Embed Size (px)
Citation preview
VALIANTSURF - Wikilnfo
T h e a c c r e d i t e d s e c u r i t y l e v e l o f t h i s s y s t e m Is: T O P S E C R E T / / S I - G A M M A / T A L E N T K E Y H O L E / / O R C O N / P R O P I N / R E L I D O / R E L TO U S A , F V E Y * T O P SECRETOSIWORCONJREL T O U S A , F V E Y
(U) VALIANTSURF From Wikilnfo
(TS//SI//REL) VALIANTSURF is the coverterm for the development of Data Network Cipher (DNC) exploitation capabilities in TURMOIL for integration into the TURBULENCE DNC thread. VALIANTSURF is the preferred reference for all TURBULENCE DNC exploitation capabilities since the fact that NSA does work with DNC's is classified "S//REL". The TURBULENCE DNC capability exploits communications encrypted with DNC Internet Protocols.
Contents
• 1 (U) Data Network Cipher (DNC) Classification • 1.1 (U) Official CES Classification Guide • 1.2 (U) Guidelines
• 2 (U) DNC Protocols • 2.1 (U) IPsec • 2.2 (U) PPTP • 2.3 (U) HOOKED • 2.4 (U) CINDER • 2.5 (U) DNSC
• 3 (U) TU DNC Products • 3.1 (S//SI//REL) IPSec DNC Products
• 3.1.1 (U) Spin History • 3.1.2 (S//SI//REL) DNC Metadata Flow • 3.1.3 (TS//SI//ORCON//REL) DNC Decryption Flow • 3.1.4 (TS//SI//REL) DNC Survey Flow • 3.1.5 (S//SI//REL) DNC Analyze Flow
• 4 <U) Requirements, Planning, and Reviews • 5 (U) Design Details
• 5.1 (S//SI//REL) Architectural Taxonomy • 5.2 (U//FOUO) Current DNC Design Documents • 5.3 (U) Design Reviews and Technical Exchanges • 5.4 (U) Technical Documents • 5.5 (U) DNC Enterprise Messaging Fabric • 5.6 (S//SI//REL) DNC IKE SMG (Replaced Ike Analytic) • 5.7 (S//SI//REL) DNC IKE Analytic
• 6 (U) CIET Tasking • 7 (U) Test
• 7.1 (S//SI//REL) DNC Metadata • 7.2 (TS//SI//REL) DNC Decrypt • 7.3 (U//FOUO) LONGHAULTest • 7.4 (U//FOUO) One CA Server Toggled among Multiple TURMOILs
• 7.4.1 For more information, Contact one of these POCs • 8 (U) Deployments
- 8.1 (U//FOUO) VALIANTSURF RFC and DR Needs for TURMOIL Baseline Deliveries 2011 • 8.2 (U//FOUO) VALIANTSURF RFC and DR Needs for TURMOIL Baseline Deliveries 2010 • 8.3 (U//FOUO) Live Dataflow • 8.4 (U//FOUO) TURMOIL Installations • 8.5 (U//FOUO) IPsec/IKE Metadata Routing • 8.6 (U//FOUO) IPsec/ESP Metadata Routing FALLOUT to TOYGRIPPE • 8.7 (S//SI//REL) VAO STATUS • 8.8 (U//FOUO) Deployments and Development systems • 8.9 (U//FOUO) CIET Deployments • 8.10 (U//FOUO) Monitoring
• 9 (U) Governance • 9.1 (U) DNC Thread Schedules • 9.2 (U) VALIANTSURF Thread Status Weekly Meetings 2012
• 9.2.1 (U//FOUO) VALIANTSURF Activity Leads Status Review • 9.3 (U) Team Members • 9.4 <U) Stakeholders
• 10 (U) VALIANTSURF Historical -• 10.1 (U//FOUO) Deployment Documents • 10.2 (U) Design Reviews and Technical Exchanges • 10.3 (U//FOUO) VALIANTSURF Activity Leads Status Review • 10.4 (U) VPN Thread Schedules
• 11 (U) Pages of Interest
(U) Data Network Cipher (DNC) Classification
MAT A Sek-13-3-o.pdf, Blatt 1
VALIANTSURF - Wikilnfo
(U) Guidel ines
• (U//FOUO) The fact that NSA is interested in DNC is U//FOUO. • (S//REL) Just the fact that NSA does work with DNC is classified.
• (S//REL) If the only information given is that you are a DNC expert or you work on DNCs, then the classification is S//REL
• (TS//SI//ORCON/REL) If the information given is that you decrypt DNCs, the classification is, at a minimum TS//SI //ORCON//REL
• (TS//SI//ORCON/REL) If the fact of DNC exploitation is mentioned or inferred (with or without mention of a specific target or person), the classification is TS//SI//ORCON//REL
• (TS//SI//ORCON/REL) The decryption results are classified, at a minimum, TS//SI//REL
(TS//SI//ORCON/REL) The classifications above are the minimum classifications. A higher classification may be reguired depending on the rest of the content. For example, mentioning you work on DNCs is SECRET//REL but if you mention you work on DNCs and are in CES, the classification should be TS//SI//ORCON//REL since CES deals with exploitation.
