Secured Socket Layered Virtual Private Networks (SSL-VPN) are very popular in today's secure network deployments. The wide adoption and the ease of setup of Layer 2 (L2) protocols, such as the Point to Point Protocol (PPP), in all major OS platforms, allows SSL-VPN vendors to choose PPP as the underlying encapsulation protocol. In particular, the SSL-VPN application module running on client devices tunnels Layer 3 (L3) data packets using PPP in a data stream over a SSL connection terminated on the network traffic management device, where it acts as tunnel endpoints and forward L3 data packets to the network traffic management device.
The stream of encapsulated data packets implements a High Level Data Link Control (HDLC) framing mechanism (or other similar liming mechanism) which identities the beginning and the end of each frame in the transmitted data stream. Typically the endpoint device removes the HDLC-like framing from each PPP frame before injecting verified IP data packets into the network stack. This process of removing the HDLC-like framing from the data packets when they are received as well as applying the HDLC-like framing to the data packets when sending them back to the client device is expensive. This is because the endpoint device is required to process every byte within the boundaries of the frame to calculate checksum and escape characters that are part of Asynchronous Control Character Map (ACCM), as negotiated during the PPP LCP stage (RFC 1662).
This process results in a substantial bottleneck in throughput performance on the endpoint device. It is also wasteful as HDLC-like framing is not necessary considering that data integrity is maintained by the SSL layer in the tunnel connection, and the link is not a serial line. Unfortunately, in most cases, the local processor on the client device produces a stream of packets with HDLC-like framing, such that the endpoint device is forced into performing the above computationally-intense processes.
What is needed is a system, method and software which modifies the data stream by removing expensive overhead in the data stream while still using the PPP layer to maintain integrity of the SSL-VPN tunnel connection and allow efficient processing oldie modified data stream.