DoD Network of the Future: Powered by Commercial Networks ... · DoD Network of the Future Powered...

att.com/gov/defense

DoD Network of the Future Powered by Commercial Networks and Innovation

2 | DoD Network of the Future Powered by Commercial Networks and Innovation

DoD Network of the Future Powered by Commercial Networks and Innovation | 3

Table of ContentsBottom Line Up Front .......................................................................................................................................................................................................................................................... 4

Background .................................................................................................................................................................................................................................................................................... 4

Mission and Business Challenges .............................................................................................................................................................................................................................. 5

Technology and Investment Shaping the Network of the Future ........................................................................................................................................... 7

Network Transformation .................................................................................................................................................................................................................................................. 7

Commercial Networks ......................................................................................................................................................................................................................................................... 8

Potential NFV Benefits ......................................................................................................................................................................................................................................................... 8

SDN, NFV, and Orchestration in the DoD Network of the Future ............................................................................................................................................ 9

The Advantages of SDN ...................................................................................................................................................................................................................................................10

The Promise of Network Function Virtualization (NFV) .....................................................................................................................................................................11

Orchestration Creates System Harmony ......................................................................................................................................................................................................11

WAN Connectivity ................................................................................................................................................................................................................................................................... 12

Securing Commercial Networks .............................................................................................................................................................................................................................. 13

Virtual Private Network ................................................................................................................................................................................................................................................... 13

Commercial Solutions for Classified: Confidentially and Integrity Using IPSec ........................................................................................................14

Access to Innovation ...........................................................................................................................................................................................................................................................14

Recommendations ................................................................................................................................................................................................................................................................ 15

Conclusion ..................................................................................................................................................................................................................................................................................... 19

About Global Business – Public Sector Solutions ....................................................................................................................................................................................19


Bottom Line Up FrontTechnology and the rate of technological change continue to transform government, the military, industry, and individuals’ lives. The fundamental question for the future is whether to embrace dynamic technological change to optimize mission and business functions and reduce costs or continue a course that may never deliver the advantages this technology can offer. Leaders of global industries such as banking, manufacturing, hospitality, logistics, and retail who have realized that they no longer have the resources or capacity to maintain technological change have instead leveraged the extraordinary investments made by commercial network providers to change the way they operate to fulfill their missions. The experience of these industries gives the Department of Defense (DoD) a roadmap by which to increase efficiencies, better support its complex mission and dramatically shift its Information Technology strategy for the future. This requires a new vision and strategy for procuring and sustaining network technology, moving from the current self-supported networking environment to one that is delivered by global telecommunications carriers and thus replacing a model based on hardware acquisition, operations and maintenance to one based on consuming network and network functions as-a-service wherever possible.

Commercial networks are faster and more resilient, have greater reach, and are continually modernized, providing levels of reliability, agility, and security unheard of just a few years ago. Many of the DoD networks enabling vital operations today are running on technologies that are more than 20 years old. Supporting the force of the future requires a DoD Network of the Future and a new model for networking. Further, leveraging commercial network capabilities in an as-a-service model would dramatically decrease O&M costs related to networking by as much as 50%; considering the reported O&M costs of the top two DoD network investments,1 the savings could exceed $1B annually.

The transition to commercial networks is not an all-or-nothing proposition. DoD should look to make incremental changes, focusing first on exception networks, base level networks, and/or networks that are at, past, or approaching major lifecycle replacement milestones. This strategy will control transition costs by continuing to leverage existing investments that have service life remaining.

BackgroundMilitary operations today are characterized by complexity. It is impossible to know the location or underlying mission of the country’s next deployment, and nothing on the horizon suggests the future will be any less complex. Such an environment requires flexibility, agility, resilience, and a broad portfolio of capabilities, not only for command and control of the forces, but also for the mission and business systems that support them. Unfortunately, many of these systems were designed for a more predictable past and are not up to the task of supporting the ever-changing present, much less an unknown future.

While these challenges are known problems, and large programs are currently attempting to offer solutions, there are fundamental, perhaps philosophical, changes still required if the DoD Network of the Future is to deliver the transformative capability required to successfully support U.S. forces as they face the challenges of the future. To meet these challenges, the Network of the Future must be software-defined, orchestrated and cloud-enabled; it must leverage commercial carriers, implement as-a-service, including modern security; and it must include wireless technologies and embrace Internet of Things (IoT) concepts.

The DoD Network of the Future must be able to scale to meet the needs of this immense and complex organization. The DoD has more than 1.3 million men and women serving on active duty, employs more than 730,000 civilian personnel, and counts another 800,000 in the National Guard and Reserve, making it the nation’s largest employer. In addition, more than 5.5 million family members and military retirees receive benefits because of their past service or their relationship to a service member.2

Supporting the diverse IT needs of this organization is a tremendous challenge that involves more than 15,000 classified and unclassified networks, connecting more than seven million computers and IT devices, 10,000+ operational systems (20% mission-critical, 67,000 servers in more than 770 data centers, and support to more than 6,000 locations, 600,000 buildings and structures in 146 countries with a 170,000-person IT workforce). The total IT budget is an estimated $31B with $10B in infrastructure such as data centers, networks, software applications, desktops, and mobile devices.3 And that’s all before a single task element is deployed. A hardware-centric infrastructure can only scale with the addition of more hardware. With constrained budgets and increasing time pressure, the cost and delays associated with acquiring new hardware is untenable.


The DoD Network of the Future must be ubiquitous. History has shown that the ability to communicate and share information is as important as ordnance and strategy to effectively support military campaigns. Today, there are often multiple active missions across the globe, making it imperative for distributed forces to be able to access information no matter where they are and no matter what form factor their computing device may have. With nearly everything and every person connected to the network, a seamless information environment providing command and control that allows joint and coalition interoperability is critical to mission success. Therefore, it is essential that the DoD have the most modern Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) capabilities available and can modernize on demand.

