Faster secure network connections using satellite Internet access.
Summary
This paper explains in relatively non-technical terms why VPN performance over satellite is sluggish compared with other applications run across the same satellite link. It also presents a solution to these performance deficiencies.
Introduction
Virtual Private Networks consist of two or more computers or networks of computers that communicate securely with each other across an unsecured or public network such as the Internet. VPNs are established by using compatible encryption and decryption hardware or software at each end of the connection.
For various reasons, there is a constantly growing requirement from the business and government sectors to provide secure broadband data connections to their remote locations, including employee residences.
Secure access at useful speed is not available with traditional dialup access and faster solutions are in ever increasing demand. While DSL and Cable Internet are clearly the most cost effective solutions, DSL and cable do not reach approximately one-third of the remote locations that seek broadband service.
Two-way satellite Internet service is fast and reliable. It works very well for browsing, email, and most other Internet applications. In fact, reliability exceeds 99.8%. The increasing need for broadband services combined with very affordable solutions is driving demand for satellite services across North America. However, until today VPN has typically had much lower performance (>70% degradation) than traditional web browsing or email over the same satellite link, due to factors discussed herein.
Background
In order to perform properly in conjunction with traditional terrestrial networks (Internet, intranet), satellite data networks must employ special techniques to deal with the increased latency caused by the roughly 46,000 mile space segment of the connection (ground station up to a geostationary satellite and back down). Radio signals cover that distance at the speed of light in about a quarter of a second each way, so a request and its reply accumulate about half a second of pure propagation delay before any processing time is added. Latency is distinct from bandwidth: a satellite link can carry data quickly once it is flowing, but the delay can cause a severe throughput problem if it is not handled properly.
TCP/IP is the “language” of the Internet. TCP works by sending packets of data and then waiting for acknowledgments of receipt. These acknowledgments signal the sender to transmit more packets. If an acknowledgment does not arrive in a timely manner, TCP assumes the packet was lost or discarded due to network congestion and resends it. TCP then reduces the rate at which packets are sent in order to avoid further loss.
TCP starts each session slowly. Speed builds as the network's capacity to carry traffic is verified by the returning acknowledgments: the sender begins with a small window of unacknowledged data and enlarges it every round trip. This effect is known as slow-start. TCP was designed for terrestrial networks with far less latency than a satellite network, and each step of slow-start costs one round trip, so with satellite latency in the 720 ms range the ramp-up takes many seconds where a terrestrial link takes a fraction of a second. Throughput is also bounded by the window size divided by the round-trip time, which for a classic 64 KB window at 720 ms is on the order of 700 kbit/s however fast the link itself is. And because TCP treats any lost packet as a sign of congestion, a single loss on the satellite link drops the sender back toward the slow-start rate. If uncorrected, these effects keep the session far below the capacity of the link.
In all current-generation satellite data networks IP acceleration (commonly called IP or TCP spoofing; the generic term is a performance-enhancing proxy) compensates for the space-link transit time. Spoofing is accomplished by special equipment at the carrier's main satellite hub site. This equipment masquerades as the remote location while acting as a relay or forwarder for data packets going to and from the remote satellite site. When the spoofing equipment receives Internet traffic destined for a remote satellite location, it acknowledges receipt of the packet immediately so that more data packets follow. In this manner the latency is “hidden” from the sender, because the acknowledgments are returned rapidly. As a result, TCP moves out of slow-start quickly and builds to the highest possible speed, while the hub equipment buffers the data and carries it across the space segment itself.
The acceleration equipment watches for the real acknowledgments coming back from the remote site and suppresses them, since the sender has already been acknowledged. If an acknowledgment is not received from the remote site, the system automatically re-sends the packet from its buffer. Thus, satellite-connected sites communicate seamlessly with servers on the terrestrial Internet.
In a VPN-over-satellite session the packets are encrypted end to end: with IPSec the TCP header and sequence numbers travel inside the encrypted payload, so the hub equipment cannot read, acknowledge or retransmit them, and only the VPN client software at the remote site can. Spoofing is bypassed. Consequently, every acknowledgment takes the full satellite round trip, and the slow-start data rate remains in place for the entire session. This results in substantial performance degradation. VPN over satellite may be approximately as fast as dial-up, but it is not the robust multi-user broadband experienced when web browsing or using email over the same satellite link.
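The following is an added illustration, not code from Skycasters or Hughes, of the slow-start and window arithmetic described above. It uses a deliberately simple TCP model (the sender starts with one segment in flight, doubles its window every round trip until the receiver's window caps it, and a transfer is counted in whole round trips) and assumed values: 1460-byte segments, a 65535-byte receive window (classic TCP without window scaling), 50 ms terrestrial RTT and the 720 ms satellite RTT quoted in the text. The "with acceleration" case assumes the hub proxy answers at the terrestrial RTT and the proxied data then costs one extra one-way satellite delay; real stacks and proxies differ, so the numbers show the shape of the problem rather than a measurement.

```python
"""TCP slow start and window limits over a long-latency link (added model)."""

MSS = 1460             # bytes per segment (assumed)
RWND = 65535           # largest classic TCP window without window scaling
RTT_TERRESTRIAL = 0.05 # seconds (assumed)
RTT_SATELLITE = 0.72   # seconds, figure used in the text


def slow_start_rtts(size_bytes, rwnd=RWND, mss=MSS):
    """Round trips needed to deliver size_bytes when cwnd starts at one
    MSS and doubles every RTT until it reaches rwnd."""
    sent, cwnd, rtts = 0, mss, 0
    while sent < size_bytes:
        sent += cwnd
        rtts += 1
        cwnd = min(cwnd * 2, rwnd)
    return rtts


def transfer_time(size_bytes, rtt, rwnd=RWND, mss=MSS):
    """Seconds for the transfer when every acknowledgment takes a full rtt."""
    return slow_start_rtts(size_bytes, rwnd, mss) * rtt


def max_throughput_bps(window_bytes, rtt):
    """Steady-state ceiling: one window per round trip, whatever the link rate."""
    return window_bytes * 8 / rtt


def bdp_bytes(link_bps, rtt):
    """Bandwidth-delay product: the window needed to keep link_bps busy."""
    return link_bps * rtt / 8


def compare(size_bytes):
    """The three cases discussed in the text.

    With the hub proxy the sender ramps up against the short hub RTT; the
    assumed price of the space segment is one extra one-way satellite delay
    for the proxied data to cross it. Without the proxy (VPN over satellite)
    every acknowledgment takes the full satellite round trip."""
    accelerated = transfer_time(size_bytes, RTT_TERRESTRIAL) + RTT_SATELLITE / 2
    return {
        "terrestrial_direct": transfer_time(size_bytes, RTT_TERRESTRIAL),
        "satellite_with_acceleration": accelerated,
        "vpn_over_satellite": transfer_time(size_bytes, RTT_SATELLITE),
    }


if __name__ == "__main__":
    for name, secs in compare(1_000_000).items():
        print(f"{name:30s} {secs:6.2f} s for a 1 MB transfer")
    print("64 KB window ceiling over satellite: %.0f kbit/s"
          % (max_throughput_bps(RWND, RTT_SATELLITE) / 1000))
    print("window needed for 1 Mbit/s over satellite: %.0f bytes"
          % bdp_bytes(1_000_000, RTT_SATELLITE))
```

A 1 MB transfer needs 20 round trips under this model: one second terrestrially, about 1.4 s through the hub proxy, and 14.4 s when the VPN forces every acknowledgment across the satellite. The last two lines show the second half of the problem: a 64 KB window cannot exceed roughly 728 kbit/s at 720 ms RTT, and filling even a 1 Mbit/s link at that delay needs a 90 KB window.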
The SuperVPN Solution
The new satellite-powered VPN service recently announced by Skycasters (in conjunction with Hughes Global Services) is called SuperVPN. This solution is not truly a VPN, but a hybrid of VPN and PN (Private Network). It does not have the VPN-over-satellite performance limitations of its competitors because Skycasters securely connects its private satellite network directly to its customers' headquarters networks, eliminating the need to use a VPN across the space segment.
In the Skycasters SuperVPN secure network model, all data across the space link is encrypted in hardware: the remote satellite modem contains a secure ASIC, and traffic between it and the Skycasters routers and equipment collocated at the Hughes Network Systems satellite uplink center is protected with DES under per-session keys that the hub distributes to each modem (detailed under the space segment below). This segment of the connection is therefore encrypted with or without added VPN technology.
Skycasters routes the secure traffic between its private satellite network and its customers' headquarters networks across a variety of customer-selected options including point-to-point T-1, Frame Relay PVC or VPN across the Internet. Since the Internet method is by far the least costly, it is the most popular. If the Internet method is chosen, it is important to note that in the SuperVPN network configuration the VPN need only exist across the public Internet and not across the private satellite network. This avoids the performance problems of VPN-over-satellite because no VPN is used across the satellite link.
As an option, split-tunneling at the Skycasters VPN router can allow non-secure traffic to access the Internet backbone directly at the Skycasters router, eliminating the need to backhaul this traffic unnecessarily to the headquarters router. The usual split-tunnel trade-off applies: traffic sent directly to the Internet bypasses the headquarters network's security controls, so the option should be enabled only for sites where that is acceptable. Like all Skycasters applications, SuperVPN is designed to perform on the client side of a client-server connection. It should be noted that this service is not a transparent-LAN solution, although certain customizations may be employed to achieve nominal host-to-client connectivity.
The SuperVPN Network
The Skycasters SuperVPN high-performance secure solution allows the customer to establish a dedicated leased line or a point-to-point VPN across the Internet to connect their headquarters network with the Skycasters private satellite gateway at the Hughes facility in Germantown, MD. In the illustration below, an IPSec VPN secures the traffic while it passes over the public Internet between the customer's headquarters location and the Skycasters satellite gateway equipment. The traffic between the satellite uplink center and the remote satellite sites traverses the already-secured private satellite network.

SuperVPN VPN Segment
Since the Skycasters VSAT-powered satellite network is itself a private network, the point-to-point VPN connection only has to be made across the Internet (the public portion of the data path).
The point-to-point VPN configuration connects dedicated Skycasters routers and equipment at the Hughes uplink center to a Skycasters-provided router located at the customer's headquarters network. A permanent VPN session is established across the Internet between the Skycasters private network and the customer's network, and all designated data traffic is sent through the established connection. In the SuperVPN scenario, the remote site computers do not require a VPN client to be installed. Also, since the private data is not tunneled end-to-end, much greater speeds can be achieved by taking advantage of the performance-enhancing IP spoofing technologies. As mentioned previously, these performance-enhancing characteristics are disabled when a VPN is run across the space segment, so confining the VPN to the portion of the transmission where it is needed dramatically increases performance. Note the trust boundary this creates: the space-segment encryption and the Internet IPSec tunnel both terminate on the Skycasters equipment at the uplink center, so customer traffic is handled in cleartext there, and the customer is relying on the provider's hub security rather than on an end-to-end tunnel of its own.
SuperVPN Space Segment
Skycasters VSAT Conditional Access utilizes encryption technology to protect the various services against unauthorized access on the satellite downlink. Conditional access provides privacy by protecting multimedia streams and digital file transmissions to a site (email, file transfers, etc) and preventing transmissions from being intercepted by any site except those designated by Skycasters.
The VSAT NOC (Network Operations Center) individually encrypts each multimedia stream or package with a unique session key. Access to a stream or package is controlled by the NOC only making its session key available in usable form to individually authorized VSAT receivers. The NOC passes a VSAT remote unit its session keys in a scrambled format usable only by that specific receiver. Each remote includes a tamper-resistant hardware crypto-facility (secure ASIC) in which unique key material was stored during the manufacturing process. The crypto-facility is only capable of decrypting with session key material created by the NOC especially for that crypto-facility. As such, the receiver is only capable of decrypting the appropriate satellite services, and no other receiver can decrypt the service unless intentionally enabled by the NOC as part of a broadcast or multicast application.
The NOC uses the Data Encryption Standard (DES) with a 56-bit key as the bulk encryption algorithm over DVB (Digital Video Broadcast). Triple-DES with a 112-bit (two-key) key is used within the key-distribution algorithms. Practitioners should weigh the 56-bit key length: exhaustive search of the DES key space was demonstrated publicly with purpose-built hardware in 1998 (about 56 hours for one key), so single DES protects against casual interception rather than a determined, well-funded adversary. No encryption algorithm is applied to the upstream data going to the NOC/VPN router at the satellite uplink center; the argument is that the upstream channels (inroutes) are inherently secure based on their method of operation. Inroutes use Time Division Multiple Access (TDMA), meaning that multiple VSAT transmitters share the same inroute or set of inroutes. Transmissions occur in almost random bursts, and the TDMA time-slot assignments are controlled via the encrypted receive/downlink channel, so the outroute security would have to be compromised in order to reassemble inroute traffic. This is an obscurity argument rather than a cryptographic one: the inroute bursts themselves are transmitted in the clear, so upstream confidentiality rests on an attacker's inability to recover the slot assignments, not on encryption.
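The key flow described in the two paragraphs above, as an added example that is not code from Skycasters or Hughes: every receiver holds a unique key installed at manufacture, the NOC encrypts each service under its own session key, and that session key is handed to each authorized receiver wrapped under the receiver's unique key, so an unauthorized receiver cannot recover it and a tampered message is rejected rather than decrypted into garbage. The cipher is a stand-in (an HMAC-SHA256 keystream with an HMAC tag, run on the standard library only) replacing the DES and Triple-DES used by the real system; it shows the hierarchy, not a cipher to reuse. Receiver names, service names and the payload are constructed for the demonstration.

```python
"""Conditional-access key hierarchy, modelled end to end (added example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 16


def _subkey(key, label):
    # Distinct keys for keystream and tag so the two HMAC uses never collide.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = bytearray()
    for ctr in range(-(-length // 32)):          # ceil(length / 32) blocks
        out += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for the real cipher: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key, blob):
    """Plaintext, or None when the tag fails (wrong key or tampering).
    A receiver that is not entitled gets a clean refusal, not garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class NOC:
    """Hub side: knows every receiver's unique key and mints per-service session keys."""

    def __init__(self, receiver_keys):
        self.receiver_keys = dict(receiver_keys)   # receiver id -> unique key
        self.session_keys = {}                     # service id -> session key

    def new_service(self, service_id):
        self.session_keys[service_id] = os.urandom(32)

    def entitlement(self, service_id, receiver_id):
        """Session key wrapped so that only receiver_id's crypto-facility can open it."""
        return seal(self.receiver_keys[receiver_id], self.session_keys[service_id])

    def broadcast(self, service_id, payload):
        """Bulk-encrypted service data; the same frame goes to every receiver."""
        return seal(self.session_keys[service_id], payload)


class Receiver:
    """Remote VSAT: one unique key plus whatever session keys it has been given."""

    def __init__(self, unique_key):
        self.unique_key = unique_key
        self.session_keys = {}

    def load_entitlement(self, service_id, blob):
        key = unseal(self.unique_key, blob)
        if key is not None:
            self.session_keys[service_id] = key
        return key is not None

    def receive(self, service_id, frame):
        key = self.session_keys.get(service_id)
        return None if key is None else unseal(key, frame)


def demo():
    """Constructed scenario: two receivers, only one entitled to the service."""
    keys = {"vsat-A": os.urandom(32), "vsat-B": os.urandom(32)}
    noc = NOC(keys)
    noc.new_service("hq-data")
    a, b = Receiver(keys["vsat-A"]), Receiver(keys["vsat-B"])
    emm = noc.entitlement("hq-data", "vsat-A")      # wrapped for A only
    frame = noc.broadcast("hq-data", b"payroll.csv")
    return {
        "A_entitled": a.load_entitlement("hq-data", emm),
        "B_entitled": b.load_entitlement("hq-data", emm),   # B's key cannot open it
        "A_reads": a.receive("hq-data", frame),
        "B_reads": b.receive("hq-data", frame),
    }


if __name__ == "__main__":
    print(demo())
```

Enabling a second receiver for a multicast, as the text describes, is simply the NOC issuing another entitlement for the same service wrapped under that receiver's key; the broadcast frame itself does not change. The authenticated wrapping is the part worth copying: a receiver that is handed someone else's entitlement learns nothing and refuses cleanly instead of installing a wrong key.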
SuperVPN Network Security – Terrestrial Segment (Internet)
All traffic across the Internet between the Skycasters VPN routers at the satellite uplink center and the customer's headquarters location is secured by IPSec. Skycasters uses 3DES-CBC (Triple Data Encryption Standard in cipher block chaining mode) for data encryption and SHA-1 (developed by the US National Security Agency and published by NIST) as the hash behind IPSec's HMAC packet integrity and authentication, and was one of the first networks (satellite or terrestrial) to fully implement 3DES-CBC. These were the strongest widely available IPSec options at the time of writing; a deployment built today would choose AES and a SHA-2 based integrity algorithm instead.
The result is that customers connect to the Skycasters SuperVPN private satellite network with the security level of a dedicated private network, while using the Internet at a fraction of the leased-line cost. Skycasters' main VPN routers are collocated in the VSAT NOC facility and mediate all access between the Skycasters private satellite network and the Internet, leased lines and other satellite networks. These routers, in a fully redundant configuration, are capable of providing wire-speed Internet VPN to more than 40,000 simultaneous VPN sessions at speeds of up to 40 Gbps.
Limitations of VPN over Satellite
Most regular Internet applications like email and web browsing perform very well over satellite, delivering high speed service similar to DSL or Cable. There are some known issues with certain applications which are expanded upon below.
The VSAT service is asymmetrical, meaning that 80% of the bandwidth is allocated to download traffic and 20% to uploads. For this reason, VSAT does not support applications that require a high-speed upload such as web hosting at the remote site or two-way video conferencing. Applications that are sensitive to high latency may have problems. Satellite latency in the range of 720 ms to 1500 ms can be expected. Latency-sensitive applications include interactive gaming, VoIP, and non-TCP/IP applications. Even though the satellite latency can be hidden from TCP, applications themselves can still be affected by it.
Shared folders or drive mapping via NetBIOS will not perform properly over any satellite connection. Shared folders can instead be published by creating a directory under a web front-end such as Microsoft Internet Information Server (free, and included in Windows 2000 and NT), Apache or another web server. SQL Server applications need to be set up the same way for the same reasons. Any application that is compatible with a web front-end will perform better over satellite when set up in this fashion. Generally, any application that requires client software loaded at the remote site can have problems with latency unless adjustments are made at both the client and server end. These applications need to be evaluated individually by checking with the manufacturer to determine the effects of latency on the particular application.
Conclusion
Skycasters' innovative and unique satellite VPN solution solves the VPN-over-satellite performance problems while maintaining the highest levels of security. The solution provides unprecedented cost effectiveness for networks with as few as one remote satellite site. Skycasters VPN over satellite runs more than twice as fast as comparable satellite VPN services. Hardware-based encryption in the modem's secure ASIC, using DES under per-session keys distributed by the NOC, secures the space segment. An IPSec VPN across the Internet secures the terrestrial segment.
The Skycasters SuperVPN solution is priced comparably to regular satellite Internet service, but provides a much higher level of performance and security. Skycasters is currently the only provider capable of offering this service.