(U) DNC Protocols
(U) IPsec
(U) The IPsec DNC protocol suite comprises the following protocols: a File: DNC IPSEC
• (U) ISAKMP - Internet Security Association and Key Management Protocol (RFC 2407, RFC 2408) Operation.jpg provides an authentication and key exchange framework. (U) IPsec DNC
• (U) IKE - Internet Key Exchange vl(RFC 2409) and v2(RFC 4306) provide an authentication and Operation key exchange mechanism.
• (U) ESP - Encapsulating Security Payload (RFC 2406) provides traffic confidentiality (via encryption) and optionally provides authentication and integrity protection.
• (U) AH - Authentication Header (RFC 2402) provides integrity and authentication protection the includes immutable IP header fields. This differs from ESP integrity protection that does not include the IP header.
(U) PPTP
(U) The Point-to-Point Tunneling Protocol (PPTP) was developed in 1996 by the PPTP Forum, comprised of Ascend Communications, U.S. Robotics, 3Com, Copper Mountain Networks, ECI Telematics, and lead by Microsoft.
(U) The Microsoft implementation of PPTP (RFC 2637) permits the data link layer protocol, Point-to-Point Protocol (PPP) (see STD-0051), to be tunneled through an IP network, encapsulated within an enhanced/modified Generic Routing Encapsulation (GRE) transport protocol (IP Next Protocol 47). The contents of the PPP data is normally IP network protocol packets for a private network, but can also carry any other Local Area Network (IAN) protocol, like Microsoft NetBEUI or Novell IPX/SPX.
(U) Microsoft PPTP (MS-PPTP) permits the encapsulated PPP data to be authenticated using either version 1 (RFC 2433) or version 2 (RFC 2759) of the Microsoft extensions to the PPP Challenge Handshake Authentication Protocol (CHAP) (RFC 1994), and to be encrypted using RC4 with key lengths of 40, 56, or 128 bits (RFC 3078, RFC 3079). The mode of the encryption is negotiated and key lengths are exchanged using the PPP Compression Control Protocol (CCP) (RFC 1962).
(U) HOOKED
(TS//SI//REL) HOOKED HAND is a DNC protocol used in a commercial DNC product.
(U) CINDER
(TS//SI//REL) CINDERASH/TRACK are ESP-like protocols that use non-RFC defined fields.
(U) DNSC
(TS//SI//REL) DNSC is ...
SCARLETFEVER SSL Brief •
(U) TU DNC Products
(S//SI//REL) IPSec DNC Products
(S//SI//REL) The TU DNC products are the outputs of four processing data flows:
• (S//SI//REL) The TU DNC Metadata flow collects metadata about IPsec (IKE/ISAKMP and ESP) events then forwards the metadata to follow-on SIGINT Development (SIGDEV) systems.
• (TS//SI//REL) The TU DNC Decryption flow detects IPsec communications, selects by IP-Address, decrypts the traffic selected for decryption, and re-injects the encapsulated (cleartext) content into TURMOIL for processing.
2 O f 13
(U) Official CES Classif ication Guide
• (U//FOUO) CFS CRYPTANALYSTS 02-12 • • fUZ/FQUOI CT ASSTFTC ATTON GUTDF FOR ECI PICARESQUE (PIQ) 02-10 (I
MAT A Sek-13-3-o.pdf, Blatt 2
VALIANTSURF • Wikilnfo
• (TS//SI//REL) The TU DNC Survey flow forwards to XKEYSCORE all encapsulated (cleartext) sessions that are selected by IP-Address for decryption by the TU DNC Decryption flow that are also marked for SIGDEV
• (S//SI//REL) The DNC Analyze flow selects by IP-Address IKE/ISAKMP and ESP packets that are then sessionized and forwarded to PRESSUREWAVE for analysis.
(U) Spin History
(TS//SI//REL) Spin 9 efforts transitioned fielded DNC software from the Red TURMOIL {TML) architecture to the Blue and implemented a redesign of the decryption flow that reallocates some functionality between TURMOIL and the DNC Attack Orchestrator (VAO).
(TS//SI//REL) Spin 10 efforts started development of a decryption capability that can be deployed to SMK, improved DNC detection and processing capabilities, and developed the DNC Analyze flow.
i'1 ii-iu-r.-. .:•'«•[ Wwnel Kvy ExMngt* IKE) I
Mornd Scturty Awotuton Key Irlamgamc* Protocol [6WMP1
IPSacurffy ilP»c|/ AultWMCaUm H ' . .,: In
Encapiualng S«urtr Pnykad (ESP)
TURBULENCE VPN
VPW i n u n tetoctod Um 4sei)p(an arid U H )
IE. taMfean
TwvlorTTi & NoTVanstofrnQA
Tranatarrn & Survey & NoTransJormQA
Tn-uiofm & AwU|M & ItoTrinUorT-YJA
(TS/ /SI / /REL) TU V P N P r o d u c t s
(S//SI//REL) DNC Metadata Flow
• (TS//SI//ORCON//REL) The DNC Metadata Flow coUects metadata about IKE/ISAKMP and AH/ESP events and forwards the metadata to follow-on SIGINT Development (SIGDEV) systems.
• (TS//SI//ORCON//REL) All IKE/ISAKMP packets seen in the incoming data are collected, bundled and then sessionized within TURMOIL. Then the metadata is extracted, converted to ASDF and then sent to the ASDFReporter component within TURMOIL. The ASDFReporter gathers all ASDF generated within TURMOIL and sends the bundles to FALLOUT via TUBE. FALLOUT delivers the metadata records to the appropriate destinations. The IPSec IKE metadata all goes to TOYGRIPPE via MAILORDER. TOYGRIPPE is a DNC analytic database in CES used by the cryptanalysts in conjunction with a vulnerability database to determine exploitability.
