Firewall Wizards mailing list archives
RE: Re: Free S/wan over satellite
From: David Klein <dklein () netscreen com>
Date: Thu, 30 May 2002 08:57:22 -0700
From: Joseph S D Yao [mailto:jsdy () center osis gov] ... Not the window size problem I had thought, but this might explain it. But, why can't they play the same games with IPsec ESP packets? Aren't packets just packets?
All the TCP window size negotiation and TCP seq/ack numbers are encrypted within the ESP header. The point of encrypting and secure-hashing a packet is so someone can't see the packet nor change the packet in transit. This would include your satellite provider. IPSec ESP doesn't maintain a sliding window nor "replicate" the TCP seq/ack numbers. [Well, there are SPI numbers and there is a sequence number in the ESP header but these are used for tunnel/SA identification and anti-replay.] In an IP network, "maintaining the state of a connection" has always fallen on the end-systems to do (via TCP). Routers (dealing only with IP headers) and VPN/IPSec gateways (dealing with IP and ESP headers) generally don't care about this client-to-server "connection state". Firewalls, NAT boxes, and Satellite gear tend to want to mess with IP and TCP headers for security, enforcing state, hiding things, and in the case of Satellites, tweaking/spoofing TCP headers to transparently overcome the [standard TCP window size + long roundtrip delay] combo that negatively effects throughput. Just like a firewall can't see the TCP header nor screen sessions/connections within an IPSec tunnel going through it, neither can the Satellite terminals see nor muck with the TCP headers once they have been tunneled (i.e., encapsulated and encrypted into an ESP header). Dave Klein Netscreen SE
-----Original Message----- From: Joseph S D Yao [mailto:jsdy () center osis gov] Sent: Thursday, May 30, 2002 10:23 AM To: David Klein Cc: Ben Swanner; firewall-wizards () nfr com Subject: Re: [fw-wiz] Re: Free S/wan over satellite On Thu, May 30, 2002 at 07:38:54AM -0700, David Klein wrote:On Fri, May 24, 2002 at 12:26:11PM -0500, Ben Swanner wrote:Set up on Linux over vsat connection and speed dropped by a factor of ten. Any ideas?IP-over-Satellite service providers do a couple of thingsto overcome thethroughput issue related to the normal TCP window sizecoupled with longlatency delays related to satellites. Specifically, they 1) dip into the TCP header and increase the window size; and/or 2) locally spoof TCP acks at the satellite terminal where the TCP transmitter is. Item (1) will cause the TCP transmitter to send morepackets into thenetwork before stopping and waiting for acknowledgements. Item (2) will cause the TCP transmitter to think theintended TCP receiverhas already received the packet it sent and so the TCPtransmitter willcontinue sliding its TCP window along and transmitting more packets. Once you put TCP into IPSec ESP (or any encrypted packet),they can't playthese games. So now your real TCP window size comes intoplay. And withthe massive round-trip time associated with satellitelinks, this means yourTCP transmitter blasts a few packets out (a normal TCPwindow size worth)and then effectively waits a while for the acks to comeback from the realTCP receiver before sending more traffic. Dave Klein Netscreen SENot the window size problem I had thought, but this might explain it. But, why can't they play the same games with IPsec ESP packets? Aren't packets just packets? -- Joe Yao jsdy () center osis gov - Joseph S. D. Yao OSIS Center Systems Support EMT-B -------------------------------------------------------------- --------- This message is not an official statement of OSIS Center policies.
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Free S/wan over satellite Ben Swanner (May 24)
- Re: Re: Free S/wan over satellite Chuck Swiger (May 25)
- Re: Re: Free S/wan over satellite Marcus J. Ranum (May 26)
- Re: Re: Free S/wan over satellite Dave Piscitello (May 27)
- Re: Re: Free S/wan over satellite Joseph S D Yao (May 30)
- <Possible follow-ups>
- RE: Re: Free S/wan over satellite David Klein (May 31)
- Re: Re: Free S/wan over satellite Joseph S D Yao (May 31)
- RE: Re: Free S/wan over satellite David Klein (May 31)
- Re: Re: Free S/wan over satellite Chuck Swiger (May 25)