Flexibility to handle growth is another requirement for the DoD Network of the Future. The DoD’s current network architecture presents limitations in handling growth, both in data requirements and reach, and is not ready to respond to changes in tasking, mission, or partner composition with the requisite speed. While this is partially the result of policy decisions rooted in securing the technologies available at that time, acquisition and fielding decisions have cemented those policy decisions. The Network of the Future can break from those restrictions, providing an agile and responsive infrastructure without compromising security or integrity.

To understand what is driving the unprecedented innovation and change in networking infrastructure, one need only look to Moore’s Law, which has proven itself again, this time in the networking space. Processing power has increased exponentially, and the cost per chip has decreased to a point that every “thing” will be connected, and every “action” will be recorded and streamed. The AT&T network, for example, has experienced a 150,000% increase in mobile data traffic in the last eight years and the number of devices connected to the network is projected to grow to 21 billion by 2020.4

The industry-wide global network carrier consensus is to move to software-defined networking (SDN) with network function virtualization (NFV) and centralized orchestration: SDN involves the physical separation of the network control plane from the forwarding plane, with the control plane managing several devices; and NFV virtualizes network functions that were performed by proprietary appliances onto commodity hardware, while orchestration delivers product/service-

independent capabilities to enable the design, creation, and lifecycle management of the SDN environment.

Making this shift creates a new market for software, reduces reliance on proprietary hardware appliances, and eliminates the associated lifecycle costs. This means that much of today’s purpose-built hardware such as routers and firewalls will go the way of phone booths and video stores; organizations that relied on them may eventually no longer be able to purchase or maintain these devices, and so must transform their networks as service providers have.

In the past 10 years, commercial network providers have invested more than $300B in modernizing their network infrastructure. DoD would have to invest billions to update its networks to achieve equivalency with current commercial technology and billions more in the future to stay current with the pace of technological change – but this could not be sustained either fiscally or from a staffing perspective. Fortunately, it’s not necessary, as current commercial products, services, and technologies provide secure, cost effective, and highly reliable options to assist DoD leaders with the imminent challenge of upgrading obsolete and overloaded networks in an austere budget environment. Current transport technology choices for network infrastructure and commercial Wide Area Network (WAN) services, coupled with the introduction of disruptive technologies in the campus and WAN spaces, provide DoD’s network architects and visionaries with the tools to address current difficulties and stay ahead of future challenges.

Mission and Business ChallengesThe DoD still has analog, fixed, premises-based, time-division multiplexing (TDM) and asynchronous transfer mode (ATM) infrastructure. This aging network architecture is based on point-to-point circuits that

— Ash Carter Secretary of Defense, April 23, 2015

“…there are many areas where the potential in leveraging commercially-driven technology is so huge, that we have to embrace it going forward.”


require constant hardware maintenance and upgrades. In addition to these legacy technologies not offering many features and capabilities of modern networking, they have longer term consequences such as limited or no suppliers in the future and limited ability to scale to meet evolving mission demands.

Additional challenges include:

1. Increased cyber threats – From 2013-2015, the Director of National Intelligence named the cyber threat as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September 11, 2001. The increased volume and persistence of current and new threat actors make the current architecture vulnerable.

2. Network infrastructure efficiency – While the current DoD backbone network achieves a 99.5% operational availability, higher availability is often required to effectively support enterprise voice, enterprise e-mail, enterprise thin client, or the high availability, low latency, low jitter requirements of mission and weapons systems.

3. TDM systems supporting legacy C2 systems/applications – While the military departments (MILDEPs) have multi-year strategies to migrate an aging and costly communications environment to a cost-effective collaboration environment, the existing TDM environment is 30 years behind current commercial technologies.

4. Aging infrastructure and limited capacity (CAT3 station wiring, power, HVAC, limited diversity) – Outdated fixed installation infrastructure inhibits DoD’s ability to offer Internet Protocol (IP)-based services that enable enhanced communications, collaboration applications, and enterprise services to all users.

5. Interoperability within DoD and between mission partners – DoD enterprise maintains redundant, duplicative, and overlapping investments in internal and mission partner standards and interfaces to achieve interoperability and data sharing.

6. Technology adoption/refresh and operationalization – Equipment is nearing the end of useful life, requiring both refreshed and new technology to provide enhanced capabilities and continued network defense. Operationalization of tech adoption/refresh/modernization can take years to accomplish.

7. Disparate NetOps/DCO models and NM/Cyber tools across DoD components – Limited integration and automation make operations, administration, maintenance, and provisioning (OAM&P) of the DoDIN labor intensive and complicated. The sheer number of DoD’s individual help desks costs millions of dollars to staff, operate, and maintain. For the most part, each desk conducts its functions in a similar manner. These help desks can be consolidated and augmented with digital labor and personnel re-purposed to other mission areas.

8. Complex and dynamic missions driving need for more agile and new capabilities – Today’s disaggregated, forward-edge missions are difficult to support with fixed networks, and warfighters demand networks and devices that are mobility-enabled and rapidly provisioned for specific mission sets.

9. Next-Generation end-user devices/soft clients/mobility apps – A significant number of DoD personnel work in non-deployable roles, performing tasks that require only basic office automation software and soft clients using Non-Secure Internet Protocol Router NETwork (NIPRNet)-connected desktop, notebook computers, and mobile devices.

10. Declining budgets – Investments in new technologies and operational capabilities require a self-funding strategy for the department to stay within current budget constraints. This includes leveraging savings achieved through modernization or streamlining activities to fund future year investments.

Today’s commercial networks can overcome these challenges with affordable, efficient, and secure access to mission-critical applications. The recent demand for mobility, Big Data, and IoT applications, coupled with technology transformations brought on by data center evolution and cloud services, are driving transformative changes across the technology spectrum. DoD can realize

“If software is where all the action is, hardware is the backwater of old technology.”

— Andrew Bartels Forrester principal analyst, in the Global Tech Market Outlook For 2016 To 2017


cost savings and efficiencies from managing bandwidth with on-demand networks that can be rapidly provisioned as needed to support the dynamic environment of global operations. Commercial network provider solutions align well with the DoD’s stated goals for IT infrastructure.5

Technology and Investment Shaping the Network of the FutureToday’s digital economy requires businesses and government agencies to move fast. Server virtualization, cloud computing, mobility, and software as-a-service (SaaS) have helped government organizations meet mission-critical operational demands faster and more efficiently.

