Validation of Encryption Devices over BGAN US Centric

Interim Phase C Report (For Distribution at Inmarsat’s Discretion)

Thales DC2K

ViaSat KG-250

GD KG235

Taclane KG175

Prepared by: AOS, Inc.

March 23, 2006

Inmarsat Ltd. Proprietary Page 1 of 21 99 City Road www.inmarsat.com London EC1Y 1AX

Contents

1 Executive Summary
2 Introduction – Project Objectives
3 Selection of Encryption Devices and Deployment Scenarios
4 Glossary
5 Encryptors Tested
6 Equipment Configuration
7 Packet Switched Thales DC2k Testing via Thrane BGAN UT
8 Packet Switched Taclane KG-175 Testing via Thrane BGAN UT
9 Packet Switched ViaSat KG-250 Testing via Thrane BGAN UT
10 Thales DC2K Retest & AOS Performance Enhancing Proxy (PEP)
11 Summary of Test Results

Figures

Figure 1 AOS-Inmarsat VPN PS Network
Figure 2 Thales DC2K BGAN Testing via IOR I-4 Satellite Config
Figure 3 Taclane KG175 BGAN Testing via IOR I-4 Satellite Config
Figure 4 ViaSat KG250 BGAN testing via IOR I-4 Satellite Config
Figure 5 Thales DC2K and AOS PEP Test Configuration

Tables

Table 1 PS Encryption Test Data via Thales DC2K IP Encryptor
Table 2 PS Encryption Test Data via KG175 IP Encryptor
Table 3 PS Encryption Test Data via KG250 IP Encryptor
Table 4 Testing Data: Linux – No PEP vs AOS PEP
Table 5 Testing Data: Windows XP Pro – No PEP vs AOS PEP
Table 6 Testing Data: Windows versus Linux – No AOS PEP
Table 7 Testing Data: Windows versus Linux – With AOS PEP

1 Executive Summary

The primary objective of this study was to verify that USG Type 1 encryption equipment would function properly over the Inmarsat BGAN satellite network. Since there was no direct BGAN access from America, AOS collaborated with Inmarsat’s Engineers to build a VPN network from Dallas, Texas to London, UK that would remote the BGAN UT’s network connections. From the extensive testing performed via the AOS-Inmarsat VPN BGAN network there appears to be no impediment for the proper use of the Taclane KG175 (Type 1), ViaSat KG250 (Type 1) and the Thales DC2K IP encryptors on the Inmarsat BGAN network. The L3 KG240 and General Dynamics KG235 encryptors were not available at this time. AOS expects to have both encryptors ready for AOR I-4 testing by the end of March.

The report that follows documents the BGAN satellite testing that has been performed via the Thrane Explorer 500 UT and the above IP encryptors. It should be noted that all BGAN testing was performed using background class IP. See Figure 1 for an overview of the AOS-Inmarsat VPN network.

This is an Interim Phase-C report. Additional testing will be performed with other BGAN UT variants when the AOR I-4 satellite is available over the US.

A Linux-based testing platform enabled greater flexibility to adjust queue and window sizes, which helped to improve the consistency of results. These settings required modification in response to the high jitter and increased delay introduced by the ADSL-based VPN tunnel between London and Dallas. Properly adjusting the MTU settings throughout the network (PC, routers and encryptors) was essential to achieve maximum throughput both on Windows and Linux operating systems.

The AOS-Inmarsat VPN network provided the most cost effective method of testing, but the high and variable latency produced erratic data transfer rates. Therefore it was agreed that only network connectivity via the encryptors would be documented in the interim Phase-C report. Throughput and encryption overhead values will be documented when AOR I-4 access is available.

2 Introduction – Project Objectives

AOS, Inc. has been contracted to provide a three-part study to assess the interoperability between BGAN services and a range of existing and future cryptographic equipment typically used by the US Government. The three-part study consists of:

2.1 Phase A

Prioritization with justification of circuit switch (CS) and packet switch (PS) encryption devices likely to be deployed with BGAN UTs at commercial launch. The study recommended modifications to BGAN UT and core network to ensure long term compatibility with the encryption equipment under test. Relevant peripherals and applications for after BGAN launch were listed in order of importance.

