CENTRIXS: “Interconnecting Coalition Networks” Gabor Szarka NC3A CAT9: NII Communications...
CENTRIXS: “Interconnecting Coalition Networks”
Gabor Szarka
NC3A CAT9: NII Communications Infrastructure Services
UNIS-TEM 3rd Dec. 2009 MITRE
Agenda
1. CXI phase-1 network interconnect
2. CENTRIXS-GCTF / HOA changing requirement
3. CNFC – NATO interconnect – 4 evaluated options
4. HOA - Phased installation (urgent <-> flexible)
5. Comparison – CXI / HOA different approach
1.1 CENTRIXS-ISAF Network Interconnection Points
Two Network Interconnection Points in phase-1:
- ISAF_HQ Kabul
- KAF – RC-S Kandahar Airfield
Physical interconnect on base – red fibre Gbit speed
Different AS for the management domains – BGP routing among autonomous systems
Redundancy among Interconnection Points, but on base as well
Testing with standalone CENTRIXS-ISAF IP stack – changeover 12th Oct
1.3 Secure VoIP
Different technology (SIP versus CISCO CM)
Already existing users under phase 0 (migration)
Gateway is using SIP trunk; SIP <-> Call manager conversion happens on CENTRIXS-ISAF side of the GW.
Selected codec – local call G.711 (64 kbps); over the WAN links G.729 shall be used (issues with CUCM and VG) – codec selection during call set-up
Numbering plan – two different numbering authorities (CENTCOM / NCSA)
1.4 Outstanding issues in phase-1 IOC
CONOPS MOU between the two O&M entities shall be agreed
Visibility on the GW to the other O&M shall be provided
- Read only credentials
- Different management tools
BGP routing:
- Originally planned load sharing doesn’t work yet (Kabul primary, KAF standby)
Secure VoIP function not operational yet over the GW:
- Functionality tested during original setup – missing elements on the CENTRIXS-ISAF side (CUCM)
- Numbering plan conflict (migration phase from phase 0 -> phase-1)
2.1 Requirement for CNFC <-> NATO IE
“Establishment of mission-critical information exchange for mission-classified information between NATO commands, NATO Units and with coalition partners other than NATO through the realization of a NATO POP CENTRIXS”
“Seamless mission classified information exchange (data, chat, VoIP) between:”
- SHAPE
- JC Lisbon
- CC Mar Northwood
- NAEW Base
- Deployed SOCC
- Flagship of COM SNMG

- TF 151 (US lead Coalition Operation CMF)
- EUNAVFOR (EU Operation ATALANTA – TF 465) *
- Force Contributing Nations within a NATO led TF
- International maritime liaison organisations (e.g. IMO)
2.2 Situation in the AOO
The only mission classified network currently available and well established in and for the AOO for Counter-Piracy Operations is CENTRIXS GCTF / CNFC
Today, NATO is not connected to CENTRIXS, CNFC sub-domain, and this results in a reduction of operational and overall situation awareness for NATO
NATO as a whole is not part of CNFC yet (NATO nations are part of CNFC COI – national SO allowed only onboard ship)
2.3 CNFC VPN COI inside CENTRIXS
[Diagram labels: GCTF; CENTRIXS ISAF; CENTRIXS Four Eyes; CENTRIXS J; CENTRIXS K; CMFP; CNFC; SIPR Net]
SIPR Net - Secret Internet Protocol Router Network (USA)
CNFC - (Combined Naval Forces CENTCOM)
ISAF - GCTF ISAF enclave
GCTF - (Global Counter Terrorism Forces Network)
CMFP - Cooperative Maritime Forces Pacific
K - CENTRIXS US – Republic of Korea
J - CENTRIXS US - Japan
CNFC
Functional services:
- Collaboration @ Sea (CAS) (DHS, TT, Mail)
- Different systems (e.g. IBM based Lotus)
- C2PC
- SAMETIME (CHAT)
3.1 Evaluated options (1/2)
1. Implementation of a CENTRIXS NATO POP in NATO with connection to relevant NATO elements/entities
- Use of NATO NGCS WAN with encrypted channels
- No connection with NATO systems
- Parallel tunnels (inverse tunneling would mean case by case re-accreditation)
2. Same as option 1 without use of NATO NGCS WAN
- Stove pipe system
- No connection with NATO systems
3.2 Evaluated options (2/2)
3. Gateway between NS NATO systems and CENTRIXS
- CNFC FASs are proprietary system based (IBM Lotus Domino etc.) – no accredited IEG guards, proxies exist
- Security accreditation may be more difficult to achieve
4. Gateway between MS NATO systems and CENTRIXS (ISAF like solution)
- Requires the establishment of a new MS domain
3.3 OPTION 1: CNFC extended through NGCS
[Diagram labels: HOA Mission Network; NGCS; NATO POP (SHAPE); CENTRIXS CNFC (HOA Nations); JC Lisbon (CENTRIXS CNFC); CC Mar Northwood (CENTRIXS CNFC); SHAPE (CENTRIXS CNFC); FLAGSHIP AT SEA (CENTRIXS CNFC)]
- Eligibility issue (CENTRIXS traffic over NGCS) – will the funds be available?
