Satellite Internet VPN

Satellite Internet VPNs, or Virtual Private Networks, consist of two or more computers or networks of computers that communicate securely with each other across an unsecured or public network such as the Internet. Virtual Private Networks are established by using compatible encryption and decryption hardware or software at each end of the connection. For various reasons, there is an increasing demand for companies to create a secure business VPN and for governments to create secure VPN solutions.

Two-way satellite Internet service is fast and reliable. It works very well for browsing, email, and most other Internet applications. However, satellite Internet VPN has typically had much lower performance (>70% degradation) than traditional web browsing or email over the same satellite link. The effects of satellite Internet on VPN speeds are discussed herein.

VPN Background

In order to perform properly in conjunction with traditional terrestrial networks (Internet, intranet), satellite data networks must employ special techniques to deal with the increased latency caused by the 46,000-mile space segment of the connection. While not related directly to speed, latency can cause a severe speed performance problem over satellite links if not handled properly.

TCP/IP is the “language” of the Internet. It works by sending packets of data, and then waiting for acknowledgments of receipt. These acknowledgments signal the sender to transmit more packets. If an acknowledgement does not arrive in a timely manner, TCP assumes the packet was lost or discarded due to network congestion and the packet is resent. TCP then slows the speed at which packets are being sent in order to avoid retransmission.

TCP works by starting a TCP/IP session slowly. Speed builds as the network's capacity to carry traffic is verified by the rate of the acknowledgments. This effect is known as slow-start. Since TCP was designed for terrestrial networks that have less latency than a satellite network, the longer satellite latency (600-700ms range for the Skycasters network) causes TCP to expect an acknowledgment before the round trip to the remote site can be completed. TCP interprets the additional satellite link latency as network congestion. If uncorrected, this effect causes all additional packets to be sent at the slow-start rate.

In all current-generation satellite data networks, IP acceleration (TCP acknowledgment spoofing) compensates for the space-link transit time. Spoofing is accomplished by special equipment at the carrier’s main satellite hub site. This equipment masquerades as the remote location, while acting as a relay or forwarder for data packets going to and from the remote satellite location. When the spoofing equipment receives a packet destined for a remote satellite location, it acknowledges receipt of the packet so more data packets will follow immediately. In this manner, the latency is “hidden” because the acknowledgments are returned rapidly. As a result, TCP moves out of slow-start mode quickly and builds to the highest possible speed.

The acceleration equipment watches for real acknowledgements coming back from the remote site and suppresses them. If the acknowledgement is not received from the remote site, the system automatically re-sends the packet from its buffer. Thus, satellite-connected sites communicate seamlessly with servers on the terrestrial Internet.

In a VPN over satellite Internet, the packets are encrypted and, therefore, can only be acknowledged by the Virtual Private Network’s client software at the remote site – not by the acknowledgment spoofing equipment. Spoofing is bypassed. Consequently, acknowledgments are delayed and the slow-start data rate remains in place during the entire session. The satellite Internet VPN undergoes substantial performance degradation because of this. Satellite Internet VPN speeds may be approximately as fast as dial-up, but they are not the robust multi-user broadband experienced when web browsing or using email over the same satellite link. This is a real VPN issue.
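The effect described above can be put into numbers with a simplified, loss-free slow-start model. This is an added example, not part of the original article or any vendor's code. The 650 ms satellite round trip is taken from the 600-700ms range quoted earlier; the 50 ms round trip to the hub, the 5 Mbit/s link, the 5 MB transfer, the 64 KiB window without window scaling and the initial window of 10 segments are all assumptions.

```python
# Added illustration, not from the original page: a loss-free slow-start model.
# Assumed values: MSS, 64 KiB window (no window scaling), initial window of 10.
MSS = 1460                 # bytes per TCP segment (assumed)
MAX_WINDOW = 65535         # bytes in flight allowed without window scaling (assumed)
INIT_CWND = 10             # initial congestion window in segments (assumed)


def rounds_needed(size_bytes, ack_rtt_s, link_bps):
    """Count ACK round trips until the sender has size_bytes acknowledged."""
    segments_left = -(-size_bytes // MSS)            # ceiling division
    max_cwnd = MAX_WINDOW // MSS                     # window cap in segments
    # Segments the link itself can carry during one ACK round trip.
    link_cap = max(1, int(link_bps / 8 * ack_rtt_s) // MSS)
    cwnd, rounds = INIT_CWND, 0
    while segments_left > 0:
        segments_left -= min(cwnd, max_cwnd, link_cap, segments_left)
        rounds += 1
        cwnd = min(cwnd * 2, max_cwnd)               # slow-start doubling
    return rounds


def transfer_time(size_bytes, ack_rtt_s, link_bps):
    """Seconds until the sender has every byte acknowledged."""
    return rounds_needed(size_bytes, ack_rtt_s, link_bps) * ack_rtt_s


def compare(size_bytes=5_000_000, link_bps=5_000_000,
            hub_rtt_s=0.05, satellite_rtt_s=0.65):
    """Spoofed ACKs (sender sees hub RTT) vs. VPN (sender sees satellite RTT)."""
    spoofed = transfer_time(size_bytes, hub_rtt_s, link_bps)
    tunneled = transfer_time(size_bytes, satellite_rtt_s, link_bps)
    return {
        "spoofed_s": spoofed,
        "vpn_s": tunneled,
        "spoofed_mbps": size_bytes * 8 / spoofed / 1e6,
        "vpn_mbps": size_bytes * 8 / tunneled / 1e6,
        "degradation": 1 - spoofed / tunneled,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>13}: {value:.2f}")
```

With these assumed inputs the spoofed session is limited by the link rate, while the encrypted session is limited by the window divided by the satellite round trip, whatever the link rate is.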

There are several solutions available to provide the security of the satellite Internet VPN, while maintaining speeds and the performance of the unencrypted link for your business Virtual Private Network.