Efforts to accelerate network infrastructure deployments, though, haven’t come quite as far. Many organizations still wrestle with the time-consuming task of configuring diverse and proprietary application-specific networking equipment when adding or changing network functionality. The inability to build and scale network infrastructure quickly has hindered enterprises’ attempts to be nimbler in

responding to business and customer demands.

Global network providers, however, are changing the situation. Like server and application software in data centers, functions that typically reside in WANs are now also being virtualized. This approach, based on standard network function virtualization (NFV) technology, is creating significantly faster and simpler ways to deploy and manage network infrastructure. With industry-standard hardware and a few clicks, customers are now able to deploy routing, security, WAN acceleration, and other complex network functions to handle rapidly growing volumes of data traffic and dynamically changing IT and business requirements.

Network TransformationThe recent demand for Mobility, Big Data, and the Internet of Things, coupled with technology transformations brought on by data center evolution and cloud services, are driving transformative changes across the technology spectrum. These capabilities can have a direct impact on the DoD.

Commercial Alignment to DoD Way Forward to Tomorrow’s Strategic Landscape

DoD Goal

Execute Joint Information Environment (JIE) capability initiatives

Improve partnerships with mission partners and industry

Ensure successful mission execution in the face of the cyber threat

Provide a DoD cloud computing environment

Optimize the Department’s data center infrastructure

Exploit the power of trusted information sharing

Provide a resilient communications and network infrastructure

Improve oversight and execution of DoD IT investments

Commercial Network Solutions Alignment

Highly available On-Demand network, with multiple class of service options, enhanced security features, and secure, dynamic cloud connectivity

Global reach, with a worldwide ecosystem of companies providing network services and connectivity

Sophisticated security tools and ability to leverage carrier-derived threat data seen across their global networks

Cloud connectivity solutions that improve security, reduce latency,and drive down typical costs that can be consumed as a commodity

Tools and methodologies to support both application rationalizationand move phases of data center consolidation initiatives

Standards-based network and tools that enable security and mobilityacross DoD and coalition operations

Modern, highly available, and secure, wireline, wireless and satellite network solutions and capabilities that align to individual users’ requirements

Efficient network solutions with embedded data analytics for transparency, visibility and oversight

Figure 1 – Commercial Alignment to DoD Way Forward to Tomorrow’s Strategic Landscape


Commercial NetworksWhile government agencies may be accustomed to the perceived security of proprietary networks, many have come to realize the unique advantages that commercial network providers can offer. Top-tier carriers own, operate, and maintain state of the art IP backbones that reach >99% of the world’s economy. Technology leaders like AT&T are providing secure connectivity with an average actual performance uptime of 99.999% from premises-edge to premises-edge. The addition of new technologies being brought to market through transformation initiatives to these time-tested, proven core networks can deliver secure, highly-available connectivity with the most modern features and functionality.

Further, with the growing need to securely connect any person and any device, from anywhere, commercial cellular capabilities, augmented with satellite services where needed, would allow the DoD to securely connect its people with data and applications from virtually anywhere on the globe. Commercial Connectivity Service (CCS) extends a client’s existing WAN infrastructure into the cellular network, enabling the client to pursue application deployments that include mobile workers, hard to reach locations, and temporary venues. Connectivity via Internet Protocol Security (IPSec) or Generic Routing Encapsulation (GRE) tunneling provides a private and reliable link between the wired and cellular environments. Additionally, leveraging AT&T Dynamic Traffic Management (ADTM) enables Quality of Service (QoS) network technology that would allow DoD to prioritize its mission-critical data traffic on commercial carriers’ 4G LTE networks.

Working with commercial providers to incorporate SDN, NFV, orchestration, and white-box technologies, which use cost-efficient commodity hardware, would be transformative for DoD, providing a level of agility and flexibility for DoD network operators and clients and driving down operating expenses by as much as 50%.6 Additionally, advances in wireless commercial network solutions such as in-building Wi-Fi, cellular, and satellite can support the DoD’s mission to securely connect to human and physical assets practically everywhere on the globe.

Wireline and wireless products on the roadmap that will benefit DoD in the future include:

• 400GB–AT&Texpectstobeginfieldtrialtestingof400Gigabit Ethernet data speeds this year. When complete, 400GbE will support faster uploads and downloads, supporting the ability to transport massive amounts of data at record speeds.

• ProjectAirGig–Thistransformative technology from AT&T Labs is unlike anything currently available in commercial or government domains; it may deliver low-cost, multi-gigabit wireless Internet speeds using power lines. AT&T is experimenting with multiple ways to send a modulated radio signal around or near medium-voltage power lines. With no direct electrical connection to the power line required, this has the potential to offer multi-gigabit speeds in urban, rural and underserved parts of the world. Project AirGig delivers this last-mile access without any new fiber. Field trials are scheduled to begin soon.

Potential NFV BenefitsPotential benefits of an NFV-enabled DoD Communications infrastructure include reduced operational and capital expenditures, an expanded vendor ecosystem, improved user experience, improved technology integration, reduced time to deploy, and quicker response to traffic growth.

• Operations & Maintenance (OpEx) Savings: Automation enabled by NFV will provide better agility and the ability to quickly adapt to changes needed in the network. From an operations perspective, NFV can reduce the cost of powering and housing equipment. NFV will help with OpEx savings by reducing the number of times a technician must visit an enclave location simply because some network function change has to be made.

• Procurement (CapEx) Savings: If most, or all, network functions can run on general-purpose or commoditized hardware, there will be a reduction in the cost of the hardware. Also, since everything runs on the same hardware, less hardware is needed.

• Growth: One of the big challenges to mission support infrastructure growth is the deployment of additional equipment for capacity, but that challenge should be significantly reduced if all the hardware is the same.

— Martina Kurth Gartner Research Director, May 2016

“The proliferation of network function virtualization (NFV) and software defined networking (SDN) will fundamentally transform the telecommunications industry in the next five to 10 years.”


