Deploying Internet Protocol Security in satellite networks using Transmission Control Protocol Performance Enhancing Proxies

SUMMARY Applications that use the reliable Transmission Control Protocol (TCP) have a significant degradation over satellite links. This degradation is mainly a consequence of the congestion control algorithm used by standard TCP, which is not suitable for overcoming the impairments of satellite networks. To alleviate this problem, two TCP Performance Enhancing Proxies (PEPs) can be deployed at the edges of the satellite segment. Then these PEPs can use different mechanisms such as snooping, spoofing and splitting to achieve a better TCP performance. In general, these mechanisms require the manipulation of the Internet Protocol (IP) and TCP headers that generates a problem when deploying the standard IP security (IPsec) protocol. The security services that IPsec offers (encryption and/or authentication) are based on the cryptographic protection of IP datagrams, including the corresponding IP and TCP headers. As a consequence, these cryptographic protections of IPsec conflict with the mechanisms that PEPs use to enhance the TCP performance in the satellite link. In this article, we detail the reasons that cause this conflict, and we propose three different approaches to deploy IPsec in a scenario with TCP PEPs. Our proposals provide different trade‐offs between security and TCP performance in some typical scenarios that use satellite networks. Copyright © 2012 John Wiley & Sons, Ltd. In this article, we analyze the conflict between the cryptographic protections of Internet Protocol Security (IPsec) and the mechanisms that performance enhancement proxies (PEPs) use to enhance the transmission control protocol (TCP) performance in satellite links, and propose three different approaches to deploy IPsec in a scenario with TCP PEPs. These proposals provide different trade‐offs between security and TCP performance in some typical scenarios that use satellite networks.