Abstract

This paper presents a TCP/IP-based architecture (IPSecOPEP) to resolve the interoperability issue between PEPs (Performance Enhancing Proxies) and IPSec (Internet Protocol Security). The problem arises because the IPSec ESP protocol cryptographically protects the TCP header, which prevents PEPs from applying TCP enhancing mechanisms. The key idea of this solution is that IPSec devices can serve as a bridge between end users and PEPs in such situations, because they can access both the TCP headers of the original packets and the IPSec headers of the encrypted packets. In this way, IPSec devices can perform a simple mapping between original TCP headers and their corresponding IPSec headers to resolve the interoperability issue. In our proposed IPSecOPEP architecture, we add new components to the standard TCP/IP stack of IPSec devices and PEPs, so that they ensure interoperability cooperatively and transparently, without affecting the security, privacy and performance level in such situations. In fact, this solution does not need to exchange any secret information about IPSec-related security associations. Furthermore, it does not require PEPs to add any additional headers to IPSec packets. However, IPSec devices should coordinate between end users and PEPs to provide the spoofing mechanism that avoids the slow-start problem of standard TCP. After that, PEPs can continue to apply other enhancing mechanisms over the satellite link. Hence, this solution offers a double advantage, concerning both security and performance at once. Moreover, the components of this solution can easily be standardized, implemented, integrated and enabled in IPSec devices and PEPs.