After NFV, the infrastructure will be able to adapt to the capacity needs much more quickly.

• User Experience: Another potential benefit of NFV is that the location of a service could move to where the traffic is. This could reduce the delay and improve the user experience.

• Reduced Time to Deploy: When all hardware is the same, DoD will have the ability to test the equipment faster, and potentially deploy new capabilities more quickly.

• Expanded Vendor Ecosystem: Hardware independence allows smaller vendors to join the ecosystem, enabling the selection of the best-in-breed vendors. APIs allow small vendors to reuse other components (such as management and authentication) of larger entities and focus on their areas of value-add.

• Technology Integration: Since SDN has taken off in several networks such as LANs/WANs, NFV provides a virtualization platform for SDN, and can utilize OpenStack for its infrastructure.

• Security: Ability to create NFV software to provide unique security that can be quickly updated to adapt to an ever changing environment.

SDN, NFV, and Orchestration in the DoD Network of the Future A software-defined and controlled environment would allow the DoD network to scale quickly, enhancing the ability to deploy the same service in diverse or distributed enclaves. Software supporting network functions such as Multiprotocol Label Switching (MPLS) edge routers

with virtual machines would allow DoD to efficiently augment network capacity. Simplicity and consistency are additional benefits of a software-based environment. Instead of bigger boxes, it’s simple to add more virtual machines when they’re needed.

Open architecture is a hallmark of these new networks. Instead of a proprietary command line interface (CLI)-dependent provisioning model, organizations are moving to a data-driven network model. Imagine a set of data models enabling each type of application supported by the DoD network, where those models are pushed onto the network elements themselves. This puts the onus on suppliers to be able to support those data models, resulting in service-specific virtual functions enabled as needed. This is a very different model from those used today, where proprietary CLI code is required to provision network elements and services.

Any move to a more virtual, software-based environment must address security mandates and concerns, of course. Consider that many security breaches often arise from human error, incorrect configurations, and inconsistencies in how network elements are deployed in different locations. Movement to a more centralized software-based approach decreases these types of human driven errors.

Finally, the use of commercial network capabilities to build the next generation DoD network as a platform will encourage innovation in the community. An initial goal is to be able to put application-specific managed capabilities on the network, on demand, in support of different missions. A logical next step would be to open the network


up to approved end users, allowing them to deploy new functions on the network in support of future mission requirements. The benefits include reduced cycle times and configuration efficiency gains.

SDN and NFV will reshape the DoD IT program landscape as acquisition teams no will longer need to purchase dedicated hardware devices, simplifying the deployment of network services. This flexibility allows DoD IT departments to respond in a more agile manner to changing network service demands and implement on-demand usage-based services to rapidly meet business needs. It also opens a wider aperture to procuring and managing hardware components that must comply with DoD regulation by allowing a wide portfolio of standard (e.g. commodity) servers and storage devices to be utilized in an open architecture strategy. This leads to reducing and even eliminating the various stovepipe hardware functionalities that bring life cycle management challenges to program offices and organizational IT teams such as obsolescence, vendor dissolution, and hardware/ firmware intrinsic vulnerabilities that provide unresolvable attack vectors for adversaries.

NFV also fosters a highly competitive, innovative development ecosystem among software vendors to bring “best of breed” virtual appliance solutions quickly to the DoD, knowing that they can be easily replaced in a cost-effective manner if another developer builds a better mousetrap. The corresponding incentive to industry to define a better solution at a non-hardware level and have the capability to implement it quickly has the potential to bring an Agile methodology to network development.

The flaws in classical, hardware-centric network architecture are compounded when placed within the modern environment of increasing energy costs, reduced capital investment portfolios within DoD, the challenge of attracting and retaining qualified personnel, and the subsequent high cost of those with the specialized skills necessary to design, integrate, and operate increasingly complex hardware-based appliances. Moreover, hardware-based appliances rapidly reach end-of-life, requiring much of the procure-design-integrate-deploy cycle to be repeated with increasing total cost of ownership. Large enterprises such as DoD, where technology refresh periods are driven by operational cycles (such as ship maintenance availability) measured in five to ten year intervals across multiple, disparate hardware devices, can realize large scale cost avoidance by migrating to an NFV architecture. A movement to SDN/NFV also has the potential to provide a more stable

and predictable budgetary glideslope in out years due to its hardware vendor-agnostic architecture and advantages in ease of integration, installation, and operation.

Such a network is built on the three pillars of SDN, NFV, and orchestration. SDN and NFV are well-known technology terms that have been gaining in popularity in data center environments for several years and are now moving into the campus and WAN networks. AT&T refers to the orchestration component as Enhanced Configuration Orchestration Management and Policy (ECOMP).

The Advantages of SDNThrough SDN, a future DoD network would be more intelligent, open and, ultimately, programmable. The term ‘application-aware networking’ has been in use for some time, but SDN is almost the opposite; the idea is to enable an application to be network-aware. If an application such as a high-bit-rate HD video feed needs a certain set of network capabilities to support it, whether it is CoS or low jitter, then the network-aware application signals a request to the network to provide that service in real time.

Other attributes of SDN applicable to a DoD next generation network are centralization of the control plane and separation of the control and data planes. In this model, applications request and manipulate services provided by the network. In a complementary fashion, the network exposes network state and configuration back to the applications via APIs.

Mission-Specific Applications

DoD Network of the Future

SDN

NFV

ECO

MP

Figure 2 – Potential Foundation of DoD Network of the Future


Class of Service (CoS) on demand is an example of an application that could be supported on this type of network. CoS on demand-enabled flows provisioned by a centralized SDN controller and traffic engineering application would be analogous to an ATM switched virtual circuit call setup, but not limited by lack of ongoing market support as is ATM.

A DoD application could request that a flow be placed in a higher class of service. The way CoS is delivered is not being changed necessarily (in terms of prioritization,

queuing, policing); what is being changed is how the CoS capability is exposed. Rather than being statically defined, it starts moving toward an on-demand concept; and rather than being site-driven or interface-driven, it starts to be more flow-driven or application-driven.