- Security issue (Approval to Operate) – who is the authority?
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs ?
3.4 OPTION 2: CNFC extended through stove pipes
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs ?
[Diagram labels: HOA Mission Network; CENTRIXS CNFC (HOA Nations); JC Lisbon (CENTRIXS CNFC); CC Mar Northwood (CENTRIXS CNFC); SHAPE (CENTRIXS CNFC); FLAGSHIP AT SEA (CENTRIXS CNFC); Dedicated communication links]
3.5. OPTION 3: CENTRIXS/CNFC-NS
[Diagram labels: CNFC Information Domain; NATO Secret Information Domain; NATO SECRET (28 NATO Nat.); CENTRIXS-CNFC (HOA Nations); NATO POP; Cross Domain Gateways (email, Chat, VOIP); SHAPE; CC Mar Northwood; JC Lisbon; FLAGSHIP AT SEA]
- Direct connection between NS and a non-NATO coalition system
- No accredited guards available for the specific systems
3.6 OPTION 4: CENTRIXS/CNFC-MS-NS
[Diagram labels: CNFC Information Domain; NATO Mission Secret Information Domain; MISSION SECRET (NATO HOA Nat.); CENTRIXS-CNFC (HOA Nations); chat; VOIP; NATO POP (SHAPE); NATO SECRET; SHAPE; CC Mar Northwood; JC Lisbon; FLAGSHIP AT SEA]
- Establishment of a Mission Secret Domain ?
3.7 Challenges
Maritime community is using different Core and Functional Area Services – technical and infosec challenges during accreditation (no guards are accredited yet)
Frequent rotation of Flagship:
- Different solutions for back-link (national or NATO PoP) – with limited capability to extend satellite links.
- Individual accreditation for different flagships is not doable in a timely manner (one solution for all)
MC195 requires “only” NS access from onboard ship
No Deployed Shore HQ (yet?)
4.1 Phased approach
Selected options are option 1. and 2. (extend CNFC) – to achieve this NATO should be part of CNFC COI
Phase 0: Extend CNFC VPN through SHAPE PoP to different static HQs:
- First step – get NATO access to CNFC
- Tunnel through existing GCTF access
- No CNFC services provisioned from the NATO PoP
- Limited No of seats avail at NATO locations
Phase 1: Upgrade phase-0
- CNFC PoP at NATO shall be established (servers)
- VPN concentrator installation
4.2 NATO Connectivity CNFC Operational view
[Diagram labels: US EUCOM; US PACOM; US NORTHCOM; US CENTCOM; US NAVCENT; DATG; CTF 150; CTF 151; CTF Oper ATALANTA; Stuttgart, GE; DDIS; ABSL; Admiral Danish Fleet HQ; Karup; XTAR; SIPRNet; NGCS; CENTRIXS; CNFC; NATO POP CENTRIXS; NATO POP Nation; SHAPE; JC Lisbon; JFC Brunssum; JFC Naples; MCC Northwood; MCC Naples; Operation Ocean XYZ; Operation Allied XYZ; SNMG unit; SNMG flagship; NATO SNMG]
5.1 CENTRIXS-ISAF CNFC/HOA comparison
CENTRIXS-ISAF
- Connects to a NATO Mission Secret Network
- Same security classification different O&M
- Connects to NATO Secret through IEG
- Core services based on the same platform (MS)
- Established Mission Secret – large No of users
CNFC
- Is used as Mission Secret Network.
- One O&M through the whole of CNFC
- No NATO Secret GW exists
- Different platform (MS <-> IBM)
- IOC – limited No of new users in static HQs
NATO UNCLASSIFIED Releasable to ISAF
CONTACTING NC3A
NC3A Brussels
Visiting address:
Bâtiment Z
Avenue du Bourget 140
B-1110 Brussels
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770
Postal address:
NATO C3 Agency
Boulevard Leopold III
B-1110 Brussels - Belgium
NC3A The Hague
Visiting address:
Oude Waalsdorperweg 61
2597 AK The Hague
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239
Postal address:
NATO C3 Agency
P.O. Box 174
2501 CD The Hague
The Netherlands