2012 6th Advanced Satellite Multimedia Systems Conference (ASMS) and 12th Signal Processing for Space Communications

Workshop (SPSC)

Security in IP Satellite Networks: COMSEC and

TRANSEC integration aspects

Juan Manuel RODRIGUEZ BEJARANO, Ana YUN, Borja DE LA CUESTA

Thales Alenia Space España,
Calle Einstein 7 (PTM),
Tres Cantos, 28760, Spain
[email protected]

Abstract—Interactive broadband satellite systems may A malicious user could access the signal within the
encounter several types of threats e.g. data communication coverage area and thus take the control of the communication.
eavesdropping, signalling spoofing, etc. The integration of security With the right technology and if the parameters of a
countermeasures is therefore seen as a major system requirement transmission are known an attacker could access the satellite to
for institutional, military and industry applications. There are impersonate another user.
commonly two types of technologies to implement security in
satellite systems: the support of secure VPN to guarantee Also, are common the denial of service attacks, where the
Communications Security (COMSEC) for end to end user security hacker emits a powerful signal that blocks the actual
communications and security at transmission level (TRANSEC) communication signal.
implemented at the lower protocol layers. Since the satellite
networks are transparent at network layer, apparently there is no But the most important threats are not these inherent attacks
problem in the security and encryption procedures integration. to wireless networks, where solutions were widely studied. The
However they are not always adapted and optimized to satellite TCP / IP protocol stack is based on end to end models where
networks (e.g. end-to-end IPSec is not compatible with TCP the communication process uses a technologies chain that may
accelerator technologies that modify the transport layer be different at the link layer. This model makes assumptions
information) and are far from addressing all the security about the overall performance features of the underlying link
requirements. This paper analyzes the different techniques used layers in order to achieve this service:
within TRANSEC and COMSEC and the most important
integration issues. • An end to end path between a source of data,
• The maximum RTT is not too much between any pair
I. INTRODUCTION of nodes in the network,
Satellite networks are a very special case of the whole of • A small end to end packet drop probability.
the wireless networks. They have singular features and their
“from-everywhere and to-everywhere” nature made arise some Fortunately, there are more and more networks that may
particular problems from the security point of view. violate one or more of the assumptions so, there are multiple
studies focusing on this topics.
In particular this paper addresses the IP based satellite
communications networks, a particular case of the satellite In particular, Satellite IP networks have problems with
networks where communications are established using Internet delays and transmission errors and one of the biggest issues
protocols over the link layers [1]. Furthermore, these networks studied in satellite communications is the problem of the
will be treated from the security point of view. TCP/IP protocol stack use of TCP in space links. This links are
characterized by low data transfer rates (compared with wired
Most of the concepts may appear on most of the wireless networks), huge and changing RTTs, elevated and varying bit
networks but there are some points that are unique to IP error rates (BER) and high latencies.
satellite communications networks. For example the broadcast
transmission in one or several beams may convert the coverage There are some techniques that intervene some parametrs at
area in a threat zone. Those areas could cover tens or thousands the transport layer or the IP layer to improve the overall
of kilometres so they can make available the signal from performance [2]. The problem is that there are other
unimaginable spots. techniques that snoop or modifies the TCP/IP protocols. So,
security techniques implemented on this layers may have some
This availability from thousands of kilometres make that problems.
the satellite networks use is preferred for military services or
governmental communications so; security is a key feature in But security not only have problems with the connection
satellite communication networks. acceleration but also the space segment latency that may affect
with the used topologies IP satellite networks as multicast or
with the QoS maintenance used in satellite communications.

