IPSec VPN systems are not able to benefit from the speed of broadband satellites
and instead behave as if the connection were over a good dial-up connection.
This performance problem is the result of two primary drivers:

The first cause of satellite's difficulty with IPSec VPN systems is basic physics.
With Agristar Global Networks, a given packet of data from a remote
location is being redirected at the speed of light off a geosynchronous
satellite that is orbiting approximately 22,300 miles above the earth's
equator. Data is therefore traveling a total roundtrip distance of
89,200 miles over the space segment, which causes a delay of about
125 milliseconds on each of the four legs of the space segment, or
500 milliseconds total. It's a long way to travel, but with geosynchronous
satellite systems being the only method for high-speed data delivery
in rural areas for the foreseeable future, it's an inherent component
of high-speed data transmission for rural networks.

The second cause
is the manner in which the Internet handles data delivery. TCP/IP
is the language of the Internet. It works by sending packets
of data and then waiting for acknowledgments of receipt. These acknowledgments
signal the sender to transmit more data. When acknowledgments return
slowly, TCP then slows the speed at which data is being sent in order
to avoid overloading a network that it assumes is already congested.

TCP works by starting
a TCP/IP session slowly. Speed builds as the network's capacity
to carry traffic is verified by the rate of the acknowledgments. This
process is known as slow start. Since TCP was designed
for terrestrial networks that have less latency than satellite, the
longer satellite latency (500ms range) causes TCP to expect an acknowledgment
before the round trip to the remote site can be completed. And because
TCP does not recognize that a satellite is involved, it operates as
if the satellite latency were caused by congestion. The end result
is that if this process is not compensated for, all packets over a
satellite network will be sent at the slow-start rate.

Satellite's Data Acceleration Technology.

In all current-generation satellite data networks, TCP/IP acceleration
(referred to as TCP spoofing) is the process by which
this space segment transit time is mitigated. TCP spoofing is accomplished
by special equipment at the network operations center (NOC) that
appears to TCP as if it were the remote location while acting as a
relay or forwarder for data packets going to and from the actual remote
satellite location.
When the spoofing equipment in the NOC receives Internet traffic destined
for a remote satellite location, it acknowledges receipt of the packet
immediately on behalf of the remote site so that more data packets
will immediately follow. The spoofing equipment also watches for real
acknowledgements coming back from the remote site and suppresses them.
In this manner, the latency is hidden by disguising the
remote site as part of a typical terrestrial network and sending acknowledgments
rapidly back. As a result, TCP moves out of slow-start mode quickly
and builds to the highest possible speed.

The Problem with Satellite and IPSec VPN.

In an IPSec VPN over satellite session, the packets are encrypted
and therefore can only be acknowledged by the actual VPN client software
at the remote site, not by the acceleration equipment at the
NOC. The spoofing technology is thus not used, which results in the
packet acknowledgments being delayed. TCP assumes the delay means
that the network is congested and so the slow-start data rate remains
in place during the entire session. This translates to substantial
performance degradation. IPSec VPN over satellite is often faster
than dial-up, but it is not a robust multi-user broadband experience.
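
The difference between acknowledgments that must come from the remote site (the IPSec case) and acknowledgments sent by the NOC (the spoofed case) can be approximated with a small slow-start model. This is an added example, not code from Agristar Global Networks; the 1.5 Mbps link rate, 50 ms terrestrial round trip to the NOC, 64 KB receive window, 1460-byte segment size and initial window of 2 segments are assumptions, and the model ignores packet loss and delayed ACKs.

```python
# Idealized slow-start model (added example; every constant below is an
# assumption except the 500 ms satellite round trip, which is the text's figure).
MSS = 1460            # bytes per TCP segment (assumed)
RWND = 65535          # receive window in bytes, no window scaling (assumed)
LINK_BPS = 1_500_000  # satellite downlink rate in bits/s (assumed)
SAT_RTT_MS = 500      # end-to-end round trip over the space segment
NOC_RTT_MS = 50       # sender-to-NOC terrestrial round trip (assumed)


def rounds_needed(size_bytes, rtt_ms, init_cwnd=2):
    """Round trips the sender needs before every segment has been ACKed.

    cwnd doubles each round trip (slow start) until it reaches the smaller of
    the receive window and what the link can carry in one round trip.
    """
    segments = -(-size_bytes // MSS)                   # ceiling division
    link_cap = LINK_BPS * rtt_ms // (8 * 1000 * MSS)   # segments per round trip
    cap = max(1, min(RWND // MSS, link_cap))
    cwnd, rounds = min(init_cwnd, cap), 0
    while segments > 0:
        segments -= min(cwnd, segments)
        rounds += 1
        cwnd = min(cwnd * 2, cap)
    return rounds


def sender_time_ms(size_bytes, ack_rtt_ms):
    """Time until the sender sees the last ACK, for a given ACK round trip."""
    return rounds_needed(size_bytes, ack_rtt_ms) * ack_rtt_ms


def compare(size_bytes):
    """ACKs from the remote site (IPSec case) vs. ACKs from the NOC (spoofed)."""
    return {
        "ipsec_end_to_end_ms": sender_time_ms(size_bytes, SAT_RTT_MS),
        "spoofed_at_noc_ms": sender_time_ms(size_bytes, NOC_RTT_MS),
    }


if __name__ == "__main__":
    for size in (50_000, 1_000_000):   # a web-page-sized object and a 1 MB file
        print(size, compare(size))
```

The spoofed figure is the time until the NOC has acknowledged the data; delivery to the remote site still adds the one-way space-segment delay.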

Agristar Global Networks' Accelerated VPN Option.

Our solution is not a true VPN, but a hybrid VPN and PN (Private Network).
This configuration does not have the VPN-over-satellite performance
limitations of typical client-server VPN applications. With our Private
Network solution, all data is secured across the space link between
the remote site and the NOC by 3DES encryption and is therefore secure
with or without added VPN technology. The NOC connects this secure
traffic to a company's main corporate server across a variety
of terrestrial connection options including point-to-point T-1 or
a VPN tunnel on the Internet.
Agristar Global Networks' Private Network solution completely avoids
the performance problems of VPN-over-satellite because there is no
traditional VPN being used over the satellite portion of the connection,
thus enabling the acceleration technology in the NOC to be fully utilized.