QPEP: A QUIC-Based Approach to Encrypted Performance Enhancing Proxies for High-Latency Satellite Broadband

TL;DR

QPEP introduces a QUIC-based encrypted PEP for satellite broadband that enhances security without sacrificing TCP performance, significantly reducing page load times and providing over-the-air privacy.

Contribution

This paper presents QPEP, an open-source, QUIC-based encrypted PEP that can be adopted independently by customers, overcoming previous barriers to secure satellite broadband performance.

Findings

QPEP reduces average page load times by over 30% compared to unencrypted PEPs.

QPEP more than halves page load times compared to traditional VPN encryption.

QPEP provides over-the-air privacy without compromising TCP performance.

Abstract

Satellite broadband services are critical infrastructures enabling advanced technologies to function in the most remote regions of the globe. However, status-quo services are often unencrypted by default and vulnerable to eavesdropping attacks. In this paper, we challenge the historical perception that over-the-air security must trade off with TCP performance in high-latency satellite networks due to the deep-packet inspection requirements of Performance Enhancing Proxies (PEPs). After considering why prior work in this area has failed to find wide adoption, we present an open-source encrypted-by-default PEP - QPEP - which seeks to address these issues. QPEP is built around the open QUIC standard and designed so individual customers may adopt it without ISP involvement. QPEP's performance is assessed through simulations in a replicable docker-based testbed. Across many benchmarks and network conditions, QPEP is found to avoid the perceived security-encryption trade-off in PEP design. Compared to unencrypted PEP implementations, QPEP reduces average page load times by more than 30% while also offering over-the-air privacy. Compared to the traditional VPN encryption available to customers today, QPEP more than halves average page load times. Together, these experiments lead to the conclusion that QPEP represents a promising new approach to protecting modern satellite broadband connections.