IPSEC over satellite links: a new flow identification method

Acknowledgment based transport protocols such as TCP have low performance in satellite links, which are characterized by high latencies and high bit error rates. Low performance of TCP in satellite links is due to the fact that TCP packet losses are assumed to be the cause of congestion in the network, which turns out to be an invalid assumption for satellite links. TCP performance enhancing proxies (PEPs) are widely used to overcome the limitations of TCP over satellite links. However, when end-to-end security mechanisms, such as IPSEC, are used, TCP PEP mechanisms can not be used. IPSEC encrypts and/or authenticates the packet header fields that the PEP needs to read or modify. We propose a novel mechanism to integrate IPSEC with TCP PEPs. In our approach, a cryptographic hash of flow identification information is generated and stored in the IP header. The TCP sequence number is also stored in the IP header. Using the hash value and sequence numbers, the PEP is able to match packets and corresponding acknowledgements to regulate the flow. This approach is applicable to PEP mechanisms that need read access to the IP and TCP headers