Performance Enhancers: Striving For End-To-End Solutions

By Staff Writer | August 1, 2003

By Peter J. Brown

There are subtle advances in technology that are often overlooked. As the satellite industry marches on, customers and service providers alike are able to select from a growing list of software tools and solutions that can substantially boost satellite network performance. These software tools have given both the point-to-multipoint and point-to-point satellite network operators an added edge.

"There are several reasons why performance enhancing protocols are becoming standard for new satellite network deployments in particular," says Chris Baugh, president of Orlando, FL-based Northern Sky Research. "The primary motivation involves the fact that the satellite industry has struggled constantly with the process of identifying and implementing viable business models, especially in the enterprise sector.

"Now, a new generation of two-way satellite systems is emerging at the same time that these performance enhancement specialists are rolling out full service or end-to-end software suites, so the timing is actually quite good for both parties," he adds.

Baugh is also quick to point out that while Virtual Private Networks (VPNs) over satellite have not been widely deployed, there are a number of enterprise customers in the terrestrial networking world who are either launching VPNs using satellite or actively exploring this option.

"VPN is getting a major push, too. As a result, anyone who has developed a workable solution for beaming IP Security Protocol (IPsec) over satellite is bound to attract interest, especially if these solutions will fit with existing sites," Baugh says. "The satellite market is driven by its customers, so there is bound to be an uptick in the activity which surrounds any migration to VPN over satellite."

Overcoming Satellite Latency

Sending IP data via Transmission Control Protocol (TCP) over satellite is not always the best way to proceed. At Los Angeles, CA-based Mentat Inc., the SkyX Gateway product line transparently converts TCP into Xpress Transport Protocol (XTP 4.0). The positive results are immediately apparent.

"For most types of networks, TCP works very well and there is no reason to generally replace it. The situations where TCP does not perform well are long latency, high bit error and asymmetric bandwidth links, which unfortunately for the satellite industry, are exactly the conditions typical of satellite networks," says D.C. Palter, vice president, sales and marketing for Mentat. "We also understand that end users need to run standard TCP-based applications, and therefore any solution to the problem of TCP over satellite must be compatible with and transparent to this existing infrastructure."

"There is an absolute requirement for acceleration whenever links designed to run at speeds up to 2 Mbs only yield 120 kbs," says Jerry Toporek, Mentat’s vice president of engineering.

After evaluating Mentat, NBC News deployed the Mentat SkyX Gateway as part of communications packs for five temporary bureaus throughout the Middle East. "We like it, and we noticed an immediate improvement in performance. We needed a seamless reliable IP datastream. Before Mentat, we just extended our LAN [Local Area Network] into the field," says Danny Miller with field operations at NBC News. "We are running IP data through a TDM mux. We use Mentat–the SkyX Gateway model XR10–along with a Comtech/EFData 300L modem, and a RAD multiplexer. Our plan is to build an infrastructure for 32 remotes."

Besides NBC News, Mentat customers include the U.S. Navy-Naval Research Labs, Infinite Global Infrastructures LLC, Intelsat, SSI Micro (an ISP providing service to remote sites across northern Canada), Boeing Satellite Systems and Globecomm Systems.

As small, specialized ISPs have come knocking, Mentat has responded with a pre-fetch feature, which has just been released. Pre-fetching centers on proactively downloading the embedded objects on each Web page, and speeds Web page displays by moving the embedded objects to the end user’s side of the satellite link so they are available locally when the browser requests them.

"It is not a cache but a proactive retrieval system for the objects that we know the browser will be requesting momentarily. It does not reduce or increase the amount of content that needs to be transmitted, but moves the data across the link sooner than would happen otherwise," says Palter. "However, the SkyX data compression feature does compress the data and reduce the amount of traffic on the link in much the same way WinZip works on an individual file."

When it comes to enhancing the performance of Voice over IP (VoIP), Mentat has its hands tied by the laws of physics. Devices such as the Mentat SkyX Gateway do not reduce the latency of the satellite link and, therefore, cannot improve the quality of VoIP.

"The satellite delay is due to the quarter-second it takes for the signal to travel from the Earth to the GEO satellite and back to Earth, and there is no way to change this," says Toporek. "Fortunately, the UDP [User Datagram Protocol] itself used for transfer of voice packets and other real time applications over the network works fine. The only issue is that the satellite delay itself is noticeable to the end users."
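The window arithmetic behind the long-latency problem described in this section, as an added example that is not from the article or from Mentat: a sender may keep only one window of unacknowledged data in flight per round trip, so a small window caps throughput far below the link rate. The 2 Mbit/s rate and the quarter-second one-way delay come from the text; the window sizes, segment size, initial window and loss-free link are assumptions.

```python
# Added example: round-by-round model of one TCP transfer over a GEO hop.
# Assumed values (not from the article): 8 KiB and 1 MiB windows, 1460-byte
# MSS, two-segment initial congestion window, loss-free link.

LINK_BPS = 2_000_000   # "links designed to run at speeds up to 2 Mbs"
RTT_S = 0.5            # two quarter-second traversals: data out, ACK back


def steady_state_bps(link_bps, rtt_s, window_bytes):
    """Ceiling on throughput: one window per round trip, capped by link rate."""
    return min(link_bps, window_bytes * 8 / rtt_s)


def transfer_time_s(file_bytes, link_bps, rtt_s, window_bytes,
                    mss=1460, init_segments=2):
    """Seconds to deliver file_bytes: handshake, slow start, capped window."""
    # The sender can never have more in flight than the receive window allows,
    # and the link cannot carry more than its bandwidth-delay product per RTT.
    cap = min(window_bytes, link_bps * rtt_s / 8)
    cwnd = min(init_segments * mss, cap)
    elapsed = rtt_s            # three-way handshake before the first data byte
    sent = 0
    while True:
        burst = min(cwnd, file_bytes - sent)
        sent += burst
        if sent >= file_bytes:
            # Final burst: serialization time plus one-way propagation.
            return elapsed + burst * 8 / link_bps + rtt_s / 2
        elapsed += rtt_s             # wait for ACKs before sending more
        cwnd = min(cwnd * 2, cap)    # slow start doubles until the cap


def report(file_bytes=1_000_000):
    """(label, ceiling bit/s, seconds, effective bit/s) for each window size."""
    rows = []
    for label, window in (("8 KiB window", 8 * 1024),
                          ("1 MiB window", 1024 * 1024)):
        t = transfer_time_s(file_bytes, LINK_BPS, RTT_S, window)
        rows.append((label, steady_state_bps(LINK_BPS, RTT_S, window),
                     round(t, 2), round(file_bytes * 8 / t)))
    return rows


if __name__ == "__main__":
    for label, ceiling, secs, effective in report():
        print(f"{label}: ceiling {ceiling / 1000:.0f} kbit/s, "
              f"1 MB in {secs} s, effective {effective / 1000:.0f} kbit/s")
```

With the assumed 8 KiB window the model lands in the same range as the 120 kbs figure quoted above, and the delay itself is unchanged in both cases; only the amount of data kept in flight differs.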

Reliable One-Way Satellite Transport

A data stream and a revenue stream are two different things entirely. As the demand for IP data increases, the content providers and the movers of IP data are intensifying their search not only for more efficient ways to move existing IP data, but for ways to free up bandwidth on existing pipes so that more revenue can be derived from the network in question.

For the companies engaged in moving IP data over satellite, identifying unused capacity and executing flawless one-way file deliveries without the need for multiple retransmissions are pressing matters as well. At Stamford, CT-based Kencast Inc., the capabilities of the Kencast Fazzt Digital Delivery system are constantly being upgraded. Fazzt is engineered to carry out error-free file deliveries via satellite without any return links or acknowledgements, performing the task at hand with just five percent overhead.

"As we observe the growing trend involving more and more video channels, which are being run through statistical multiplexers with variable output, for example, our customers are realizing that they need to do something with the extra bandwidth," says Dr. Lewis Wolfgang, CTO at Kencast. "And evaluating how you are going to put bandwidth to better use means taking a second look at file transfers, including video files and live streams."

Whereas the main emphasis in Fazzt 6.3 was on content on demand, encryption and key management, the new Fazzt 6.4 brings powerful tools for shared services in the form of the Fazzt Enterprise Server and Fazzt PowerPublisher.

As part of the Web Publisher on the Fazzt Enterprise Server, for example, a record of network performance can be broken down into individual transmissions and content requests with tunnel usage statistics generated, too. The same platform handles all aspects of content management, including browsing and searching all content as well as managing all categories of content.

"Shared content delivery systems have to be structured to address the fact that each content provider does not need a fixed pipe. With dynamic bandwidth allocation done in a more variable way, such things as opportunistic data insertion at the application level and automated broadcasts become more user-friendly," says Wolfgang. "With Fazzt 6.4, we have revamped our bandwidth management to introduce sub-channels, which allow for the borrowing of unused bandwidth and provide a lot more control to end users in general."

Again, the goal with Fazzt is to deliver the file in question in a single transmission, prevent its theft, keep it clean and validate that fact, while mapping it and authorizing who can get it.

Because it is not unusual for content to undergo a triple satellite hop and then pass onto land lines as it moves across the Internet, content might be required to transit in multicast, then unicast, and then multicast format again, especially for enterprise-wide networks. Fazzt takes this set of requirements in stride.

Kencast enables entertainment customers like TVN Entertainment Corp. to distribute multimedia content via satellite to cable headends, or in the case of OnCommand Corp., to distribute movies to more than 3,000 hotels nationwide at the push of a button. Associated Press uses Fazzt to distribute photos and video news releases to thousands of newspapers.

Application Layer Focus

When a Denver, CO-based energy concern, Tom Brown Inc., was looking for a way to move IP data from multiple sites in the field in order to augment an existing frame relay network earlier this year, the goal was to implement a VPN over satellite using HNS’s DirecWay two-way VSATs to support traffic to and from mobile laptops.

With IP data files ranging anywhere in size from .5 MB to 20-30 MB, flowing from as many as 15 sites with perhaps three times as many users all attempting to gain access to the company’s internal network, a robust and reliable solution was required. Operating this VPN in a secure manner is a paramount concern. So, Tom Brown turned to Maryland-based V-One Corp., which specializes in application layer VPNs that overcome performance problems associated with end-to-end security through satellite networks.

"The most predominant VPN protocol out there is IPsec. As a network layer VPN protocol, IPsec functions properly over satellite, but performance is degraded significantly, since each packet must travel across the space segment for decryption and acknowledgement cycles," says Jim Naughton, director of the satellite program at V-One.

V-One’s SmartGate client/server software is designed to address the performance-disabling latency problem, which stems from the distance the IP data must travel–22,300 miles out to space and back–by taking advantage of a satellite network’s protocol acceleration capabilities.

In addition to a software solution, security appliances from V-One come in 2RU and 1RU configurations. V-One offers a solution that sidesteps the network address translation trap and seamlessly transits multiple firewalls.

"We designed our encrypted traffic to resemble SSL (Secure Socket Layer). When data leaves our VPN server it looks like network TCP traffic, though sensitive user and addressing information is never transmitted in the clear. We perform all encryption, authentication and access control services," says Naughton. "By taking advantage of techniques to improve performance, such as protocol spoofing, we can move a 3 MB file in 20 to 30 seconds, whereas a transmission of the same file sent with standard IPsec would still be far from complete after more than 20 minutes."

"Our users have taken to it quite easily. It is almost nothing to get it installed and up and running. Today, we use this V-One solution on all our VPN connections," says Pete Monfiletto, chief technical architect at Tom Brown. "The whole VPN network performance problem simply went away."

"While SmartGate operates as a client/server solution, it is not inhibited from functioning in a point-to-point or multicast environment," says Naughton. "Since we operate at the application layer, we can coexist with virtually anything out there and take advantage of existing open ports."

In addition to Tom Brown and multiple federal agencies, V-One’s clients include McKesson HBOC, Blue Cross/Blue Shield, Raytheon, Southwest Airlines and Amtrak.
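Why the network-layer versus application-layer distinction in this section matters to an accelerator on the satellite hop, as an added example (not V-One's code and not from the article): in an IPsec ESP packet the TCP header sits inside the ciphertext, while a VPN carried over TCP leaves the sequence, acknowledgement and window fields readable even though the data is encrypted. The packets, addresses, port 443, SPI and function names are constructed for illustration.

```python
# Added example: what a TCP accelerator on the satellite hop can read from
# each kind of VPN packet. All packets, addresses, ports and the SPI below
# are constructed sample values; nothing here is sent on a network.
import hashlib
import struct

IPPROTO_TCP, IPPROTO_ESP = 6, 50


def _addr(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Minimal 20-byte IPv4 header (checksum left at zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, _addr(src), _addr(dst))
    return header + payload


def tcp_segment(sport, dport, seq, ack, window, data):
    """20-byte TCP header with ACK|PSH set, followed by (encrypted) data."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, 0x18, window, 0, 0) + data


def esp_packet(spi, seq, ciphertext):
    """ESP: only the SPI and sequence number precede the ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def accelerator_view(packet):
    """Return the fields a middlebox could use to accelerate this packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"accelerable": False, "reason": "not an IPv4 packet"}
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(body) >= 20:
        _sport, dport, seq, ack, _off, _flags, window = struct.unpack(
            "!HHIIBBH", body[:16])
        # Sequence, ACK and window are in the clear: acknowledgements can be
        # generated locally and the window managed, even if the data is opaque.
        return {"accelerable": True, "protocol": "TCP", "dport": dport,
                "seq": seq, "ack": ack, "window": window}
    if proto == IPPROTO_ESP and len(body) >= 8:
        spi, esp_seq = struct.unpack("!II", body[:8])
        # The inner TCP header is inside the ciphertext, so the end hosts'
        # own TCP has to cope with the satellite delay unaided.
        return {"accelerable": False, "protocol": "ESP", "spi": spi,
                "esp_seq": esp_seq, "reason": "TCP header is encrypted"}
    return {"accelerable": False, "reason": f"IP protocol {proto} not handled"}


# Stand-in for encrypted bytes; a real VPN would produce cipher output here.
OPAQUE = hashlib.sha256(b"constructed sample").digest() * 2

APP_LAYER_VPN = ipv4(IPPROTO_TCP,
                     tcp_segment(40000, 443, 1000, 2000, 8192, OPAQUE))
NETWORK_LAYER_VPN = ipv4(IPPROTO_ESP, esp_packet(0x1001, 7, OPAQUE))

if __name__ == "__main__":
    for name, pkt in (("application-layer VPN over TCP", APP_LAYER_VPN),
                      ("IPsec ESP", NETWORK_LAYER_VPN)):
        print(name, "->", accelerator_view(pkt))
```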

What Do People Really Mean By End-To-End?

Secure networking through VPNs seems like a pretty straightforward proposition, regardless of whether a satellite link is present or not. At France-based UDcast, which has been at the forefront of developing Unidirectional Link Routing (UDLR)-based products and services, a new acceleration tool known as UDboost is taking shape that overcomes the performance degradation, or latency and bit error rate, associated with IPsec transmissions over satellite.

According to the company, UDLR is a routing protocol that mimics a conventional bi-directional transmission atop an asymmetric link. UDLR can also be used as a tunneling mechanism that allows for interoperability or the assembly of the diverse elements of a network into a single entity, thereby improving performance. UDLR is a Layer-2 protocol that renders the hybrid satellite/terrestrial links equivalent to Layer-2 Ethernet-type connections.

As the former innovation manager at Maiaah!, an MPLS service provider in Europe, and a former pre-sales senior manager for UUnet, Pierre Francon, marketing manager at UDcast, has seen his fair share of end-to-end IP solutions.

"A true end-to-end solution cannot be viewed here as just the satellite segment alone. End-to-end means creating a single secure tunnel from the client at the point of origin right through to the destination server," says Francon. "Extending the trusted domain or environment does not allow for the breaking of a VPN at the Network Operations Center (NOC)."

According to UDcast, with UDboost, any third party encryption or firewall with IPsec embedded will work, and there is no conversion of TCP to a different protocol over the satellite link. "With UDboost, there is a dynamic modification or changing of window size, along with a modification of the TCP slow start mechanism as well as a selective suppression of acknowledgements on the return link," says Francon. "Again, our emphasis all along at UDcast has been on enhancing the performance of asymmetrical links, and this is reflected in UDboost.

"With so much focus now in particular on the new generation of satellite broadband platforms that are using DVB/RCS, our customers are looking to optimize the return path performance in particular, and thus reduce the overhead associated with the return path," Francon adds. "With UDboost, we provide a double value proposition here. Both the satellite service providers and the end users benefit in the process."

UDboost incorporates both HTTP caching and pre-fetching. Providing network access to multiple users in remote locations minus these two elements can be very expensive, indeed.

"You want to avoid using your satellite capacity over and over again just to bring the same CNN logo back. You want to retain any unchanged Web page components, and just deliver refreshed content," says Francon. "This approach applies to all Web-enabled applications, not just Internet browsing. While it is easy to cache and pre-fetch at the hub, it is very difficult to perform these two things at the remote location where the true benefit is derived."

UDcast also released UDcrypt recently in order to help customers benefit from IPsec multicast, which enables users to distribute a single IPsec key to multiple end users simultaneously. Since IP multicast is so bandwidth efficient, network security can be significantly enhanced by re-keying every 10 or 15 seconds, or even less, if required.

"Remember that when it comes to performance enhancement, the judicious use of multicasts is always preferable. Reducing the volume of much more expensive unicast transmissions whenever possible must be seen as a priority," says Francon.

Supporting Legacy Protocols

While this article centers primarily on software solutions, Dulles, VA-based Encore Networks has developed an innovative VPN gateway. Founded in the summer of 2002, Encore Networks has named its VPN appliance the Broadband Access Network Device for Intelligent Termination, or BANDIT.

Among other things, the BANDIT product line enables network operators–large and small–to migrate from legacy systems to standards-based IP networks. But BANDIT does more. Besides interoperating with off-the-shelf IPsec VPN clients and gateways, BANDIT enables tunnel pass-throughs. In addition, it is capable of addressing, among other things, all aspects of IPsec tunnel initiation, multiplexing, switching, and termination as it resides between the IP core network and the LAN.

With so many companies now deploying satellite-based IP VPNs, a strong demand exists for devices or platforms that can provide and maintain both dynamic firewall and IPsec VPN functionality. Encore Networks says its BANDIT product line addresses both, while supporting IP router functions and legacy protocols with dial back-up and service fail-over support.

"We believe that support for legacy data protocols is extremely important. We provide a reliable way to convert a large number of satellite networks, which are not fully IP enabled, over to IP VPNs," says Abir Hnidi, CTO at Encore Networks. "ATMs tied to large banking networks are an excellent case in point. Banks tend to operate these systems using proprietary legacy protocols. The same is true when it comes to the insurance and retail industries, utilities and lottery networks.

"The goal here is to offer a solution that reduces both capital expenditures and operating expenditures simultaneously. The BANDIT product line allows the customer to migrate a satellite-based network to IPsec VPN, and thus avoid the tremendous costs associated with any wholesale replacement of the network and all of its components," he adds.

Hnidi indicates that his company is working with service operators and equipment vendors. And with its new BANDIT-Plus VPN host gateway, which features a high density 12-port serial module, among other things, customers will again have the ability to run secure IPsec tunnels out to countless remote sites where legacy applications are encountered.

This is a scenario where the advantages of a packet-based IP infrastructure could transform the network in question. However, the IT department in question may be reluctant when it comes to adopting new approaches, especially in small-to-medium enterprise environments. The looming presence of Multi Protocol Label Switching (MPLS), along with the gradual ramping up of MPLS over satellite, only complicates this situation.

"MPLS has gained a lot of momentum because it combines the best of the worlds of ATM and IP. MPLS optimizes traffic engineering, while allowing the offering of network-based VPN solutions, whereas IPsec has been used for site-to-site and off-net VPN solutions," says Hnidi.

"There are customers out there who are paranoid, and have very stringent security requirements for their end-to-end VPNs. MPLS does not do it for them," adds Hnidi. "In the not too distant future, VPNs will be offered with both MPLS and IPsec. This will happen as a result of the need to cover all the different sides of the VPN spectrum."

Increased Cancellation Performance

At Sunnyvale, CA-based Transcendent Technologies, a business unit of Applied Signal Technology, efforts are underway to significantly enhance the DoubleTalk Bandwidth Compression System, which allows for two-way satellite communications to be transmitted concurrently in the same segment of transponder bandwidth. These enhancements are currently being evaluated at various customer facilities around the world, according to Stephen Ruddy, marketing director for Transcendent Technologies.

In a nutshell, DoubleTalk does not impact signal C/N (carrier-to-noise ratio), and it is completely agnostic when it comes to modulation, FEC (Forward Error Correction), performance enhancing proxies or bit stream traffic. DoubleTalk was designed to provide the bandwidth efficiency of 16 QAM with the power efficiency and bit error advantages of QPSK. It can be used with 8PSK, too.

What new things are being added to DoubleTalk? "First and foremost, an embedded tuning capability has been added," says Ruddy. "Standard with each system will be the ability to tune from 50-90 MHz. This is accomplished using front panel buttons, and allows DoubleTalk to tune along with its corresponding modem. Options exist for 140 MHz and L-band."

Ruddy says that bandwidth has been extended to 4 MHz. Within that 4 MHz any number of signals can be processed, which opens up a range of applications, including point-to-point, multipoint, and multicarrier (multiple duplex links terminating at a single earth station).

"The most immediate application for 4 MHz will be very high rate multipoint networks. In these star configurations, the rate of the outbound is irrelevant, even if beyond DoubleTalk’s bandwidth," says Ruddy. "Residing at the hub only, each DoubleTalk applied cancels out a 4 MHz window through which the inbound traffic is transmitted."

Transcendent Technologies is taking aim at multipoint networks via a significant increase in cancellation performance in the presence of multiple carriers. "I am glad to report that this has been achieved. This will lead to an increase of overall performance and bandwidth savings for multipoint networks, which your readers no doubt recognize as the most stringent of network scenarios for utilizing this type of technology," says Ruddy. "This performance improvement will also offer users greater flexibility in choosing all other system components and operating parameters."

High Performance Options Lining Up

Not covered in this article are the numerous vendors of compression and IP encapsulation solutions. They are also quite active in propelling the satellite industry along in terms of the overall performance curve. And while we have focused on a handful of companies that are offering their customers a way to supercharge their satellite networks, other providers of high performance options are lining up. In other words, there is lots of energy in this specialized sector.

Take Global Science and Technology Inc. (GST), for example, with its new Space Communications Protocol Standards solution known as SkipWare. GST offers SkipWare as a top flight accelerator for IP data traffic.

A satellite network from Quebec-based Polarsat for UNICEF incorporates a traffic management solution from Sitara Networks that addresses Quality of Service parameters and ensures that mission critical applications, including voice, get through. Polarsat is a new company that includes the broadband division of NSI Global Inc.

Reston, VA-based iDirect Technologies introduced its new iDS v.3.2 software, which the company says cuts the bandwidth requirement in half for VoIP calls over a satellite network as part of its ability to bring about a broader reduction in overall bandwidth consumption.

As hybrid networking shifts into high gear, every sector is looking for its own set of performance advantages. Making satellite technology more appealing and more compelling to a broader range of customers is no easy task. The companies mentioned here deserve credit for their drive and innovative contributions to the industry as a whole.

Peter J. Brown is Via Satellite’s Senior Multimedia & Homeland Security Editor. He lives on Mount Desert Island, ME.