Communications service providers face the continual task of designing high performance and secure networks. The emergence of Virtual Private Networks (VPNs) has provided network users with secure communications to their private network from remote sites. A private network is one that allows multiple sites of an enterprise to communicate privately; that is, to the exclusion of unauthorized users. In the past, private networks were implemented by using “leased line” communications circuits, as shown in FIG. 18. Private sites 1801, 1803, 1805, 1807 are interconnected by leased lines 1809, which are typically dedicated circuits supplied by a service provider. Within each of the sites 1801, 1803, 1805, 1807, multiple hosts are connected to the leased lines 1809 via a router. Security of the leased lines 1809 is ensured mainly by wire-tapping laws and the integrity of the service provider that supplies the leased lines.
In contrast, a virtual private network (VPN) permits an enterprise to communicate securely across a public network in such a way that the public network operates as one or more private communications links. FIG. 19 is a diagram of a conventional VPN, in which multiple private network sites 1901, 1903, 1905, 1907 are connected to a public network 1917, such as the Internet or a carrier's Internet Protocol (IP) internetwork. Packets sent from one private network site to another are encrypted and often cryptographically authenticated to provide security. In particular, the packets that are forwarded from one individual site to another are encrypted and carried in the payload of one or more packets traversing the public network. This placing of packets within another packet is referred to as tunneling. A VPN tunnel refers to two sites that securely exchange packets with one another by carrying encrypted versions of those packets within other packets using an agreed-upon set of encryption algorithms and keys. With respect to routing within the Virtual Private Network, a tunnel operates, in concept, like the leased lines of the private network of FIG. 18.
Each private network site 1901, 1903, 1905, 1907 has a VPN server 1909, 1911, 1913, 1915, which performs the tunneling of VPN packets along with the associated cryptographic functions. A VPN client 1919 has the capability to establish a secure connection with any one of the VPN servers 1909, 1911, 1913, 1915.
Virtual private networks are attractive because the cost of one connection per site to a public network (which may be needed in order for the site's users to access hosts on the public network) is more economical than a leased line type connection into a private network. In addition, given today's security concerns, users are finding VPNs to be a reliable security solution, in large part, because VPN protocols (such as IPSEC) provide significantly higher security using advanced encryption technology than what is supplied by conventional private networks. VPN tunnels do not allow the service providers to view the packets within the VPN tunnel; in contrast, “leased line” service providers can examine the data carried over the leased line.
For interoperability reasons, private networks are often implemented using the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite. However, this popular protocol suite possesses a number of drawbacks. The performance shortcomings relate to the TCP protocol itself, which was designed during the infancy of data communications, when data networks were unreliable. These drawbacks include TCP Slow Start, TCP Connection Establishment, limited Maximum Window Size, Go-Back-N ARQ (Automatic Repeat Request), and Discarded Packet Congestion Control. TCP Slow Start is a congestion avoidance algorithm that limits TCP throughput on connections that have recently been established. TCP Connection Establishment has the drawback of requiring a full round trip before any user data is allowed to flow. The default maximum window size (which is typically 64 KB) limits the peak throughput of a TCP connection, because at most one window of data can be outstanding per round trip. The lost packet recovery algorithm uses a Go-Back-N scheme, which has a significant negative performance impact when operating on a high-bandwidth, high-delay connection. In addition, most TCP/IP networks handle congestion by discarding packets, which results in very inefficient Go-Back-N retransmissions; and TCP implementations severely restrict their window sizes on discovering packet loss, thereby severely reducing throughput.
Furthermore, TCP operates relatively inefficiently with respect to bandwidth utilization. These inefficiencies include Excessive ACK (Acknowledgement) Packets and lack of compression. Most TCP implementations send a TCP ACK for either every received TCP segment or every other received TCP segment. The ACK traffic thus consumes a significant amount of bandwidth. Furthermore, because TCP does not provide data compression, greater bandwidth is needed. The above performance hindrances are particularly pronounced over high-bandwidth, high-delay networks, such as geosynchronous communication satellite networks, and over highly asymmetric networks.
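The following added example (not part of the original description) puts numbers on the TCP drawbacks just listed for a high-bandwidth, high-delay link: the link rate, round-trip time, MSS, ACK size and return-channel rate are assumed sample values, and slow start is modelled as a plain doubling of the congestion window each round trip with no loss.

```python
"""Added illustration, not text from the original description: quantify the
TCP drawbacks named above for a high-bandwidth, high-delay link. The link rate,
round-trip time, MSS, ACK size and return-channel rate are assumed sample values."""

def bdp_bytes(link_bps: float, rtt_s: float) -> float:
    """Bandwidth-delay product: bytes that must be in flight to keep the link full."""
    return link_bps * rtt_s / 8

def window_limited_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """A fixed receive window allows at most one window per round trip, so peak
    throughput is window/RTT no matter how fast the link is."""
    return window_bytes * 8 / rtt_s

def slow_start_rtts(target_bytes: float, mss: int, initial_segments: int = 1) -> int:
    """Round trips slow start spends before cwnd first reaches target_bytes,
    modelled as cwnd doubling every RTT from initial_segments * mss (no loss)."""
    cwnd, rtts = initial_segments * mss, 0
    while cwnd < target_bytes:
        cwnd *= 2
        rtts += 1
    return rtts

def go_back_n_resent(window_segments: int, lost_index: int) -> int:
    """Segments retransmitted under Go-Back-N when the segment at lost_index
    (0-based) of a full window is lost: that one plus every later segment in
    the window, although those later segments were delivered intact."""
    if not 0 <= lost_index < window_segments:
        raise ValueError("lost_index must lie inside the window")
    return window_segments - lost_index

def ack_bandwidth_bps(forward_bps: float, mss: int, segments_per_ack: int = 2,
                      ack_bytes: int = 40) -> float:
    """Return-channel bandwidth consumed by pure ACKs (40 bytes = IPv4 + TCP
    headers) when the receiver acknowledges every segments_per_ack segments."""
    return forward_bps * ack_bytes / (mss * segments_per_ack)

if __name__ == "__main__":
    # Assumed sample link: 45 Mbit/s with a 600 ms GEO satellite round trip,
    # 1460-byte MSS, 64 KB default window, 256 kbit/s return channel.
    link, rtt, mss, window, reverse = 45_000_000, 0.6, 1460, 65_536, 256_000
    bdp = bdp_bytes(link, rtt)
    print(f"bytes in flight to fill the link: {bdp:,.0f}")
    print(f"64 KB window caps throughput at {window_limited_throughput_bps(window, rtt)/1e6:.2f} Mbit/s")
    print(f"slow start needs {slow_start_rtts(bdp, mss)} RTTs ({slow_start_rtts(bdp, mss)*rtt:.1f} s) to open that far")
    print(f"Go-Back-N resends {go_back_n_resent(window // mss, 10)} of {window // mss} segments for one loss")
    print(f"ACK traffic needs {ack_bandwidth_bps(link, mss)/1e3:.0f} kbit/s of a {reverse/1e3:.0f} kbit/s return channel")
```

With the assumed values the 64 KB window alone holds the connection below 1 Mbit/s on a 45 Mbit/s link, and the ACK stream for a full-rate transfer would exceed a 256 kbit/s return channel, which is the asymmetric-network case the text mentions.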
Accordingly, there is a clear need for improved approaches for enhancing the performance of private networks to support secure communications. There is also a need for an approach to selectively provide performance enhancing functions in a secure environment. There is also a need to minimize development and implementation costs. There is also a further need to interoperate with existing standards and protocols.