978-1-4673-2676-6/12/$31.00 ©2012 IEEE 281

For this reason this paper analyzes compatibility techniques as entity, being the digital signature, the more
connection split, additional Pre-acceleration, the use of TLS- extended mechanism.
VPNs, ML-IPSec, SLE, Multicast security, IPSec anti-replay
and overhead and header compression • Integrity: requires that the information can only be
modified by authorized entities. The alteration includes
The paper starts in Section 1 introducing the problem of writing, changing, deleting, creating and restoration of
security and satellite performance techniques integration. the transmitted messages.
Section 2 goes through the different security levels and • Data integrity: ensures that the received data have not
services pursued in satellite communications. Services are seen been modified in any way, for example through a
as user and communication oriented security services and cryptographic hash signature,
levels are oriented to the layered satellite architecture.
• Data stream integrity: ensures that the sequence of
Section 3 outlines the security techniques are performed in blocks or units of data received has not been altered
satellite communications, dividing its scope: the lower layers and there is no or lost repeated units, for example by
(TRANSEC) or the upper (COMSEC) time-stamps use.
Section 4 reviews some novel and existing techniques to • Non-repudiation: offers protection to a user against
mitigate these security integration problems. another user that denies that some communication was
Finally conclusions are stated in section 5. actually performed. This protection is performed by a
collection of irrefutable evidence means that will
facilitate the resolution of any dispute. Digital
II. SECURITY SERVICES AND LEVELS signatures are the mechanism used for this purpose.
Security can be approached from different points of view.
Security expresses the analysis of threats and solutions in a • The non-repudiation of origin: protects the recipient
integral manner, defining policies, procedures and hardware that the sender denies having sent the message.
and software solutions to ensure an optimal level of support, • Non-repudiation of receipt: protects the sender that the
maximizing the use of resources and protecting the highest recipient denies having received the message.
level of information.
• Access Control: Requires that the resources access
Security services are the procedures and mechanisms used (information, computing capabilities, communications
to secure the possible identified threats. The security services nodes, physical entities, etc.) is controlled and limited
globally accepted are: authentication, integrity, non- by the target system, using hardware keys or
repudiation, access control, availability and privacy. passwords, for example, protecting against
Security levels are defined in this study to introduce some unauthorized use or manipulation.
criteria in the security implementation. Security levels are • Availability: Requires that the computer system
related to the level of protection of the information and data resources are available to authorized entities when
transmission procedures at the different protocol layers. Two needed.
different levels of protection are introduced. TRANSEC
(transmission security) and COMSEC (communications • Privacy: requires that information is accessible only by
security). authorized entities. The disadvantage of privacy
methods is that they dramatically increase the volume
A. Security services of traffic exchanged with negative repercussions on the
availability of bandwidth on demand.

Security services are defined to address the security threats The most important security service is confidentiality.
of the system. The security services protect the systems data The information confidentiality applies to all data
processing and information transfer within the system using exchanged between the entities authorized or perhaps only
one or more security mechanisms. Security services can be selected portions or segments of data, for example through
classified as follows: encryption.
• Authentication: requires the proper identification of the The traffic flow confidentiality protects the identity of the
origin of the message, ensuring that the entity is not origin and destination(s) of the message. It is performed with
false. There are two types: different methods, for example: sending confidential data to
many destinations in addition to the true one, changing the
o Entity authentication: which ensures the
volume and timing of traffic exchanged, by producing constant
identity of the entities participating in
traffic adding an amount of spurious traffic to the significant
communication, through passwords, or
traffic, so as to be indistinguishable for an attacker.
similar procedures and
o Information source , which ensures that a B. Security Levels
unit of information comes from a certain

