Satellite Internet by IP Satellite Systems

Broadband for a Connected World


Satellite VPN broadband satellite Internet

The Challenges of VPN and Satellite


The Problem
In order for a two-way satellite service to perform properly in conjunction with traditional terrestrial networks (Internet, Intranet), satellite data networks must employ special techniques to deal with the extra 44,600-mile (up to the satellita and back down) space segment of the connection. Even at speeds aproaching the speed of llight, the connection will have significant latency.


All data transmissions use Transmission Control Protocol (TCP) to ensure packet delivery without errors. At the beginiing of every data transmission, TCP enters a "slow start" mode. The server sends the first few packets of data, the “window size,” then waits for the receipient computer to reply with an acknowledgment that the packet has been received. TCP uses the timing of these packet acknowledgements coming back from the remote to determine how much Internet or network congestion may exist between the host and remote. The server sends some more packets and adjusts the transmit rate upwards each time until it reaches the maximum send rate that it thinks can be accomodated by the network and Internet congestion it thinks it is seeing. This is the send rate at which the remainder of the data transmission will be sent.


Unfortunately, TCP was developed prior to the wide-spread use and demand for secure satellite broadband connections. TCP does not understand the fundamental concept of "latency", and incorrectly interprets the natural satellite propogation delay in receiving the packet acknowledgement as network congestion rather than the latency that it is.


All satellite network operators provide TCP acceleration which is required to support basic TCP communications. Without this acceleration, the IP sessions would time out due to basic physics associated with the altitude of the satellite. This acceleration is commonly comprised of processors called Performance Enhancing Proxy Servers or PEP. All VSAT service providers have a similar process but all are unique to their network topology.


As data packets come across the public Internet (whether In-the Clear, or in a VPN) they pass through our teleport before being transmitted up to the satellite and down to your remote sites. As these data packets pass through our teleport, our PEP server sends a "spoofed" acknowledgement to the sending server, acknowledging the receipt of the data packet. Even while the data packets are still in transit through the space segment, the PEP server has told the sending server "Yes. I received that packet, there is a clear path.....send more packets quickly". This "spoofed" acknowledgement tricks or fools the sending server into thinking the packet has been received and acknowledged even while it is in transit, which causes the sending server to move out of "slow start" and transmit the data to us more quickly.


As a result, TCP rapidly builds the send rate to the highest practical speed. To prevent packets from being acknowledged twice, the spoofing equipment suppresses acknowledgments from the remote site. In this way, computers behind a satellite link communicate seamlessly and efficiently with servers on the terrestrial Internet.

This all works fairly well until a traditional IPSEC VPN is introduced. The VPN creates a secure encrypted protocol end to end between the VPN server and the client, effectively turning off the PEP server. In this case, the packet acknowledgements will actually come from the remote site on a long, slow 90,000 mile round trip of the packet from the server to the teleport, through the space segment to the satellite, down to the remote site where the acknowledgment is then sent back to the server on it's return trip.


The Solution

The Encore Networks BANDIT II (Broadband Access Network Device for Intelligent Termination) device uses Selective Layer Encryption. The Encore unit’s SLE encrypts only the data, leaving the IP and TCP headers accessible. With the headers accessible, the encrypted packets are compatible with all types of satellite modems and all methods of TCP acceleration.

The Results

In a three way test of a Cisco 1711 IPSec VPN vs. Encore Networks SLE VPN vs. In the Clear without VPN, the results were very clear. The Cisco IPSec VPN reduced the throughput of the connection by as much as 50% over either Encore Networks SLE VPN or In the Clear without VPN.


Click HERE to get information on Encore Networks VPN appliances


Satellite Internet VPN



Home | Satellite Solutions | Service Plans | Coverage Area | VPN | VoIP | De-Icing Systems | Request Information
Contact | Tech Support | Hardware & Installations | Resources | About | Site Map| Documents
Copyright 2007 IP Satellite Stytems