The Promise of Network Function Virtualization (NFV)The basic idea with NFV is to take what has been learned from data center evolution and virtualization and apply that knowledge to the network infrastructure realm. In this way, the network becomes more like the cloud, giving DoD the ability to share servers across the many network functions, such as load balancing, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), firewall, and WAN acceleration functions. The server capacity can be shared for these network functions just as it is in the data center.

In DoD’s Network of the Future, NFV provides the opportunity to leverage container technology in lieu of virtual machine (VM) technology. Container technology is likely to supplant current virtual machine technology due in part to the economics – fewer VM licenses – and in part to the speed with which a container can be instantiated: a VM typically takes a little over one minute to turn up and make available for use, whereas a container can be turned on and made available for use in just a few seconds. The key to exposing this capability in near-real-time is robust orchestration.

Orchestration Creates System Harmony Orchestration is the function that automates sequences of activities, tasks, rules, and policies needed for on-demand

Application Layer

Control Layer

Infrastructure Layer

Applications

API

Control/Mgt Protocols

Network Services

API API

Figure 3 – Layers in an SDN Network Architecture

Computer Industry

App App

Virtualization Layer

X86 (Computer)

App

Windows OS

Linux MacOS

Network Industry

VNF VNF

Virtualization or “Slicing”

Fabric withControl APIs

VNF

NOX(Network OS)

Network OS

• Data Centers virtualized servers to improve TCO in the early 2000s

• Virtualization led to Multi-tenancy (sharing)

• Soware based orchestration led to Clouds

• Apply concepts to Virtual Network Functions (VNFs) (e.g., FWs, WAN acceleration, DNS, DCHP, etc.)

Figure 4 – Network Functions Virtualization


creation, modification or removal of network, application, or infrastructure services and resources. It’s key to an effective deployment of SDN and NFV, enabling these capabilities to be coupled and exposed in near real time. This requires movement away from a purpose-driven, hardware-oriented manual deployment model to a data-driven model for manageability, wherein functions become like workloads that are turned up and turned down, and traffic is steered through them as necessary.

For DoD, this concept could be pushed into the Layer 1 (optical transport network), Layer 2 (connection-oriented Ethernet), and Layer 3 (MPLS-TP) networking spaces. Data models would be defined in the YANG data modeling language (RFC 6020 and related RFCs), with the data on individual network elements manipulated by the NETCONF protocol (RFC 6241).

This data-driven model must support the typical Fault Management, Configuration Management, Accounting, Performance, and Security (FCAPS) functions, which should not be significantly different from vendor to vendor. Adherence to a standard data model by the vendors should make IT integration more efficient. Ultimately, DoD could publish network APIs to its network users for optimizing their applications for the network.

AT&T understands the importance of an effective orchestration engine to the industry, application developers, and clients. Its ECOMP platform enables the automation of service delivery, service assurance, performance management, fault management, and SDN tasks. Basically ECOMP is as an underlying Network Operating System (OS) with network applications built on top similar to how iOS or Android are the underlying OS for smartphones with their diversity of applications. It is mature, feature-complete, and tested in real-world deployments. Many believe it will mature SDN and become

the industry standard; therefore, AT&T is in the process of releasing approximately 8.5 million lines of code associated to the Linux Foundation. Releasing this software into open source levels the worldwide playing field. Most importantly, it will rapidly accelerate innovation across the cloud and networking ecosystems.

WAN ConnectivityThe current DoD architecture employs the use of commercial carrier transport for wide area networking. The use of traditional private line (OC-3/12/48/192) 2.4 to 10 Gbps layer 1 trunks has well known advantages and shortfalls. As AT&T and other common carriers move to newer infrastructure solutions, it is important that DoD actively begin leveraging the investments made by industry to ensure it has the most modern communications capabilities available to support the warfighter. And as commercial network providers roll out new technology necessary in a future where private line solutions are either obsolete or are carried over packet optical networks, it’s also vital to partner with carriers to ensure that DoD-specific critical attributes are identified and provisioned.

Commercial network providers have broad ranges of protocols and technologies available to support the evolution of the DoD infrastructure and WAN while ensuring continuity of service during the transition for DoD’s critical applications and missions with high QoS requirements (in terms of data delivery rates, latency, jitter, and availability, etc.)

AT&T uses various technologies to transport customer traffic at layers 1, 2, and 3. At layer 1, AT&T provides the next-generation layer 1 technology optical transport network (OTN), as industry migrates away from SONET.

Phys

ical

Hardware-Oriented Manual Model

Connections

Purpose Built Hardware

Manual Deployments

Specialized Sites

Vir

tual

Soware-Oriented Data-Driven Model

APIs and Flows

Soware Defined

Orchestrate Workloads

Technology Pods

Figure 5 – Control, Orchestration Management and Policy


AT&T supplies layer 2 transport with carrier Ethernet-like services with AT&T’s Switched Ethernet (ASE), as industry moves away from ATM and Frame Relay. And AT&T supports customers at layer 3 with the AT&T MPLS offering, AT&T Virtual Private Network (AVPN), as service providers use MPLS, which scales extremely well, in the core. AVPN is the flagship product that many other AT&T products and offerings use.

The existing size, scope, geographic footprint, and quantity of DoD networks may make it impractical to initially use a single network technology. Therefore, a hybrid network solution may be the best option. Both Ethernet and AVPN services offer DoD a range of choices and benefits that fill the need to run multiple applications at remote locations, bases, small depot sites, and heavy bandwidth sites such as data centers. Regardless of the customer requirement, AT&T can support any technology at any layer of transport.

Securing Commercial NetworksSecuring mission-critical information can be a daunting task. The evolution of technology and sophistication of today’s cyber threats have resulted in an increase in breaches across organizations of all sizes.

Commercial network providers have solutions in place to help protect DoD. By offering multiple layers of security across applications, devices, networks, and platforms, commercial providers reduce the risk of exposure from malicious attacks. Starting with the network, providers take advantage of unparalleled visibility to look for potential threats as they try to enter the network. Using security analytics developed from decades of experience, providers then work proactively to address identified threats before they reach client networks. Incorporation of network carrier security capabilities into core security operations serves to augment the DoD’s security initiatives such as Joint Regional Security Stack (JRSS).

