
Issues When Using IPsec Over Geosynchronous Satellite Links

Satellite-based broadband data networks provide the means to convey large volumes of TCP traffic to individuals and organizations over an enormous geographic area. Satellite-based networks can also convey data for countless types of applications. However, they are vulnerable to eavesdropping like any other wireless network, and they may be just one of many networks that user data traverses, so employing IPsec would appear to be a logical end-to-end security solution. When IPsec is used, however, TCP headers may be encrypted. TCP can suffer from poor performance over networks with high latency, as is the case for geosynchronous satellite links. Performance enhancing proxies optimize protocol performance over satellite links by examining transport layer (TCP) headers. Since IPsec obscures the TCP headers that proxies rely upon, the two technologies seem incompatible. This paper describes the salient points of TCP over satellite links, performance enhancing proxies, IPsec, and the issues with the combined use of these technologies. A tradeoff solution and its security implications are then presented.
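The incompatibility described above, as an added example that is not code from the paper: a minimal on-path classifier showing which fields a performance enhancing proxy can read from a cleartext TCP packet and which from an ESP-protected one. The function names, addresses and packet bytes are constructed for illustration, and ESP without UDP encapsulation is assumed.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP = 6, 50  # IANA protocol numbers

def pep_view(packet: bytes) -> dict:
    """Return the fields an on-path proxy can read from one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP:
        if len(payload) < 20:
            raise ValueError("truncated TCP header")
        sport, dport, seq, ack, off_flags, window = struct.unpack(
            "!HHIIHH", payload[:16])
        # Ports, sequence/ACK numbers and window are what a proxy needs in
        # order to acknowledge locally and pace the sender.
        return {"proto": "tcp", "optimizable": True, "sport": sport,
                "dport": dport, "seq": seq, "ack": ack,
                "flags": off_flags & 0x01FF, "window": window}
    if proto == IPPROTO_ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        # Only the SPI and the ESP sequence number are in the clear; the
        # TCP header, if any, is inside the encrypted payload.
        spi, esp_seq = struct.unpack("!II", payload[:8])
        return {"proto": "esp", "optimizable": False,
                "spi": spi, "esp_seq": esp_seq}
    return {"proto": proto, "optimizable": False}

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2])) + payload

# Constructed samples: one TCP ACK segment, and an ESP packet whose body
# bytes stand in for ciphertext.
TCP_SEGMENT = struct.pack("!HHIIHHHH", 49152, 80, 1000, 2000,
                          (5 << 12) | 0x010, 65535, 0, 0)
CLEAR_PACKET = ipv4(IPPROTO_TCP, TCP_SEGMENT)
ESP_PACKET = ipv4(IPPROTO_ESP, struct.pack("!II", 0x1001, 7) + bytes(range(32)))

if __name__ == "__main__":
    print(pep_view(CLEAR_PACKET))
    print(pep_view(ESP_PACKET))
```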

770 (PDF, 1.86MB)

12 Aug 2002
By Greg Totsline
All papers are copyrighted

No re-posting of papers is permitted