Firewall Wizards mailing list archives

RE: Re: Free S/wan over satellite


From: David Klein <dklein () netscreen com>
Date: Thu, 30 May 2002 07:38:54 -0700

On Fri, May 24, 2002 at 12:26:11PM -0500, Ben Swanner wrote:
> Set up on Linux over vsat connection and speed dropped by a 
> factor of ten.
> Any ideas?

IP-over-Satellite service providers do a couple of things to overcome the
throughput issue related to the normal TCP window size coupled with long
latency delays related to satellites.  Specifically, they 
1) dip into the TCP header and increase the window size; and/or
2) locally spoof TCP acks at the satellite terminal where the TCP
transmitter is.

Item (1) will cause the TCP transmitter to send more packets into the
network before stopping and waiting for acknowledgements.

Item (2) will cause the TCP transmitter to think the intended TCP receiver
has already received the packet it sent and so the TCP transmitter will
continue sliding its TCP window along and transmitting more packets.

Once you put TCP into IPSec ESP (or any encrypted packet), they can't play
these games.  So now your real TCP window size comes into play.  And with
the massive round-trip time associated with satellite links, this means your
TCP transmitter blasts a few packets out (a normal TCP window size worth)
and then effectively waits a while for the acks to come back from the real
TCP receiver before sending more traffic.  

Dave Klein
Netscreen SE
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
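
The effect described in the message above can be reproduced with a small sliding-window model. This is an added example, not part of the original post or thread. The link rate, round-trip times, window sizes and transfer size are constructed assumptions, and the satellite terminal's behaviour is reduced to what the sender sees: a larger window (item 1) or a shorter ack delay (item 2).

```python
from collections import deque

MSS = 1460  # bytes per segment (typical Ethernet MSS)

def transfer_time(total_bytes, window, ack_rtt, link_bps):
    """Seconds until a sliding-window sender has every byte acknowledged."""
    if window < MSS:
        raise ValueError("window must hold at least one segment")
    seg_time = MSS * 8 / link_bps      # serialization time of one segment
    in_flight = deque()                # ack arrival times, oldest first
    now = last_ack = 0.0
    sent = 0
    while sent < total_bytes:
        while in_flight and in_flight[0] <= now:
            in_flight.popleft()        # ack seen by sender, window slides
        if (len(in_flight) + 1) * MSS > window:
            now = in_flight[0]         # window full: idle until oldest ack
            continue
        now += seg_time                # put one more segment on the wire
        last_ack = now + ack_rtt       # when the sender will see its ack
        in_flight.append(last_ack)
        sent += MSS
    return last_ack

def throughput_bps(total_bytes, window, ack_rtt, link_bps):
    return total_bytes * 8 / transfer_time(total_bytes, window, ack_rtt, link_bps)

# Constructed values, not measurements from the thread.
LINK = 2_000_000      # 2 Mbit/s satellite channel
SAT_RTT = 0.6         # seconds, geostationary round trip
LOCAL_RTT = 0.005     # seconds, host to the local satellite terminal
SIZE = 5_000_000      # bytes transferred

SCENARIOS = {         # name -> (window the sender sees, ack delay it sees)
    "ESP: real 16 KiB window, end-to-end acks": (16_384, SAT_RTT),
    "item 1: window raised to 256 KiB": (262_144, SAT_RTT),
    "item 2: acks spoofed at local terminal": (16_384, LOCAL_RTT),
}

def run():
    return {name: throughput_bps(SIZE, w, rtt, LINK)
            for name, (w, rtt) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, bps in run().items():
        print(f"{name:42s} {bps / 1000:8.0f} kbit/s")
```

With these values the encrypted case is bounded by roughly one window per round trip, while both provider techniques let the sender fill the link.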