• (TS//SI//ORCON//REL) Sampled AH/ESP packets seen in the incoming data are collected, metadata is extracted per session, and the metadata is converted to ASDF and sent to the ASDFReporter within TURMOIL. The ASDF records follow the same paths as the IKE Metadata above.
S E C R E T / / C O M I N T / / R E L T O U S A , F V E Y
Internet Key Exchange [IKE) / Internet Security Association Key Management Protocol (ISAKMP)
VS-IKE.MD2 T MAILORDER | C IPsefl KE Metadata I F ASDF 1
J T U B E L_ _
F A L L O U T
VSJKE.M01 T Socket Connection C iPsecywE Records F SOTF
T J T U R M O I L
y S - I K E ^ D 3 T MAILORDER d iPsec/lKE Helaöala F ASDF
(TS / /S I / /ORCON/ /KEL) V P N IKE M e t a d a t a D a t a f l o w
S E C R E T O C O M I N T / / R E L T O U S A , F V E Y
„ Authentication Header (AH) Encapsulating Security Payload I ESP)
VS.BSP-I.1D2 T MAILORDER C IPsecESP Metadala F ASDF
I T U B E
I I
_t_ F A L L O U T
VS-ESP-MOI T Socket Connection C iPseciESP Metadata Bundfcs F ASDF m SOTF
v s - e s p - r . c : T MAILORDER c IPsec/ESP Metadata P: ASDF
(TS / /S I / /ORCON/ /KEL) V P N E S P M e t a d a t a D a t a f l o w
(TS//SI//ORCON//REL) DNC Decryption Flow
(TS//SI//ORCON//REL) The DNC Decryption Flow detects and decrypts selected communications that are encrypted using IPsec then reinjects the unencrypted packets back into TURMOIL Stage 1. TURMOIL Stage 1 applications process the packets into sessions and when appropriate forwards the unencrypted content to follow-on processing systems. The DNC eventing (PPF) components in TURMOIL detect all IKE/ISAKMP and ESP packets and queries KEYCARD for each unique IKE exchange session and each unique ESP session to determine if the link should be selected for processing. Selection is based on IP address. Decryption is attempted if either the source or the destination IP address is targeted for decryption in KEYCARD (the KEYCARD tasking action is labeled "TRANSFORM" so as not to use the term "decrypt"). If KEYCARD returns a hit for an IKE packet, then the IKE packet is sent to LONGHAUL where is is used to recover keys. If KEYCARD returns a hit for an ESP packet, a key request is sent to LONGHAUL. The IPsec Security Parameter Index (SPI) correlates IKE
3 of 13
MAT A Sek-13-3-o.pdf, Blatt 3
VALIANTSURF • Wikilnfo
sessions with ESP sessions. A LONGHAUL response message will either return the key or indicate that a key could not be recovered. If a key is recovered, the ESP packets are decrypted and re-injected into TURMOIL for further processing.
• (TS//SI//ORCON//REL) All DNC Decryption functions and communications with LONGHAUL, specifically POISONNUT, the Attack Orchestrator (and a DNC Metrics service via POISONNUT) are hosted on a specially configured and dedicated TURMOIL processing host called a CA Server. All CA Service blade software is loaded and administered by CES approved and CA Services authorized administrators. The CA server is firewalled and effectively functions as an extension of the CES enclave. In the future all communications between the CA Server and the CES services (LONGHAUL, DNC Metrics) will be a secure JMS messaging service based on the ISLANDTRANSPORT / ISLANDHIDEAWAY infrastructure.
