CENTRIXS - APAN Community
CENTRIXS: “Interconnecting Coalition Networks”
Gabor Szarka
NC3A CAT9: NII Communications Infrastructure Services
UNIS-TEM 3rd Dec. 2009 MITRE
Agenda
1. CXI phase -1 network interconnect
2. CENTRIXS-GCTF / HOA changing requirement
3. CNFC – NATO interconnect – 4 evaluated options
4. HOA - Phased installation (urgent <-> flexible)
5. Comparison – CXI / HOA different approach
1.1 CENTRIXS-ISAF Network Interconnection Points
Two Network Interconnection Points in phase-1:
- ISAF_HQ Kabul
- KAF – RC-S Kandahar Airfield
Physical interconnect on base – red fibre at Gbit speed
Different AS for the management domains – BGP routing among the autonomous systems
Redundancy among the Interconnection Points, and on base as well
Testing with a standalone CENTRIXS-ISAF IP stack – changeover 12th Oct
1.2 CXI routing
1.3 Secure VoIP
Different technology (SIP versus Cisco CM)
Already existing users under phase 0 (migration)
Gateway is using a SIP trunk; the SIP <-> Call Manager conversion happens on the CENTRIXS-ISAF side of the GW.
Selected codec – G.711 (64 kbps) for local calls; over the WAN links G.729 shall be used (issues with CUCM and VG) – codec selection during call set-up
Numbering plan – two different numbering authorities (CENTCOM / NCSA)
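The codec selection described above, as an added illustration that is not from the presentation: a small Python model of the SIP-trunk gateway's SDP offer/answer step, which parses the offer it receives, picks G.711 for on-base calls and G.729 for calls across the WAN, and answers with only that codec (or refuses when the offer carries no usable codec). The local/WAN classification, the preference lists and the sample offer are assumptions, not the CXI gateway's actual configuration.

```python
import re

# RFC 3551 static RTP payload types for the codecs the deck names (G.711 u-law/A-law, G.729).
STATIC_PT = {"0": "PCMU", "8": "PCMA", "18": "G729"}
# Assumed policy per link type: G.711 on base, G.729 across the WAN (not the real gateway config).
PREFERENCE = {"local": ["PCMU", "PCMA", "G729"], "wan": ["G729", "PCMU", "PCMA"]}


def parse_offer(sdp: str) -> dict:
    """Map codec names offered in the audio m= line to their payload types."""
    lines = sdp.replace("\r\n", "\n").split("\n")
    m_line = next(l for l in lines if l.startswith("m=audio "))
    offered_pts = m_line.split()[3:]          # everything after "m=audio <port> RTP/AVP"
    rtpmap = {}
    for line in lines:
        mo = re.match(r"a=rtpmap:(\d+) ([A-Za-z0-9]+)/", line)
        if mo:
            rtpmap[mo.group(1)] = mo.group(2).upper()
    codecs = {}
    for pt in offered_pts:
        name = rtpmap.get(pt, STATIC_PT.get(pt))   # dynamic PTs need an a=rtpmap line
        if name and name not in codecs:
            codecs[name] = pt
    return codecs

def select_codec(offered: dict, link: str):
    """Pick the first codec in the link's preference order that the offer contains."""
    for name in PREFERENCE[link]:
        if name in offered:
            return name, offered[name]
    return None                                # no common codec: the call gets a SIP 488

def build_answer(offer_sdp: str, link: str, local_ip: str, port: int):
    """Return an SDP answer carrying only the chosen codec, or None when none fits."""
    choice = select_codec(parse_offer(offer_sdp), link)
    if choice is None:
        return None
    name, pt = choice
    return "\r\n".join([
        "v=0", f"o=gw 1 1 IN IP4 {local_ip}", "s=-", f"c=IN IP4 {local_ip}", "t=0 0",
        f"m=audio {port} RTP/AVP {pt}", f"a=rtpmap:{pt} {name}/8000",
    ]) + "\r\n"

# Constructed offer as a Call Manager endpoint might send it: G.711 u-law first, then G.729.
SAMPLE_OFFER = (
    "v=0\r\no=cucm 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 18\r\na=rtpmap:0 PCMU/8000\r\na=rtpmap:18 G729/8000\r\n"
)
```

The same offer yields a G.711 answer on a local call and a G.729 answer on a WAN call; an offer with no codec from the policy list yields no answer at all, which is the mismatch case a gateway must handle explicitly rather than silently picking something.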
1.4 Outstanding issues in phase-1 IOC
CONOPS MOU between the two O&M entities shall be agreed
Visibility on the GW to the other O&M shall be provided:
- Read-only credentials
- Different management tools
BGP routing:
- Originally planned load sharing doesn’t work yet (Kabul primary, KAF standby)
Secure VoIP function not operational yet over the GW:
- Functionality tested during original setup – missing elements on the CENTRIXS-ISAF side (CUCM)
- Numbering plan conflict (migration from phase 0 to phase-1)
2.1 Requirement for CNFC <-> NATO IE
“Establishment of mission-critical information exchange for mission-classified information between NATO commands, NATO Units and with coalition partners other than NATO through the realization of a NATO POP CENTRIXS”
“Seamless mission classified information exchange (data, chat, VoIP) between:”
- SHAPE
- JC Lisbon
- CC Mar Northwood
- NAEW Base
- Deployed SOCC
- Flagship of COM SNMG
- TF 151 (US lead Coalition Operation CMF)
- EUNAVFOR (EU Operation ATALANTA – TF 465) *
- Force Contributing Nations within a NATO led TF
- International maritime liaison organisations (e.g. IMO)
2.2 Situation in the AOO
The only mission classified network currently available and well established in and for the AOO for Counter-Piracy Operations is CENTRIXS GCTF / CNFC
Today, NATO is not connected to CENTRIXS, CNFC sub-domain, and this results in a reduction of operational and overall situation awareness for NATO
NATO as a whole is not part of CNFC yet (NATO nations are part of CNFC COI – national SO allowed only onboard ship)
2.3 CNFC VPN COI inside CENTRIXS
Functional services:
- Collaboration @ Sea (CAS) (DHS, TT, Mail)
- Different systems (e.g. IBM based Lotus)
[Diagram: CENTRIXS enclaves – SIPR Net (Secret Internet Protocol Router Network, USA), CNFC (Combined Naval Forces CENTCOM), ISAF (GCTF ISAF enclave), GCTF (Global Counter Terrorism Forces Network), CMFP (Cooperative Maritime Forces Pacific), K (CENTRIXS US – Republic of Korea), J (CENTRIXS US – Japan), CENTRIXS Four Eyes; services shown: SAMETIME (chat), C2PC]
3.1 Evaluated options (1/2)
1. Implementation of a CENTRIXS NATO POP in NATO with connection to relevant NATO elements/entities
- Use of NATO NGCS WAN with encrypted channels
- No connection with NATO systems
- Parallel tunnels (inverse tunneling would mean case-by-case re-accreditation)
2. Same as option 1 without use of NATO NGCS WAN
- Stove-pipe system
- No connection with NATO systems
3.2 Evaluated options (2/2)
3. Gateway between NS NATO systems and CENTRIXS
- CNFC FASs are proprietary-system based (IBM Lotus Domino etc.) – no accredited IEG guards or proxies exist
- Security accreditation may be more difficult to achieve
4. Gateway between MS NATO systems and CENTRIXS (ISAF-like solution)
- Requires the establishment of a new MS domain
3.3 OPTION 1: CNFC extended through NGCS
[Diagram: HOA Mission Network – CENTRIXS CNFC (HOA Nations) – NATO POP (SHAPE) – NGCS – CC Mar Northwood, JC Lisbon, SHAPE and FLAGSHIP AT SEA (each CENTRIXS CNFC)]
- Eligibility issue (CENTRIXS traffic over NGCS) – will the funds be available?
- Security issue (Approval to Operate) – who is the authority?
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs?
3.4 OPTION 2: CNFC extended through stove pipes
[Diagram: HOA Mission Network – CENTRIXS CNFC (HOA Nations) – dedicated communication links – CC Mar Northwood, JC Lisbon, SHAPE and FLAGSHIP AT SEA (each CENTRIXS CNFC)]
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs?
3.5 OPTION 3: CENTRIXS/CNFC-NS
[Diagram: NATO Secret Information Domain – NATO SECRET (28 NATO Nat.): CC Mar Northwood, JC Lisbon, SHAPE, FLAGSHIP AT SEA – Cross Domain Gateways (email, chat, VoIP) – NATO POP – CNFC Information Domain: CENTRIXS-CNFC (HOA Nations)]
- Direct connection between NS and a non-NATO coalition system
- No accredited guards available for the specific systems
3.6 OPTION 4: CENTRIXS/CNFC-MS-NS
[Diagram: NATO SECRET: CC Mar Northwood, JC Lisbon, SHAPE, FLAGSHIP AT SEA – NATO Mission Secret Information Domain – MISSION SECRET (NATO HOA Nat.) – email, chat, VoIP – NATO POP (SHAPE) – CNFC Information Domain: CENTRIXS-CNFC (HOA Nations)]
- Establishment of a Mission Secret Domain?
3.7 Challenges
Maritime community is using different Core and Functional Area Services – technical and infosec challenges during accreditation (no guards are accredited yet)
Frequent rotation of Flagship:
- Different solutions for back-link (national or NATO PoP) – with limited capability to extend satellite links.
- Individual accreditation for different flagships is not doable in a timely manner (one solution for all)
MC195 requires “only” NS access from onboard ship
No Deployed Shore HQ (yet?)
4.1 Phased approach
Selected options are option 1 and 2 (extend CNFC) – to achieve this NATO should be part of CNFC COI
Phase 0: Extend CNFC VPN through SHAPE PoP to different static HQs:
- First step – get NATO access to CNFC
- Tunnel through existing GCTF access
- No CNFC services provisioned from the NATO PoP
- Limited number of seats available at NATO locations
Phase 1: Upgrade phase 0
- CNFC PoP at NATO shall be established (servers)
- VPN concentrator installation
4.2 NATO Connectivity CNFC – Operational view
[Diagram: nodes shown include XTAR; NATO SNMG (flagship, unit); CTF 150; CTF 151; NATO POP; Nation DDIS; MCC Northwood; Operation Allied XYZ; Operation Ocean XYZ; JC Lisbon; MCC Naples; US NORTHCOM; US NAVCENT; ABSL; JFC Brunssum; US PACOM; Karup; DATG CTF 150; JFC Naples; US CENTCOM; SIPRNet; US EUCOM; Admiral Danish Fleet HQ; SHAPE; CNFC; CNFC NATO POP; CENTRIXS; NGCS; DATG CENTRIXS; CTF Oper ATALANTA; Stuttgart, GE]
5.1 CENTRIXS-ISAF CNFC/HOA comparison
CENTRIXS-ISAF:
- Connects to a NATO Mission Secret Network
- Same security classification, different O&M
- Connects to NATO Secret through IEG
- Core services based on the same platform (MS)
- Established Mission Secret – large number of users
CNFC:
- Is used as Mission Secret Network
- One O&M through the whole of CNFC
- No NATO Secret GW exists
- Different platform (MS <-> IBM)
- IOC – limited number of new users in static HQs
CONTACTING NC3A
NC3A Brussels
Visiting address:
Bâtiment Z
Avenue du Bourget 140
B-1110 Brussels
Postal address:
NATO C3 Agency
Boulevard Leopold III
B-1110 Brussels - Belgium
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770
NC3A The Hague
Visiting address:
Oude Waalsdorperweg 61
2597 AK The Hague
Postal address:
NATO C3 Agency
P.O. Box 174
2501 CD The Hague
The Netherlands
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239
NATO UNCLASSIFIED Releasable to ISAF