282
 Security levels are referred to the layers where security is • IPsec with encryption in either tunnel and transport
implemented in the satellite system. mode. The security associations can be set up either
manually or using PKI with either certificated or pre-
Security can be implemented at different layers of the
shared secrets.
protocols stack, from the lowest (Physical and MAC) to the
higher (Link, Network, Transmission and Application). • TLS/ SSL/HTTPS with encryption
All these protocol layers manage one or several data planes • External crypto tokens as HAIPE (High Assurance
(control, management and traffic), but the information Internet Protocol Encryptor)
processing is more or less the same at the same Layers. For
these reason security levels are grouped in two different levels: Since the interactive broadband satellite systems are
transparent at network layer, apparently there is no problem in
• Physical and MAC layer techniques (TRANSEC or the security and encryption procedures integration. Many
TRANsmission SECurity) to better protect the full security solutions are availible, however they are not always
signal transmission in satellite system adapted and optimized to satellite networks. Security
implementations may vary substantially per system and
• Higher Layers techniques (COMSEC or
business case.
COMmunications SECurity ) to guarantee secure
transmissions for end to end user security
communications
III. SECURITY TECHNIQUES OVER SATELLITE
1) TRANSEC During this section some security techniques applied to
satellite networks are described. These techniques are divided
depending on its action area, If the used techniques imply link
TRANSEC comes from “Transmission Security” and it layer or physical interaction then are classified as TRANSEC
protects the transmission from interception and exploitation. techniques. If this techniques use the IP network protocol or
TRANSEC is intended to reduce the security risks associated above layers then they are classified as COMSEC techniques.
with the security threats and vulnerability specific to the
satellite networks, related to:
• Control, management and data confidentiality and A. TRANSEC techniques
integrity: The countermeasure techniques commonly used for
• Risk of channel activity patterns tracking: disguise mitigating the above risks consist in link layer encryption (and
transmission energy in order to conceal channel associated key management), authentication and traffic activity
activity fluctuations. concealment / obfuscation. For this reason the encryption is the
main technique and is therefore at the centre of TRANSEC.
• Risk of control channel information monitoring: Other techniques are also covered within TRANSEC and are
disguise traffic volumes, secure traffic source and noted among the recommendations by the American
destination. Department of Defense (DoD) and National Defense Area
(NDA), the following items are TRANSEC techniques
• Risk of user data eavesdropping: disguise user
susceptible to be implemented:
information
• Low Probability of Detection (LPD): this is based on
• Network access and connection establishment:
protecting the channel activity. Detecting energy on the
• Risk of hub and remote units faking: ensure that channel, provides information to external agents about
remote terminals connected to the network are the usage of the uplink, data volume, etc.
authorized users.
• Low probability of Interception (LPI): the control
• Intrusion risk: mitigate the intrusion risk / protect channel information shall be protected, source and
against Denial-of-Services (DoS) and Replay attacks. destination of each transmission shall be securised and
encrypted. Also, to minimize the probability of
detecting the transmission (by receiving the side- and
2) COMSEC back-lobes of the transmission, for example) is
considered inside this item.

COMSEC comes from “Communication Security and it • Anti-jam (resistance to jamming): TRANSEC
protects the end-user communications. End to end solutions include the possibility of increasing the
communications are usually protected using secure tunneling robustness of the transmission by protecting it from
or VPN implementations. jamming and interception. To achieve the required
security levels, a variety of methods can be applied.
The term VPN in this framework is associated to secure end
to end tunnels, based on technologies such as: • Continuous transmission: this is based on keeping
the channel always occupied at the maximum

283
 occupancy even when there is no data being packet is encrypted and/or authenticated, but the header is left
transmitted. This methodology protects the in clear text, having thus no effect on routing. Transport mode
transmission in front of external receivers analysing the is used for host-to-host communications. In tunnel mode the
activity on the transponder. whole packet is encrypted and/or authenticated, and then
encapsulated into a new IP packet with a new header, this is the
• Frequency hoping: by changing the frequency mode used in network-to-network communications, and used to
transmission following a pseudo-random sequence, create VPN.
based in a cryptographic algorithm and a key, prevents
the potential third party to acquire all the information
and detecting the real transmission.
• Spread spectrum techniques: they are based on
setting the transmission power under the channel noise
level. The possibility of transmission detection and
interference is minimised.
• Side-lobe cancellation: all the antennas have
transmission side and back lobes that can be detected
and used by third parties to recover the information.
These lobes can be cancelled by using specific Figure 1. IPSec encapsulation in ESP mode
techniques.
The use of IPsec over satellite networks brings a series of
• Data encryption: these methods are widely used today drawbacks due to the special characteristics of them. The BER
and protect the communication in several senses. can seriously affect the time necessary to set up a SA, given
Encryption methods can authenticate the source and that the process of key interchange is based in UDP, a not
the destination by encrypting the information with a reliable protocol, and the reliability is built in higher levels,
public and private key system. Information can be sent thus the discovery of errors is done after receiving several
encrypted so it cannot be decoded by a third party. packets.
They can also protect data from errors as they typically
include some kind of error detecting code. The high propagation delay present in satellite links affects
seriously the TCP throughput, this is usually minimized by the
use of TCP accelerators to enhance the data rate. But if IPsec
encryption is applied before the TCP accelerators, the data
B. COMSEC techniques packets will be encrypted/authenticated, and the TCP
This section contains a brief description of the main accelerator will not have access to the TCP header, needed to
protocols used for the implementation of VPN, addressing the accomplish its function.
most important features and characteristics, thus allowing a Another factor to be taken into account is the overhead
detailed analysis of its performance on each use scenario. produced by the encapsulation of packets, and the addition of
1) IPsec the IPsec headers, this can affect the bandwith used on the
satellite links.

IPsec is a protocol part of the Internet Protocol Suite, 2) HAIPE

standardized by the IETF, initially intended for the IPv6
protocol. IPsec operates at IP layer, and can be used for HAIPE (High Assurance Internet Protocol Engryptor) is a
protecting any application traffic, not needing an adaptation of specification from the United states National Security Agency,
the application itself. IPsec provides confidentiality, which devices used in securing US governmental
authentication, integrity, access control and rejection of communications have to accomplish. HAIPE is based on IPsec,
replayed packet, by means of two traffic security protocols, the including additional restrictions and enhancements.
Authentication Header (AH) and the Encapsulating Security
Payload (ESP). The AH provides authentication of IP packets, 3) SSL/TLS
but it does not provide confidentiality. ESP, on the other hand,
provides authentication as well as confidentiality.
SSL/TLS provides security services for TCP based
IPsec bases its operation in the Security Associations (SA), applications. SSL/TLS provides authentication and privacy for
these are one-way relationships between a sender and a end to end communication over networks, and protection
receiver that applies security services to the traffic carried on against eavesdropping and phishing, to client-server
them. In order to set a two-way secure exchange two security applications. Usually only the server is authenticated, bilateral
associations are needed. On each SA the security services can authentication requires the deployment of a public key
be based in ESP or AH, but not both at the same time, if both infrastructure. The protocol works on a client-server basis; the
should be used, then two SA are necessary. two parts of the communication negotiate a stateful connection
using a hand-shaking procedure, and agree to the parameters
IPsec has two modes of operation: transport mode and
used to establish the connection’s security.
tunnel mode. In transport mode only the payload of the IP

284
 Due to the operation over transport layer, SSL/TLS can (DTLS) provides security services for datagram
only provide security over TCP layer, being unable to provide communication systems. It works in a similar way to SSL/TLS
security for applications running on top of UDP. On the other but with UDP encapsulation. Another VPN mechanism
hand, this characteristic makes possible the use of TCP available is Secure Socket Tunneling Protocol (SSTP), it
accelerators with SSL/TLS traffic, minimizing the problem of provides a method to transport PPP or L2TP traffic through an
the degradation of the throughput of TCP protocol due to the SSL channel.
delay on the satellite link. There are similar problems with
HTTP accelerators, as are placed at application layer SSL works in higher layers, like SSL/TLS, so the problems
and issues faced with its use in satellite communications are
similar to those discussed in SSL/TLS. And thus having also
the advantage over IPsec on the possible use of TCP
accelerators with SSH encrypted traffic.
6) PPTP

The Point-to-Point Tunneling Protocol is a protocol to

Figure 2. TLS encapsulation implement VPN developed by Microsoft. It encapsulates PPP
packets in IP packets and transmit them over IP networks. The
specification of PPTP does not describe any methods for
encryption or authentication, leaving this task to the PPP
The high latency on satellite links affects SSL/TLS in a
protocol tunneled. The payload is encrypted using Microsoft
similar way as IPsec, it can produce a delay on the
Point-to-Point encryption.
establishment of connections. The frequency of session
connection is very application dependent, and SSL provides A number of serious security vulnerabilities are known in
with ways to reuse old sessions, so this problem can be PPTP, related to the PPP authentication protocols and the
minimized. design of MPPE, making PPTP unsuitable for establishing a
secure VPN.
The problem of the overhead introduced by SSL/TLS has to
be taken into account as well, and adquires a similar
importance as for IPsec for average packets.
4) HTTPS IV. INTEGRATION PROBLEMS AND SOLUTIONS
Previous section addressed possible problems in the
security integration. Possible solutions have to take into
Hypertext Transfer Protocol Secure is a secure version of
account the context where are going to be applied. The satellite
HTTP based in the use of SSL/TLS, it works at application
system operator integrator not always has access to the election
layer over SSL/TLS. HTTPS creates a secure channel over an
of the security method, depending on the system architecture
insecure network. It uses authentication based on certificates,
and the topology.
and SSL/TLS as an encryption layer. HTTPS is generally
implemented in the main Internet browsers, and it is mainly
used in online banking.
From the point of view of this study HTTPS has no more A. Conection split in PEP
implications for satellite communications apart from the ones
already considered on SSL/TLS.
The most extended commercial solution to solve TCP/IP
5) SSH problems on space segments is the Performance Enhancement
Proxy (commonly PEP) [3] which intervenes within the
transport layer or the IP layer to improve the overall
Secure Shell is another valid protocol to establish VPN performance. To perform this, PEP commonly spoofs the
connections. It was primarily intended to access shell accounts protocol headers. Depending on the PEP operation type and the
in Unix based systems, SSH works at application layer, and captured data three different techniques can be performed.
provides confidentiality and integrity of data over an insecure
network. Apart from its primary function, SSH is capable also • The PEP node do not change any data on packets, the
of port forwarding and tunneling, which makes possible to built PEP node only is used to locally retransmit the data to
VPN based on this protocol. avoid possible looses.
SSH uses public-key cryptography for authentication. It is • The PEP node uses spoofing to intercept the data in the
based in a client-server model, an SSH client is used for middle and act as the recipient for the sender.
establishing connections to SSH servers. SSH is present on Commonly the PEP node creates several connections
most modern operating system, making affordable building and then the PEP node retransmits the data to the
systems based in the protocol in a great variety of systems. receiver. The ACKs are sent accordingly.
There are several protocols based on SSL/TLS to • PEPs nodes can also use custom protocols. New or
implement VPN. The Datagram Transport Layer Security modified protocols are designed to avoid issues like

285
 “three way handshake” and the “slow start phase” of
TCP.
The interaction between encryption mechanisms and the
performance enhancement proxies is not obvious. The most
evident issue is that IPsec encrypts the TCP header and a TCP
PEP would inspect the TCP header for TCP flow identification
and to check the sequence number. Encryptions at transport
level (TLS) manipulate application headers but the application
PEP inspects the application datagram for fast connection and
improve efficiency.
Figure 4. ML IPSec
The PEP component could intercept the client connections
and impersonate the server. The PEP server should manage two This method implies that the encryption method is not free
secure connections with two different keys exchange at the for the user.
session establishment. Once established the connections the
PEP component deliver the requested content to the client E. SLE
impersonating the final server. Similar to TSL/SSL-VPNs, SLE encrypt the data, but leave
the headers clear so TCP Acceleration continues working.
This method implies that the encryption method is not free
for the user.

F. Multicast security
Multicast data is used in several scenarios, as the corporate
or military, where security is a must. In order to protect
multicast IP packets, one solution is encapsulating them on
unicast traffic, allowing for example to keep this data within
VPN. Of course, this solution is not completely optimal for
every topology, requiring more resources in order to reach
every remote VPN member in a mesh scenario. Other
proposals give a specific treatment to multicast packets,
independently of the solution adopted for the unicast traffic.
Figure 3. Connection splitting on a PEP secure server The broadband interactive satellite network is a global network,
in the sense that every connected user may be able to listen
every multicast transmission existing in the satellite downlink,
as if all the hosts were located in the same LAN. In any case, in
B. Additional Pre-acceleration order to protect multicast traffic, secure bidirectional
If the PEP features can not be used after the encryption a transactions (employing security associations) are needed
"pre-acceleration" could be used between the LAN and the among the session participants and the entities responsible of
VPN. This implies to install pre-acceleration capabilities on managing the multicast security.
the final user PCs. Multicast security involves several aspects, such as data
confidentiality, integrity, group authentication, key
C. Use TLS-VPNs management or policy management.
The uses of TLS in the secure connection encrypt the data,
MSEC working group belongs to the IETF and standardizes
but leave the TCP headers alone, so TCP Acceleration
protocols for secure group communications and multicast. It
continues working. This method implies that the encryption
defines an architecture focusing at securing large multicast
method selection is not free for the user.
groups that does not require neither using multicast routing
protocols as PIM [RFC2362] nor IP multicast admission
D. ML-IPSec control protocols (IGMP [RFC3376], MLD [RFC3019]). A
Depending on the datagram part one key or other is used. security device will be in charge of the join process to the
PEP devices have the key to decode TCP header so, they can secure multicast group.
work properly.
The MSEC Architecture document [4] defines two
reference frameworks, one centralized, and other distributed,
applicable for very large multicast groups. The reference
framework is divided in functional areas that interact with each
other using standardized protocols.
IPsec [RFC4301] implementations need some extensions
for supporting multicast. The IPsec multicast extensions

286
service [RFC5374] provides the following network layer system considers that a replay attack has been produced. In
mechanisms for secure communications: DVB-RCS networks, the RCST can include QoS mechanisms
as classification / queuing functions (proposal presented in C2P
• Confidentiality using a group shared key. standard [5]), which can produce that RCST discards low
• Group source authentication and integrity protection priority packets, re-orders packets and delays packets. In order
using a group shared authentication key. to solve these inconveniences, some proposals have been
presented:
• Group sender data origing authentication.
• Improve the performance of IPSec anti-replay window,
• Anti-replay protection for a limited number of Group by splitting the whole window into two smaller
Senders. windows with the equal size.
• Filtering of multicast transmissions identified with a • Controlled-shift protocol, which can greatly reduce the
source address of systems that are not authorized by number of discarded good packets by sacrificing a
group policy to be Group Senders. relatively small number of packets.
A host may use either transport mode or tunnel mode to • Extended Sequence Number (ESN) is proposed to
encapsulate an IP multicast packet, following the same rules support high-speed IPsec implementations.
than those for unicast, but using a multicast IP address for the
IPsec packet. • Increase the anti-replay window size in the VPN
devices.
When tunnel mode IPsec is used, the “tunnel mode with
address preservation” method is necessary, since propagating • Configure distinct IPSec security associations per QoS
both the IP source and destination addresses into the tunnel class.
header allows a correct routing of the protected multicast VPN usually uses IPSec protocol (other protocols as SSL
packets. could be used). The solution planned for solve anti-replay
problem is implemented in the VPN devices. Therefore, the
location of VPN devices is essential for satellite system
G. IPSec anti-replay operator or integrator. If they control the VPN devices, they
decide which solution can be implemented and keep watch the
IPSec provides an anti-replay protection against an attacker
problem.
duplicating encrypted packets by assigning a unique sequence
number to each encrypted packet. The decryptor keeps track of However, in the case the satellite system operator or
which packets it has seen on the basis of these numbers. The integrator does not control VPN devices; the problem is much
sequence number is a 32-bit, incrementally increasing number more complex and requires further investigation. The system
(starting from 1) that indicates the packet number sent over the should provide a mechanism for detecting the use of VPNs in
security association for the communication. The sequence order to act according to VPN requirements.
number cannot repeat for the life of the security association.
The receiver checks this field to verify that a packet for a
security association with this number has not already been
received. If one has been received, the packet is rejected. The H. Overhead and header compression
receiver uses for that a 64-byte sliding window. If packets Mechanisms like IPsec or TLS provides various security
arrive outside of this sliding window, they are considered services for packets and datagrams but in contrast, the security
hacked and are dropped. features influence the packets overhead. One possible possible
method is to compress previously the traffic and, then, pass the
packets to the secure layers, but this method not solve the
overhead problem. There are some methods of header
compression, but headers normally contain relevant
information for security. Therefore, these methods have to be
studied in conjunction of security carefully Header
compression at various layers have to be studied.
The packet overhead is particularly significant in profiles of
small packet payloads (e.g., SCADA, voice communications).
If these small packets are encrypted the quantity of overhead
per each packet is increased. As a result, it is necessary a
mechanism to reduce the overhead associated with such
Figure 5. Anti-reply mechanism encrypted flows.
The use of QoS mechanisms can affect the performance Endpoints that exchange traffic over a TLS connection can
due to anti-replay mechanism. For example, one router can use the compression provided by TLS. TLS protocol includes
give priority to high-priority packets, which could cause some features to negotiate the selection of a data compression
low-priority packets to be discarded, and it can produce that the method. The method will be performed as part of the TLS