TOP SECRET//COMINT//REL TO USA, FVEY
Internet K e ^ t c h a n g e ^ l K E ^ ü r t t e r n e t Security Association Key M a n a g e m e n t Protocol ( IS
T U B E
VPN a t socket connecion C Sclwled Appdca!innS«5J0fi5' F S O T F
" Selected AppKaLon Sessions an oenvfiM ana selected from intüecrypied patHcts exacted
from me VPN runnel ana inserted •mo tfte tu RWOiL input s-trean
7 MAILORDER C Selected Application Sesscny F SOTF
E X O P U M P
VPH11 l_ -• rj.yl.IS
C Selected Appi Sessions* r >:\s.:nr
T AuthenticatJaj^ea^^
T U R M O I L - F, Binary
VPNIfl T Secure Socket [SSL1 C PiQ Bl*3e F,!ana3em#nl F WeDSA
P I Q
Services
VPM1 T Soc*et Connection C Sett lor Ml Queryf Response
VPM4 T IT* (JMS) c ike Messages
_ F IHi.SOAPj _
T ITn {JMS] C ESPKeyReqHes F IH<sqapi
&
£ 5? tu
m a LiJ
Ü
( T S / / S I / / O R C O N / / R E L ) V P N D e c r y p t i o n D a t a f l o w
T U M U L T Stage 0
DNC IP Address Selector Lookup
>TKEYCARDJ
V Stage I J Sessions \ J Packets \£
ONC Key Recovery Msgs
I
DNC Metadata
TURMOIL Stage l Payload Decomp
Decompressed DNC Packets t TURMOIL
Stage V j Selected Packets
IromDNC
JL
Survey Sessions Horn DNC
XKEYSCORE Stage 2 FE
DNC Metadata* i
' (ASDF)
TOYGRIPPE
{ FALLOUT k DNC
-Metadata. (ASDF) c ±±
Strong Selected DNl
Sessions
Selected Sessions Survey Sessions from DNC from DNC
i * . XKEYSCORE Stage 2 BE
TUBE ^Strong Selected Sessions
VALIANTSURF Spin 22 December 7. 2010
TOP SECRET/ /COMINT/ /REL TO USA, FVEY
( T S / / S I / / O R C O N / / R E L ) S i m p l e V A L I A N T S U R F D a t a f l o w
4 of 13
MAT A Sek-13-3-o.pdf, Blatt 4
VALIANTSURF - Wikilnfo
V A L I A N T S U R F Spin 22 December 13. 2010
TOP SECRET//COMINTWREL TO USA, FVEY
1 " ° ^ ' -^"ONEROOF )
( T S / / S I / / O R C O N / / R E L ) C o m p l e x VAL IANT SURF D a t a f l o w
DEPRECATED
TOP SECRET/7COMINTOREL TO USA, FVEY
Staged TURMOIL R Q B l a * KEY CARD TUBE
IP-AoUress I Art ion - TRANSFORM
Q—IKE Taigel Quen;-
, ^ — I K E Tfl«j&( R e s p o n s e — § IF| TRANSFORM | !
SessiomzelKE
IKE Session"
ESP _ 'acket"
IF[ TRANSFORM \i
£ SP Target i iue - ,•
# - - < ESP Targei Respoa
^ K E Message*
Session ESP
ESP —SeSSiiw"
IF| KevHecoveredJ*
- E S P Key Request-
WESP Key Respond
Decompress Session ize, and S e e d Recoveted
Packets
C P -
Deciypi to reccwe encapsulated packets
VPN Metrics ( S O A P ) —
4 -
^ CGlPcledAnpfccalron S&ssiOi
Reinject recovered encapsulated packed
N l F J Application Session J is selected i
Selected
Q Socket
(j) M A I L O R D E R
Q I S L A N D T R A N S P O R T ( J M S )
I ISLANDHIDEAWA-f
<H) Secure Socket 1MTTPSI
6-•PiG Blade Manilwma'
Selected 'Application Sessions"
( T S / / S I / / O R C O N / / R E L ) V P N D e c r y p t i o n S e q u e n c e
MAT A Sek-13-3-o.pdf, Blatt 5
VALIANTSURF - Wikilnfo
(TS//SI//REL) DNC Survey Flow
• (TS//SI//REL) The DNC Survey Flow detects, decrypts selected communications that are encrypted using IPsec; then sessionizes the unencrypted packets and sends the sessions to XKEYSCORE. The DNC eventing (PPF) components in TURMOIL detects all IKE/ISAKMP and ESP packets and queries KEYCARD for each unique IKE exchange session and each unique ESP session to determine if the link should be selected for processing. Tasking is based on IP address. Decryption is attempted if either the source or the destination IP address is tasked for decryption in KEYCARD (the KEYCARD tasking action is labelled "TRANSFORM" so as not to use the term "decrypt"). If KEYCARD returns a hit for an IKE packet, then the IKE packet is sent to the POISONNUT(DNC Attack Orchestration) Service. If KEYCARD returns a hit for an ESP packet, a key request is sent to POISONNUT. A POISONNUT response message will either return the key or indicate that a key could not be recovered. If a key is recovered, the ESP packets are decrypted and re-injected into TURMOIL for sessionization. If KEYCARD also associated a "SURVEY" action with the DNC Tunnel IP-Address the encapsulated sessions are sent to XKEYSCORE. The DNC Survey flow requires that both "TRANSFORM" and "SURVEY" actions are assigned to a targeted IP-Address.
• (TS//SI//REL) All DNC Decryption functions and communications with POISONNUT(and a DNC Metrics service) are hosted on a specially configured TURMOIL processor called a CA Server. AU CA Server software is loaded and administered by CES approved and CA Server authorized administrators. The CA Server is firewalled and effectively functions as an extension of the CES enclave. In the future all communications between the CA Server and the CES services (POISONNUT, DNC Metrics) will use a secure JMS messaging service based on the ISLANDTRANSPORT/ ISLANDHIDEAWAY infrastructure.
T O P S E C R E T / / C O M I N T O R E L T O U S A , F V E Y
Internet Key Exchange {IKE) ^Internet Security Association Key Management Protocol (ISAKf*|P)
VPN7 T Socket Connexion c Encrypted and Decrypted
A p p e a l on sessions F- SOTF
XKEYSCORE
T TURMOIL
PIQ Blade
VPN1 T Socket Canned-on C Selector HiiOuery.RespGnse
, F B^ary. VPN18 T secure socket (SSL) C PIQ Blade Management f webSA
C IKE Messages F IHISOAP)
C ESP Key Req-'Res F IH(SOAP)
> a ~z
f-o a _! lT E CO X tu
O LU O -
(TS/ /SI / /REL) V P N S u r v e y D a t a f l o w
6 of 13
MAT A Sek-13-3-o.pdf, Blatt 6
VALIANTSURF - Wikilnfo
•V ! l , •• T U R M O I L
TOP SECRET//COMINT//REL TO USA, FVEY
^ J P - A O d r e s s I Action = TRANSFORM & S U R V E Y —
LXh"Packet-*t IKE Targel Quwy .