Virtual Private Network The AT&T VPN Service is a Layer 3 MPLS that uses IP to deliver the attributes of a private network within the confines of a shared networking infrastructure. It allows users like DoD to build an application-aware VPN to link their locations and efficiently transport voice, data, and video over a single connection.

AVPN provides WAN transport that does not traverse the Internet, mitigating all Internet-centric vulnerabilities

Unparalleled Scale & Network Visibility• Multi-protocolLabelSwitching(MPLS)-basedservices*available to 198 countries1 over 3800+ nodes

• Over137petabytesofdata cross the network on an average business day

• DedicatedEthernetaccessin 161 countries & territories

Responsive Analytics• 9.5petabytesofdataanalyzeddaily

• 3.7BnetflowrecordspassthroughAT&T analysis engines every hour

• SecurityOperationsCentersanalyzedata24x7x365

SecurityExpertise• Bestinclasssecurity

consulting group

• 270activesecurityandprivacypatents through 2016

• Expertsaverage15years’experienceinsecurity

Strategic Alliances• Modularandflexibleapproach

• Enhancedvalue

Why AT&T?


such as Distributed Denial of Service (DDoS) attacks. This technology provides increased ability for the warfighter to collaborate and share information for heightened situational awareness and provide access to knowledge bases in which actionable information can be researched expeditiously across a secure, robust, private virtual cloud. AVPN also offers privacy (traffic isolation), QoS, and traffic engineering advantages similar to those provided by a connection-oriented implementation, but without the complexity that former connection-oriented technologies imposed.

The highly redundant MPLS backbone supporting AVPN design delivers Service Level Agreements (SLAs) that support high network availability and AVPN characteristics enable DoD customers to position themselves for the implementation of the JRSS, which is also based on virtual route forwarding. This capability is identified in the Defense Information Systems Agency (DISA) Network Architecture Layer as converged IP/MPLS network and facilitates the DoD strategy of providing robust offerings in Infrastructure-as-a-Service (e.g., cloud connectivity VPN technology known as AT&T NetBond®) and Software Defined Everything, which is supported by robust Network Functions Virtualization (AT&T FlexWare) offerings.

Commercial Solutions for Classified: Confidentially and Integrity Using IPSec Commercial Solutions for Classified (CSfC) is a way of providing secure solutions, leveraging industry innovation to deliver Information Assurance quickly. It is founded on the principle that properly configured, layered solutions can provide adequate protection of classified data in a variety of different applications. NSA has developed, approved, and published solution-level specifications called Capability Packages (CPs), and works with technical communities from across industry, governments, and academia to develop and publish product-level requirements in U.S. Government Protection Profiles (PPs). NSA has certified AT&T as a trusted provider of CSfC.

Using NSA’s CSfC for VPNs, customers can leverage the large global network reach of AT&T and its superior SLAs to transport mission-critical traffic. When customers require encryption between VPN sites, AT&T recommends using IPSec over AVPN. Customers should use IPSec when any of the following are required: traffic encryption, direct authentication between the customer edge router (CER), integrity of traffic, or replay detection.

When IPsec is combined with AVPN’s end-to-end CoS prioritization, completely on the AT&T backbone network with no exposure to the Internet and no exposure to Internet-based vulnerabilities like DDoS, IPSec adds confidentiality protection, which MPLS alone does not provide.

The portfolio of commercial security solutions further extends network defense capabilities to help prevent, detect, and respond to threats. Solutions are also tailored to support the unique security and compliance needs of the DoD through a variety of security consulting services and customized solutions offered through strategic alliances. These services and solutions include capabilities such as:

• ThreatManagement

• FirewallSecurity

• WebSecurity

• EmailSecurity

• DDoSPrevention

• EnterpriseMobileManagement

• SecurityEventandIncidentManagement

• CloudNetworkSolutions

• Consulting

• RiskManagementFrameworkMethodology

Access to InnovationCommercial network provider clients also enjoy reach back to some of the brightest and best minds in the world. For instance, AT&T clients gain access to the renowned AT&T Labs organization. Through their account team, clients can tap the AT&T Labs for rich experience and insights across the realm of technology strategy and product roadmaps. AT&T clients also benefit from the AT&T Foundries, centers of excellence that are aligned with many of the most forward leaning, network-centric technologies in the marketplace, such as Big Data, cloud, IoT, and healthcare. Foundries are an open, collaborative environment of people and processes designed to inspire and promote the invention and innovation of ideas from concept to commercialization between AT&T, third party partners, and clients.


RecommendationsAT&T recommends that the DoD take steps toward modernizing its networks by leveraging commercial network provider capabilities and offers the following list of recommendations to begin this move.

Recommendation #1 – Leverage ‘as-a-service’ SolutionsDoD should take advantage of ‘as-a-service’ solutions that are based on commercial investments with costs shared over a massive customer base. These should require no capital outlay; they include tech refresh in the price, built-in operational efficiencies through automation, and built-in feature and service upgrades resulting in year over year improvements in end-user SLAs.

As of 4Q 2016, the AT&T global network carries more than 137 petabytes of traffic on an average business day on one of the world’s most advanced and powerful IP/MPLS backbones. It supports a full range of MPLS and IP-based services, including wireless data, video, data, and voice services. The AT&T Global MPLS network provides IP-based disaster recovery via external Border Gateway Protocol (eBGP). This protocol allows load balancing across discrete Customer Edge-Provider Edge (CE-PE) connections. The core backbone is the premise of this technical solution, which contains VPN and managed routers to ensure delivery of DoD data.

The AT&T Enterprise Network-as-a-Service (ENaaS) solution is an extension of its proven commercial network

sourcing model that has been applied in the nation’s banking, energy, and health sectors as well as by numerous Federal agencies. This is an end-to-end solution with AT&T electronically bonded real-time performance and security feeds to the DoD. Importantly, this rides on the AT&T core global MPLS network, NOT the public Internet, augmenting and improving the security provided by JRSS acting in a standalone capacity and decreasing the exposure risk.

