QPEP: A QUIC-Based Approach to Encrypted Performance Enhancing Proxies for High-Latency Satellite Broadband

Abstract: Satellite broadband services are critical infrastructures enabling advanced technologies to function in the most remote regions of the globe. However, status-quo services are often unencrypted by default and vulnerable to eavesdropping attacks. In this paper, we challenge the historical perception that over-the-air security must trade off with TCP performance in high-latency satellite networks due to the deep-packet inspection requirements of Performance Enhancing Proxies (PEPs). After considering why prior work in this area has failed to find wide adoption, we present an open-source encrypted-by-default PEP - QPEP - which seeks to address these issues. QPEP is built around the open QUIC standard and designed so individual customers may adopt it without ISP involvement. QPEP's performance is assessed through simulations in a replicable docker-based testbed. Across many benchmarks and network conditions, QPEP is found to avoid the perceived security-encryption trade-off in PEP design. Compared to unencrypted PEP implementations, QPEP reduces average page load times by more than 30% while also offering over-the-air privacy. Compared to the traditional VPN encryption available to customers today, QPEP more than halves average page load times. Together, these experiments lead to the conclusion that QPEP represents a promising new approach to protecting modern satellite broadband connections.