VPN - Virtual Private Network
Virtual Private Networks are created by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. The VPN connection across the Internet is technically a wide area network (WAN) link between the sites. From a user perspective, the extended network resources are accessed in the same way as resources available from the private network hence the name “virtual private network”.
Two-way satellite Internet service is fast and reliable, and works very well for browsing, email, and most other Internet applications. However, many traditional VPN solutions have been known to decrease throughput of the connection by as much as 70% if used over a satellite link. At Mobil Satellite Technologies we offer several different ways to provide VPN encryption and security of data without compromising the performance of the satellite link.
Challenges of VPN Over Satellite
Geostationary satellites orbit a little more than 23,000 miles above the earth. Even at speeds approaching the speed of light, there is a delay (measured in milliseconds) as data travels up to the satellite and back down to earth. These unavoidable end-to-end propagation delays range from 550 to 650 ms on some satellite networks and from 1100 to 1200 ms on others, depending on the network you are operating on. These delays present a special technical challenge to satellite users who need to secure their data with a Virtual Private Network (VPN). While the delays do not noticeably affect web surfing or email, VPN applications that were not specifically designed for satellite networks will have difficulty staying connected and will significantly degrade the throughput of a satellite connection.
The higher the latency, the greater the impact on overall network performance when using an IPsec VPN. Using an IPsec VPN over HughesNet causes a 40%-75% reduction in the throughput of the connection. Using an IPsec VPN over iDirect still causes a significant reduction in performance, though not as severe. For a two-way satellite service to perform properly alongside traditional terrestrial networks, all two-way satellite networks use special software to deal with the extra 23,000-mile distance that the data has to travel. Without this special software, the increased latency (the time required to traverse the space segment) means that the TCP protocol severely compromises link performance.
The Internet relies on the Transmission Control Protocol (TCP) to ensure packet delivery without errors. TCP works by sending a certain amount of data, then waiting for the receiver to send an acknowledgment of receipt. If an acknowledgment does not arrive in a timely manner, TCP assumes the packet was lost (discarded due to a congested network) and resends it. When packets go unacknowledged, TCP also slows its send rate to reduce the perceived congestion and to minimize the need for retransmissions. TCP/IP sessions start out sending data very slowly in what is known as “slow start”, followed by a gradual ramp-up in speed as the rate of acknowledgments verifies the network’s capacity to carry more traffic. TCP reads the timing of the acknowledgments for the first packets sent and adjusts its transmit rate to accommodate whatever network congestion it thinks it is “seeing”. The speed of the connection builds until the sending server detects packet loss from a missing acknowledgment. Unfortunately, TCP was created well before satellite Internet was popular, and it has no concept of “latency”: it cannot tell propagation delay apart from queuing delay. TCP therefore incorrectly interprets any delay in receiving packet acknowledgments as network congestion. If uncorrected, this effect keeps the connection sending additional packets at the slow-start rate, and as a result the data packets never reach their optimal transmit speed.
Satellite networks, due to the distance of geosynchronous satellites above the equator, have latency in the 550 ms to 1150 ms range. Some satellite networks have higher round-trip ping times than others, depending on the number of subscribers, the number of network routers, the network topology, available bandwidth, and so on. Ground networks typically have round-trip latencies in the range of 35 to 100 ms. Two-way VSAT satellite networks all use a technique called TCP spoofing to compensate for the extra time required to pass through the space segment. As the data packets pass across the public Internet and through the satellite teleport, the acceleration software acknowledges receipt of each data packet back to the sending server, telling it that the packet has been received at the other end. This acknowledgment is sent while the data packet is still in transit through the space segment. When the real acknowledgment arrives from the remote site it is suppressed at the teleport, because the packet has already been acknowledged using a “spoofed” header. This leads the sending server to believe that the packet was received very quickly, prompting TCP to move out of “slow start” and begin sending data packets rapidly. The data packets arrive at the teleport quickly, are bounced off the bird, and are delivered to the remote site quickly.
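The two paragraphs above describe slow start, the effect of round-trip time on it, and how a spoofed acknowledgment at the teleport shortens the RTT the sender observes. The following model, added here as an illustration and not code from Mobil Satellite Technologies or any satellite modem vendor, puts numbers on that reasoning. It assumes a lossless link, an initial window of 10 segments, a doubling of the congestion window once per RTT until the window covers the bandwidth-delay product, and (for the spoofed case) that the sender sees only the terrestrial RTT to the teleport while the data still has to cross the space segment once. The link rates, RTTs and transfer size are constructed sample values.

```python
import math

MSS = 1460  # bytes per TCP segment (assumed)
INITIAL_WINDOW_SEGMENTS = 10  # assumed initial congestion window


def transfer_time(total_bytes, link_bps, rtt_s, mss=MSS,
                  initial_window=INITIAL_WINDOW_SEGMENTS):
    """Seconds to deliver total_bytes over a lossless link using a simple
    slow-start model: cwnd doubles every RTT until cwnd covers the
    bandwidth-delay product, after which the transfer is link-limited."""
    link_bytes_per_s = link_bps / 8
    pipe = link_bytes_per_s * rtt_s  # bandwidth-delay product in bytes
    cwnd = initial_window * mss
    sent = 0
    elapsed = 0.0
    while sent < total_bytes:
        if cwnd >= pipe:
            # Window no longer limits us: stream the rest at line rate.
            elapsed += (total_bytes - sent) / link_bytes_per_s
            sent = total_bytes
            break
        # Window-limited round: emit one cwnd, then wait a full RTT for ACKs.
        sent += min(cwnd, total_bytes - sent)
        elapsed += rtt_s
        cwnd *= 2
    return elapsed


def spoofed_transfer_time(total_bytes, link_bps, sat_rtt_s, ground_rtt_s):
    """Model of a TCP-spoofing teleport: the sender's slow start is driven by
    the short ground RTT, and the data crosses the space segment once more
    (half the satellite RTT) before reaching the remote site.  Simplification:
    teleport buffering and the suppressed real ACKs are not modelled."""
    return transfer_time(total_bytes, link_bps, ground_rtt_s) + sat_rtt_s / 2


def slowdown_ratio(total_bytes, link_bps, sat_rtt_s, ground_rtt_s):
    """How many times longer the transfer takes when the sender sees the full
    satellite RTT (for example because IPsec hides the TCP header from the
    accelerator) compared with the spoofed case."""
    raw = transfer_time(total_bytes, link_bps, sat_rtt_s)
    spoofed = spoofed_transfer_time(total_bytes, link_bps, sat_rtt_s, ground_rtt_s)
    return raw / spoofed


def rtts_to_fill_pipe(link_bps, rtt_s, mss=MSS,
                      initial_window=INITIAL_WINDOW_SEGMENTS):
    """Number of slow-start rounds before cwnd covers the bandwidth-delay
    product; shows why a 600 ms RTT needs more rounds than a 50 ms one."""
    pipe_segments = (link_bps / 8 * rtt_s) / mss
    if pipe_segments <= initial_window:
        return 0
    return math.ceil(math.log2(pipe_segments / initial_window))


if __name__ == "__main__":
    # Constructed scenario: 1 MiB transfer on a 10 Mbps link,
    # 600 ms satellite RTT versus 50 ms ground RTT.
    size, link, sat_rtt, ground_rtt = 1 << 20, 10_000_000, 0.6, 0.05
    print("unaccelerated: %.3f s" % transfer_time(size, link, sat_rtt))
    print("spoofed:       %.3f s" % spoofed_transfer_time(size, link, sat_rtt, ground_rtt))
    print("slowdown:      %.2fx" % slowdown_ratio(size, link, sat_rtt, ground_rtt))
    print("rounds to fill pipe at 600 ms: %d, at 50 ms: %d"
          % (rtts_to_fill_pipe(link, sat_rtt), rtts_to_fill_pipe(link, ground_rtt)))
```

With these sample values the unaccelerated transfer takes about 3.7 s and the spoofed one about 1.2 s, a roughly threefold difference, which is in the same range as the 40%-75% throughput reduction quoted above for IPsec over HughesNet. The model deliberately ignores loss, delayed ACKs and receive-window limits; it is meant to show the shape of the effect, not to predict a specific network.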
IPsec VPNs not only encrypt the data portion of packets, they also encrypt the TCP packet header. As a result, many of the most popular IPsec VPNs unintentionally defeat the modem's TCP acceleration software: the modem cannot detect a TCP packet inside the encrypted payload and consequently passes the unrecognized packet over the space link as a “raw” packet. Every acknowledgment must then transit the space segment twice (over and back), which results in substantial performance degradation. The impact on performance increases as the latency rises.
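To show concretely what the accelerator can and cannot see, the example below is an added illustration, not code from Mobil Satellite Technologies or from any modem or VPN product. It builds two constructed IPv4 packets with Python's struct module: one carrying a cleartext TCP header, and one carrying an ESP (IP protocol 50) header whose payload is an opaque stand-in for ciphertext. A minimal classifier, standing in for the modem's TCP detection, reads the IP protocol field and reports whether a TCP header with sequence and acknowledgment numbers is visible. The addresses, ports, SPI and XOR "ciphertext" are all constructed sample values; the XOR is only there to make the inner bytes unreadable to the classifier and is not encryption.

```python
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def build_ipv4(proto, payload, src="10.0.0.1", dst="10.0.0.2"):
    """Minimal IPv4 header (no options). Checksum is left at zero because the
    classifier below never verifies it."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport, dport, seq, ack, flags=0x10, payload=b""):
    """Minimal TCP header: data offset 5 words, ACK flag by default."""
    header = struct.pack("!HHIIBBHHH",
                         sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return header + payload


def build_esp(spi, seqno, ciphertext):
    """ESP header (SPI + sequence number) followed by opaque payload."""
    return struct.pack("!II", spi, seqno) + ciphertext


def opaque(data, key=0xA5):
    """Stand-in for ESP ciphertext: XOR with a constant so the TCP fields are
    unreadable without the key. This is NOT encryption; it only models the
    fact that the accelerator sees bytes it cannot parse."""
    return bytes(b ^ key for b in data)


def inspect(pkt):
    """What a TCP accelerator can learn from one packet on the wire.
    Returns a dict with the transport seen and whether the packet could be
    acknowledged early (spoofed) at the teleport."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"transport": "unknown", "acceleratable": False}
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, seq, ack = struct.unpack("!HHII", payload[:12])
        # Header is readable: the accelerator can generate a spoofed ACK for
        # this sequence number and later suppress the real one.
        return {"transport": "tcp", "acceleratable": True,
                "sport": sport, "dport": dport, "seq": seq, "ack": ack}
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, seqno = struct.unpack("!II", payload[:8])
        # Only the SPI and ESP sequence number are in the clear; the inner
        # TCP header is inside the ciphertext, so the packet goes over the
        # space segment "raw" and its ACKs must cross the link twice.
        return {"transport": "esp", "acceleratable": False,
                "spi": spi, "esp_seq": seqno}
    return {"transport": "ip-proto-%d" % proto, "acceleratable": False}


def sample_packets():
    """Constructed packets: the same TCP segment sent in the clear and
    wrapped in tunnel-mode ESP."""
    inner = build_ipv4(IPPROTO_TCP, build_tcp(40000, 443, seq=1000, ack=5000,
                                              payload=b"constructed data"),
                       src="192.168.1.10", dst="192.168.2.20")
    clear = inner
    tunnelled = build_ipv4(IPPROTO_ESP, build_esp(0xDEADBEEF, 7, opaque(inner)),
                           src="203.0.113.1", dst="198.51.100.1")
    return clear, tunnelled


if __name__ == "__main__":
    for pkt in sample_packets():
        print(inspect(pkt))
```

Running it shows the first packet classified as TCP with seq 1000 and ack 5000 visible, and the second as ESP with only the SPI and ESP sequence number visible and acceleratable set to False. That is exactly the situation the paragraph describes: the accelerator's decision depends on the IP protocol field and on being able to parse the TCP header, and tunnel-mode ESP removes both.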
Mobil Satellite Technologies offers a few very simple, proven solutions to overcome satellite latency problems when encryption is required.
Explore More From VPN
To overcome the challenges of VPN over satellite, we also offer a hybrid VPN solution called SatSecure VPN.
We provide the best hardware solutions for VPN over satellite internet connections through Cisco and Encore Networks.