AT&T’s ENaaS solution supports end-user network connectivity within and between each BAN across the WAN.

The AT&T ENaaS solution provides the broad spectrum of services necessary to support the DoD base area network (BAN) and wide area network (WAN) requirements. As illustrated, the AT&T ENaaS solution supports end-to-end user network connectivity (both Secret Internet Protocol Router Network [SIPRNet] and NIPRNet) within and between each BAN across the WAN. The figure demonstrates connection from an end user on Base A (top left) to an end user on Base B (bottom left). The solution uses AT&T engineers and contractor augmentation as required to provide continuity of operations for data, voice, and video services during the transformation to ENaaS.

For the BAN, AT&T’s Managed Router and Managed LAN Services offer a scalable solution for real-time administration of the network equipment resources that make up the BAN. Using AT&T VPN Service over the existing AT&T MPLS backbone, the current WAN can be replaced with a new, scalable, high-availability, managed solution that provides additional reliability, throughput


and security compared to today’s existing WAN services. Using criteria provided by NSA in its CSfC Program, VPNs with layered IPSec encryption can carry user traffic securely across the new WAN, while wireless solutions can be implemented on each BAN to securely support current and future IP connectivity requirements for multiple device types where hardwire connectivity is not possible or practical.

The AT&T backbone co-exists with the wireless LTE already provided by AT&T and other carriers. AT&T will manage and control all wireless endpoints (from smart phones to IOT devices to SIM-enabled sensors) over a private, secure LTE. To ensure the proper coordination and authorities of control, there is a logical demarcation at which the AT&T MPLS will connect to MILDEP, DoDIN, and other mission systems networks, including the Defense

Industrial Base. AT&T will also develop the electronic bond from the AT&T Global Network Operations Center (GNOC) to any DoD Security Operations Center (SOC) for real-time awareness and communications.

AT&T recommends a pilot program to migrate 10 bases to AVPN with historic availability of 99.9998 percent and provide modern

Managed Router, BAN & Desktop Services

AT&T Enterprise Network as a Service

DoD Networks and Mission Systems

DEM

ARC

ATIO

N

NIPR

Base A Building

SIPR

CER

CER

SDP

High Available Access

NIPR

SIPR

WiFi

Secure WiFi

Base Area Network

DataCenter

Managed Router, BAN & Desktop Services

NIPR

Base B Building

SIPR

CER

CER

SDP

NIPR

SIPR

WiFi

Secure WiFi

Base Area Network

DataCenter

AVPN

High

Availa

ble

Acces

s

AVPN

TIC

LTEMobility & IoT

MPLS VPN(AT&T Global Network)

PBR &BGP Peering External Networks

IPSec Encryption

DoDAVPN

Cloud Services

AT&T LCM Team, NOC

(GCSC), SOCDoD SOC

JRSS

DODIN

Internet

Telecommuter

DIB

Cell Tower

End UserEncryption Firewall WiFi WAP VoIP

Legend

Figure 6 – AT&T ENaaS solution

10Gb

Data Video Devices Workloads VoIP

DoD Site

DoD Site

– Routing– Firewall– WAN Acceleration– Session Border

Controller

• Functionality – Enclave separation – Multiple flows

• Network Transformation – SDN – NFV – Orchestration

FlexWare

Figure 7 – DoD Proof of Concept: Recommendation 2


transport, security and management services for NIPR and SIPR data. While this proposal starts as a pilot, the proposed architecture is 100 percent scalable across the entire DoD, because it is based on the existing, in-place global AT&T network. The pilot is the initial launching point for secure and flexible cloud access, reliability, and global connectivity.

Recommendation #2 – Deploy SDN and NFVProve the performance and operation of a virtualized network, built using the latest SDN and NFV concepts, technologies, and platforms.

This recommendation will provide the DoD with a demonstration of the transformational network elements such as white-boxes, VNF, and orchestration as well as commercial network technologies working in multiple separate enclaves with multiple flows emulating DoD traffic (deterministic traffic with high/variable background traffic). The demonstrated capabilities will also prove out the technologies’ ability to adapt/evolve quickly between diverse mission sets to improve operational flexibility.

Further, DoD will be able to capture and assess maintenance and provisioning efficiency metrics for comparison against their traditional IT provisioning models.

Recommendation #3 – Take Advantage of Commercial WAN CapabilitiesMake use of multiple next-generation DoD network capabilities in the context of a next-generation WAN based

on 1) MPLS VPN services, 2) Network on Demand (NoD), 3) AT&T FlexWare (NFV on Demand, and 4) AT&T NetBond cloud connectivity, demonstrating the applicability of new WAN technologies to the DoD environment.

The next-generation DoD network and protocol solutions developed in recommendation #2 would be used as the destination for flows sources in a private or government cloud. The next generation transport technologies tested will include SDN-enabled NoD, AT&T FlexWare and AT&T NetBond. An RFC-4364-compliant MPLS VPN service supporting six classes of service (CoS) would be used as the foundational transport.

This recommendation will expand upon Recommendation 2 by demonstrating the capabilities of additional next generation transport technologies to include NoD, AT&T FlexWare, and AT&T NetBond, including CoS. DoD will gain additional insight regarding the interaction of network protocols and commercial service as they pertain to the separate enclaves and the emulated traffic flows.

Recommendation #4 – Incorporate Commercial Security ProductsLeverage NFV to develop a security virtualization approach that supplements the current perimeter-based defense in-depth architecture to better protect DoD assets. Take advantage of commercial threat monitoring and logging along with Big Data capabilities to automate cyber incident management and analytics.

