CENTRIXS: “Interconnecting Coalition Networks”, Gabor Szarka, NC3A CAT9: NII Communications Infrastructure Services, UNIS-TEM, 3rd Dec. 2009, MITRE


Agenda

1. CXI phase -1 network interconnect

2. CENTRIXS-GCTF / HOA changing requirement

3. CNFC – NATO interconnect – 4 evaluated options

4. HOA - Phased installation (urgent <-> flexible)

5. Comparison – CXI / HOA different approach

1.1 CENTRIXS-ISAF Network Interconnection Points

Two Network Interconnection Points in phase-1:

- ISAF_HQ Kabul
- KAF – RC-S Kandahar Airfield

Physical interconnect on base – red fibre Gbit speed

Different AS for the management domains – BGP routing among autonomous systems

Redundancy among Interconnection Points, but on base as well

Testing with standalone CENTRIXS-ISAF IP stack – changeover 12th Oct


1.2 CXI routing


1.3 Secure VoIP

Different technology (SIP versus CISCO CM)

Already existing users under phase 0 (migration)

Gateway is using SIP trunk; SIP <-> Call manager conversion happens on CENTRIXS-ISAF side of the GW.

Selected codec – G.711 (64 kbps) for local calls; over the WAN links G.729 shall be used (issues with CUCM and VG) – codec selection during call set-up

Numbering plan – two different numbering authorities (CENTCOM / NCSA)

1.4 Outstanding issues in phase-1 IOC

CONOPS MOU between the two O&M entities shall be agreed

Visibility on the GW to the other O&M shall be provided

- Read only credentials
- Different management tools

BGP routing: Originally planned load sharing doesn’t work yet (Kabul primary, KAF standby)

Secure VoIP function not operational yet over the GW:

- Functionality tested during original setup – missing elements on the CENTRIXS-ISAF side (CUCM)
- Numbering plan conflict (migration phase from phase 0 -> phase-1)

2.1 Requirement for CNFC <-> NATO IE


“Establishment of mission-critical information exchange for mission-classified information between NATO commands, NATO Units and with coalition partners other than NATO through the realization of a NATO POP CENTRIXS”

“Seamless mission classified information exchange (data, chat, VoIP) between:”

- SHAPE
- JC Lisbon
- CC Mar Northwood
- NAEW Base
- Deployed SOCC
- Flagship of COM SNMG

- TF 151 (US led Coalition Operation CMF)
- EUNAVFOR (EU Operation ATALANTA – TF 465) *
- Force Contributing Nations within a NATO led TF
- International maritime liaison organisations (e.g. IMO)

2.2 Situation in the AOO


The only mission classified network currently available and well established in and for the AOO for Counter-Piracy Operations is CENTRIXS GCTF / CNFC

Today, NATO is not connected to CENTRIXS, CNFC sub-domain, and this results in a reduction of operational and overall situation awareness for NATO

NATO as a whole is not part of CNFC yet (NATO nations are part of CNFC COI – national SO allowed only onboard ship)

2.3 CNFC VPN COI inside CENTRIXS

[Diagram: enclaves inside CENTRIXS: GCTF, CENTRIXS ISAF, CENTRIXS Four Eyes, CENTRIXS J, CENTRIXS K, CMFP, CNFC; SIPR Net]

Legend:

- SIPR Net - Secret Internet Protocol Router Network (USA)
- CNFC - (Combined Naval Forces CENTCOM)
- ISAF - GCTF ISAF enclave
- GCTF - (Global Counter Terrorism Forces Network)
- CMFP - Cooperative Maritime Forces Pacific
- K - CENTRIXS US – Republic of Korea
- J - CENTRIXS US - Japan

CNFC functional services:

- Collaboration @ Sea (CAS) (DHS, TT, Mail)
- Different systems (e.g. IBM based Lotus)
- C2PC
- SAMETIME (CHAT)

3.1 Evaluated options (1/2)

1. Implementation of a CENTRIXS NATO POP in NATO with connection to relevant NATO elements/entities

- Use of NATO NGCS WAN with encrypted channels
- No connection with NATO systems
- Parallel tunnels (inverse tunneling would mean case by case re-accreditation)

2. Same as option 1 without use of NATO NGCS WAN

- Stove pipe system
- No connection with NATO systems

3.2 Evaluated options (2/2)

3. Gateway between NS NATO systems and CENTRIXS

- CNFC FASs are proprietary system based (IBM Lotus Domino etc.) – no accredited IEG guards, proxies exist
- Security accreditation may be more difficult to achieve

4. Gateway between MS NATO systems and CENTRIXS (ISAF like solution)

- Requires the establishment of a new MS domain

3.3 OPTION 1: CNFC extended through NGCS

[Diagram: HOA Mission Network; NGCS; NATO POP (SHAPE); CENTRIXS CNFC (HOA Nations); JC Lisbon (CENTRIXS CNFC); CC Mar Northwood (CENTRIXS CNFC); SHAPE (CENTRIXS CNFC); FLAGSHIP AT SEA (CENTRIXS CNFC)]

- Eligibility issue (CENTRIXS traffic over NGCS) – will the funds be available?
- Security issue (Approval to Operate) – who is the authority?
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs ?