, - - - f4—I KE Target R e s p o n s e — ^
IF[ TRANSFORLI |J
SessionizelKE
IKE -Session* I —
L£TT>Kket
IF[ TRANSFORM | , '
—ESP Target flawy >[
- Target Rospe«
Sessionce ESP
_ ESP • Session
I F | Key Recovered |
—ESPKev Request—
© Socket
<Q M A I L O R D E R
Q I S L A N D T R A N S P O R T <JMS>
( J ) t S L A N D H I O E A W A Y
® Secure Sockel ( H T T P S )
- E S P Key R e s f w ^
T D
-H I
Decompress
hi : • • .!• Retov&ed
Packets
q >
Deuyp' to recover encapsulated packets
VPN Maries (SOAP)
Reiriiect recovered encapsulareo" packets
', IF1 SURVEY I
auon Session—
H - - O Ü Blade Momlonng-
(TS/ /SI / /REL) V P N S u r v e y S e q u e n c e
(S//SI//REL) DNC Analyze Flow
(TS//SI//REL) The DNC Analyze Flow selectively collects IKE/ISAKMP packets and raw, encryted ESP packets that are sessionized and forwarded to PRESSUREWAVE for analysis. The DNC eventing (PPF) components in TURMOIL detect all IKE/ISAKMP and ESP packets and queries KEYCARD for each unique IKE exchange and each unique ESP session to determine if the link should be selected for analysis. Tasking is based on IP address. If KEYCARD returns an "ANALYZE" action for any IPsec packet hit, then the IPsec packet is sessionized and sent to PRESSUREWAVE.
SECRETJ/COMINT/JREL TO USA, FVEY
Internet Key Exchange (IKE) / Internet Security Association Key Management Protocol ItSAKMP]
TUBE
VPNS T: Sockel Connection C IPsec Packets Ssledoa loi Analysis
, F: SOTF
3 Encapsulating Security Payload (ESP")
TURMOIL L . - . ^ W .
VPN9 T; MAILORDER C: IPsec Pacftels Selected lor Analyses F SOTF
VPN1 T: Sock«! Correction C; S elector NIL Queryifteaponse
KEYCARD
EXOPUMP
VPN11 T: (Ti (JMS) C: IPsoc ParAols SolocMx) for Analysis F: XMUSOTF
irm-riaa) Key T - Transport C = Content F - Formal
SECRET7/COMINT7/REL TO USA, FVEY
(TS/ /SI / /REL) V P N A n a l y z e D a t a f l o w
MAT A Sek-13-3-o.pdf, Blatt 7
VALIANTSURF - Wikilnfo
SECRET//COMINT//REL TO USA, FVEY
Stage 0 TURMOIL KEYCARD TUBE
LH-, IKE _
Packet" ^IKE Select^
Query
IF| ANALYZE) J
IF[ ANALYZE ] {
' I K E Select a / " " i * , R e s p o n s e W
ESP Packet"
IF[ ANALYZE ) J
ESP Select ] Query <t
ESP Selecbk * ResponseVr
IF| ANALYZE)
Sesstonize ESP
Q E SP Sessior>
KE Session-
EXOPUMP PWv
Q Socket
<J> MAILORDER
Q ISLANDTRANSPORT (JMS)
(H) Secure Socket Layer (HTTPS)
ffil ESP Session »I
SECRET//COMINT//REL TO USA, FVEY
SP Sessior-
(TS/ /SI / /REL) V P N A n a l y z e S e q u e n c e
(U) Requirements , Planning, and Reviews
(U) Des ign Details (S//SI//REL) Architectural Taxonomy
• DNCA (Digital Network Crypt Applications) - branch • ROMULANALE - Name of project within DNCA that develops capabilities for the CAServer • GALLANTWAVE - DNSC project *and* thread on fielded systems, including TURMOIL and XKS (DeepDive)
• GW Mission App - legacy capability on CAServer for DNSC decryption • ROMULANGAWK - ROMULANALE provided capability on CAServer for DNSC decryption in software • ROMULANGOWL - ROMULANALE provided capability on CAServer for DNSC decryption in hardware (pending)
• VALIANTSURF - DNC project *and* thread on fielded systems, currently including only TURMOIL • MALIBU - DNC processing architecture for VALIANTSURF on TURMOIL using session based processing
• PIQServices - capability on CAServer for DNC decryption under MALIBU • WAIMEA - DNC processing architecture for VALIANTSURF on TURMOIL using packet stream based processing. This
covers all configurations of the architecture (software and hardware) • WAIMEAVISAGE - DNC WAIMEA processing architecture with decryption performed in software
• ROMULANVISAGE - ROMULANALE provided capability on CAServer for WAIMEAVISAGE • WAIMEAVISE - DNC WAIMEA processing architecture with decryption performed in hardware
- ROMULANVISE - ROMULANALE provided capability on CAServer for DNC WAIMEAVISE
(U//FOUO) Current DNC D e s i g n D o c u m e n t s
• MALIBU Architecture • WAIMEA Architecture
(U) D e s i g n Reviews and Technical Exchanges
(U) Technical D o c u m e n t s
