TCP/IPsec Compatibility in Wireless Networks

Release Date: 2005-03-24 Author: Zhao Haiyang, Yang Yixian

In order to improve the performance of TCP (Transmission Control Protocol) in wireless environments, several enhancement mechanisms for TCP have been proposed and are now widely used, such as Snoop [1] and ELN-ACK [2] (Explicit Loss Notification with Acknowledgment). But these mechanisms conflict with the IP Security Protocol (IPsec) [3]. If subscribers use IPsec to secure their communication, these enhancement mechanisms cannot be applied and the performance of TCP over wireless channels cannot be improved.

1 IPsec Protocol
IPsec provides subscribers with end-to-end security protection at the IP layer. IPsec consists of two parts: key management and the security protocols themselves. Its Authentication Header (AH) [4] and Encapsulating Security Payload (ESP) [5] both offer data integrity and data-origin authentication; ESP can additionally ensure data confidentiality. AH and ESP can each operate in transport mode or in tunnel mode. In either mode, the upper-layer protocol header is covered by the encryption or the integrity protection.

  The security services offered by IPsec need a shared key for data authentication and data encryption. Internet Key Exchange (IKE) [6] performs the key management function. Through two phases of message exchange, the security parameters required by the security protocols are obtained and, when needed, refreshed safely.

2 TCP over Wireless Networks
TCP assumes that all packet losses are due to network congestion, so when a loss occurs it triggers its congestion avoidance mechanism, shrinking the transmission window and slowing the sending rate to relieve the congestion. But in wireless environments, high bit-error rates and frequent handoffs of the mobile host also cause many packet losses. If TCP triggers congestion avoidance and slows down in this situation, channel resources are wasted and TCP performance suffers. At the same time, the larger delay of wireless networks slows the growth of the congestion window and reduces TCP throughput.

  Research is now being carried out to address the problems of running TCP over wireless networks. The Snoop mechanism, proposed in Reference [1], adds a software module at the base station: the Snoop agent. This agent watches the TCP segments of every TCP connection passing between mobile host and fixed host, and at the same time buffers all segments that have not yet been acknowledged. From duplicate acknowledgements and a local timeout, the Snoop agent determines which segment has been lost on the wireless link. It immediately retransmits the buffered segment and discards the duplicate ACKs caused by the loss. Through this local retransmission at the base station, Snoop recovers losses on the wireless link and prevents the duplicate ACKs from triggering the sending TCP's fast retransmission mechanism. As a result, the performance of TCP from fixed host to mobile host is improved.

  Another important factor affecting TCP performance in wireless networks is that the transport layer cannot tell whether a packet loss is due to network congestion. The Explicit Congestion Notification (ECN) [7] mechanism has therefore been proposed. In ECN, an ECN-ECHO mark is defined in the TCP header to inform the sender whether network congestion has occurred. Only after receiving the congestion notification does the sender trigger the congestion avoidance mechanism and reduce its sending rate.

  Based on Snoop and ECN, ELN-ACK is proposed in Reference [2]. It adds a response packet called ACKELN to TCP and defines an ELN field in ACKELN to represent the reason for packet loss, where "0" stands for the wireless network and "1" stands for network congestion. Under ELN-ACK every base station has an ELN agent. The ELN agent buffers the segments sent from the fixed host to the mobile host, judges the reason for each packet loss and sets the value of ELN in ACKELN. When the fixed host receives an ACKELN with ELN equal to 1, the loss is regarded as due to network congestion and the fixed host triggers the normal congestion avoidance mechanism to slow its sending rate. If ELN equals 0, the loss is due to the wireless network and the fixed host immediately retransmits the lost packet without shrinking its sliding window. This mechanism considerably improves the throughput and delay performance of TCP from fixed host to mobile host.
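As an added illustration of the Snoop behaviour described above (this is constructed example code, not code from the paper or from the Snoop project), the following model runs ten segments from a fixed host across a wireless link that drops one segment once, with and without a base-station agent. The link model, segment sizes, loss pattern and the three-duplicate-ACK fast-retransmit rule of the sender are assumptions of the example. With the agent, the lost segment is retransmitted locally and the duplicate ACKs never reach the fixed host; without it, the sender sees the duplicate ACKs and performs an end-to-end fast retransmit, halving its congestion window even though no congestion occurred.

```python
"""Constructed example: a simplified Snoop agent at a base station."""


class SnoopAgent:
    """Base-station module sitting between the fixed host and the mobile host."""

    def __init__(self):
        self.cache = {}              # seq -> segment not yet acknowledged by the mobile host
        self.last_ack = -1
        self.dup_acks = 0
        self.local_retx = 0
        self.suppressed_dup_acks = 0

    def on_data_from_fixed(self, seq, segment):
        """Keep a copy of every segment that enters the wireless link."""
        self.cache[seq] = segment

    def on_ack_from_mobile(self, ack):
        """Return (ACK to forward to the fixed host or None, local retransmissions)."""
        if ack > self.last_ack:                      # new ACK: free acknowledged data
            for seq in [s for s in self.cache if s < ack]:
                del self.cache[seq]
            self.last_ack, self.dup_acks = ack, 0
            return ack, []
        if ack not in self.cache:                    # loss upstream of the base station
            return ack, []
        self.dup_acks += 1                           # duplicate ACK: wireless-link loss
        self.suppressed_dup_acks += 1                # never forwarded to the fixed host
        retx = []
        if self.dup_acks == 1:                       # retransmit the buffered copy once
            retx.append((ack, self.cache[ack]))
            self.local_retx += 1
        return None, retx


class MobileHost:
    """Receiver returning cumulative ACKs (next expected byte offset)."""

    def __init__(self):
        self.expected = 0
        self.received = {}

    def receive(self, seq, segment):
        self.received[seq] = segment
        while self.expected in self.received:
            self.expected += len(self.received[self.expected])
        return self.expected


def run(snoop, loss_once=frozenset({300}), nseg=10, mss=100):
    """Simulate one transfer; loss_once holds segments dropped on their first try."""
    agent, mobile = SnoopAgent(), MobileHost()
    sent = {i * mss: bytes([i]) * mss for i in range(nseg)}   # constructed payloads
    queue = list(sent.items())                                 # segments on the wireless link
    for seq, seg in queue:
        agent.on_data_from_fixed(seq, seg)
    dropped, acks_at_sender = set(), []
    sender_last_ack, sender_dups, fast_retx = -1, 0, 0
    while queue:
        seq, seg = queue.pop(0)
        if seq in loss_once and seq not in dropped:
            dropped.add(seq)                                   # bit errors, not congestion
            continue
        ack = mobile.receive(seq, seg)
        if snoop:
            fwd, retx = agent.on_ack_from_mobile(ack)
            queue.extend(retx)                                 # local retransmission
        else:
            fwd = ack
        if fwd is None:
            continue
        acks_at_sender.append(fwd)
        if fwd > sender_last_ack:
            sender_last_ack, sender_dups = fwd, 0
        else:
            sender_dups += 1
            if sender_dups == 3:                               # end-to-end fast retransmit
                fast_retx += 1                                 # (sender also halves cwnd)
                queue.append((fwd, sent[fwd]))
    return {"acks_at_sender": acks_at_sender, "fast_retransmits": fast_retx,
            "local_retransmits": agent.local_retx,
            "suppressed_dup_acks": agent.suppressed_dup_acks,
            "delivered": mobile.expected}


if __name__ == "__main__":
    print("with Snoop:   ", run(snoop=True))
    print("without Snoop:", run(snoop=False))
```

The agent only reads the sequence and acknowledgement numbers of segments and ACKs passing through it, which is exactly the header data that section 3 shows to be unavailable or unmodifiable once IPsec protects the packet.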

3 TCP/IPsec Compatibility
There are conflicts between IPsec and the enhancement mechanisms of TCP in wireless networks, mainly in the following two aspects:

  (1) The enhancement mechanisms of TCP in wireless networks depend on certain data in the TCP header, such as the source port, destination port, sequence number and acknowledgement number. Mid-nodes in the network retransmit packets or generate ACKs according to this data to improve TCP performance, as the Snoop agent does in the Snoop mechanism. The enhancement mechanisms cannot take effect if the mid-nodes cannot read this data. But when subscribers use ESP in IPsec to protect IP packets, the whole TCP segment is encrypted, and no mid-node other than the two ends of the TCP connection can read the actual contents of the TCP header. Thus the enhancement mechanisms of TCP cannot take effect.

  (2) When subscribers use AH to protect packets, no mid-node in the network can modify the TCP header, because AH protects the integrity of the TCP header and data. But in the enhancement mechanisms of TCP, some mid-nodes need to modify the TCP header. Therefore the AH protocol cannot work in coordination with the enhancement mechanisms of TCP.

4 Solutions
At present, the data transmission service in wireless networks is continually increasing and the application of IPsec has become more widespread because of its better security. Therefore the issue of compatibility between the enhancement mechanisms of TCP in wireless networks and IPsec must be resolved.

4.1 Replacing IPsec with Transport Layer Security/Secure Socket Layer Protocol
Transport Layer Security/Secure Socket Layer (TLS/SSL) is a security protocol at the transport layer and works over TCP. Because TLS and SSL only encrypt the data part of a TCP segment and the TCP header is transmitted in cleartext, IPsec can be replaced by TLS or SSL. The mid-nodes in the network can then operate on the TCP header, and TLS and SSL can cooperate with the enhancement mechanisms of TCP.

  The weakness of this mechanism lies in the fact that the TCP header and IP header are both transmitted in cleartext, so the identities of both communicating parties may be revealed and potential attacks such as traffic analysis may occur.

4.2 ESP Protocol
The ESP protocol can be extended by appending the TCP source port, destination port, sequence number and acknowledgement number to the ESP header [8]. This data is integrity-protected but not encrypted, so the mid-nodes in the network can read it and the enhancement mechanisms of TCP in wireless networks, such as Snoop, can work normally.

  But the mid-nodes still cannot modify the TCP header in this mechanism, so enhancement mechanisms that require header modification, such as ELN-ACK, cannot yet be used. Besides, transmitting this data (TCP source port, destination port, sequence number and acknowledgement number) in cleartext over the network may itself open a security loophole.

4.3 Segmenting the TCP route
The TCP conversation path in a communication network can be separated into two parts, as shown in Figure 1. One part is the wireless network between mobile host and base station; the other is the wired network between base station and fixed host. If subscribers have full confidence in the wireless network and trust it to carry data safely, IPsec can be replaced over the wireless link by the security protocol of the link layer, while IPsec is retained over the wired link between base station and fixed host. The enhancement mechanism of TCP then operates only on the wireless network between mobile host and base station, the conflict between IPsec and the enhancement mechanism is avoided, and both the security of communication and the performance of TCP are assured.

  The limitation of this mechanism is whether full confidence can be placed in the wireless network.

4.4 Modifying the End-to-End Protection Mode of IPsec
This mechanism suggests modifying the end-to-end protection mode of the IPsec protocol. The IP packet is divided into several protection fields, and different fields use different mechanisms to offer segmented protection. Each field has its own security association, key and access control rule, which determine which mid-nodes in the network may operate on that field. The IP packet with segmented protection is sent from the source end. Authorized mid-nodes are permitted to decrypt and modify a certain field of the packet, while the other fields remain hidden from them. When the IP packet arrives at the terminal, the whole packet is decrypted and recovered.

  By separating the TCP header and the TCP data of an IP packet into two different fields, this modified end-to-end protection mode offers finer-grained protection than the IPsec protocol. Under normal end-to-end protection of the TCP data, only the sender and the receiver hold keys. But by using a separate protection mode for the TCP header, authorized mid-nodes, such as the ELN agent in ELN-ACK, can hold keys in addition to the sender and receiver. These authorized mid-nodes can read and write the TCP header, and the conflicts between IPsec and the enhancement mechanisms of TCP are resolved.

  In this modified end-to-end protection mode, the authorized mid-nodes must have their identities authenticated. This authentication can be realized with a Public Key Infrastructure (PKI) to prevent man-in-the-middle attacks. Only after authentication can shared secrets, such as keys, be delivered to mid-nodes. The weakness of this mechanism is that keys can only be delivered manually; dynamic key delivery cannot be realized until IKE is extended accordingly.
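The following constructed example (added here; not code from the paper or from any IPsec implementation) makes the two conflicts of section 3 and the per-field protection mode of section 4.4 concrete in one model. A TCP segment is protected three ways: under a single-key ESP-style transform, a mid-node parsing the packet sees only ciphertext where the ports and sequence numbers should be; under an AH-style integrity check, a mid-node that touches one header bit causes the receiver to reject the packet; under the section 4.4 scheme, the header and payload are two fields with separate keys, so a mid-node holding only the header key can read and rewrite the header and re-protect it, while the payload stays unreadable and any tampering with it is detected at the endpoint. The confidentiality transform is a labelled toy (an HMAC-derived keystream XORed over the data) standing in for a real ESP cipher, the separate-key derivation is this example's own choice, and the "ELN mark" placed in a reserved header bit is hypothetical.

```python
"""Constructed example: ESP/AH versus mid-node access, and per-field protection."""
import hashlib
import hmac
import struct


def subkey(key, label):
    """Derive separate encryption and authentication keys from one SA key (example choice)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream_xor(key, data):
    """Toy stand-in for the ESP cipher: XOR with an HMAC-derived keystream.
    Applying it twice with the same key restores the plaintext. Not a real transform."""
    stream = b"".join(hmac.new(subkey(key, b"enc"), i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def icv(key, data):
    """Integrity check value (the AH/ESP authentication data) as an HMAC."""
    return hmac.new(subkey(key, b"auth"), data, hashlib.sha256).digest()


TCP_HDR = struct.Struct("!HHIIBBHHH")   # ports, seq, ack, offset, flags, window, csum, urg


def build_segment(sport, dport, seq, ack, payload):
    return TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, 0x10, 65535, 0, 0) + payload


def tcp_fields(data):
    """What a Snoop or ELN agent needs: ports and sequence/acknowledgement numbers."""
    return struct.unpack_from("!HHII", data, 0)


# Section 3, conflict (1): ESP encrypts the whole segment, header included.
def esp_protect(sa_key, segment):
    ct = keystream_xor(sa_key, segment)
    return ct + icv(sa_key, ct)


# Section 3, conflict (2): AH covers the TCP header, so any change breaks the ICV.
def ah_protect(sa_key, segment):
    return segment, icv(sa_key, segment)


def ah_verify(sa_key, segment, tag):
    return hmac.compare_digest(icv(sa_key, segment), tag)


ELN_MARK = 0x08   # hypothetical: an ELN-style mark in a reserved bit of header byte 12


def midnode_mark(header):
    """The kind of header rewrite an ELN-ACK agent needs to perform."""
    buf = bytearray(header)
    buf[12] |= ELN_MARK
    return bytes(buf)


# Section 4.4: TCP header and TCP data become two fields with separate keys.
def protect_fields(hdr_key, data_key, segment):
    hdr_ct, data_ct = keystream_xor(hdr_key, segment[:20]), keystream_xor(data_key, segment[20:])
    return {"hdr": hdr_ct, "hdr_icv": icv(hdr_key, hdr_ct),
            "data": data_ct, "data_icv": icv(data_key, data_ct)}


def authorized_midnode(hdr_key, pkt, modify):
    """Holds only hdr_key: verifies, rewrites and re-protects the header field."""
    if not hmac.compare_digest(icv(hdr_key, pkt["hdr"]), pkt["hdr_icv"]):
        raise ValueError("header field failed integrity check")
    new = dict(pkt)
    new["hdr"] = keystream_xor(hdr_key, modify(keystream_xor(hdr_key, pkt["hdr"])))
    new["hdr_icv"] = icv(hdr_key, new["hdr"])
    return new                       # data field passed through untouched and unread


def endpoint_recover(hdr_key, data_key, pkt):
    """Terminal end: check both fields, then reassemble the cleartext segment."""
    for key, field in ((hdr_key, "hdr"), (data_key, "data")):
        if not hmac.compare_digest(icv(key, pkt[field]), pkt[field + "_icv"]):
            raise ValueError(field + " field failed integrity check")
    return keystream_xor(hdr_key, pkt["hdr"]) + keystream_xor(data_key, pkt["data"])


def demo():
    sa_key, hdr_key, data_key = b"sa-key-0", b"hdr-key-1", b"data-key-2"   # constructed keys
    seg = build_segment(443, 51000, 1000, 2000, b"secret application data")
    esp_view = tcp_fields(esp_protect(sa_key, seg))            # mid-node parses ciphertext
    seg_ah, tag = ah_protect(sa_key, seg)
    pkt = authorized_midnode(hdr_key, protect_fields(hdr_key, data_key, seg), midnode_mark)
    recovered = endpoint_recover(hdr_key, data_key, pkt)
    tampered = dict(pkt, data=bytes([pkt["data"][0] ^ 1]) + pkt["data"][1:])
    try:
        endpoint_recover(hdr_key, data_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"plain_fields": tcp_fields(seg), "esp_view": esp_view,
            "ah_accepts_original": ah_verify(sa_key, seg_ah, tag),
            "ah_accepts_marked": ah_verify(sa_key, midnode_mark(seg_ah), tag),
            "midnode_marked": (recovered[12] & ELN_MARK) != 0,
            "payload_intact": recovered[20:] == seg[20:],
            "midnode_sees_payload": keystream_xor(hdr_key, pkt["data"]) == seg[20:],
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model leaves out what the text identifies as the hard part: distributing `hdr_key` to the authorized mid-node requires authenticating that node first, and the key must be installed manually until IKE is extended to negotiate per-field security associations.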

5 Conclusion
In wireless communication networks, communication security and TCP performance must be ensured at the same time, so the conflicts between them must be resolved. All four solutions above have limitations and none resolves the conflicts completely. A good solution should take the difficulties of deployment and implementation into account: the modifications to current network configuration and communication protocols should be as small as possible, and no new security issues should arise from weakening IPsec.

References
[1] Balakrishnan H, Seshan S, Katz R H. Improving Reliable Transport and Handoff Performance in Cellular Wireless Networks [J]. ACM Wireless Networks, 1995, 1(4): 469-481.
[2] Ding W, Jamalipour A. A New Explicit Loss Notification and Acknowledgement for Wireless TCP [C]. PIMRC 2001, San Diego CA, 2001.
[3] IETF RFC2401. Security Architecture of the Internet Protocol [S].
[4] IETF RFC2402. IP Authentication Header [S].
[5] IETF RFC2406. IP Encapsulation Security Payload (ESP)[S].
[6] IETF RFC2409. The Internet Key Exchange (IKE)[S].
[7] Perkins C E. Mobile IP—Design, Principles and Practice [M]. Addison Wesley Longman, 1998.
[8] Bellovin S. Transport-friendly ESP (or Layer Violations for Fun and Profit) [C]. Network and Distributed System Security Symposium (NDSS'99), San Diego CA, 1999.

Manuscript received: 2004-07-21