have been available for years. Manipulation of TCP header fields by a Performance Enhancing Proxy (PEP) server can fool the end points into increasing the throughput on a satellite connection. Encryption of the data defeats interception off the air. However, standard IPsec encryption of the IP packet hides the fields in the TCP header and so prevents an acceleration proxy from changing them. Therefore, an end user has had to choose which is more important, throughput or security. This paper discusses these two problems in detail and gives solutions for each.
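As an added example (not from the paper), the window/RTT cap described in the first bullet, computed for an assumed 550 ms geostationary round-trip time, together with the RFC 1323 window-scale shift a session would need to fill a faster link:

```python
import math

MAX_UNSCALED_WINDOW = 65535  # 16-bit window field of RFC 793
GEO_RTT_S = 0.55  # assumed geostationary round-trip time, both hops included

def max_throughput_bps(window_bytes: int, rtt_s: float = GEO_RTT_S) -> float:
    """Per-session cap: a sender can have at most one window in flight per RTT."""
    if window_bytes <= 0 or rtt_s <= 0:
        raise ValueError("window and RTT must be positive")
    return window_bytes * 8 / rtt_s

def required_window_bytes(link_bps: float, rtt_s: float = GEO_RTT_S) -> int:
    """Bandwidth-delay product: bytes that must be in flight to keep the link busy."""
    return math.ceil(link_bps * rtt_s / 8)

def window_scale_shift(window_bytes: int) -> int:
    """Smallest RFC 1323 shift count (0..14) whose scaled window covers the need."""
    for shift in range(15):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    raise ValueError("window exceeds the RFC 1323 maximum of 65535 << 14")

def satellite_budget(link_bps: float, rtt_s: float = GEO_RTT_S) -> dict:
    """Unscaled per-session cap versus the link rate, and the scaling that lifts it."""
    need = required_window_bytes(link_bps, rtt_s)
    return {
        "unscaled_cap_bps": max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_s),
        "window_needed_bytes": need,
        "scale_shift": window_scale_shift(need),
    }
```

With the assumed RTT, an unscaled 64 KB window caps a single session at roughly 0.95 Mbit/s regardless of the link rate; a 10 Mbit/s link needs about 688 KB in flight, i.e. a shift count of 4.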
4.1. VPNs
VPNs encrypt a company’s data traffic when traveling over the public Internet so
that the data streams cannot be easily intercepted and viewed. VPNs also authenticate the
data to ensure it has not been altered while in transit across the Internet. A VPN between
two sites constitutes a private connection (across a public network) through which data
can securely pass between hosts at the two sites.
VPNs operate in two modes [2], tunnel and transport, as shown in Figure 4. When a data packet enters a tunnel mode VPN connection, the whole data packet (TCP header and payload) is encrypted and given a new header, so that the original packet becomes the encrypted payload of a new VPN tunnel packet.
In transport mode, only the payload of the original data packet is encrypted; the
original TCP packet header becomes the new header and remains unencrypted. Transport
mode is fundamentally less secure than tunnel mode because the data header of the
original packet is still used, i.e. the source and destination IP addresses of the two hosts
are still used, and all the TCP session data remains in clear text in the header when
traveling over the Internet.
Figure 4 VPN Tunnel Mode vs. VPN Transport Mode
Tunnel mode VPNs have become the corporate security standard because of their superior security features [2]. By completely concealing (through encryption) the original data packet header and payload, the packet is impervious to the “man in the middle” attacks used to intercept, record and retransmit TCP sessions as the packets traverse the public Internet. With the header of the original data packet fully encrypted, no information can be obtained about the original TCP session running between the client and server. In transport mode, only the original payload is encrypted and the header is left unencrypted and subject to the prying eyes of a would-be attacker. As such, transport mode VPNs are seldom used because they do not meet companies’ security criteria for modern wide area networks.
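An added demonstration (not from the paper or any of its cited vendors) of the tunnel mode encapsulation just described, and of why it blocks TCP acceleration: the whole original IP/TCP packet is encrypted behind a new outer IP header carrying ESP, so an in-path proxy can no longer read or rewrite fields such as the advertised window. The cipher is a labelled stand-in keyed from a constant, not a real IPsec transform, and the addresses and key are constructed sample values.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # real IPsec keys come from IKE, not a constant
def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left zero for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def tcp_header(sport: int, dport: int, seq: int, window: int) -> bytes:
    # 20-byte TCP header: ports, seq, ack, offset, flags (PSH|ACK), window, csum, urg.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, window, 0, 0)

def toy_stream_xor(data: bytes, spi: int, seq: int) -> bytes:
    # Stand-in for ESP's cipher (demo only): SHA-256 keystream keyed by KEY, SPI, seq.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(KEY + struct.pack("!IIH", spi, seq, i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def esp_tunnel(inner: bytes, gw_src: bytes, gw_dst: bytes, spi: int, seq: int) -> bytes:
    # ESP: SPI | seq | ciphertext of the whole inner IP/TCP packet | 12-byte ICV.
    body = struct.pack("!II", spi, seq) + toy_stream_xor(inner, spi, seq)
    icv = hmac.new(KEY, body, hashlib.sha256).digest()[:12]
    return ipv4_header(gw_src, gw_dst, 50, 20 + len(body) + 12) + body + icv

def esp_icv_ok(packet: bytes) -> bool:
    # Receiving gateway's check: any in-path edit of SPI..ciphertext fails the ICV.
    expected = hmac.new(KEY, packet[20:-12], hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, packet[-12:])

def pep_view(packet: bytes) -> dict:
    # Fields an in-path proxy can parse from the outer IP header onward.
    proto = packet[9]
    if proto == 6:  # plain TCP: header readable, so a PEP could rewrite e.g. window
        sport, dport, seq, _a, _o, _f, window = struct.unpack("!HHIIBBH", packet[20:36])
        return {"proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "window": window}
    if proto == 50:  # ESP: only the SPI and ESP sequence number are in the clear
        spi, esp_seq = struct.unpack("!II", packet[20:28])
        return {"proto": "esp", "spi": spi, "seq": esp_seq}
    return {"proto": str(proto)}

def compare_views() -> tuple:
    # Constructed sample: TCP segment 10.0.0.5:40000 -> 192.168.1.10:443, 64 KB window.
    payload = b"GET / HTTP/1.1"
    inner = ipv4_header(b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x0a", 6, 40 + len(payload))
    inner += tcp_header(40000, 443, 1000, 65535) + payload
    tunneled = esp_tunnel(inner, b"\xc6\x33\x64\x01", b"\xcb\x00\x71\x01", 0x1234, 1)
    return pep_view(inner), pep_view(tunneled), tunneled
```

Flipping any byte of the tunnelled packet between the SPI and the ICV makes esp_icv_ok() return False, which is the mechanism that stops a proxy from adjusting the hidden TCP header even if it could locate it.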
Figure 5 Conflicts Between VPNs and TCP Acceleration in the Satellite Modem
This solution comprises an acceleration proxy (PEP) that is operated by the user rather than embedded within the hub. Again, there are many providers of this technology: some implement a client/server pair as software and hardware, others implement a hardware gateway pair. The solution chosen depends upon the configuration required at the remote site (single PC or LAN).
5. Conclusions
Due to the nature of TCP transmissions, any performance increases achieved by the various acceleration methods are offset by serious compromises in data security. Fundamental incompatibilities arise when one attempts to operate conventional VPN devices over satellite links, due to the nature of the TCP acceleration techniques commonly used for broadband satellite connections. VPNs may not function at all, security is compromised through the use of transport mode VPNs, and/or the lack of TCP acceleration can degrade application performance over satellite links to the point of being unusable.
6. References
[1] High Performance VPN Solutions Over Satellite Networks, http://www.virgintechnologies.com/downloads/WP_VPNs_over_satellite.pdf
[2] TCP/IP over Satellite: Optimization vs. Acceleration, Todd J. Anderson, PhD, End II End Communications, Inc., White Paper
[3] TCP/IP Performance over Satellite Links, Craig Partridge and Timothy J. Shepard
[4] Cisco Accelerated Internet over Satellite Solution, http://www.cisco.com/en/US/prod/collateral/modules/ps2797/solution_overview_c07-525404_ps2797_Products_White_Paper.html
[5] V. Jacobson, R. Braden, and D. Borman, TCP Extensions for High Performance, RFC 1323, May 1992
[6] M. Allman and D. Glover, Enhancing TCP over Satellite Channels Using Standard Mechanisms, Technical Report, NASA Lewis, 1998
[7] TCP/IP Over Satellite, Marc Emmelmann
[8] Speedguide, http://www.speedguide.net/articles.php?category=52
[9] Microsoft, http://www.microsoft.com/technet/itsolutions/network/deploy/depovg/tcpip2k.mspx
[10] IETF, http://www.ietf.org/rfc/rfc2760.txt
[11] Using VPN (Virtual Private Networks) over Satellite, http://www.sonet.at/dsdsl-vpn/dsdsl-vpn.htm