Protocol spoofing is used in data communications to improve performance in situations where an existing protocol is inadequate, for example due to long delays or high error rates. Note: In a computer security context, spoofing refers to various forms of falsification of data that are unrelated to the techniques discussed here. See spoofing attack.
Spoofing techniques
In most applications of protocol spoofing, a communications device such as a modem or router simulates the remote endpoint of a connection to a locally attached host, while using a more appropriate protocol to communicate with a compatible remote device that performs the equivalent spoof at the other end of the communications link.
Error correction and file transfer protocols typically work by calculating a checksum or CRC for a block of data known as a packet, and transmitting the resulting number at the end of the packet. At the other end of the connection, the receiver re-calculates the number based on the data it received and compares that result to what was sent from the remote machine. If the two match the packet was transmitted correctly, and the receiver sends an ACK to signal that it's ready to receive the next packet. The time to transmit the ACK back to the sender is a function of the phone lines, as opposed to the modem's speed, and is typically about of a second on short links and may be much longer on long-distance links or data networks like X.25. For a protocol using small packets, this delay can be larger than the time needed to send a packet. For instance, the UUCP "g" protocol and Kermit both use 64-byte packets, which on a 9600 bit/s link takes about of a second to send. XMODEM used a slightly larger 128-byte packet, which takes about of a second to send. The next packet of data cannot be sent until the ACK for the previous packet is received. In the case of XMODEM, for instance, that means it takes a minimum of of a second for the entire cycle to complete for a single packet. This means that the overall speed is only half the theoretical maximum, a 50% channel efficiency. Protocol spoofing addresses this problem by having the local modem recognize that a data transfer is underway, often by looking for packet headers. When these are seen, the modem then looks for the end of the packet, normally by knowing the number of bytes in a single packet. XMODEM, for instance, has 132 bytes in a packet due to the header and checksum being added to the 128 bytes of actual data. When the modem sees the packet has ended, it immediately sends of spoofed ACK message back to the host. This causes the local computer to immediately send another packet, avoiding the latency of waiting for an ACK from the remote machine. The data for multiple packets is held in an internal buffer while the modem is sending it to the remote machine. This allows the packets to be sent continually, greatly improving channel efficiency. However, this also requires the link between the two systems to be error-free, as the modem has already ACKed the packets even before they have been sent. This was normally addressed by using a modem-level error correction protocol, like Microcom Networking Protocols. Protocol spoofing was also widely used with another feature of earlier high-speed modems. Before the introduction of echo cancellation in v.32 and later protocols, high-speed modems typically had a very slow "backchannel" for sending things like these ACKs back to the sender. On the ~18,500 bit/s TrailBlazer, for instance, the modem could send as many as 35 UUCP packets a second to the receiver, but the backchannel offered only 75 bit/s, not nearly enough for the 35 bytes, 280 bits, of ACK messages generated by the remote host. In this case, the spoofing allowed the sending modem to continue sending packets as fast as it could. At the same time, the modem on the remote receiving end dropped the ACK packets being generated by the local computer's software, keeping the backchannel clear. Since the channel efficiency only became a major problem at speeds over 2400 bit/s, and modems able to run faster than that typically had significant processing power anyway, protocol spoofing was mostly associated with these higher-speed systems.
TCP spoofing
TCP connections may suffer from performance limitations due to insufficient window size for links with high bandwidth-delay product, and on long-delay links such as those over GEOsatellites, TCP's slow-start algorithm significantly delays connection startup. A spoofing router terminates the TCP connection locally and translates the TCP to protocols tailored to long delays over the satellite link such as XTP.
RIP/SAP spoofing
SAP and RIP periodically broadcast network information even if routing/service tables are unchanged. dial-on-demand WAN links in IPX networks therefore never become idle and won't disconnect. A spoofing router or modem will intercept the SAP and RIP broadcasts, and re-broadcast the advertisements from its own routing/service table that it only updates when the link is active for other reasons.