Telecommute with satellite internet and VPN
As the cost of consumer satellite systems and bandwidth drops lower and lower, Internet access becomes more widespread and the demand for secure connections from remote worker locations to Company headquarters or branches is increasing.
More and more companies are now embracing telecommuting but is satellite internet able to support it? The answer is, Yes. However, this article will explain what you need to know to successfully implement VPN the most common method of enabling telecommuting. The major consideration with satellite connectivity is high latency or round-trip time (RTT), it’s a long way to space and back. Historically, satellite latency has presented a significant obstacle to achieve efficient VPN (Virtual Private Network) connections over satellite but the below article will explain how this is no longer the case and what steps should be taken to minimise its impact.
The Problem with VPN Over Satellite
For a Two-way satellite service to perform properly in conjunction with traditional terrestrial networks, two-way satellite networks must employ special software to deal with the extra 23000-mile space distance of the connection. Without this software, the increased latency (the time required to traverse the space segment) means that the TCP protocol severely limits link performance.
The Internet relies on the Transmission Control Protocol (TCP) to ensure packet delivery without errors. TCP works by sending a certain amount of data, then waits for the receiver to send an acknowledgement of receipt. With TCP, the sender cannot transmit more data until it has received an acknowledgement. If an acknowledgement does not arrive in a timely manner, TCP assumes the packet was lost (discarded due to a congested network) and resends it. When packets go unacknowledged, TCP also slows the send rate to reduce the perceived congestion and to minimise the need for re-transmissions.
TCP/IP sessions start out sending data slowly. Speed builds as the rate of the acknowledgements verifies the network's capacity to carry more traffic. This is known as slow-start, followed by a ramp-up in speed. The speed of the connection builds until the sender detects packet loss from a lack of an acknowledgement.
Ground networks typically have round-trip latencies in the range of 35 to 100 ms. Satellite networks, due to the distance of geo-synchronous satellites above the equator, require 650 ms or more. Some satellite connections have much higher RTT. The TCP protocol interprets the additional satellite RTT as network congestion. If uncorrected, this effect causes the network to send all additional packets at the slow-start rate.
Current two-way satellite networks employ a technique referred to as TCP spoofing to compensate for the extra time required to pass through the space segment. Special software on the satellite modem appears to terminate the TCP session, so it appears to the sender as the remote location. In reality the satellite modem is acting as a forwarder between the originating PC or host and the remote site. When the modem receives Internet, traffic destined for a location, it immediately acknowledges receipt of the packet to the sender so more data packets will follow quickly. This way the sender never experiences the actual higher satellite latency to the remote site because acknowledgements return to the sender at LAN speed. As a result, TCP moves out of slow-start mode quickly and builds to the highest link send speed.
IPsec VPNs not only encrypt the data portion of packets; they also encrypt the TCP packet header. Popular IPsec VPNs, therefore, defeat the modem TCP acceleration software because the modem cannot detect the TCP packet and will consequently pass the unrecognised packet over the space link as a "raw" packet. This situation requires that acknowledgements transit the space segment twice (over and back) and results in substantial performance degradation. The impact on performance increases as the latency rises.
There are many products in the market to overcome this issue. They use many techniques, but a common approach is to convert the TCP packet to UDP before the packet is presented to the satellite modem. UDP packets do not require acknowledgements’ and are therefore “pushed” over the satellite link at full throughput. These solutions are generally end to end solutions with a hardware device or software at both ends of the connection that will unpack the received UDP packet and reconvert to TCP before passing onto the LAN.
A new form of VPN connection has recently appeared on the market: SSL VPNs. These new VPNs are based on the Secure Sockets Layer (SSL), the protocol that safeguards the world of e-commerce; the VPNs are quickly becoming a leading option for remote access. Using HTTPS ports, the application can be recognised by the TCP spoofing software and therefore spoofed to full data throughput.
For further details and advice concerning satellite VPN connectivity please contact our sales team on sales@freedomsat.co.uk detailing your requirements and we will be pleased to offer our recommendations.