SSTP: The problem with TCP over TCP, Part 2

All of these items are critical factors contributing to the TCP protocol’s overall success. The problems begin, however, when congestion controls from the outer TCP protocol interfere with those of the inner one and vice versa. TCP divides a data stream into segments which are sent as individual Internet Protocol (IP) datagrams. Each segment carries a sequence number that numbers bytes within the data stream along with an acknowledgement number indicating to the other side what sequence number was last received. TCP uses adaptive timeouts to decide when a re-send should occur. This design can backfire when stacking TCP connections though, because a slower outer connection can cause the upper layer to queue up more retransmissions than the lower layer is able to process. This type of network slowdown is known as a “TCP meltdown problem.”

Surprisingly, this is not a design flaw, as the idea of running TCP within itself had not even occurred to the protocol designers at the time, which is why this dilemma was not originally addressed. Fortunately, some computer scientists have been able to demonstrate situations where a stacked TCP arrangement actually improves performance. In any case, Virtual Private Networking products like OpenVPN have been designed to accommodate for the problems that may occur with tunneling TCP within TCP. Unlike SSTP, OpenVPN is able to run over UDP to handle such times when a stacked TCP connection would actually degrade performance. Although SSTP may be suitable in some situations, it is severely limited by only being compatible with the latest versions of the Windows operating system. Microsoft has not announced any plans to port it to previous Windows OS versions or any other OS for that matter.

This post was contributed by iVPN.net. For information on contributing content, click here.

 

 

SSTP: The problem with TCP over TCP, Part 1

TCP over TCP: Issues and Concerns
The Transmission Control Protocol (TCP) is undoubtedly a fundamental component in all modern day networks. The difficultly with TCP, however, begins when operating a TCP tunnel within TCP itself, which is often the case when operating VPNs in order to protect one’s online privacy. A TCP tunnel is an important networking feature designed to aggregate and transfer packets sent between end hosts as a single TCP connection. This is useful for creating secure, point-to-point VPN connections to not only protect privacy but to create the illusion that users are directly connected to a Local Area Network (LAN). Corporations use this technology to connect telecommuters and workers on the road with corporate servers. Gamers use it for games that only offer LAN-based networking features. Average consumers use it to prevent their data from being intercepted by nearby hackers.

What all of these users share in common is the problem a TCP-based tunnel has when running within an existing TCP connection. TCP was originally designed with congestion controls that help mitigate issues with slow, latent and unreliable networks. When TCP was first designed, consumers did not have ultra-fast Internet connectivity. In fact, most consumers did not have Internet connectivity at all. If they did, it was a dial-up connection ranging from 300 to 1200 bits per second (bps) over unreliable copper telephone wire. Even universities and corporations had relatively slow and unreliable connections when compared to today’s standards. As a result, protocols like TCP were designed to accommodate this by using various congestion controls that would help to achieve high network performance while avoiding congestion collapse. These mechanisms contain timers, sent data acknowledgments and controls for the rate of data entering the network. Today’s modern TCP protocol implementations use the following four algorithms to maintain high performance: congestion avoidance, fast recovery, fast retransmit and slow-start.

This post was contributed by iVPN.net. For information on contributing content, click here.

What We’re Reading, Week of 6/20

TechNewsWorld, Securing SCADA Systems: Where do we start?
Telecomasia.net, IPv6: What are you waiting for?
International Business Times, Security Breaches Becoming a Near Certainty For Businesses
Help Net Security, Disk encryption is an IT security priority
TMCnet.com, IPv6 and Security: Top Switchover Threats Organizations Should Watch For Over The Next Six Months

Part 3, Conversation with Martin Rosner, Continua Health Alliance, on Consent Management

This week, we feature the final part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: How can patients manage the sharing of their health data?
Martin Rosner: Sharing of health data can be realized only if there are means to prevent unauthorized access to the data and to protect it in accordance with security and privacy regulations. Furthermore, patient empowerment is an important aspect of preventative care—increasing the number of educated patients who have more control over their own healthcare increases the likelihood that conditions will be caught before they become more serious. Soon patients will have more fine-grained control over the dissemination of personally identifiable information as related to health status. Electronic consent that specifies and governs the use of patient health data will furthermore increase consistency, compliance and efficiency for both patients and healthcare providers in this process.

VPN Haus: What role does Continua play in this?
Rosner: Our architecture addresses several requirements enabling digital consent.  Patients should be able to define and manage their digital consent and privacy policies in a user-friendly manner, such as on an at-home device or online. Digital consent should propagate with patient data and systems of services and care providers should enforce this. Our 2011 guidelines will address the first two requirements, while work has begun to address the third requirement in the next release.

VPN Haus: Technically speaking, how does this consent management process work?
Rosner: Taking the enforcement piece aside, the 2011 specifications address consent management with the use of the HL7 CDA R2 Consent Directive standard. This recently approved draft standard for trial use defines a document format for digital consent and enables the expression of structured patient consent policies. An advantage is that it is based on CDA R2 therefore well-defined protocols exist for the exchange of these documents such as through the use of the IHE XD* family of profiles.

What We’re Reading, Week of 6/13

IT-Director, Managing the risk for mobile IT users
Campus Technology, U Akron Implements New VPN Client for Secure Remote Access from 64-Bit Computers
Fox Business, IPv6 Changes Security: Is Your Business Ready?
CNET, Scammers turning to phone calls to gain PC access
ITBusinessEdge, Making sure IPv6 and IPv4 co-exist reliably and securely