• (S//SI//REL) IPsec Sessionization • • (S//SI//REL) HOOKED Sessionization • (S//SI//REL) CINDER Sessionization • (S//SI//REL) PPTP Sessionization • (S//SI//REL) New Protocol (IPsecESP,PPTP,HOOKED,CINDER) Specification • • (TS//SI//REL) Turmoil Analysis for Increment 3 • (TS//SI//REL) VPN IKE ASDF data flow —
- (TS//SI//REL) VPN IKE ASDF Sequence Diagram —
• (TS//SI//REL) APEXWPN Data Flow j£ • (TS//SI//REL) APEXWPN Sequence Diagram —
8 O f 13
MAT A Sek-13-3-o.pdf, Blatt 8
VALIANTSURF - Wikilnfo
• (TS//SI//REL) SPIN 15 VPN Storyl • • (TS//SI//REL) Spin 15 TURMOIL Model -• (TS//SI//REL) S31322 Branch VPN Brief ••
• (TS//SI//REL) VS Monitoring
(U) DNC Enterprise M e s s a g i n g Fabric
• (S//SI//REL) VPN AMF(ITx)Fabric Diagram
(S//SI//REL) DNC IKE SMG (Replaced Ike Analytic) • (S) Description - The IKE SMG (Sesionized Metadata Generator) inherited the internal business logic of the IKE Analytic,
but was re-hosted as an iBridge service. There is no longer any connection to PRESSUREWAVE or METROTUBE. The IKESMG runs as a CCM graph IPSECIKEMDATA with input from IPSECEVENTTOBME via IOPort.
• (S) Spin 17 - No Release. Initial version developed but not delivered to TURMOIL • (S) Spin 18 - Initial Release. Patched Version had verbose logging. • (S) Core 3 . 1 - Part of ValiantSurf Shark feather. APEX processing removed. Sessionization by Exchange introduced. • (S) Core 4.x - Future release compliant with Schema version 8.
(S//SI//REL) DNC IKE Analytic
• (S) Spin 15 - No Release. Verified Spin 14 VIAS runs successfully on Metrotube 2.3.1 (Metrotube Spin 15 version). • (U) Other Wiki Links:
• ( U ^ ^ ^ ^ ^ f 31321(CON) Analytic Developer • (S) VALIANTSURF Wiki • (S) VPN Metadata Flow diagram • (S) VpnlpsecVpnLargeDataCharacterization
• (S) Spin 14 - Upgraded Spagic workflow to follow the robust PWV Retriever Pattern. • (S) Pattern Comprises separate service assemblies for Listener, Metadata Retriever, DataRetriever, Throttler, and DNC
wrapper. • (S) Error handling and VIAS logging capabilities added.
• (S) APEX (DEMO) - Modified SOTF Parser and TGIF Record Factory to process Apex metadata.
• (S) Spin 13 - Upgraded Spagic workflow to match Metrotube 2.1. • (S) Numerous bug fixes relating to Toygrippe content including Exchanges Types, Message Types, Phase2-Only,
missing transforms(see MadForge DNC-analytic project for details). • (S) Added capability to process Toygrippe file classification determined by DNC Metadata.
• (S) Spin 12 - The VPN Analytic has been re-named as the VIAS (VPN IKE Analytic Service). In this spin, there were 2 major changes.
• (S) First, the analytic was converted to run in the Metrotube 2 framework, as a JSorcerer Service on the Metrotube Service Bus.
• (S) Second, the VIAS is now released by the ValiantSurf (DNC) team directly to Turbulence, where Spin 11 and earlier versions were packaged by the DNC team, delivered informally to Metrotube Services who performed the software release to Turbulence.
• (S) Spin 11 and prior - VPN Analytic runs as a Metrotube 1 service. • (S) An improvement to the IkeSessionizer algorithm correctly matched up the initiator and responder by waiting for the
responder to return a non-ZRC (Zero Responder Cookie).
(U) CIET Tasking • (S//SI//REL) Tasking for TEC/MHS/CROSSCUT
(U) Test VALIANTSURF/TestData
• (S//SI//REL) RFCs Required for TML 18.1 and earlier releases ~. • (S//SI//REL) VALIANTSURF RFCs
(S//SI//REL) DNC Metadata
• (S//SI//REL) Spinl4 VPN IKE Metadata Test Document *j • (S//SI//REL) Spinl3 VPN IKE Metadata Test Document -• (S//SI//REL) Spinl2 VPN IKE Metadata Test Document
9 O f 13
• (TS//SI//REL) Turmoil VPN Decrypt Sequence Diagram
MAT A Sek-13-3-o.pdf, Blatt 9
VALIANTSURF - Wikilnfo
(TS//SI//REL) DNC Decrypt
• (TS//SI//REL) Spinl2 VPN Decrypt Test Document *J
(U//FOUO) LONGHAUL Test
LONGHAUL Test Documentation Page
(U//FOUO) One CA Server Toggled a m o n g Mult iple TURMOILS
(U//FOUO) This section describes a network design to have one CA server serve multiple TURMOILs. Note that a CA Server can only communicate to one TURMOIL at a time.
