RE: Re: Free S/wan over satellite

[David Klein <dklein () netscreen com>]

> From: Joseph S D Yao [mailto:jsdy () center osis gov]
> ...
> Not the window size problem I had thought, but this might explain it.
>
> But, why can't they play the same games with IPsec ESP 
> packets?  Aren't
> packets just packets?


All the TCP window size negotiation and TCP seq/ack numbers are encrypted
within the ESP header.  The point of encrypting and secure-hashing a packet
is so someone can't see the packet nor change the packet in transit.  This
would include your satellite provider.

IPSec ESP doesn't maintain a sliding window nor "replicate" the TCP seq/ack
numbers.  [Well, there are SPI numbers and there is a sequence number in the
ESP header but these are used for tunnel/SA identification and anti-replay.]
In an IP network, "maintaining the state of a connection" has always fallen
on the end-systems to do (via TCP).  Routers (dealing only with IP headers)
and VPN/IPSec gateways (dealing with IP and ESP headers) generally don't
care about this client-to-server "connection state".

Firewalls, NAT boxes, and Satellite gear tend to want to mess with IP and
TCP headers for security, enforcing state, hiding things, and in the case of
Satellites, tweaking/spoofing TCP headers to transparently overcome the
[standard TCP window size + long roundtrip delay] combo that negatively
effects throughput.  Just like a firewall can't see the TCP header nor
screen sessions/connections within an IPSec tunnel going through it, neither
can the Satellite terminals see nor muck with the TCP headers once they have
been tunneled (i.e., encapsulated and encrypted into an ESP header).

Dave Klein
Netscreen SE


> -----Original Message-----
> From: Joseph S D Yao [mailto:jsdy () center osis gov]
> Sent: Thursday, May 30, 2002 10:23 AM
> To: David Klein
> Cc: Ben Swanner; firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Re: Free S/wan over satellite
>
>
> On Thu, May 30, 2002 at 07:38:54AM -0700, David Klein wrote:
> > > On Fri, May 24, 2002 at 12:26:11PM -0500, Ben Swanner wrote:
> > > > Set up on Linux over vsat connection and speed dropped by a 
> > > > factor of ten.
> > > > Any ideas?
> >
> > IP-over-Satellite service providers do a couple of things 
> to overcome the
> > throughput issue related to the normal TCP window size 
> coupled with long
> > latency delays related to satellites.  Specifically, they 
> > 1) dip into the TCP header and increase the window size; and/or
> > 2) locally spoof TCP acks at the satellite terminal where the TCP
> > transmitter is.
> >
> > Item (1) will cause the TCP transmitter to send more 
> packets into the
> > network before stopping and waiting for acknowledgements.
> >
> > Item (2) will cause the TCP transmitter to think the 
> intended TCP receiver
> > has already received the packet it sent and so the TCP 
> transmitter will
> > continue sliding its TCP window along and transmitting more packets.
> >
> > Once you put TCP into IPSec ESP (or any encrypted packet), 
> they can't play
> > these games.  So now your real TCP window size comes into 
> play.  And with
> > the massive round-trip time associated with satellite 
> links, this means your
> > TCP transmitter blasts a few packets out (a normal TCP 
> window size worth)
> > and then effectively waits a while for the acks to come 
> back from the real
> > TCP receiver before sending more traffic.  
> >
> > Dave Klein
> > Netscreen SE
>
> Not the window size problem I had thought, but this might explain it.
>
> But, why can't they play the same games with IPsec ESP 
> packets?  Aren't
> packets just packets?
>
> -- 
> Joe Yao                               jsdy () center osis gov - 
> Joseph S. D. Yao
> OSIS Center Systems Support                                   EMT-B
> --------------------------------------------------------------
> ---------
>    This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards