[Sis-SCPS-INTEREST] Re: TCP Acceleration of IPSEC Traffic
Feighery,Patrick D.
FEIGHERY at mitre.org
Wed Aug 3 13:55:44 EDT 2005
PEPs need to see the transport header in the clear so you really have
two options.
1) Apply the VPN after the PEP sees the unencrypted packet. If your
VPN is introduced by a separate box versus at the host itself, can you
reposition either the VPN or the PEP in the network? PEPs aren't
required to be at the RF point of presence. However if you configure a
PEP to operate at a certain data rate, you need to make sure that
traffic generated by the PEP when combined with traffic not generated by
the PEP won't cause network congestion on your constrained bandwidth
environment. That is a mouthful, but I think you get what I mean ;)
2) Have the packet decrypted at or right before the PEP and reencrypted
at or right after the PEP. I've heard of products out there that
perform this functionality, but this requires the keys be known in
places other than the ingress/egress of the VPN itself.
Best Regards
Pat
>>-----Original Message-----
>>From: sis-scps-interest-bounces at mailman.ccsds.org
>>[mailto:sis-scps-interest-bounces at mailman.ccsds.org] On
>>Behalf Of Vanitha
>>Sent: Wednesday, August 03, 2005 5:20 AM
>>To: 'sis-scps-interest at mailman.ccsds.org'
>>Subject: [Sis-SCPS-INTEREST] Re: TCP Acceleration of IPSEC Traffic
>>
>>Hi All,
>>
>>If I intend to run PEP on an existing infrastructure running VPN, is
>>there any other better way to deploy PEP on the satellite hub side,
>>without terminating the VPN sessions? This breaks the end-to-end
>>security. I have seen some proprietary solutions, which have VPN and
>>SCPS-TP integrated, but I think that requires changes to both the
>>terminal and the hub.
>>
>>Thanks
>>Vanitha
>>
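
A check that could be run at a candidate PEP position to confirm the point made in the reply above, that a PEP can act only where the TCP header is still in the clear. This is an added example, not part of the original thread; the packets are constructed samples, the function names are hypothetical, and the ESP body is stand-in bytes rather than real ciphertext.

```python
import struct

TCP, UDP, ESP = 6, 17, 50   # IANA IP protocol numbers
NAT_T_PORT = 4500           # UDP-encapsulated ESP (RFC 3948)

def ipv4(proto, payload):
    """Constructed sample: minimal 20-byte IPv4 header, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

def pep_view(packet):
    """Classify an IPv4 packet by what an on-path PEP can read of its transport header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, body = packet[9], packet[ihl:]
    if proto == TCP:
        return "tcp-visible" if len(body) >= 20 else "malformed"
    if proto == ESP:
        return "esp-opaque"          # only SPI and sequence number are in the clear
    if proto == UDP and len(body) >= 12:
        sport, dport = struct.unpack("!HH", body[:4])
        # On port 4500 a non-zero first word is an ESP SPI; four zero bytes mark IKE.
        if NAT_T_PORT in (sport, dport) and body[8:12] != b"\x00" * 4:
            return "esp-opaque"
    return "other"

# Constructed TCP segment header: ports 40000 -> 80, seq 1, ack 1, ACK flag set.
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
# Stand-in for ESP output: SPI, sequence number, then opaque bytes (no real encryption).
ESP_BODY = struct.pack("!II", 0x1000, 1) + bytes(range(40))

CLEAR = ipv4(TCP, TCP_SEG)       # what a PEP sees when it sits before the VPN
TUNNELED = ipv4(ESP, ESP_BODY)   # what a PEP sees when it sits after the VPN
NAT_T = ipv4(UDP, struct.pack("!HHHH", 4500, 4500, 8 + len(ESP_BODY), 0) + ESP_BODY)

if __name__ == "__main__":
    for name, pkt in (("clear", CLEAR), ("esp", TUNNELED), ("nat-t", NAT_T)):
        print(name, pep_view(pkt))
```
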