3.4 OPTION 2: CNFC extended through stove pipes

[Diagram: HOA Mission Network; CENTRIXS CNFC (HOA Nations); JC Lisbon (CENTRIXS CNFC); CC Mar Northwood (CENTRIXS CNFC); SHAPE (CENTRIXS CNFC); FLAGSHIP AT SEA (CENTRIXS CNFC); dedicated communication links]

- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs ?

3.5 OPTION 3: CENTRIXS/CNFC-NS

[Diagram: CNFC Information Domain: CENTRIXS-CNFC (HOA Nations); NATO Secret Information Domain: NATO SECRET (28 NATO Nat.); NATO POP; Cross Domain Gateways (email, Chat, VOIP); SHAPE; CC Mar Northwood; JC Lisbon; FLAGSHIP AT SEA]

- Direct connection between NS and a non-NATO coalition system
- No accredited guards available for the specific systems

3.6 OPTION 4: CENTRIXS/CNFC-MS-NS

[Diagram: CNFC Information Domain: CENTRIXS-CNFC (HOA Nations); NATO Mission Secret Information Domain: MISSION SECRET (NATO HOA Nat.); email, chat, VOIP; NATO POP (SHAPE); NATO SECRET; SHAPE; CC Mar Northwood; JC Lisbon; FLAGSHIP AT SEA]

- Establishment of a Mission Secret Domain ?

3.7 Challenges

Maritime community is using different Core and Functional Area Services – technical and infosec challenges during accreditation (no guards are accredited yet)

Frequent rotation of Flagship:

- Different solutions for back-link (national or NATO PoP) – with limited capability to extend satellite links.
- Individual accreditation for different flagships is not doable in a timely manner (one solution for all)

MC195 requires “only” NS access from onboard ship

No Deployed Shore HQ (yet?)

4.1 Phased approach

Selected options are option 1. and 2. (extend CNFC) – to achieve this NATO should be part of CNFC COI

Phase 0: Extend CNFC VPN through SHAPE PoP to different static HQs:

- First step – get NATO access to CNFC
- Tunnel through existing GCTF access
- No CNFC services provisioned from the NATO PoP
- Limited No of seats avail at NATO locations

Phase 1: Upgrade phase-0

- CNFC PoP at NATO shall be established (servers)
- VPN concentrator installation

4.2 NATO Connectivity CNFC Operational view

[Diagram: operational view. Node labels: US EUCOM; US PACOM; US NORTHCOM; US CENTCOM; DATG; CTF 150; Stuttgart, GE; DDIS; ABSL; Admiral Danish Fleet HQ; Karup; XTAR; SIPRNet; NGCS; CENTRIXS; US NAVCENT; NATO POP CENTRIXS; NATO POP Nation; CNFC; SHAPE; JC Lisbon; JFC Brunssum; JFC Naples; MCC Northwood; MCC Naples; Operation Ocean XYZ; Operation Allied XYZ; SNMG unit; SNMG flagship; NATO SNMG; CTF 151; CTF Oper ATALANTA]

5.1 CENTRIXS-ISAF CNFC/HOA comparison

CENTRIXS-ISAF

Connects to a NATO Mission Secret Network

Same security classification different O&M

Connects to NATO Secret through IEG

Core services based on the same platform (MS)

Established Mission Secret – large No of users

CNFC

Is used as Mission Secret Network.

One O&M through the whole of CNFC

No NATO Secret GW exists

Different platform (MS <-> IBM)

IOC – limited No of new users in static HQs

NATO UNCLASSIFIED Releasable to ISAF

CONTACTING NC3A

NC3A Brussels

Visiting address:

Bâtiment Z
Avenue du Bourget 140
B-1110 Brussels
Telephone +32 (0)2 7074111
Fax +32 (0)2 7078770

Postal address:

NATO C3 Agency
Boulevard Leopold III
B-1110 Brussels - Belgium

NC3A The Hague

Visiting address:

Oude Waalsdorperweg 61
2597 AK The Hague
Telephone +31 (0)70 3743000
Fax +31 (0)70 3743239

Postal address:

NATO C3 Agency
P.O. Box 174
2501 CD The Hague
The Netherlands