As awareness of VSAT Systems satellite Internet access (www.vsat-systems.com) becomes more wide spread, demand for secure connections from remote locations to corporate local area networks continues to increase. The high latency inherent in geo-synchronous satellite connections has presented a significant obstacle to efficient virtual private network (VPN) connections over satellite.
Various solutions to carrying IP traffic over satellite have been proposed, but each one has had some limitation that prevented it from becoming widely adopted. Recently Encore Networks released their VSR-30 3DES VPN device, which offers most popular features of IPSEC appliances, but leaves IP header unencrypted. This feature makes VSR-30 attractive for satellite-based VPN applications because visible headers allow VSAT Systems to optimize throughput.
The Problem In order for a two-way satellite service to perform properly in conjunction with traditional terrestrial networks (Internet, Intranet), satellite data networks must employ special techniques to deal with extra 44,600-mile space segment of connection. Without those steps, increased latency, time required to traverse extra distance, means that TCP severely limits performance.
The Internet relies on Transmission Control Protocol (TCP) to ensure packet delivery without errors. TCP works by sending a certain amount of data, “window size,” then waiting for receiver to send an acknowledgment of receipt. With TCP, sender cannot transmit more data until it has received an acknowledgment. If an acknowledgment does not arrive in a timely manner, TCP assumes packet was lost (discarded due to network congestion) and resends it. When packets go unacknowledged, TCP also slows transmission rate to reduce congestion and to minimize need for retransmissions.
TCP/IP sessions start out sending data slowly. Speed builds as rate of acknowledgments verifies network’s capacity to carry more traffic. This is known as slow-start, followed by a ramp-up in speed. The speed of connection builds until sender detects packet loss from a lack of an acknowledgment. This allows TCP to achieve fastest practical data transfer rate for conditions present on network.
Terrestrial networks typically have round-trip latencies in range of 35 to 100 ms. Satellite networks, due to distance of geo-synchronous satellites above equator, require 550 ms or more. Some satellite connections have much higher latencies. Depending upon satellite hardware and subscription policy of service provider, latencies of 800 ms to as much at 2,000 ms or more can occur. TCP interprets additional satellite transit time as network congestion. If uncorrected, this effect causes network to send all additional packets at slow-start rate.
Current satellite data networks employ a technique referred to as TCP acceleration or IP spoofing to compensate for extra time required to transit space segment. Special equipment at carrier’s main satellite hub appears to terminate TCP session, so it appears to sender as remote location. In actuality device at satellite hub acts as a relay or forwarder between originating terrestrial location and remote satellite unit. When spoofing equipment receives Internet traffic destined for a remote satellite location, it immediately acknowledges receipt of packet to sender so more data packets will follow promptly. This way sender never experiences actual latency to remote site because acknowledgments return rapidly. As a result, TCP moves out of slow-start mode quickly and builds to highest practical speed.
To prevent packets from being acknowledged twice, spoofing equipment suppresses acknowledgments from remote site. In this way, computers behind a satellite link communicate seamlessly and efficiently with servers on terrestrial Internet.
IPsec VPNs not only encrypt data portion of packets, they also encrypt TCP port number and IP address of sender’s computer. (Think of TCP port as apartment number while IP address is that of building.) Consequently, only VPN software at remote site can decipher where packets originated and acknowledge receipt of data.
Popular IPsec VPNs, therefore, defeat TCP acceleration over satellite links because ground stations cannot adjust fields in header when those fields are encrypted. This situation requires that acknowledgments transit space segment twice (over and back) and results in substantial performance degradation. The impact on performance increases as latency rises. To determine effect of latency on performance and to measure effectiveness of an alternative VPN device, engineers at VSAT Systems transferred a variety of data files over a high-quality satellite link under controlled conditions and measured results.
Test Procedure The test compared transfer rates over a Cisco 1711 IPsec VPN and an Encore VSR-30 Selective Layer Encryption (SLE) appliance to each other and to speed of file transfers over open Internet (unencrypted). The data moved from remote to server, then from server to remote using FTP. Transfer rates were measured in kilobits per second (Kbps). The test utilized six different files to measure data transfers rates: 500 kilobyte, 5 megabyte, and 10 megabyte files in both compressible (text) and non-compressible (binary)forms.
Both Cisco and Encore equipment used 3DES encryption. However, Encore unit’s SLE encrypted only data, leaving IP and TCP headers accessible. With headers accessible, encrypted packets are compatible with all types of satellite modems and all methods of TCP acceleration.
The test transferred files between two similarly configured Free BSD computers containing three identical network cards. With three cards in each system, computers could multi-home and physically separate data. The resulting three data paths facilitated near simultaneous testing of two VPN circuits and unencrypted, clear connection.