1. Field of the Invention
The present invention relates generally to IP networking and specifically to providing a mechanism to allow packets transformed by IP-layer encryptors to benefit from Performance Enhancing Proxies (PEPs).
2. Background Art
Hosts can communicate across the Internet by exchanging packets. As packets travel from one host to another through the Internet, they may pass through various routers, proxies, and other network devices. Some of these network devices include satellite transmission systems that transport packets over satellite links and encryptors that securely transmit packets across public or insecure areas of the network. Network devices often operate transparently to the end hosts, so that the end hosts are unaware of their presence. By operating transparently, network devices can be added and removed without requiring any modifications to the end hosts.
One type of network device is a Performance Enhancing Proxy (PEP). Performance Enhancing Proxies attempt to overcome shortcomings that an existing reliable transport protocol, such as TCP, may suffer in certain challenged environments. For example, TCP operates poorly over satellite connections because TCP is not tuned for the high bandwidth and large delays that are characteristic of satellite communications. To alleviate these performance problems, a PEP can be deployed at each end of a satellite connection to intercept TCP connections that wish to pass through the satellite connection. Once the PEPs intercept a TCP connection, they use an alternative protocol that is more suitable for satellite communication to transmit the data of the intercepted TCP connection over the satellite. Furthermore, the PEPs manage the TCP connection on both ends of the satellite connection so that the end hosts are unaware that either the PEPs or an alternative protocol is being employed in between. Since the alternative protocol is more suitable than TCP for satellite communications, the overall end-to-end performance experienced by the two end hosts is enhanced compared to a TCP connection that is run directly over the satellite link.
Another type of network device is an IP-layer encryptor. IP-layer encryptors are deployed to provide secure communications between two or more private networks that are separated by a public or insecure network. When a packet in a private network attempts to enter the public network, an IP-layer encryptor intercepts and encrypts the packet before allowing it to pass to the public network. When a packet from the public network attempts to enter a private network, an IP-layer encryptor intercepts and decrypts the packet and allows only authenticated packets to enter the private network. Hence, IP-layer encryptors allow private networks to maintain security when hosts in the private networks communicate with each other over a public or insecure network. The side of an IP-layer encryptor that interfaces with the public or insecure network is often referred to as the black side or ciphertext side of the IP-layer encryptor, and the opposite side, which interfaces with the network to be protected from the public network, is referred to as the red side or plaintext side of the IP-layer encryptor.
Unfortunately, IP-layer encryptors tend to render black-side PEPs inoperative for communications initiated by hosts on the red side of the IP-layer encryptors. When IP-layer encryptors encrypt red-side packets into black-side packets, they produce plain IP packets that do not expose any higher-level protocol information: the transport header (for example, the TCP header with its ports and flags) is carried inside the encrypted payload. IP-layer encryptors therefore hide from the black side any information about the higher-level protocols used by the corresponding red-side packets. Since PEPs operate only on packets whose higher-level protocol information is visible, black-side packets produced by IP-layer encryptors cannot take advantage of black-side PEPs. Consequently, even if a red-side packet was originally carried by a higher-level protocol such as TCP, its corresponding black-side packet cannot benefit from black-side PEPs.
Therefore, what is needed is a mechanism to allow red-side packets that flow through IP-layer encryptors to take advantage of black-side PEPs.
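As an added illustration of the problem described above (this is not part of the original application), the following Python simulation builds a red-side TCP packet, wraps it the way a tunnel-mode IP-layer encryptor would, and shows what a black-side PEP classifier can and cannot learn from each. The use of the IPsec ESP protocol number, the addresses, the key and the toy hash-based cipher are all assumptions made for the demonstration.

```python
import struct
import hashlib

IPPROTO_TCP = 6
IPPROTO_ESP = 50   # assumption: black-side packets are IPsec-ESP-like (protocol 50)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample, not for the wire)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))

def tcp_header(sport, dport):
    """Minimal 20-byte TCP SYN header carrying only the ports a PEP would key on."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def red_side_packet():
    """Plaintext (red-side) packet: IPv4 + TCP + application data (constructed sample)."""
    tcp = tcp_header(40000, 80) + b"GET / HTTP/1.0\r\n\r\n"
    return ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_TCP, len(tcp)) + tcp

def toy_keystream(key, length):
    """Stand-in for the encryptor's cipher (hash in counter mode); NOT a real cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def ip_layer_encrypt(red_packet, key):
    """Tunnel-mode behaviour: the whole red packet, TCP header included, becomes
    opaque payload behind a new outer IP header whose protocol field is ESP."""
    body = bytes(p ^ k for p, k in zip(red_packet, toy_keystream(key, len(red_packet))))
    esp = struct.pack("!II", 0x1000, 1) + body          # SPI, sequence number, ciphertext
    return ipv4_header("203.0.113.10", "198.51.100.20", IPPROTO_ESP, len(esp)) + esp

def pep_classify(packet):
    """Everything a black-side PEP can learn by parsing the packet it is handed."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return {"proto": proto, "sport": sport, "dport": dport, "pep_eligible": True}
    # ESP (or any non-TCP protocol): no transport header is visible, nothing to intercept
    return {"proto": proto, "pep_eligible": False}

if __name__ == "__main__":
    red = red_side_packet()
    print("red side  :", pep_classify(red))
    print("black side:", pep_classify(ip_layer_encrypt(red, b"constructed-key")))
```

On the red side the classifier recovers the TCP ports and marks the flow as eligible for interception; on the black side it sees only an ESP packet, which is exactly the loss of visibility the background describes.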