Developments in the NII - communication services - December , 2009. UNIS - TEM Dec 2009. Rob van Engelshoven [email protected]. NATO UNCLASSIFIED

Developments in the NII - communication services - December , 2009 UNIS - TEM Dec 2009


DESCRIPTION

Developments in the NII - communication services - December , 2009 UNIS - TEM Dec 2009. Rob van Engelshoven [email protected]. Overview: NCI Architecture (DCIS TA, NGCS TA, ISAF); NCI subsystems (Voice service, Protected Core, QoS, SLM); DCIS, Satellite and ground systems.


Page 1: Developments in the NII - communication services - December , 2009 UNIS - TEM Dec 2009

Developments in the NII - communication services -

December , 2009

UNIS - TEM Dec 2009

Rob van Engelshoven [email protected]

NATO UNCLASSIFIED

Page 2

Overview

● NCI Architecture
  • DCIS TA, NGCS TA, ISAF
● NCI subsystems
  • Voice service, Protected Core, QoS, SLM
● DCIS, Satellite and ground systems
● Federation
● Recommendations

Page 3

Overview

● NCI Architecture
  • DCIS TA, NGCS TA, ISAF
● NCI subsystems
  • Voice service, Protected Core, QoS, SLM
● DCIS, Satellite and ground systems
● Federation
● Recommendations

Page 4

Aspects of the new NCI architecture

● Service catalogue
● Converged IP network IPv4/6
● QoS control architecture
● Move to a Protected Core (Pcore)
● MPLS in the NATO Pcore
● Service Level Management
● Architectures: NCRA Ed1 and SGRA Ed2

Page 5

Operations & CIS infrastructure

[Diagram labels: NATO Business processes (OAA); Networking and Information Infrastructure (NII); SLA]

Page 6

NII in the NNEC CIS stack (subset DOTMPLFI)

[Diagram labels: Service Management Control; Information Assurance; Users & Missions; Community of Interest; Information Integration; Communications]

Page 7

Service Catalogue (2010) - main services

● Customer facing services:
  • (secure) voice
  • Audio conference
  • (secure) VTC
  • Telefax
  • Service Desk
  • IP-data service
  • Circuit emulation (TDM over IP)
  • L2 point-to-point
  • WAN access for user domain
  • Wired Pcore interconnect
  • Satcom OTA Pcore interconnect
  • Radio OTA Pcore interconnect

Page 8

NCI architecture

● Core: transport system - Protected Core Network (PCN)
● Access to the Core
● EoIP & Circuit emulation subsystem
● QoS control system
● Service Level Management
● (Secure) voice/VTC system
● Secure IP subsystem
● NU/NR IP subsystem
● User system access
● Other subsystems… See NGCS TA
● DCIS
● SATCOM

Page 9

Relationship between Ref. Architectures

Page 10

NATO Communication Infrastructure

[Diagram. Subsystems shown: NGCS Protected Core, Secure IP, NU/NR IP, Circuit Emulation, Unclass Voice & VTC, Secure Voice & VTC. Interface labels: SIOP1, SIOP2, SIOP5, Bref, Cref, Dref, Pref, Psecref, NNI or SIPIF, Dref or SIPIF, Telephony NUNI, VTC NUNI, Secure PRI, AISIF, ISG-If. Gateways and baselines: IEG, ISG, NATO-R GW, SCIP to VoSIP, NSIE to VoSIP, Baseline Unclass IP, Baseline Secure IP, Baseline QSIG network. Connected systems: Secure AIS, NU/NR AIS, National Secret AIS, HQ PABX, NDN Telephony, NDN Packet, Public PSTN, Internet, Unclass Legacy Circuits, Secure Legacy Circuits, Theatre telephony, VMS/NS, SP1, SP2, NDN, Deployed, Deployable.]

Page 11

NATO Communication Infrastructure

[Diagram. Nodes shown around the NGCS Protected Core subsystem: Secure IP Node, NU/NR IP Node, Circuit Emulation Node, Unclass Voice & VTC Node. Sites shown: Fleet Interface Point (HF - VLF); Brass HF Remote Tx Sites; Brass HF Remote Rx Sites; SUB VLF Remote Tx Sites; SUB VLF Remote Rx Sites; NATO Maritime HQ; SATCOM FIP including HSB Theatre Injection Site and NATO SGT Sites; Interconnection With On Board NGCS Node. Interface labels: SIOP2, SIOP5, Bref, PSecRef. Other labels: SP1, SP2, NDN.]

Page 12

Intra Nodal Perspective

[Diagram. Nodes shown: NGCS NODE A, NGCS NODE B, REMOTE NATO NODE, DEPLOYED NGCS NODE, interconnected via NDN, SP and SAT; also labelled: Deployable Assets, Deployed CRO. Each node contains: NGCS Pcore Node, Secure IP Node, NU/NR IP Node, Secure Voice & VTC Node, Unclass Voice & VTC Node, Circuit Emulation Node. Attached systems: NS/MS AIS, NU/NR AIS, HQ PABX, Legacy Circuits, NDN Telephony, NDN Packet, Public PSTN, Internet.]

