US (DISA) - NATO (NC3A) ACP 145 Activity


Transcript of US (DISA) - NATO (NC3A) ACP 145 Activity

Page 1: US (DISA) - NATO (NC3A) ACP 145 Activity

UNIS TEM 6 – COI Services & Applications Breakout Session December 1, 2009

Dan White DISA DMS & National Gateway Technical Support Branch

A Combat Support Agency

Defense Information Systems Agency

Leon Schenkels NC3A Core Applications

Core Enterprise Services

Page 2: Purpose

• Provide a synopsis of recent ACP 145 Allied messaging gateway activity between NATO/NC3A and DISA

Page 3: Topics

• Reason for testing

• Background

• Test environment

• ACP 145 services exercised

– Directory services

– Messaging services

– Security services

• Schedule

• Lessons learned

• Summary

Page 4: Reason for Testing

• NC3A engineering group obtained initiative funding to perform preliminary ACP 145 interoperability testing with the US

– NC3A wanted to evaluate:

• Feasibility of the ACP 145 allied messaging gateway concept

• Alternative ACP 145 gateway product

• NATO centralized Alliance Replication Hub (ARH) directory architecture

• NATO-US PKI interoperability

– The desire was to complete the test effort prior to the end of the NATO fiscal year 2009 (CY 09)

– The initial testing scope was focused on ACP 123 / STANAG 4406 interoperability, including PKI, directory and, implicitly, DMS/NMS interoperability

Page 5: Background (1)

• Messaging interoperability between the US and NATO is currently provided by legacy (ACP 127/ACP 128) message switching systems, via the NATO AIFS and the US National Gateway Centers

• Message traffic exchanged between NATO and the US during October 2009 was 45K messages – traffic volumes are considerably higher during joint exercises

• Although the ACP 123 and STANAG 4406 agreements for military messaging interoperability have been in place for many years, there was no common agreement on a security protocol for providing end-to-end confidentiality, integrity, and non-repudiation services

• The CCEB nations agreed to interconnect national ACP 123 / STANAG 4406 systems using messaging gateways, resulting in the definition and ratification of ACP 145 (CCEB) and ACP 145(A) (NATO)

• In March 2009 NATO ratified ACP 145(A)

Page 6: Background (2)

• ACP 145 carries the P772 military message content encapsulated in a CMS (S/MIME) content type that contains an ESS security label, transferred over an X.400 transport

• The CCEB nations and NATO agreed to use X.500 for directory services

– The CCEB nations and NATO ratified the ACP 133(C) Directory Schema

– The CCEB Nations have a current agreement (ACP 137) for bilateral directory replication to exchange directory information using LDIF attachments to messages

– NATO provides a centralized directory hub, Alliance Replication Hub (ARH) for all NATO Nations to exchange directory information

• Between the gateways, the CCEB nations and NATO agreed to use X.509 PKI digital signatures to provide message integrity and to support a chain of trust for non-repudiation services

– Confidentiality is handled via network layer encryption

Page 7: Test Environment

• Testing was performed between the NATO lab and US lab over the Internet using a Virtual Private Network (VPN)

[Diagram: DISA DMS Testbed (US ACP 145 GW) <-> VPN over the Internet <-> NATO ACP 145 GW]

Page 8: Messaging Services

• The US used the CommPower US ACP 145 Gateway product that is operational today on the US-UK ACP 145 gateway system

• NATO used ClearSwift Deep-Secure ACP 145 Gateway product

– NATO selected this product for testing in order to evaluate an alternative ACP 145 Gateway product and verify vendor product interoperability

• Leveraged the existing UK – US ACP 145 messaging interoperability test plan

– P772 Elements of Service (EoS)

– Security labeling

– Notifications and receipts

– Address lists

– PKI

Page 9: Directory Services

• NATO Concept of Operation employs a centralized directory hub

– Alliance Replication Hub (ARH)

– Member nations use either DISP (X.500) or LDAP to push their entries into the ARH and pull other nations’ entries

• The US successfully used a COTS product (ISODE Sodium Sync) to synchronize directory entries with the ARH while performing conversions between the ACP 133 and US DMS directory schemas

– Demonstrated LDAP strong authentication using two alternative mechanisms

• LDAPS (LDAP over SSL/TLS), which provides only transport-level authentication and confidentiality; the LDAP bind itself still carries a password

• LDAP w/ SASL/EXTERNAL (leveraging TLS credentials)
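The two bind options above differ in what crosses the wire. As an added example (Python, written for this page; not code from the test bed, ISODE Sodium Sync or the ARH), the block below hand-encodes both LDAPv3 BindRequest shapes with a minimal BER encoder and a checker that reports which AuthenticationChoice a request uses. A simple bind carries the password in the request, which is why it is only acceptable over LDAPS or StartTLS; a SASL/EXTERNAL bind carries no secret because the server takes the identity from the TLS client certificate. The DN and password are constructed sample values; the tag numbers follow RFC 4511.

```python
"""LDAPv3 BindRequest encoding: simple bind vs SASL/EXTERNAL (added example).

Tags from RFC 4511 (the LDAP module uses IMPLICIT tagging):
  LDAPMessage            SEQUENCE                      0x30
  BindRequest            [APPLICATION 0] SEQUENCE      0x60
  simple authentication  [0] OCTET STRING, primitive   0x80
  sasl authentication    [3] SaslCredentials, constr.  0xA3
"""


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (message IDs, protocol version)."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(0x02, v.to_bytes(n, "big", signed=True))


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, ber_int(msg_id) + protocol_op)


def simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind: the password is carried in the request itself, so this is only
    acceptable inside a TLS-protected session (LDAPS or StartTLS)."""
    body = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, body))


def sasl_external_bind(msg_id: int, authz_id: str = "") -> bytes:
    """SASL EXTERNAL bind: no secret in the request. The server maps the TLS client
    certificate to a directory identity; name is empty, credentials (authzId) optional."""
    creds = tlv(0x04, b"EXTERNAL")
    if authz_id:
        creds += tlv(0x04, authz_id.encode())
    body = ber_int(3) + tlv(0x04, b"") + tlv(0xA3, creds)
    return ldap_message(msg_id, tlv(0x60, body))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def bind_auth_kind(msg: bytes) -> str:
    """Inspect an encoded BindRequest the way a wire-level check would and report
    which AuthenticationChoice it uses: 'simple' or 'sasl/<mechanism>'."""
    _, seq, _ = read_tlv(msg)
    _, _, p = read_tlv(seq)                         # messageID
    tag, bind, _ = read_tlv(seq, p)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, p = read_tlv(bind)                        # version
    _, _, p = read_tlv(bind, p)                     # name
    tag, auth, _ = read_tlv(bind, p)
    if tag == 0x80:
        return "simple"
    if tag == 0xA3:
        _, mech, _ = read_tlv(auth)
        return "sasl/" + mech.decode()
    raise ValueError("unknown AuthenticationChoice tag 0x%02x" % tag)


if __name__ == "__main__":
    # Constructed sample values, not taken from the test bed.
    s = simple_bind(1, "cn=us-gw,ou=DMS,o=U.S. Government,c=US", "hunter2")
    e = sasl_external_bind(2)
    print(bind_auth_kind(s), s.hex())
    print(bind_auth_kind(e), e.hex())
```

Run stand-alone it prints the two hex encodings; the simple bind is the only one in which the secret string is visible in the octets, which is the whole reason the LDAPS-only variant counts as transport-level protection rather than strong client authentication.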

Page 10: Security Services

• US – NATO established a bilateral security label mapping agreement for the exercise

• Utilized both US and NATO PKIs

– Replicated via the ARH directory

– Used by the ACP 145 gateways to sign messages on origination, verify signatures on receipt, provide CRL checking and certificate hierarchy validation

• Non-repudiation is based on an end-to-end chain of trust

– NATO Originator to GW using NATO digital signature;

– GW to GW using US DOD PKI and NATO digital signatures;

– GW to US recipient using US Fortezza signature and encryption

Page 11: Schedule

Date              Milestones
Jul 2008          UNIS TEM session on DMS and NMS
Dec 2008          First contact and exchange of information between NC3A and DISA team
Apr 2009 onward   Monthly VTCs with detailed minutes and action items
May 2009          Build and (re)configure ACP 145 environment including VPN connectivity
Jun-Jul 2009      Initial tests
Aug-Oct 2009      Testing (including regression)
Nov-Dec 2009      Wrap-up experimentation (documentation)

Page 12: Preparation and Coordination

• Held bi-weekly VTC / teleconferences

• Established an operational VPN between the test labs

• Developed a security label mapping agreement

• Configured the ACP 145 gateways and directory servers

• Tailored / Refined existing interoperability test plan

• Received responsive vendor support in turning around fixes

• Reworked existing US directory replication mechanism to support the NATO replication hub

• Utilized collaborative capabilities (chat) to simplify test coordination

• Established a web site for recording test execution and test results

Page 13: Test Results

Count   Status
172     Total test cases in the test plan
114     Test cases passed
 32     Test cases failed
          - e.g., some Elements of Service not supported
          - e.g., problems with large numbers of recipients
 26     Test cases inconclusive, invalid, or not executed
          - latest US SPIF not available, so unable to test
          - some need to be revisited

Page 14: Findings: PKI Support

• The NATO and US gateways successfully replicated and utilized their partner nation's PKI

– Some minor discrepancies were encountered during certificate validation processing

• US gateway had difficulty resolving the trust of the NATO PKI certificate path from the NATO root, however, the addition of the intermediate NATO CA as a trust point served as a workaround

• US ACP 145 Gateway expects the CRL to be provided in the directory

• NATO PKI requires applications to utilize CRL Distribution Points (CRLDP)

• US system requires the NATO certificate policy to be configured to successfully validate certificate chain
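The three PKI findings above are different parts of one RFC 5280 path validation: where the path is allowed to stop (trust anchors), where the CRL for each certificate is looked for (directory versus CRL distribution point), and whether the configured initial policy set intersects the certificate policies. As an added example (Python, written for this page; not the CommPower gateway's code, and the slides do not state why the root-anchored path failed), the block below models those three steps over a constructed three-certificate NATO-style hierarchy and runs the four situations the slide implies. All OIDs, names and URIs are placeholders.

```python
"""Path building, CRL lookup and policy checking as a small model (added example).

Models (1) trust anchors and where the chain stops, (2) where the CRL for each
certificate is looked for: the directory first, then a CRL distribution point
only if a CDP fetcher is configured, and (3) an explicit-policy style check
against a configured initial policy set. Real X.509 parsing, signature checks
and anyPolicy handling are deliberately left out. All names, OIDs and URIs are
constructed, not the test bed's.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    policies: FrozenSet[str]          # certificatePolicies OIDs
    crl_dp: Optional[str] = None      # CRL distribution point URI, if the issuer uses one


class ValidationError(Exception):
    pass


def build_path(leaf: Cert, certs: Dict[str, Cert], trust_anchors: Set[str]) -> List[Cert]:
    """Follow issuer links from the leaf until a trust-anchor subject is reached.
    The anchor itself is not part of the returned path."""
    path, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.issuer not in trust_anchors:
        nxt = certs.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            raise ValidationError("no path to a trust anchor from " + cur.subject)
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    return path


def check_revocation(path: List[Cert], directory_crls: Dict[str, Set[int]],
                     fetch_cdp: Optional[Callable[[str], Optional[Set[int]]]]) -> None:
    """Every certificate in the path needs a CRL from its issuer. A gateway that only
    reads CRLs from the directory fails for a CA that publishes via CRLDP alone."""
    for cert in path:
        crl = directory_crls.get(cert.issuer)
        if crl is None and cert.crl_dp and fetch_cdp:
            crl = fetch_cdp(cert.crl_dp)
        if crl is None:
            raise ValidationError("no CRL for issuer " + cert.issuer)
        if cert.serial in crl:
            raise ValidationError(cert.subject + " is revoked")


def check_policy(path: List[Cert], initial_policies: Set[str]) -> Set[str]:
    """Walking from the anchor towards the leaf, intersect the valid policy set
    with each certificate's policies; an empty set is a failure."""
    valid = set(initial_policies)
    for cert in reversed(path):
        valid &= cert.policies
        if not valid:
            raise ValidationError("policy set empty at " + cert.subject)
    return valid


def validate(leaf, certs, trust_anchors, directory_crls, initial_policies, fetch_cdp=None):
    path = build_path(leaf, certs, trust_anchors)
    check_revocation(path, directory_crls, fetch_cdp)
    return path, check_policy(path, initial_policies)


# --- constructed sample PKI (placeholder OIDs, names and URIs) ----------------
NATO_POLICY = "1.3.6.1.4.1.99999.1"   # hypothetical NATO certificate policy OID
US_POLICY = "1.3.6.1.4.1.99999.2"     # hypothetical US certificate policy OID
ROOT = Cert("cn=NATO Root CA", "cn=NATO Root CA", 1, frozenset({NATO_POLICY}))
SUB = Cert("cn=NATO Sub CA", "cn=NATO Root CA", 2, frozenset({NATO_POLICY}),
           crl_dp="http://pki.example/nato-root.crl")
GW = Cert("cn=NATO ACP145 GW", "cn=NATO Sub CA", 3, frozenset({NATO_POLICY}),
          crl_dp="http://pki.example/nato-sub.crl")
CERTS = {c.subject: c for c in (ROOT, SUB, GW)}
CDP_CRLS = {"http://pki.example/nato-root.crl": set(), "http://pki.example/nato-sub.crl": set()}


def fetch_cdp(uri: str) -> Optional[Set[int]]:
    return CDP_CRLS.get(uri)


def outcome(**kw) -> str:
    try:
        path, _ = validate(**kw)
        return "ok:" + ">".join(c.subject for c in path)
    except ValidationError as e:
        return "fail:" + str(e)


def run_scenarios() -> Dict[str, str]:
    # Only the Sub CA's CRL has been replicated into the directory; the root's has not.
    dir_crls = {"cn=NATO Sub CA": set()}
    base = dict(leaf=GW, certs=CERTS, directory_crls=dir_crls, initial_policies={NATO_POLICY})
    return {
        # directory-only CRL lookup, chaining to the root: fails on the Sub CA's CRL
        "root_anchor_directory_only": outcome(trust_anchors={ROOT.subject}, **base),
        # same chain, but the gateway can follow CRLDPs
        "root_anchor_with_cdp": outcome(trust_anchors={ROOT.subject}, fetch_cdp=fetch_cdp, **base),
        # the slide's workaround: Sub CA as trust point; the path is one cert long and
        # the root's CRL, the one that could revoke the Sub CA, is never consulted
        "intermediate_anchor_workaround": outcome(trust_anchors={SUB.subject}, **base),
        # NATO policy not configured on the US side: the policy set empties at the Sub CA
        "missing_policy_config": outcome(trust_anchors={ROOT.subject}, fetch_cdp=fetch_cdp,
                                         **dict(base, initial_policies={US_POLICY})),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print("%-32s %s" % (name, result))
```

The intermediate-as-trust-point workaround succeeds because it makes the path one certificate shorter, so the CRL the directory-only gateway cannot find is no longer needed. The cost is that the root CA's CRL is never consulted: a revocation of the intermediate by the NATO root would go unnoticed by the US gateway until the trust point is removed by hand. That is the check to make before carrying the workaround into an operational system.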

Page 15: Findings: Messaging Support

• Successfully exchanged messages between the US and NATO over the ACP 145 Gateway

– NATO and the US are using different Elements of Service for correlation of Delivery Reports and Non Delivery Reports with the original message

– US messaging system does not support general text body part

• US gateway translates this to the IA5 text body part

• Results in stray characters bleeding through into the transformed message, because the general text character-set escape sequences are copied through rather than processed

– US messaging components had difficulties with DN values beginning with O=NATO rather than the conventional C= attribute
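Both messaging findings come down to input the US components did not expect: general text body parts that switch character sets with ISO 2022 escape sequences, and DNs whose top-level RDN is o=NATO. As an added example (Python, written for this page; not code from either gateway), the block below shows the naive octet copy that lets the escape sequences through, a converter that strips them and substitutes characters IA5 cannot carry, and a small RFC 4514 DN parser whose caller gets None rather than a wrong assumption when there is no c= component. The sample body text and DNs are constructed.

```python
"""Two gateway-side conversions from the messaging findings (added example).

1. general text body part -> IA5 text. General text (X.420) switches character
   sets with ISO 2022 escape sequences and SO/SI shifts. Copying the octets
   through unchanged leaves those control sequences in the IA5 body, which is
   the stray-character symptom. The converter strips them and replaces graphic
   characters IA5 cannot carry. It handles designation/shift mechanics only; it
   does not translate the foreign character set, so such characters become '?'.
2. DNs whose top-level RDN is o=NATO rather than c=<country>: an RFC 4514 parser
   and a helper that reports 'no country' instead of assuming one.
Sample inputs are constructed.
"""
from typing import List, Optional, Tuple

ESC, SO, SI = 0x1B, 0x0E, 0x0F


def naive_to_ia5(data: bytes) -> str:
    """What the finding describes: octets copied through, ESC sequences survive."""
    return data.decode("latin-1")


def general_text_to_ia5(data: bytes, replacement: str = "?") -> Tuple[str, List[bytes]]:
    """Strip ISO 2022 escape sequences (ESC, intermediates 0x20-0x2F, final 0x30-0x7E)
    and SO/SI shifts; replace G1 graphics (shifted or 8-bit) with `replacement`.
    Returns the IA5 string and the control sequences that were removed."""
    out, removed, g1_active, i = [], [], False, 0
    while i < len(data):
        b = data[i]
        if b == ESC:
            j = i + 1
            while j < len(data) and 0x20 <= data[j] <= 0x2F:
                j += 1
            if j < len(data) and 0x30 <= data[j] <= 0x7E:
                removed.append(data[i:j + 1])
                i = j + 1
            else:                        # truncated sequence: drop the lone ESC
                removed.append(data[i:i + 1])
                i += 1
            continue
        if b in (SO, SI):
            g1_active = (b == SO)
            removed.append(bytes([b]))
        elif b >= 0x80 or (g1_active and 0x21 <= b <= 0x7E):
            out.append(replacement)      # G1 graphic: not representable in IA5
        else:
            out.append(chr(b))
        i += 1
    return "".join(out), removed


HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string DN into (type, value) pairs, leaf RDN first.
    Handles backslash escapes and \\XX hex pairs (taken as single code points,
    no UTF-8 reassembly); multi-valued RDNs joined with '+' are not split."""
    rdns, buf, i = [], [], 0

    def flush():
        t, _, v = "".join(buf).partition("=")
        rdns.append((t.strip().lower(), v))
        buf.clear()

    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if dn[i + 1] in ',=+<>#;"\\ ':
                buf.append(dn[i + 1]); i += 2; continue
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16))); i += 3; continue
        if c == ",":
            flush(); i += 1; continue
        buf.append(c); i += 1
    flush()
    return rdns


def country_of(dn: str) -> Optional[str]:
    """Country of the DN's top-level RDN, or None when the name is rooted elsewhere
    (for example o=NATO). Callers must handle None rather than assume c= exists."""
    attr_type, value = parse_dn(dn)[-1]
    return value if attr_type == "c" else None


if __name__ == "__main__":
    sample = b"Meeting at 0900 in \x1b-A caf\xe9 \x1b(B room 12"   # constructed body text
    print(repr(naive_to_ia5(sample)))
    print(general_text_to_ia5(sample))
    for dn in (r"cn=John Doe\, Jr.,ou=NC3A,o=NATO",
               "cn=Jane Roe,ou=DISA,o=U.S. Government,c=US"):
        print(parse_dn(dn), country_of(dn))
```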

Page 16: Findings: Security Labels

• Establishing a security label mapping agreement was straightforward

• Security labels were successfully mapped by the gateways

• Testing with the new DMS Security Policy Information File (SPIF) is still pending
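Both the Security Services slide and the finding above rest on one artefact, the bilateral label mapping agreement. As an added example (Python, written for this page; not the gateways' code and not the real US/NATO agreement or SPIF), the block below models an ESS-style security label (policy OID, classification, privacy mark, categories) and a MappingAgreement that translates one policy's values into the other's and fails closed, so a gateway non-delivers rather than forwards a message whose label it cannot map. A monotonicity check on the agreement table is included because a table that maps a higher source classification to a lower target one is the one error such an agreement must never contain. All OIDs, marks and category values are placeholders; NATO RESTRICTED is deliberately left unmapped to exercise the reject path.

```python
"""Bilateral security label mapping at an ACP 145 gateway (added example).

Labels follow the shape of the ESS (RFC 2634) ESSSecurityLabel: security policy
identifier, classification, optional privacy mark, set of security categories.
A MappingAgreement is the machine-readable form of a bilateral agreement; it
maps one policy's values onto another's and fails closed on anything it does
not know. The OIDs, marks and categories below are constructed placeholders,
not the real US or NATO values.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# ESS security-classification values (RFC 2634 section 3.4.3)
UNMARKED, UNCLASSIFIED, RESTRICTED, CONFIDENTIAL, SECRET, TOP_SECRET = range(6)

Category = Tuple[str, str]   # (securityCategory type OID, value)


@dataclass(frozen=True)
class SecurityLabel:
    policy_id: str
    classification: Optional[int] = None
    privacy_mark: Optional[str] = None
    categories: FrozenSet[Category] = frozenset()


class LabelMappingError(Exception):
    pass


@dataclass(frozen=True)
class MappingAgreement:
    from_policy: str
    to_policy: str
    classifications: Dict[int, int]                  # source -> target classification
    privacy_marks: Dict[str, str]                    # source -> target mark
    categories: Dict[Category, Optional[Category]]   # source -> target, None = agreed drop

    def map_label(self, label: SecurityLabel) -> SecurityLabel:
        """Translate a label. Any value outside the agreement is an error, never a
        silent downgrade, so the gateway can non-deliver instead of forwarding."""
        if label.policy_id != self.from_policy:
            raise LabelMappingError("label policy %s not covered by agreement" % label.policy_id)
        if label.classification not in self.classifications:
            raise LabelMappingError("no mapping for classification %r" % (label.classification,))
        mark = None
        if label.privacy_mark is not None:
            if label.privacy_mark not in self.privacy_marks:
                raise LabelMappingError("no mapping for privacy mark %r" % label.privacy_mark)
            mark = self.privacy_marks[label.privacy_mark]
        mapped = set()
        for cat in label.categories:
            if cat not in self.categories:
                raise LabelMappingError("no mapping for category %r" % (cat,))
            if self.categories[cat] is not None:
                mapped.add(self.categories[cat])
        return SecurityLabel(self.to_policy, self.classifications[label.classification],
                             mark, frozenset(mapped))

    def is_monotonic(self) -> bool:
        """Sanity check on the table: a higher source classification must never
        map to a lower target classification."""
        pairs = sorted(self.classifications.items())
        return all(a[1] <= b[1] for a, b in zip(pairs, pairs[1:]))


def try_map(agreement: MappingAgreement, label: SecurityLabel) -> str:
    """Gateway decision: 'forward:<classification>' or 'non-deliver:<reason>'."""
    try:
        out = agreement.map_label(label)
        return "forward:%d" % out.classification
    except LabelMappingError as e:
        return "non-deliver:" + str(e)


# --- constructed agreement (placeholders, not the real US/NATO values) --------
NATO_POLICY = "1.3.6.1.4.1.99999.2.1"   # hypothetical NATO security policy OID
US_POLICY = "1.3.6.1.4.1.99999.2.2"     # hypothetical US security policy OID
REL = "1.3.6.1.4.1.99999.3.1"           # hypothetical releasability category type
TAG = "1.3.6.1.4.1.99999.3.2"           # hypothetical non-restrictive tag category type
NATO_TO_US = MappingAgreement(
    from_policy=NATO_POLICY, to_policy=US_POLICY,
    # RESTRICTED is left out on purpose: this table gives it no US counterpart,
    # so a NATO RESTRICTED message exercises the reject path.
    classifications={UNCLASSIFIED: UNCLASSIFIED, CONFIDENTIAL: CONFIDENTIAL,
                     SECRET: SECRET, TOP_SECRET: TOP_SECRET},
    privacy_marks={"NATO UNCLASSIFIED": "UNCLASSIFIED", "NATO CONFIDENTIAL": "CONFIDENTIAL",
                   "NATO SECRET": "SECRET", "COSMIC TOP SECRET": "TOP SECRET"},
    categories={(REL, "NATO"): (REL, "REL NATO"),
                (TAG, "EXERCISE"): None},   # None: the agreement says this tag is dropped
)


if __name__ == "__main__":
    label = SecurityLabel(NATO_POLICY, SECRET, "NATO SECRET", frozenset({(REL, "NATO")}))
    print(NATO_TO_US.map_label(label))
    print(try_map(NATO_TO_US, SecurityLabel(NATO_POLICY, RESTRICTED, "NATO RESTRICTED")))
    print(NATO_TO_US.is_monotonic())
```

The design choice worth copying is that every unknown value is an error: an agreement table that silently drops an unrecognised category or defaults an unrecognised classification turns a configuration gap into a release decision.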

Page 17: Findings: Directory Replication

• The US successfully modified the replication mechanism to support the ARH

– Used a meta-tool (ISODE Sodium Sync) to push and pull directory data to and from the Alliance Replication Hub (ARH) using secure LDAP

• US directory components rejected entries within the ARH that violated the ACP133(C) structure rules

Page 18: Findings: Address Lists

• Explored additional options (source expansion vs. owner expansion) for expanding ALs

• Substantial differences in national implementations of address list expansion, mostly because of the lack of guidance in ACP 123 / STANAG 4406 on the AL expansion procedure; the differences include:

• Use of DL Expansion history

• Change of MTS identifier and/or P1 originator

• Use of DDA

• Removal of duplicates

• Exempt address processing
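As an added example (Python, written for this page; not either nation's implementation, and ACP 123 gives no procedure to transcribe), the block below models address list expansion with the items listed above: an expansion history that stops mutually nested lists, duplicate removal, exempt address processing, and the choice between source expansion (expand every AL whose membership is known locally) and owner expansion (forward a foreign AL unexpanded to the domain that owns it). Changes to the MTS identifier or P1 originator on expansion are not modelled. The lists and addresses are constructed.

```python
"""Address list (AL) expansion with expansion history, duplicate removal and
exempt addresses (added example).

'source' mode: the originating domain expands every AL it has membership data
for. 'owner' mode: an AL is expanded only by the domain that owns it and is
otherwise forwarded as a single recipient. The expansion history carried with
each queued address plays the role of the X.400 DL expansion history: an AL
already in the history is not expanded again, which is what stops nested lists
that refer back to each other across domains. The local 'expanded' set only
avoids expanding the same AL twice within this one pass.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AddressList:
    name: str                   # the AL's own address
    owner_domain: str           # domain responsible for expanding it
    members: Tuple[str, ...]    # individual addresses or other AL addresses


def expand(recipients, lists: Dict[str, AddressList], local_domain: str,
           mode: str = "owner",
           exempt: FrozenSet[str] = frozenset()) -> Tuple[List[str], List[str]]:
    """Return (delivered, forwarded): individual recipients resolved here, and ALs
    handed on unexpanded for their owner domain (only in 'owner' mode)."""
    if mode not in ("source", "owner"):
        raise ValueError("mode must be 'source' or 'owner'")
    delivered, forwarded, seen, expanded = [], [], set(), set()
    queue = [(r, ()) for r in recipients]           # (address, expansion history)
    while queue:
        addr, history = queue.pop(0)
        al = lists.get(addr)
        if al is None:                               # an individual recipient
            if addr not in seen and addr not in exempt:
                seen.add(addr)
                delivered.append(addr)
            continue
        if al.name in history or al.name in expanded:
            continue                                 # loop, or already expanded once
        if mode == "owner" and al.owner_domain != local_domain:
            if al.name not in seen:                  # leave it for the owner to expand
                seen.add(al.name)
                forwarded.append(al.name)
            continue
        expanded.add(al.name)
        queue.extend((m, history + (al.name,)) for m in al.members)
    return delivered, forwarded


# --- constructed lists: the two ALs refer to each other -----------------------
LISTS = {
    "al-us-j3@us.example": AddressList(
        "al-us-j3@us.example", "us.example",
        ("j3a@us.example", "j3b@us.example", "al-nato-ops@nato.example")),
    "al-nato-ops@nato.example": AddressList(
        "al-nato-ops@nato.example", "nato.example",
        ("ops1@nato.example", "al-us-j3@us.example", "ops2@nato.example")),
}


if __name__ == "__main__":
    rcpts = ["al-us-j3@us.example", "j3b@us.example"]
    exempt = frozenset({"j3a@us.example"})
    print("owner :", expand(rcpts, LISTS, "us.example", "owner", exempt))
    print("source:", expand(rcpts, LISTS, "us.example", "source", exempt))
```

Without the history check, the two constructed lists would expand each other forever; without the duplicate check, j3b@us.example (named directly and as a list member) would be delivered twice, which is the behaviour that differs between national implementations.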

Page 19: Lessons Learned

• Up-front analysis of differences in national implementations pays off – examples:

– Mandatory / optional elements of service

– Directory schema mapping

• The Alliance Replication Hub concept did not require extensive software development and offers better scalability than bilateral directory replication

• Security interoperability

– Security label mapping agreements required between each nation pair

– PKI interoperability is doable, but requires some tweaking

Page 20: Lessons Learned (continued)

• Continue ACP 145 interoperability testing, to include legacy messaging transition and legacy conversion gateways

– US legacy to NATO via ACP 145 GW

– NATO legacy to US via ACP 145 GW

– Legacy to legacy tunneling over the ACP 145

– More experimentation with address list expansion options

Page 21: Summary

• ACP 145 testing efforts between NATO and the US have proven to be a very useful and enlightening experience

– Very pleasantly surprised by progress made within a few months, esp. given limited resources dedicated to the effort

– Overcame minor glitches via workarounds and hot fixes

– Identified product and other changes needed to migrate to operational system

• The ACP 145 allied messaging gateway concept has been validated by three partners – NATO, UK, and US

• The Alliance Replication Hub (ARH) directory concept has been explored and appears to be viable and scalable.

Page 22: US (DISA) - NATO (NC3A) ACP 145 Activity