287
Handshake Protocol and to then it will be applied the algorithm Performance Enhancement Proxies (PEP) [7] hinder the
associated with the selected method as part of the TLS Record integration of satellite systems security. This is unfortunate
Protocol. TLS defines one standard compression method which because IP satellite systems are mainly used for military and
specifies that data exchanged via the record protocol will not governmental scenarios.
be compressed. Even so, compression is applied to the data.
This paper has analyzed a series of common problems with
Encrypted traffic flow requires the IP packets tunnelling . the security integration but a great number of solutions found
Even though the IPsec packets mask the source-destination in the state of the art have been also proposed.
addresses avoiding intruders the tunnelling increase packet
overhead. Using the ESP IPSec mode (Encapsulating Security
Payload) results at least 50 bytes of additional overhead per
packet. This overhead possibly will be undesirable for many REFERENCES
satellite applications.
Robust Header Compression (ROHC) is a standard method [1] TS 102 292 Broadband Satellite Multimedia (BSM) services and
described in [6] for compressing the IP header, in UDP, RTP architectures; Functional architecture for IP interworking with BSM
and TCP packets. This compression system differs from other networks. Publication (2004-02-11)
compression systems in that it is performed on links with many [2] M. Allman, D. Glover, and L. Sanchez, “Enhancing TCP Over Satellite
Channels using Standard Mechanisms,” RFC 2488, Jan. 1999.
looses. If ROHC is applied per each hop the links will also
experience reduced performance when the encryption is used [3] J. Border, M. Kojo, J. Griner, G. Montenegro, Z. Shelby, “Performance
Enhancing Proxies Intended to Mitigate Link-Related Degradations”
on the header, because the encrypted headers cannot be (June 2001)
compressed. Therefore, the additional overhead may result the [4] M. Baugher, R. Canetti, L. Dondeti, F. Lindholm, “Multicast Security
inefficient utilization of bandwidth. A method to integrate (MSEC) Group Key Management Architecture” (April 2005)
ROHC with IPsec have to be studied. offering combined [5] ETSI TS 102 602: Satellite Earth Stations and Systems (SES);
benefits of IP security services and efficient bandwidth Broadband Satellite Multimedia; Connection Control Protocol for DVB-
utilization. RCS. Available at http://pda.etsi.org/ with free registration.
[6] C. Bormann, C. Burmeister, M. Degermark, H. Fukushima, H. Hannu,
Jonsson, R. Hakenberg, T. Koren, K. Le, Z. Liu, A. Martensson, A.
V. CONCLUSIONS Miyazaki, K. Svanbro, T. Wiebke, T. Yoshimura, H. Zheng, “RObust
This paper has shown that satellite systems have problems Header Compression (ROHC): Framework and four profiles: RTP,
UDP, ESP, and uncompressed”, (July 2001)
with security integration. Concepts of COMSEC and
[7] Technical Report on Performance Enhancing Proxies (PEPs) for the
TRANSEC have been introduced and it has been demonstrated European ETSI Broadband Satellite Multimedia (BSM) working group.
that satellite systems have security problems mainly with end ETSI Report TR 102 676 (September 2009)
to end communications.
Still, most problems are arising from the use of TCP over
satellite. The improvements on this protocol or the use of

288