Page 13

Overview

● NCI Architecture
  • DCIS TA, NGCS TA, ISAF
● NCI subsystems
  • Voice service, Protected Core, QoS, SLM
● DCIS, Satellite and ground systems
● Federation
● Recommendations

Page 14

The Protected Core Segment

● Protected Core segments can be federated to form a Protected Core (Pcore)
● Reference to PCN briefings

Page 15

NCI: Interconnection of security domains

IP QoS:
  • Real-time data
  • Near-real time data
  • Interactive
  • Bulk transfer
  • Best Effort
  • Critical system data

[Diagram labels: Protected Core Network; Network Protocol Discontinuity]

Page 16

[Diagram labels: SCR; UAR; NDN; SP; User domain; SLA SIOP1; MPLS; NATO SATCOM; National SATCOM; Commercial SATCOM; ZNICE SAR; NGCS; LDP; RSVP-TE; MPLS management & control; High availability WAN. Note on the diagram: Colored lines indicate different QoS properties.]

Page 17

NATO’s Satcom Protected Core Segment (PCS – terminals view)

[Diagram labels: NATO and National Satcom transponders; Service Provider Networks; SGS-1 (F1); SGS-1 (F14); Tier-0, Tier-1, Tier-2; One PCS; Non-EPM (4486 ed.3); EPM (4606 ed.1/ ed.3); routers marked BCR (P), SCR (P), SCR (PE), UAR (PE).]

BCR: Black Core Router
SCR: Satcom Convergence Router
UAR: Unclassified Access Router

Legend: MPLS Core (TRANSIT, i.e. Tier-1, Tier-2); MPLS Provider Edge (ACCESS, i.e. Tier-3)

Page 18

NATO’s Satcom Protected Core Segment (PCS – router view)

[Diagram labels: NATO and National Satcom transponders; Service Provider Networks; SGS-1 (F14); Tier-0, Tier-1, Tier-2; One PCS; Non-EPM (4486 ed.3); EPM (4606 ed.1/ ed.3); routers marked BCR (P), SCR (P), SCR (PE), UAR (PE).]

BCR: Black Core Router
SCR: Satcom Convergence Router
UAR: Unclassified Access Router

Legend: MPLS Core (TRANSIT, i.e. Tier-1, Tier-2); MPLS Provider Edge (ACCESS, i.e. Tier-3)

Page 19

Protected Core Node

LP: Link Protection

Page 20

Interface with nations

Page 21

Key Service Interoperability Points

[Diagram. Reference architectures labelled: SGRA, WIRA, S3RA. Segments and networks: PCS Nation A, PCS Nation B, PCS Nation C, PCS TACOMS, 3rd party provider, Local User Network, User Network, Black MANET, RAP, Maritime, Airborne, National platforms. Existing systems reached through gateways: Link 16/22, PSTN/ISDN/GSM/UMTS, Internet. Other labels: Satellite, Satellite dish, Z, G2 SAR, IP-encryption functions; interface points lettered A to E and numbered 1 to 5.]

Notes on the diagram:
• Technology specific interfaces
• Core data and voice service provided
• Compliant with Security architecture requirements

Page 22

PNG1 - Scenario 1 (2010)

Page 23

Service Management scenario 1 (2010)

Page 24

SATCOM

Page 25

Deployable CIS (DCIS)

● Based on NCI networking principles
  • Service catalogue
  • QoS control architecture
  • Service level management (central - stand-alone)
● Transportable - 5 days notice to move
● Configuration templates
● BC protected
● In support of NATO NRF (DJSE concept)
  • Large and very small nodes (ORLT)
● SATCOM reach back and in-theatre connectivity
  • Tier 1, Tier 2, Tier 3 and Tier 4

Page 26

Interface roadmap opportunity

Page 27

Guidance to nations

● Interfaces
  • SIOP1,2,3,4,5
● Service catalogue
  • Definitions, KPI, KQI
● Service Performance targets
  • Reference circuits
● Management requirements
  • B-2-B interface, Content, definitions
● Trust relationships
  • Protected Core Network (PCN)
● Policies and Concept of employment (Conemp)
  • Cost share, process
● Roadmap

Page 28

Conclusions

• Service Oriented Approach
  • service definitions
  • Service delivery Points
  • Service Level Agreements
  • Service Level Management

• Slow migration to IP-convergence
  • Limited support in IP-crypto - NINE ISPEC2
  • Limited NATO SLM
  • Limited QoS control

• Push uniform & automated control
  • QoS enabled IP
  • SLM - SLA
  • MPLS

Page 29

Conclusions (cont'd)

• Required developments
  • Cross security domain management
  • Guidance Package for nations about federation of communications

● Essential to build a trust relationship

Page 30

Roadmap

NATO

Page 31

Questions?

Page 32

Back-up slides

Page 33

PNG1 - scenario 2

Page 34

PNG1 - scenario 3

Page 35

SIOP1, SIOP2

● 1000BASE-SX Ethernet
● L2 802.1Q (VLAN)
● L2 802.1X
  • PKI authority
  • Certificate based authentication
  • 802.1X port based auth. (EAP-TLS)
● Management
  • SLA template
  • SLA management (KPIs)
  • Performance/fault reporting per VPN
  • Policing/shaping

Page 36

SIOP5

● IPv4 address harmonization
● 802.1X may avoid the BPD, to be verified