Motivation:
1. Power/space/cooling limitations 2. Long lead time to gain approval to add CA Services servers 3. Hardware cost
4. Limits on public IP address space at some sites
Click for details on the CA Server Bank. For more information. Contact one of these POCs
ML Network Engineer CA Services Developer TML Integration and Test
TURMOIL Lab Manager Tl VS Thread Lead
(U) Deployments VALIANTSURF Deployment Roles & Responsibilities (U) CIET Deployment Overview ( j (U) VALIANTSURF Levels of Success j
(U//FOUO) VALIANTSURF RFC and DR N e e d s for TURMOIL Bas e l i ne Del iveries 2 0 1 1
(U//FOUO) VALIANTSURF RFC and DR N e e d s for TURMOIL Bas e l i ne Del iveries 2 0 1 0
• (TS//SI//ORCON/REL) RFC DR Needs TURMOILBaselines
(U//FOUO) Live Dataflow
TU FLE VPN Metadata Beacons
(U//FOUO) TURMOIL Insta l la t ions
;* RPH Log B I * Config Log • | ]
(U//FOUO) IPsec/IKE Metadata Rout ing
Site SIGAD TUBE MAILORDER PDDG
TUBE MAILORDER Trigraph
TUBE MAILORDER System Digraph
System Route METROTUBE MAILORDER PDDG
M F M A : Trio
MHS LATTICE USJ-759
AH HXN 51 MHS-LIVE-T16 via NSAW 0 0 TYG
MHS LATTICE USJ-759 KY EXM 52 MHS-DEV-T16 via NSAW o o TYG MHS LATTICE USJ-759
N/A N/A N/A MHS-DEV-T16 via Site Store
KY TYG
MHS-STARQUAKE USJ-759A AH HXN 51 MHS-LIVE-T16 via NSAW 0 0 TYG
10 of 13
MAT A Sek-13-3-o.pdf, Blatt 10
VALIANTSURF - Wikilnfo
KY EXM 52 MHS-DEV-Tie via NSAW OO TYG
KY TYG QX MHS-DEVT16 via Site Store
N/A N/A
US-3150 RU
EXN 51 G1-T16 via NSAW OO TYG
US-3150 RU
DVN 52 G2-DEVT16 via NSAW OO TYG
US-3150 RU LPN 53 G3-LPT via
NSAW OO TYG US-3150 RU
LPN 54 G4-LPT via NSAW OO TYG
US-3150 RU
LPN 55 G5-LPT via NSAW OO TYG
US-3150 RU
DVN 56 G6-DEV-LPT via NSAW OO TYG
TEC USD-1001TEC BL EXM 51 TEC-T16 via NSAW OO TYG
YRS USF-787 MH EXM 51 YRS3-LPT via NSAW OO TYG
(U//FOUO) IPsec/ESP Metadata Rout ing FALLOUT to TOYGRIPPE
FALLOUT Processing & Dataflow FALLOUT Dataflow Statistics I
Site SIGAD FALLOUT MAILORDER PDDG
FALLOUT MAILORDER Trigraph
TOYGRIPPE MAILORDER Trigraph
FALLOUT MAILORDER System Digraph
TUBE Upstream Source System Digraph (Source System Atom)
Upstream Source System
MHS-LATTICE USJ-759 AH KLG TYF D0,D9 51 MHS-LIVE-T16
MHS-LATTICE USJ-759 AH KLG TYF D0,D9 52 MHS-DEV-T16
MHS-STARQUAKE USJ-759A KY KLG TYF D0,D9 51 MHS-LIVE-T16
MHS-STARQUAKE USJ-759A KY KLG TYF D0,D9 51 MHS-DEV-T16
US-3150 RU KLG
TYF D0,D9 51 G1-T16
US-3150 RU KLG
TYF D0,D9 52 G2-T16
US-3150 RU KLG TYF D0,D9 53 G3-LPT
US-3150 RU KLG TYF D0,D9 54 G4-LPT
US-3150 RU KLG
TYF D0,D9 55 G5-LPT
US-3150 RU KLG
TYF D0,D9 56 G6-LPT
TEC USD-1001TEC BL KLG TYF D0,D9 51 TEC-T16
CROSSCUT US-3301 U6 KLG TYF
SARATOGA US-3167 IL KLG TYF
MUSCULAR DS-200B C4 KLG TYF
YRS USF-787 MH KLG
TYF D0,D9 51 YRS 1-LPT
YRS USF-787 MH KLG TYF D0,D9 52 YRS2-LPT YRS USF-787 MH KLG
TYF D0,D9 53 YRS3-LPT
(S//SI//REL) VAO STATUS
POISONNUT Wiki
• Last Updated Wed Mar 5 20:36:00 GMT 2008 ' RUNNING
11 of 13
MAT A Sek-13-3-o.pdf, Blatt 11
VALIANTSURF - Wikilnfo
(U//FOUO) Dep loyments and D e v e l o p m e n t sy s t ems
(U/7F0U0) VALIANTSURF TURMOIL components are deployed directly to the TURMOIL systems.
(U//FOUO) The VALIANTSURF mission-application is deployed on the CAServer platform. See CAServer#Deployments for site specific configuration.