10Gb

Data Video Devices Workloads VoIP

DoD Site

DoD Site

– Routing– Firewall– WAN Acceleration– Session Border

Controller

Virtual Network Functions

Cloud Service Providers:– Amazon Gov– Private Gov

• Ability to stand up new sites in days and add new services in minutes

• On-demand scaling of speed to support bandwidth-intensive apps (video, data replication)

• Multiple virtual functions on common hardware improving TCO

• Dynamic connection to mission critical user communities

• Easy to manage – soware- controlled configuration and management

FlexWare

SDN Enabled MPLS VPN Network

NetBond

Figure 8 – DoD Proof of Concept: Recommendation 3


AT&T has the some of the most sophisticated cyber defense tools and protocols in the world. By using the AT&T AVPN, the DoD can realize the benefits of these AVPN built-in security solutions. Offering multiple layers of security across applications, devices, networks, and platforms reduces the risk of exposure from malicious attacks. Starting with the network, AT&T has unparalleled

visibility into potential threats as they try to enter its network. Using patented security analytics developed from decades of experience, AT&T proactively works to address identified threats before they reach DoD networks.

The AT&T portfolio of additional security solutions further extends its network defense capabilities to help prevent, detect and respond to threats. It also provides tailored solutions to support unique security and compliance needs of the DoD through a variety of security consulting

services and customized solutions offered through strategic alliances.

With its experience and breadth of solutions, AT&T can work with the DoD to help in securing mission- critical information. The table below recommends additional managed security features to be overlaid onto the network connectivity described in recommendations 1, 2, and 3.

Recommendation #5 – Exploit Mobility for Internet of ThingsAvoid costly infrastructure upgrades by leveraging LTE/4G Mobility infrastructure and Smart Base capabilities to offer solutions to supplement (or even bypass) these challenges. As shown in the table below, current Smart Base and IoT technologies can help the DoD meet several initiatives and comply with directives related to force protection, energy conservation, and vehicle maintenance and management.

Cyber Security Solution Description

Threat Management Helps to detect and respond to threats with 24x7x365 data monitoring and threat analysis conducted by a team of security experts.• Deliver expertise, tools, and management to help mitigate risks posed by viruses,

botnets, and advanced persistent threats• Fortify protection with 24x7x365 data collection, monitoring, and analysis

Firewall Security Designed to help prevent malicious threats from entering the DoD network and accessing critical data. These solutions also help:• Defend the network against unauthorized connections and reduce risks of

damaging attacks• Provide expert management and 24x7x365 security monitoring• Increase productivity by freeing resources to focus on mission-critical business

Web Security Capabilities designed to help protect DoD against threats that can enter its network through the Internet. These solutions also help:• Provide online filtering and control to help block malware and specific URLs• Control web content and applications• Provide proxy utilization and flexible configuration options through optional

hybrid configuration

Security Incident and Event Management Solutions

Designed to analyze data across the network to correlate alerts and prioritizesecurity events.• Provides a broad view of network security by efficiently correlating alerts from

multiple devices and device types• Prioritizes security events based on threat and risk management methodologies• Assists in helping to maintain compliance with government and industry regulations


Additionally, leverage commercial network providers’ numerous MILDEP base infrastructure contracts and experience (e.g., N2, IMOD, CTS, and CTC-IS) to build mobility towers and infrastructure to provide high bandwidth, lower power consumption, diverse path alternatives to traditional fiber, inside plant wiring, power, and HVAC construction upgrades.

ConclusionUltimately, the ability of DoD to successfully execute its mission(s) depends upon smart investment in its network and communications. The critical nature of this mission requires the DoD Network of the Future be built as a best in breed, embracing the innovations available in today’s market. In this manner, DoD will ensure a communications infrastructure capable of protecting the security of the nation.

DoD has an opportunity to leverage SDN, NFV, and orchestration to fundamentally transform the way communications networks are procured and operated on a long-term basis, providing the agility and flexibility needed to support expanding sets of missions, sensor platforms and sensor fidelity/functionality. Once fully realized, a software-based, modernized DoD Network of the Future will improve efficiency, reduce complexity, lead technology evolution, decrease costs, and provide network-centric solutions that improve business and mission productivity on a global scale.

While it is important that DoD officials start this journey quickly, the journey itself is not a sprint. AT&T has identified a path and built catch products to make it a smooth, low risk, cost-sensible evolution, and is already working with customers who are making this shift to Next Generation networks.

Technology is rapidly changing how the world works and communicates. DoD must respond to the call for a faster, more scalable network that meets the needs of this new environment. A predominately IP, software-defined network is the answer. Join AT&T on this journey to begin to arm the nation’s military with a network of tomorrow, today.

About Global Business – Public Sector SolutionsAT&T Global Business – Public Sector Solutions is a trusted provider to Department of Defense agencies. Our network expertise, innovative technologies and skilled professional services staff deliver visionary solutions that defend our nation and prepare for the future. By addressing government needs with solutions spanning network, cybersecurity, mobility, unified communications, cloud services and more, AT&T enables defense agencies to remain focused on their mission. To learn more, visit att.com/gov/defense.

AT&T Global Business – Public Sector Solutions 1900 Gallows Road Vienna, Virginia 22182

att.com/gov/defense

Area of Need Solution

Physical Security – Force Protection

Video Surveillance (motion & heat detection), Smart Fencing, Shot Spotter, Telemedicine

Energy Conservation Smart Meters, Smart Grid, Smart Lighting, Vehicle Telematics, Smart Waste, Smart Water, Leak Detection, Water Quality

Vehicle Asset Management & Maintenance

Fleet Tracking and Telematics


02/16/17 TS-2412 (federal government)

©2017 AT&T Intellectual Property. All rights reserved. AT&T, Globe logo and Mobilizing Your World are trademarks of AT&T Intellectual Property.

1GAO Report Number: GAO-16-696T 25 MAY 20162DoD Personnel, Workforce Reports & Publications Website – SEP 16 Report3Federal Government IT Dashboard – 2016 Report4Gartner IoT Endpoints and Associated Svcs. Worldwide Report – JAN 17 Report5DoD Way Forward to Tomorrow’s Strategic Landscape Document – AUG 20166AT&T estimated OpEx savings from SDN/NFV deployment across it global network

DoD Network of the Future: Powered by Commercial Networks ... · DoD Network of the Future Powered...

Documents

Transcript of DoD Network of the Future: Powered by Commercial Networks ... · DoD Network of the Future Powered...