Communications service providers face the continual task of designing high performance and secure networks. The emergence of Virtual Private Networks (VPNs) has provided network users with secure communications to their private network from remote sites. A private network is a network that allows multiple locations of a network to privately communicate; that is, to the exclusion of unauthorized users. In the past, private networks were implemented by using “leased line” communications circuits, as shown in FIG. 18. Private sites 1801, 1803, 1805, 1807 are interconnected by leased lines 1809, which are typically dedicated circuits supplied by a service provider. Within each of the sites 1801, 1803, 1805, 1807, multiple hosts are connected to the leased lines 1809 via a router. Security of the leased lines 1809 is ensured mainly by wire-tapping laws and the integrity of the service provider that supplies the leased lines.
By contrast, a virtual private network (VPN) permits an enterprise to communicate securely across a public network in such a way that the public network operates as one or more private communications links. FIG. 19 is a diagram of a conventional VPN, in which multiple private network sites 1901, 1903, 1905, 1907 are connected to a public network 1917, such as the Internet or a carrier's Internet Protocol (IP) internetwork. The packets originating from one private network site to another are encrypted and often cryptographically authenticated to provide security. In particular, the packets that are forwarded from one individual site to another are encrypted and carried in the payload of one or more packets traversing the public network. This placing of packets within another packet is referred to as tunneling. A VPN tunnel refers to two sites that securely exchange packets with one another by carrying encrypted versions of those packets within other packets using an agreed upon set of encryption algorithms and keys. With respect to routing within the Virtual Private Network, a tunnel operates, in concept, like the leased lines of the private network of FIG. 18.
Each private network site 1901, 1903, 1905, 1907 has a VPN server 1909, 1911, 1913, 1915, which performs the tunneling of VPN packets along with the associated cryptographic functions. A VPN client 1919 has the capability to establish a secure connection with any one of the VPN servers 1909, 1911, 1913, 1915.
Virtual private networks are attractive because the cost of one connection per site to a public network (which may be needed in order for the site's users to access hosts on the public network) is more economical than a leased line type connection into a private network. In addition, given today's security concerns, users are finding VPNs to be a reliable security solution, in large part, because VPN protocols (such as IPSEC) provide significantly higher security using advanced encryption technology than what is supplied by conventional private networks. VPN tunnels do not allow the service providers to view the packets within the VPN tunnel; in contrast, “leased line” service providers can examine the data carried over the leased line.
For interoperability reasons, private networks are often implemented using the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite. However, this popular protocol suite possesses a number of drawbacks. The performance shortcomings relate to the TCP protocol itself, which was designed during the infancy of data communications, when data networks were unreliable. These drawbacks include TCP Slow Start, TCP Connection Establishment, limited Maximum Window Size, Go-Back-N ARQ (Automatic Repeat Request), and Discarded Packet Congestion Control. TCP Slow Start is a congestion avoidance algorithm that limits TCP throughput on connections that have recently been established. TCP Connection Establishment has the drawback of requiring a full round trip before any user data can flow. The default maximum window size (typically 64 KB) limits the peak throughput of a TCP connection. The lost packet recovery algorithm uses a Go-Back-N scheme, which has a significant negative performance impact on connections with a high bandwidth-delay product. In addition, most TCP/IP networks handle congestion by discarding packets, which results in very inefficient Go-Back-N retransmissions; and TCP implementations severely restrict their window sizes on discovering packet loss, thereby severely reducing throughput.
Furthermore, TCP operates relatively inefficiently, with respect to bandwidth utilization. These inefficiencies include Excessive ACK (Acknowledgement) Packets, and lack of compression. Most TCP implementations provide a TCP ACK for either every received TCP segment or for every other TCP received segment. The ACK traffic, thus, consumes a significant amount of bandwidth. Furthermore, because TCP does not provide data compression, greater bandwidth is needed. The above performance hindrances are particularly pronounced over high-bandwidth high-delay networks, such as geosynchronous communication satellite networks and over highly asymmetric networks.
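The following is an added illustration, not part of the patent text, that puts numbers on the three TCP effects described above: the 64 KB window limit capping throughput at window/RTT, slow start spending round trips before a new connection can fill a long link, and Go-Back-N resending far more than was lost. The link rate, round-trip time and loss pattern are constructed assumptions chosen to resemble a geosynchronous satellite hop; the Go-Back-N model is a simplification (window full at the moment of loss, retransmissions themselves not lost).

```python
# Added illustration, not part of the patent text: quantifies the TCP
# drawbacks named above (64 KB window limit, slow start, Go-Back-N recovery)
# on a high bandwidth-delay link. All link figures are constructed assumptions.

SAT_RTT_S = 0.5              # assumed round-trip time of a geosynchronous satellite hop
LINK_BPS = 10_000_000        # assumed 10 Mbit/s link rate
MSS = 1460                   # typical TCP maximum segment size, in bytes
DEFAULT_WINDOW = 64 * 1024   # the default 64 KB maximum window cited in the text


def window_limited_throughput_bps(window_bytes, rtt_s):
    """Peak rate of a connection that may keep at most one window in flight:
    window / RTT, independent of how fast the link itself is."""
    return window_bytes * 8 / rtt_s


def bandwidth_delay_product_bytes(link_bps, rtt_s):
    """Bytes that must be in flight to keep the link fully utilised."""
    return link_bps * rtt_s / 8


def slow_start_rtts_to_fill(link_bps, rtt_s, mss=MSS, initial_segments=1):
    """Round trips slow start spends doubling cwnd each RTT until the window
    covers the bandwidth-delay product (a new connection is throttled for
    this long even on a lossless link)."""
    target = bandwidth_delay_product_bytes(link_bps, rtt_s)
    cwnd = initial_segments * mss
    rtts = 0
    while cwnd < target:
        cwnd *= 2
        rtts += 1
    return rtts


def go_back_n_retransmissions(total_segments, lost, window_segments):
    """Segments resent under Go-Back-N. On each loss the sender resends the
    lost segment and every later segment already in flight (up to one window).
    Simplified model: the window was full when the loss was detected and the
    retransmitted segments arrive, so losses that fall inside a range already
    resent cost nothing extra."""
    resent = 0
    covered_until = -1
    for seq in sorted(set(lost)):
        if seq <= covered_until:
            continue
        n = min(window_segments, total_segments - seq)
        resent += n
        covered_until = seq + n - 1
    return resent


def selective_retransmissions(lost):
    """Selective retransmission resends only the segments that were lost."""
    return len(set(lost))


def compare(total_segments=1000, lost=(10, 15, 500)):
    """Summarise the three effects for the constructed link and loss pattern."""
    window_segments = DEFAULT_WINDOW // MSS  # 44 segments of 1460 bytes fit in 64 KB
    return {
        "window_limited_bps": window_limited_throughput_bps(DEFAULT_WINDOW, SAT_RTT_S),
        "bdp_bytes": bandwidth_delay_product_bytes(LINK_BPS, SAT_RTT_S),
        "slow_start_rtts": slow_start_rtts_to_fill(LINK_BPS, SAT_RTT_S),
        "go_back_n_resent": go_back_n_retransmissions(total_segments, lost, window_segments),
        "selective_resent": selective_retransmissions(lost),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

On the assumed link a single 64 KB-window connection cannot exceed about 1 Mbit/s regardless of the 10 Mbit/s link rate, slow start needs nine round trips (about 4.5 s) before the window covers the bandwidth-delay product, and three lost segments out of a thousand cost 88 retransmissions under Go-Back-N against 3 under selective retransmission. These are exactly the effects a performance enhancing proxy on the satellite segment is meant to remove.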
Accordingly, there is a clear need for improved approaches for enhancing the performance of private networks to support secure communications. There is also a need for an approach to selectively provide performance enhancing functions in a secure environment. There is also a need to minimize development and implementation costs. There is also a further need to interoperate with existing standards and protocols.
Some Example Embodiments
The present invention addresses the above stated needs by providing an approach for integrating Virtual Private Network (VPN) and network acceleration techniques (e.g., Performance Enhancing Proxying (PEP) functions) in which a VPN tunnel can be segmented to selectively provide PEP functionality. A PEP peer can include any combination of the following components: a routing module, a buffer management module, an event management module, a parameter management module, a Transmission Control Protocol (TCP) spoofing kernel, a backbone protocol kernel, a prioritization kernel, a path selection kernel, and a data compression kernel. PEP peers can establish a PEP connection to support the PEP function for any portion of the VPN tunnel, particularly, the portion that traverses a high latency network. This approach advantageously supports secure communications, while enabling a service provider to implement the PEP function and VPN function independently throughout the network, thereby reducing costs and improving flexibility.
According to one aspect of the present invention, a method of providing secure communication services is disclosed. The method includes supporting a secure tunnel from a source node over a network to a destination node, wherein the nodes are external to the network. The method also includes establishing a connection that supports a mechanism for enhancing performance of the network for a portion of the secure tunnel that traverses the network. According to another aspect of the present invention, a network device for supporting security in a communications network is disclosed. The device includes a security peer configured to support a secure tunnel from a source node over a network to a destination node, wherein the nodes are external to the network. The device also includes a network performance peer configured to establish a connection for enhancing performance of the network for a portion of the secure tunnel that traverses the network. According to another aspect of the present invention, a network device for supporting security in a communications network is disclosed. The device includes means for supporting a secure tunnel from a source node over a network to a destination node, wherein the nodes are external to the network. The device also includes means for establishing a connection for enhancing performance of the network for a portion of the secure tunnel that traverses the network. According to another aspect of the present invention, a method of providing a virtual private network (VPN) service over a high latency network is disclosed. The method includes establishing a VPN tunnel over the network. Additionally, the method includes selectively establishing a connection over a segment of the VPN tunnel, wherein the connection supports performance enhancing proxying functions to minimize impact of the latency of the network. According to yet another aspect of the present invention, a method of providing secure communication services is disclosed. 
The method includes establishing a plurality of secure segments along a common communication path traversing a network. The method also includes establishing a connection that supports a mechanism for enhancing performance of the network, wherein the connection exists between two of the secure segments.
Further, in accordance with example embodiments of the present invention, a method of providing secure communication services is disclosed. The method comprises establishing a secure data tunnel from a source node to a destination node via a plurality of secure segments across a data communications network. The method further comprises establishing a data path via the secure data tunnel, wherein the data path supports a performance enhancing mechanism that improves performance of data communications over the data path. The performance enhancing mechanism multiplexes data packet flows from the source node for transmission over the data path, and performs one or more of connection startup latency reduction, acknowledgment message spoofing, window sizing adjustment, compression and selective retransmission. According to a further example embodiment, the establishment of the data path via the secure data tunnel comprises determining that the data packet flows are to be carried via a secure connection, determining that the plurality of secure segments across the data communications network are functioning properly, and establishing the data path via the secure data tunnel and initiating the performance enhancing mechanism. By way of example, the secure data tunnel may consist of a virtual private network (VPN) tunnel formed by the plurality of secure segments across the data communications network. By way of further example, at least one of the data packet flows may be generated in accordance with transmission control protocol (TCP)/Internet protocol (IP) data communications protocols. By way of further example, the data path may comprise a plurality of data sub-paths, wherein each data sub-path corresponds to a different priority level and is configured to carry data packets of the respective priority level, and wherein each data packet flow may be assigned to one of the sub-paths based on one or more predetermined priority assignment rules.
The predetermined priority assignment rules, for example, may be based on criteria corresponding to the data packet flows, wherein the criteria comprise one or more of destination IP address, source IP address, source port number, destination port number, user datagram protocol (UDP) source port number, UDP destination port number, type of service (TOS), and data type. By way of further example, the capacity of the data path is apportioned between the data sub-paths based on one or more predetermined priority capacity assignment rules.
Further, in accordance with example embodiments of the present invention an apparatus comprises a security peer configured to establish a secure data tunnel from a source node to a destination node via a plurality of secure segments across a data communications network, and a network performance peer configured to establish a data path via the secure data tunnel, and to operate a performance enhancing mechanism. The performance enhancing mechanism is configured to multiplex data packet flows from the source node for transmission over the data path, and to improve performance of data communications over the data path. By way of example, the performance enhancing mechanism is configured to improve performance of data communications over the data path by performing one or more of connection startup latency reduction, acknowledgment message spoofing, window sizing adjustment, compression and selective retransmission. According to a further example embodiment, the establishment of the data path via the secure data tunnel comprises determining that the data packet flows are to be carried via a secure connection, determining that the plurality of secure segments across the data communications network are functioning properly, and establishing the data path via the secure data tunnel and initiating the performance enhancing mechanism. By way of example, the secure data tunnel may consist of a virtual private network (VPN) tunnel formed by the plurality of secure segments across the data communications network. By way of further example, at least one of the data packet flows may be generated in accordance with transmission control protocol (TCP)/Internet protocol (IP) data communications protocols. 
By way of further example, the data path may comprise a plurality of data sub-paths, wherein each data sub-path corresponds to a different priority level and is configured to carry data packets of the respective priority level, and wherein each data packet flow is assigned to one of the sub-paths based on one or more predetermined priority assignment rules. The predetermined priority assignment rules, for example, may be based on criteria corresponding to the data packet flows, wherein the criteria comprise one or more of destination IP address, source IP address, source port number, destination port number, user datagram protocol (UDP) source port number, UDP destination port number, type of service (TOS), and data type. By way of further example, the capacity of the data path may be apportioned between the data sub-paths based on one or more predetermined priority capacity assignment rules.
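The following is an added example, not the patent's own code, of the priority sub-path assignment and capacity apportionment described in the method and apparatus passages above. The patent names the classification criteria (source and destination IP address, TCP/UDP port numbers, TOS, data type) but specifies neither rule semantics nor an apportionment formula; the first-match rule evaluation, the weighted split of capacity among sub-paths that currently carry flows, and all rule contents, addresses, ports and capacity figures are assumptions constructed for this illustration.

```python
# Added example, not from the patent: flows are matched against ordered
# priority assignment rules over the criteria the text names, then the data
# path's capacity is split between the priority sub-paths by weight.
# Rule semantics, addresses, ports, weights and capacities are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    tos: int = 0          # IP type-of-service byte
    data_type: str = ""   # application-level hint, e.g. "voice"


@dataclass(frozen=True)
class PriorityRule:
    """One predetermined priority assignment rule. A criterion left as None is
    a wildcard; the rule matches when every populated criterion matches."""
    priority: int
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tos: Optional[int] = None
    data_type: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        def in_net(ip: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

        def eq(want, got) -> bool:
            return want is None or want == got

        return (in_net(flow.src_ip, self.src_net) and in_net(flow.dst_ip, self.dst_net)
                and eq(self.proto, flow.proto) and eq(self.src_port, flow.src_port)
                and eq(self.dst_port, flow.dst_port) and eq(self.tos, flow.tos)
                and eq(self.data_type, flow.data_type))


def assign_priority(flow: Flow, rules: List[PriorityRule], default_priority: int) -> int:
    """First matching rule wins, so rules are ordered from most to least specific;
    a flow matching no rule lands in the default (lowest) priority sub-path."""
    for rule in rules:
        if rule.matches(flow):
            return rule.priority
    return default_priority


def apportion_capacity(total_bps: float, weights: Dict[int, int],
                       active_priorities: Set[int]) -> Dict[int, float]:
    """Split the data path's capacity between sub-paths in proportion to their
    weights, counting only sub-paths that currently carry a flow so that an
    idle priority level does not strand capacity."""
    active = {p: w for p, w in weights.items() if p in active_priorities}
    total_weight = sum(active.values())
    if total_weight == 0:
        return {}
    return {p: total_bps * w / total_weight for p, w in active.items()}


# Constructed rule set (assumed policy, not from the patent).
RULES = [
    PriorityRule(priority=1, data_type="voice"),                                # interactive voice first
    PriorityRule(priority=2, dst_net="10.0.0.0/8", proto="tcp", dst_port=443),  # HTTPS to the private site
    PriorityRule(priority=3, tos=0x10),                                         # flows marked TOS 0x10
]
DEFAULT_PRIORITY = 4
WEIGHTS = {1: 4, 2: 3, 3: 2, 4: 1}  # assumed capacity assignment rule: 4:3:2:1

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "10.1.1.5", "udp", 40000, 5004, tos=0xB8, data_type="voice"),
    Flow("192.168.1.11", "10.2.3.4", "tcp", 51000, 443),
    Flow("192.168.1.13", "10.9.9.9", "tcp", 51002, 25, tos=0x10),
    Flow("192.168.1.12", "172.16.0.9", "tcp", 51001, 443),   # not in 10/8: falls to default
]


def classify_and_apportion(flows: List[Flow], total_bps: float, rules=RULES,
                           weights=WEIGHTS, default=DEFAULT_PRIORITY) -> Tuple[Dict[Flow, int], Dict[int, float]]:
    """Assign every flow to a priority sub-path, then divide the path capacity
    between the sub-paths that ended up with at least one flow."""
    assignments = {f: assign_priority(f, rules, default) for f in flows}
    shares = apportion_capacity(total_bps, weights, set(assignments.values()))
    return assignments, shares


if __name__ == "__main__":
    assigned, shares = classify_and_apportion(SAMPLE_FLOWS, 10_000_000)
    for flow, prio in assigned.items():
        print(f"{flow.src_ip}->{flow.dst_ip}:{flow.dst_port}/{flow.proto} -> priority {prio}")
    for prio, bps in sorted(shares.items()):
        print(f"sub-path {prio}: {bps / 1e6:.2f} Mbit/s")
```

Because rules are evaluated in order, the voice rule is placed ahead of the HTTPS rule so that a voice flow destined for the 10.0.0.0/8 site is not demoted; a practitioner auditing such a classifier should check that rule ordering, not only rule contents, expresses the intended policy, and that the default priority catches anything unmatched rather than dropping it.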
Still other aspects, features, and advantages of the present invention are readily apparent from the following detailed description, simply by illustrating a number of particular embodiments and implementations, including the best mode contemplated for carrying out the present invention. The present invention is also capable of other and different embodiments, and its several details can be modified in various obvious respects, all without departing from the spirit and scope of the present invention. Accordingly, the drawing and description are to be regarded as illustrative in nature, and not as restrictive.