(U//FOUO) CIET Deployments
Site Type Current TURMOIL Next TURMOIL Hardware |CA Server Comment JCE Dev Unknown Core 3.0.10 1-BCH none none
MHS ESO Dev Unknown TBD TBD none none SMKG2 Dev 18.1.5 Core 3.0.10 TBD TBD none
SARATOGA Live 17.1 Core 3.0.10 TBD TBD none
MUSCULAR Live 18.1.1 18.1.5 TBD TBD none SMK Live 17.1 Core 3.0.10 TBD TBD none
CROSSCUT Live 15.6.1 Core 3.0.10 TBD TBD none
MHS Live 15.6.1 Core 3.0.10 TBD TBD none TEC Live 15.6.1 15.6.1 TBD TBD none
(U//FOUO) Monitor ing
• (U//FOUO) CA servers are monitored by the T3332 Data Operations Center (DOC)as part of their TU monitoring fSLACKKEYl DOC TU SlackKev Homepage. To access the TopView TU PRC - DOC I
• (U//FOUO) The VALIANTSURF SOP used by the DOC VALIANT SURF Tab Special Instructions
• (U//FOUO) During business hours, the DOC uses the following contact list: DOC business hours POC list#VALIANTSURF
• (U//FOUO) DOC After Hours Call-in Procedures
• (U//FOUO) VALIANTSURF CA Server Troubleshooting Guide
(U) Governance
(U) DNC Thread S c h e d u l e s
(U) VALIANTSURF Thread S t a t u s Weekly M e e t i n g s 2 0 1 2
(U//FOUO) VALIANTSURF Activity Leads Status Review
(S//SI//REL) The VALIANTSURF Leads Meeting reviews are held weekly on Mondays. The purpose of this review is to discuss the major goals and status of activities taking place. Any roadblocks that would cause a failure in meeting the established goals should be discussed at this time.
(U) Team M e m b e r s
S31322 Thread Lead Rl,IDA/CCS(CON) Architecture Lead S31322(Integree) Architecture Team S31322 Architecture Team S31322(CON) Systems Engineer 31322 Systems Engineer S31322 Systems Engineer
/S31322 SW Developer 1322 SW Developer
S31322 SW Developer 1322 SW Developer
S31322(CON) SW Developer S31322(CON) SW Developer
1322 SW Developer S31322(CON) CAS Deployment
/S31322(CON) Integration & Test Lead 1322(CON) Integration & Test Engineer
/S31322(CON) Integration & Test Engineer /S31322(CON) Integration &Test Engineer
12 O f 13
MAT A Sek-13-3-o.pdf, Blatt 12
VALIANTSURF - Wikilnfo
( U ) l YS31322(CON) Integration & Test Engineer
Team Alias: DL Valiantsurf (mailto:|
(U) Stakeholders
S3124
weekly
(U) VALIANTSURF Historical -
(U//FOUO) Dep loyment D o c u m e n t s
• (S//SI//REL) Spin 11/12 Metadata Flow management -• (U) Spin 9 VPN PIQ Blade Version Description Document (VDD) for MHS, YRS, TEC -• (U) Spin 9 MHS PIQ Blade Baseline Change Request -• (U) Spin 8 VPN TML Test Checklist 20070416 • • (U) Spin 8 VPN MHS Checklist 20070416 -
(U) D e s i g n Reviews and Technical Exchanges
• (S//SI//REL) VPN TU IT meeting minutes 1 May 2009 • • (S//SI//REL) VPN/TUMMS requirements meeting minutes 23 April 2009 -• (S//SI//REL) VPN TUBE Metadata Bundle Classification meeting minutes 3 April 2009 • • (S//SI//REL) Brief to YRS during TDY 17-21 Nov 2008 • (S//SI//REL) Spin 12 TURBULENCE VPN Technical Review • (S//SI//REL) Spin 10 TURBULENCE VPN Technical Review Minutes -• (S//SI//REL) Spin 10 TURBULENCE VPN Technical Review • (S//SI//REL) Spin 10 VPN / ISLANDTRANSPORT / ISLANDHIDEAWAY Technical Exchange 20080124 Meeting Minutes • • (S//SI//REL) Spin 10 VPN / ISLANDTRANSPORT / ISLANDHIDEAWAY Technical Exchange 20080124 Meeting Agenda • (S//SI//REL) Spin 9 TURBULENCE VPN Design Review «J • (S//SI//REL) Spin 9 TURMOIL VPN Design Review Minutes • (S//SI//REL) Spin 9 TURBULENCE VPN Design Review Minutes -
(U//FOUO) VALIANTSURF Activity Leads Status Review
(S//SI//REL) The VALIANTSURF Activity Leads Status reviews are held bi-weekly on Mondays throughout the Spin. The purpose of this review is to discuss the major goals and status of activities taking place. Any roadblocks that would cause a failure in meeting the established goals should be discussed at this time.
(U) VPN Thread S c h e d u l e s
• (U//FOUO) Spin 11 VPN Sprint Schedule • (U//FOUO) Spin 10 VPN Sprint Schedule
(U) Pages of Interest • (U//FOUO) TURMOIL VALIANTSURF • (U//FOUO) TURMOIL GALLANTWAVE
Retrieved from Category: VPN
D4*nvt*fl Ff«m ' l< H - • .f.- H .-m 11 ••! D-tfwrt • O - J I . H and N S A J C S S M 1-52. Dated: Z007010a
Declassify On: ZOSZDlga
TOP SECRETOSI//ORCON/REL TO USA, FVEY
13 O f 13
MAT A Sek-13-3-o.pdf, Blatt 13
