Security in broadband satellite systems for commercial and institutional applications

Objectives

In the project technical issues have been identified relating to the deployment of VPN solutions in a network based on a broadband satellite system. Appropriate solutions for these issues have been assessed and validated via functional tests as well as performance measurements and the results have been illustrated.

The key results of the project as well as conclusions and recommendations have been disseminated among standardization bodies and conferences relevant for the satellite industry.

The project had several key objectives. One of them has been the identification of the technical issues and drawbacks linked to the deployment of a VPN with an interactive broadband satellite system. The analysis of these issues and drawbacks had been performed based on various application scenarios and cases in order to provide an exhaustive review.

Another objective has been the identification, specification and validation of technical solutions that the satellite system industry, e.g. satellite terminal manufacturer, PEP manufacturer, satellite system integrator or satellite network operator, could implement to solve these technical issues and allow the seamless and optimized support of VPN by interactive broadband satellite systems. The validation also included the usage of suitable testbeds and simulators.

Finally a key objective of the project has been the dissemination of the project results and recommendations to the satellite community, by preparing a whitepaper, and disseminating within relevant conferences, forums and standardisation groups.

Challenges

Among others the following technical key issues have been addressed:

  • Performance Enhancing Proxies (PEPs) do not get access to the encrypted protocol headers and data required for protocol enhancement.
  • VPN technologies add overhead to packets and this may lead to packet fragmentation, additional load and delay.
  • Delayed packets could fall outside the IPsec anti-replay window.
  • Mobility could result in IP address changes of VPN peers having a negative impact on the VPN.
  • Encrypted QoS classifiers make QoS enforcement difficult.
  • NAT boxes cannot modify VPN protected packets.

Benefits

In the project several representative scenarios involving satellite systems have been identified and analysed regarding security requirements and technical issues caused by the deployment of VPN technologies. This will allow all stakeholders involved in the various scenarios to quickly identify the existing challenges arising with the integration of VPNs in their satellite networks.

Based on this analysis, promising solutions to solve these technical issues have been identified, and their integration into the satellite network architecture outlined. This will allow satellite equipment manufacturer to enhance their product line with the respective solutions. It will also show integrators and operators of satellite networks how those solutions have to be integrated in their networks.

Performance measurements have been done for these technical solutions based on testbeds. This will show to satellite network operators and users the respective performance impact of a certain technical solution.

Finally a whitepaper with the key project results and recommendations has been written. This can be used to easily disseminate the project results to a larger community.

Features

A major part of the project has been the identification and design of architectures. For selected reference scenario first the respective network architecture has been identified and illustrated. For instance, the network architecture of a public safety communication scenario as outlined below comprises usually the following components and networks: on-site networks at emergency/disaster site, a command & control centre, as well as databases and information servers in the Internet.


click for larger image

Based on this network architecture solutions for the various technical issues had to be integrated, resulting in an architecture extension and modification. For example, the appropriate position of PEP units in relation to the position of VPN gateways has been specified, a suitable mapping of QoS classes to IPsec SAs has been recommended, the most promising mobility solutions for the architecture have been identified and the appropriate locations of header compression units have been defined. This resulted in a final architecture for the respective reference scenario including the VPN solution.

Plan

The project has been organized in 5 tasks:

  • Task 0: Project and Quality Management
  • Task 1: Technical requirements identification: Identification of reference scenarios, their respective data security needs and technical issues caused by using VPN technologies
  • Task 2: Detailed specification: Identification and assessment of technical solutions for solving the technical issues and design of architectures for respective reference scenarios
  • Task 3: Proof of concept: Design and development of a testbed and performing validation tests for assessment of the technical solutions
  • Task 4: Recommendations summary: Definition of guidelines and recommendations for deploying VPNs in satellite systems

Current status

The project has been successfully completed.

A variety of scenarios relevant for the satellite industry have been identified, described, and analysed. Technical issues as well as potential solutions to address them have been identified, the solutions have been integrated in architectures for the respective reference scenarios.

Solutions and architectures have been assessed within two testbeds, their intended functionality has been successfully proven. Additionally performance measurements have been performed, focusing among others on throughput, overhead, delay and jitter aspects. A whitepaper with the key project results and recommendation has been written.

Furthermore the project results and recommendations have been disseminated within different conferences and standardization groups, part of this dissemination will be finished in 2012.

Contacts

Status date

Wednesday, October 23, 2013 - 17:02