Post on 10-Dec-2016
Secure Broadband IP over Satellite
Michael Lara, Sr. Systems Engineer
Agenda
• Satellite Fundamentals
• Challenges
• Applications
• Security
• Open Standards
• Additional Resources
Satellite Fundamentals
Agenda - Satellite Fundamentals
• Introduction
• Satellite Fundamentals
• Satellite Orbits
• Propagation Delay
• Satellite Beams
• Frequency Bands
• Polarization
• SCPC vs. TDMA
• Modulation and Coding
Introduction
Satellite Orbit Types
• GEO (geostationary Earth orbit)
• MEO (medium Earth orbit)
• LEO (low Earth orbit)
Propagation Delay (Latency)
Orbit altitudes: GEO ~35,790 km; MEO ~13,000 km; LEO ~2,000 km
Speed of light: ~299,792 km/s
GEO altitude / speed of light = ~120 ms per leg (satellite directly overhead)
• Forward uplink: 120 ms
• Forward downlink: 120 ms
• Return uplink: 120 ms
• Return downlink: 120 ms
• Best-case total (hub to remote and back): 480 ms
Typical satellite network latency (propagation plus modem and queuing delay):
• GEO: 500-560 ms
• MEO: 220-260 ms
• LEO: 40-50 ms
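The 120 ms figure above assumes the satellite is straight overhead. The slant range, and therefore each leg's delay, grows as the terminal's elevation angle drops toward the horizon, which matters for remotes at the edge of a beam. The following is an added example (not from the original presentation, and not iDirect code) that generalizes the slide's arithmetic to an arbitrary elevation angle using the standard slant-range geometry; the Earth radius, altitudes and elevation angles are assumed inputs.

```python
import math

EARTH_RADIUS_KM = 6371.0
C_KM_PER_S = 299_792.458          # speed of light in vacuum

# Nominal orbit altitudes from the slide
ALTITUDE_KM = {"GEO": 35_790.0, "MEO": 13_000.0, "LEO": 2_000.0}


def slant_range_km(altitude_km, elevation_deg):
    """Terminal-to-satellite distance for a satellite seen at the given elevation angle.
    At 90 degrees (satellite overhead) this equals the altitude; near the horizon it is
    considerably longer, which is why real links are slower than altitude / c."""
    el = math.radians(elevation_deg)
    r = EARTH_RADIUS_KM
    return math.sqrt((r + altitude_km) ** 2 - (r * math.cos(el)) ** 2) - r * math.sin(el)


def one_way_ms(altitude_km, elevation_deg=90.0):
    """Propagation time for a single leg (ground to satellite or satellite to ground)."""
    return slant_range_km(altitude_km, elevation_deg) / C_KM_PER_S * 1000.0


def hub_remote_rtt_ms(altitude_km, remote_elev_deg=90.0, hub_elev_deg=90.0):
    """Round trip remote -> satellite -> hub -> satellite -> remote: four legs, two at
    each station's elevation angle. Propagation only; modem, queuing and TCP add to it."""
    return 2.0 * (one_way_ms(altitude_km, remote_elev_deg) + one_way_ms(altitude_km, hub_elev_deg))


def latency_table(remote_elev_deg=90.0):
    """Best-case RTT per orbit class, to compare with the typical figures on the slide."""
    return {orbit: round(hub_remote_rtt_ms(h, remote_elev_deg), 1)
            for orbit, h in ALTITUDE_KM.items()}


if __name__ == "__main__":
    for elev in (90.0, 30.0, 10.0):
        print(f"remote elevation {elev:>4} deg:", latency_table(elev))
```

For a GEO remote at 10 degrees elevation the single leg is about 135 ms rather than 120 ms, so a hub-to-remote round trip with both stations near the horizon approaches 540 ms before any equipment delay, which is why the slide's "typical" GEO range sits well above the 480 ms best case.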
Satellite Beams
(Figure: single beam versus spot beams; image source: www.wikipedia.org)
Example Satellite Beams (image source: www.satbeams.com)
Satellite: Eutelsat 172A; orbital slot: 172° East
Beams: North Pacific, South East Pacific, South West Pacific, South Pacific, North East Asia, Global
Frequency Bands
Image source: www.esa.int
Single Channel per Carrier (SCPC) and Time-Division Multiple Access (TDMA)
• TDM/TDMA and SCPC are the two leading satellite networking technologies today
• Satellite routers and network management systems supporting both have seen significant growth in recent years
SCPC vs. TDMA
Single Channel Per Carrier (SCPC)
Pros:
• Dedicated link between the hub and remote
• Low overhead (equipment)
• High-throughput link
• Bandwidth always available when needed
Cons:
• Cost of the dedicated space segment (figure: SCPC as a "hot lane" paid for 24/7, e.g. a fixed 1024k carrier in each direction)
Time Division Multiple Access (TDMA)
Pros:
• Shared resource
• Low user cost compared to a dedicated 24/7 link
Cons:
• High overhead (equipment)
• Possible contention
• Less efficient than SCPC
Modulation and Coding (MODCOD)
Modulation: a signal pattern used to deliver information over a carrier signal
• Amplitude Modulation (AM)
• Frequency Modulation (FM)
• Phase Modulation: BPSK, QPSK, 8PSK, 16APSK
Coding: correction (or detection) of data errors introduced by the transmission medium
• Bit Error Rate (BER)
• Forward Error Correction (FEC)
• Code families and rates: Turbo (1/2, 3/4, 8/9, etc.), LDPC, 2D 16-State
(Image source: www.ni.com)
Operational Models
(Figure: the delivery chain from Satellite Operator, Teleport Facility, Hub Infrastructure and Network Operations through the Service Provider to the End User, and the operational models that can be layered on it: VNO (virtual network operator), Hub CoLo (co-location), Managed Service and Network Operator.)
Challenges
Agenda - Challenges
• Line-of-Sight
• Beyond-Line-of-Sight
Line-of-Sight (LOS)
• No obstructions or physical blockages between the UAV and the ground station
• High transmission rates
• Limited power
• Compact antennas
• Low-wattage terminals
• Location and range constraints
Beyond-Line-of-Sight (BLOS)
• The mission determines the transmission data rates needed, as well as the duration and range of the UAV flight path
• No one-size-fits-all solution
• Multiple antenna options
• BLOS communications require bouncing the signal off a relay:
• Geosynchronous satellite
• Radio reflector such as the troposphere (troposcatter)
Challenges for BLOS
• Link budget: ultra-small antennas limit the maximum return-channel capacity that can be realized
• Adjacent Satellite Interference (ASI): the focus of these small antennas is not as sharp as that of larger antennas, so more energy is dispersed over a wider area
Overcoming BLOS
(Figure: a traditional satellite serving hub teleport and remotes from one wide beam, versus an HTS satellite with a separate feeder link to the hub teleport and spot beams serving the remotes.)
• Worldwide coverage of High Throughput Satellites (HTS)
• The spot-beam architecture of HTS means greater power and more uniform beam contours, which allows higher transmission rates from smaller antennas
Applications
Agenda - Applications
• COOP
• COTM
• NMS
• Use Cases
• Airborne
• Warfighter Support
The Need for a COOP Solution
• Reasons for outages:
• Environmental factors
• Human error
• Malicious intent
• Maintain business continuity
• Loss of access to critical information
Satellite Based Emergency Management
(Figure: remotely coordinated rescue efforts and dispatch over a geo-diverse satellite network linking a 911 center / unified command, vehicles, PSTN, LMR, WiFi/WiMAX and CDMA; goals: mobility and real-time communications, network resilience and high availability.)
Communications on the Move
• Physics limitations
• Extremely small aperture or phased-array antennas
• Link budget challenges
• Spectral density concerns
• Terminals drop out and reacquire frequently
• Mobility management
• Change satellite beams as the remote travels
• Requires persistent network control
• Identify who is where and when
• Consistent IP addressing worldwide
• Needs a dynamic system for IP subnet migration
• Routing re-convergence
Enabling Technologies: IP Mobility
(Figure: seamless global roaming of mobile and itinerant assets; the remote keeps the same address, shown as 192.168.0.1, as it moves between beams.)
• Autobeam switch, OpenAMIP, on-board EIRP maps
• Global NMS, DVB-S2, GQoS, spread spectrum, Doppler compensation
• Global ACQ (acquisition) key, persistent IP address
What is an NMS anyway?
A Network Management System is the centralized focus for operations functions: configuration, control, monitoring, reporting, troubleshooting, analysis, integration and automation.
Benefits: One Stop Shop
Your customers:
• Quicker fault resolution
• Improved usage analysis
Your employees:
• Simplifies day-to-day activities
• Reduces "swivel chair" mistakes
Your business:
• Simplifies deployment
• Increases customer satisfaction and retention
• Streamlines operations
Global Network Management
Global NMS is flexible enough to allow IP addresses to remain fixed while
allowing for differences in configuration across different beams, including
varying out-route and in-route sizes as well as different QoS profiles.
Use Case: Airborne - Traditional Business
Applications:
• VoIP, email, VTC
• Special requirements: encryption and prioritization, MLPP, TRANSEC
Requirements:
• Max T1-equivalent bandwidth: 1.544 Mbps
• 12" to 18" antennas
• Flat panel
• Frequency band topology
Use Case: Airborne - ISR
Applications:
• High-definition video and surveillance
• Special requirement: TRANSEC/IA
Requirements:
• Minimum 2 Mbps
• Frequency band
• Flat panel or parabolic antenna
DEEPWATER HORIZON OIL SPILL
Customer challenge: in the wake of one of the largest oil spills, the Coast Guard needed a solution that would allow it to track the size and movement of the Deepwater Horizon spill zone.
iDirect Government solution: by utilizing satellite, the Coast Guard was able to use high-definition video and thermal imaging cameras to track the course of the oil spill. An iDirect e850mp was placed in the aircraft and used to transmit imagery to a ground-based command center outfitted with an iDirect e8350. Based on the data collected, the Coast Guard had a visual representation to assist in the clean-up.
Use Case: Warfighter Support - Tactical
Tactical terminals (e800 remote): L3 GCS, Datapath, GlobeComm
Use Case: Warfighter Support - Manportable
Manportable terminals (850mp remote): GATR, Datapath, L3 GCS, Tampa Microwave, Norsat
NATIONAL GUARD
Customer challenge: the National Guard needed an emergency communications system to support special teams during crisis management events and terrorist threats.
iDirect Government solution: the National Guard selected iDirect's VSAT technology for its ease of deployment and management, integrated with the AVL TracStar antenna and SkyPort's satellite network, and utilized Quality of Service and support for multiple VLANs. The combination provided a reliable, easy-to-deploy solution in the case of catastrophic loss of traditional networks.
LOGISTICIAN
Customer challenge: the U.S. Army Combat Service Support group had to deliver requisitions for parts or supplies by courier to a location from which they could be transmitted electronically, exposing couriers to possible enemy ambush while driving through hostile terrain.
iDirect Government solution: iDirect VSAT remotes were deployed with the AVL TracStar auto-acquisition antenna for broadband IP network capability in the field. The communications system links Army logisticians to headquarters and supports any IP-centric application, allowing logisticians to requisition parts, attend meetings via VTC and perform a number of other tasks.
MORALE WELFARE RECREATION (MWR)
Customer challenge: one of the greatest hardships of military service is spending long periods of time away from home. Prior to 2003, a soldier could only stay connected with loved ones via letters or an occasional phone call.
iDirect Government solution: the MWR network supports over 600 Mbps of satellite bandwidth for approximately 10,000 computers and over 4,000 telephones. Internet cafes are located in designated tents and buildings at major military bases throughout the world. Soldiers can access personal email, the internet, webcams and, in some locations, high-resolution VTCs.
Security
Agenda – Security
• Network Elements
• FIPS
• SCAP
• TRANSEC
SATCOM Mission Assurance: Network Elements
(Figure: the end-to-end path from public and private networks through the Network Operations Center (NOC) and ground station/gateway (hub), over the communications satellite, to the end-user terminals. Threat categories: physical threats, access & control, user segment.)
• Access & control, over the air: the exchange of control and traffic-engineering data between remote and hub needs to be protected (e.g., TRANSEC).
• Access & control, terrestrial network elements: operations centers controlling network traffic require application security controls, network access controls and system-level controls, including end-point security measures (e.g., SCAP).
FIPS
• Federal Information Processing Standards (FIPS)
• What is FIPS? Publicly announced standards developed by the U.S. federal government for use by all non-military government agencies and by government contractors
• The FIPS 140 series specifies requirements for cryptographic modules
• Current version of the standard (at the time of this talk) is FIPS 140-2
FIPS 140-2 Level 1, Level 2 and Level 3
FIPS 140-2 Level 1:
• Limited requirements; loosely, all components must be production-grade and various egregious kinds of insecurity must be absent
FIPS 140-2 Level 2:
• Physical tamper evidence (seals or coatings that show when the module has been opened)
• Role-based authentication required
FIPS 140-2 Level 3:
• Tamper evidence plus measures that attempt to prevent access to the critical security parameters (CSPs) held within the cryptographic module
• Physical security with a high probability of detecting and responding to attempts at physical access, use or modification
• Strong enclosure and tamper detection/response circuitry that zeroizes the CSPs when compromised
• Identity-based (rather than role-based) authentication required
SCAP
• Security Content Automation Protocol (SCAP): the NIST specification suite for expressing security configuration baselines and vulnerability checks in a machine-readable form so they can be verified automatically
• Improved information assurance compliance and security support for network management systems and protocol processors
SATCOM Mission Assurance: TRANSEC
• The cyber-security vulnerabilities of the terrestrial components of large satellite networks are similar to those of traditional terrestrial service providers, but the air interface adds some unique challenges
Transmission Security (TRANSEC): what an unprotected satellite transmission can reveal, even when the payload is encrypted:
• What types of applications are active
• Who is talking to whom
• Whether the network, or a particular remote, is active right now
• The large footprint of a typical satellite beam increases the exposure of satellite networks to interception: anyone under the beam with a suitable receiver can capture the carrier
Mask channel activity: the ability to secure transmission energy so that traffic volumes are concealed:
• A constant wall of fixed-size, strongly encrypted traffic segments whose rate does not vary in response to network utilization
• ACQ (acquisition) obfuscation
Control channel information: the ability to disguise volumes so that traffic source and destination are protected:
• The content and size of all user traffic (Layer 3 and above), as well as of the network link-layer (Layer 2) traffic, are completely indeterminate from an adversary's perspective
• Over-the-air key updates
Terminal authentication and validation: the ability to ensure that remote terminals connected to the network are indeed authorized:
• Authentication protocol based on X.509 certificates
• RSA public-key cryptography (private and public key pair)
Busy Hour and Traffic Engineering without TRANSEC
(Figure: four bar charts of relative load (0-7) over the periods 12AM-6AM, 6AM-12PM, 12PM-6PM and 6PM-12AM: "Historical Traffic Patterns by Site" and a "March 7, 2012 Spike" for Sites A, B and C, and "Historical Traffic Patterns by Type" and a "March 7, 2012 Spike" for Voice and Video. Without TRANSEC an observer can build these per-site and per-application profiles from the air interface alone and spot the anomalous day.)
Busy Hour and Traffic Engineering with TRANSEC
(Figure: the same axes and periods, but Sites A, B and C and Voice and Video are no longer distinguishable; the observed carrier load is constant across every period and reveals neither which site nor which traffic type is active.)
Before TRANSEC
(Figure: PCs on the Internet, SIPRNET and NIPRNET send traffic through a HAIPE encryptor to the hub protocol processor and out over the outroute; remotes reply on the inroutes. HAIPE encrypts the IP payload (drawn as ciphertext with source address SA and destination address DA), but the satellite link layer, including the burst time plan (BTP), TOS, demand header and DID (e.g. DID# 512), is transmitted in the clear, so an observer can tell which remote is sending, how much and when.)
With TRANSEC
(Figure: the same topology, but every link-layer frame on the outroute and inroutes is now encrypted with an IV and a key from the key ring, so demand header, DID (512, 296), TOS and payload are equally opaque, and the carrier is a constant stream of fixed-size segments. Each remote authenticates with an X.509 certificate, so a remote cannot be spoofed.)
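The TRANSEC bullets, the busy-hour charts and the before/after diagrams all make one point: end-to-end payload encryption (HAIPE) hides content, but the link layer still leaks who is active and when, and only a constant-rate stream of uniform, fully encrypted segments closes that channel. The following added example (not from the presentation, and not iDirect's implementation) simulates both air interfaces over a constructed demand pattern and shows what a passive observer under the beam can recover from each. The segment size, slot capacity, header layout, DIDs, keys and demand figures are all assumptions, and the cipher is a toy HMAC-based construction used only to keep the example dependency-free; a real link uses AES.

```python
import hashlib
import hmac
import os
import struct
from collections import Counter, deque

# Parameters and keys are assumptions for this illustration, not iDirect's values.
SEGMENT_BYTES = 64                  # payload size of every TRANSEC segment
SLOT_FRAMES = 4                     # segments sent per time slot, busy or idle
HEADER_FMT = ">HHB"                 # link header: DID, payload length, fill flag
HEADER_LEN = struct.calcsize(HEADER_FMT)
IV_LEN, TAG_LEN = 8, 16
KEY_PAYLOAD = b"constructed-end-to-end-traffic-key"   # stands in for the HAIPE key
KEY_LINK = b"constructed-over-the-air-transec-key"    # stands in for the link key

# Constructed demand: (time slot, remote DID, bytes that remote wants to send).
DEMAND = [(0, 512, 40), (1, 512, 200), (1, 296, 30), (2, 296, 150), (3, 512, 10)]


def _keystream(key, iv, length):
    """Toy counter-mode keystream from HMAC-SHA256 (illustration only, not AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, iv, plaintext):
    """Encrypt-then-MAC: iv || ciphertext || truncated HMAC tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()[:TAG_LEN]


def is_authentic(key, frame):
    iv, ct, tag = frame[:IV_LEN], frame[IV_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, iv + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(tag, expected)


def unseal(key, frame):
    if not is_authentic(key, frame):
        raise ValueError("frame failed authentication")
    iv, ct = frame[:IV_LEN], frame[IV_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, iv, len(ct))))


def _segments(nbytes):
    data = os.urandom(nbytes)       # random bytes stand in for user traffic
    return [data[i:i + SEGMENT_BYTES] for i in range(0, nbytes, SEGMENT_BYTES)]


def air_without_transec(demand, payload_key):
    """Payload encrypted end to end only (HAIPE style): the link header stays in the
    clear and a remote transmits only when it has data. Returns [(slot, frame)]."""
    frames = []
    for slot, did, nbytes in demand:
        for seg in _segments(nbytes):
            header = struct.pack(HEADER_FMT, did, len(seg), 0)
            frames.append((slot, header + seal(payload_key, os.urandom(IV_LEN), seg)))
    return frames


def air_with_transec(demand, link_key, slots):
    """Every slot carries exactly SLOT_FRAMES equal-size segments. Header and payload
    are encrypted together under the link key; idle capacity is filled with random
    segments the hub discards, and surplus real segments wait for the next slot."""
    frames, pending = [], deque()
    for slot in range(slots):
        for s, did, nbytes in demand:
            if s == slot:
                pending.extend((did, seg, 0) for seg in _segments(nbytes))
        for _ in range(SLOT_FRAMES):
            did, seg, fill = pending.popleft() if pending else (0, os.urandom(SEGMENT_BYTES), 1)
            body = struct.pack(HEADER_FMT, did, len(seg), fill) + seg.ljust(SEGMENT_BYTES, b"\0")
            frames.append((slot, seal(link_key, os.urandom(IV_LEN), body)))
    return frames


def observer_view(frames):
    """What a passive listener under the beam sees with no key: sizes and timing."""
    return {"sizes": {len(f) for _, f in frames},
            "frames_per_slot": dict(Counter(slot for slot, _ in frames))}


def clear_header_activity(frames):
    """Busy-hour profile from cleartext link headers: segments per (slot, DID).
    On TRANSEC frames the same parse yields noise, because the header is ciphertext."""
    activity = Counter()
    for slot, f in frames:
        activity[(slot, struct.unpack(HEADER_FMT, f[:HEADER_LEN])[0])] += 1
    return activity


def hub_receive(link_key, frames):
    """Hub side: authenticate, decrypt, drop fill, return payload bytes per (slot, DID)."""
    delivered = Counter()
    for slot, f in frames:
        did, n, fill = struct.unpack(HEADER_FMT, unseal(link_key, f)[:HEADER_LEN])
        if not fill:
            delivered[(slot, did)] += n
    return delivered
```

Run against the constructed demand, the non-TRANSEC carrier shows 1, 5, 3 and 1 frames of varying size in the four slots and a cleartext header parse attributes them to DIDs 512 and 296, which is exactly the "historical traffic pattern by site" an adversary builds from the chart slides. The TRANSEC carrier shows four identical 93-byte frames in every slot whatever the demand, the hub still recovers all 250 and 180 payload bytes after dropping fill, and a frame sealed under any other key fails the authentication check before it is parsed.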
Open Standards
Agenda – Open Standards
• OpenAMIP
OpenAMIP Standard
• Open-architecture approach to antenna integration
• IP-based protocol that facilitates the exchange of information between an Antenna Control Unit (ACU) and a satellite router
• Allows the router to command the antenna and enables the use of Automatic Beam Switching
• Eliminates the need for proprietary coding to make new antennas or routers introduced into the market work together
• Incorporated as the antenna-to-satellite-modem communications protocol in the ARINC 791 standard
OpenAMIP-Compatible Antennas
Airborne antennas (type/model):
• General Dynamics M17-17A
• Honeywell 11.5"
• 48 cm horn array
• Rantec 11.5"
• 18"
• TECOM KuStream series, KaStream series
• ThinKom dual-band planar array, EM phased array
Maritime antennas (type/model):
• Cobham SATCOM Sea Tel: USAT 24, USAT 30, 2406, 4010C, 4010W, 5010C, 5010W, 4006, 5006, 6006, 4009, 5009, 6009, 9707, 9597, 9797, 14600
• SAILOR 900 ADU TT-7009A
• Intellian V110
• Jotron SATURN B120 ADE
• Navisystem V-SAT95HT
• KNS Supertrack Z6MK2
• Maritime Broadband C-Bird
• C2SAT 1.2m Ku II
• Mitsubishi
• Orbit OrSat AL-7103, OrBand AL-7107
• Marine Technologies BB90CF, BB100CF2A, BB100CF3A
• EPAK Ri6, DSi6, DSi9
Thank You
Michael Lara
Sr. Systems Engineer
mlara@idirectgov.com
Additional Resources
Resources
• TRANSEC White Paper https://www.idirectgov.com/uploads/1000/673-iGT_TRANSEC_White_Paper_5_15.pdf
• Airborne White Paper https://www.idirectgov.com/uploads/1000/578-igt_airbornecommunicationsonthemovev5.pdf
• SCAP Brief https://www.idirectgov.com/uploads/1000/593-scap_tech_brief_1214.pdf
• OpenAMIP https://www.idirectgov.com/uploads/1000/625-Open_AMIP_0215.pdf
• COOP Application Brief https://www.idirectgov.com/uploads/1000/651-iDirectGov_COOPCaseStudy_4p0315.pdf
• Logistician Case Study https://www.idirectgov.com/uploads/1000/680-iDi_CS_Logistician_2pg_FA_0515.pdf
• MWR Case Study https://www.idirectgov.com/uploads/1000/621-iDiGT_CS_SPAWAR_MWRNet_0215.pdf
• Training Brochure https://www.idirectgov.com/~idirect/uploads/iGT_Training_0515.pdf