2.2 Phase B

A plan was developed to test all packet switched encryptors. Since there was no direct BGAN access from the US, an Internet Virtual Private Network (VPN) was constructed between Inmarsat London, UK and AOS Dallas, Texas. The VPN network was required to remote the BGAN network interfaces since only IOR BGAN access was available at this time. The encryptors under test, with the necessary Internet routing equipment, were located at AOS Dallas and the BGAN UT, with coordinating Internet routing equipment, was located at Inmarsat London. See Figure 1 below for a diagram of the VPN PS test network:

[Diagram not reproduced; labels: VPN Tunnel, East Tunnel, West Tunnel]

Figure 1: AOS-Inmarsat VPN PS Test Network

2.2.1 The PS testing objective was to ensure that the encryptors under test would operate properly over the BGAN network. A matrix utilizing File Transfer Protocol (FTP) tests, with and without encryption, was constructed to calculate encryption overhead values through the BGAN network. Performance Enhancing Proxy (PEP) software was to be implemented to verify whether its use would increase BGAN network speeds.

2.2.2 No circuit switched testing was performed since there was no economical synchronous serial transmission vehicle between the two test sites. Circuit switched equipment testing will be done at a later date once US BGAN access is available.

2.3 Phase C

Once the above PS test network was operational BGAN testing was to be performed using each encryptor through each BGAN UT. All unclassified test set-up information will be supplied. Test results were to be summarized and encountered problems and solutions were to be highlighted. The test results were to include:

• Typical end-to-end connection success rate
• Typical connection time (if applicable)
• Observed average throughput (if applicable)
• Average overhead observed
• UT interface configuration settings
• Crypto configurations setting (non-classified settings only)

Three reports will be developed:

• For Distribution at Inmarsat’s Discretion
• For Distribution to Inmarsat Personnel Only
• For Distribution to US Government Personnel Only

3 Selection of Encryption Devices and Deployment Scenarios

The proposed encryption equipment was to be evaluated within each of the proposed scenarios. The four scenarios were:

• Scenario 1: Forward Presence in Theatre (Reconnaissance Operations)
• Scenario 2: Early Entry and Secondary Comms for Coalition Operations
• Scenario 3: Communications in Support of Logistics (Land)
• Scenario 4: Remote Forward Operations

After careful review of how AOS’ US Government clients use their encrypted communications in the field, the above scenarios were consolidated. Basically, the encryption users fell into two groups:

• Group 1: Quickly deployed reconnaissance or remote forward operation groups that need very small and lightweight encryption/communications equipment. Size, weight and equipment power requirements matter for this group.

• Group 2: More stationary operations. This group would be typical of secondary comms and logistical support groups. For this group equipment size, weight and power requirements are not of primary importance.

Therefore, the scenarios to be considered for this study are:

• Scenario 1: Recon and remote forward operations where small and lightweight encryptors will be primary consideration

• Scenario 2: Coalition operation and logistics support where greater encryptor size and weight will not be considered a detriment

It should be noted that the above scenarios will not have any effect on how the encryptors will be tested. The primary factor in which encryptor will be best for one of the above scenarios will be dictated by size, weight and power requirements. Besides these physical characteristics, the data throughput and overall ease of use will be important to the field user. If all other data handling characteristics are equal, experience has proven that the first encryptors to be deployed to the field are the smaller and lighter units. Therefore, the expected IP Type 1 encryptor deployment priority (from first to last) would be in the following order: KG250, KG175, KG235 and KG240. This priority list will continue to change as smaller, lighter and more versatile Type 1 encryptors become available.

4 Glossary – List of Abbreviations

AES: Advanced Encryption Standard
BGAN: Broadband Global Area Network
CEF: Cisco Express Forwarding
CN: Core Network
COMSEC: Communications Security
CS: Circuit Switched
FNBDT: Future Narrow Band Digital Terminal
FTP: File Transfer Protocol
IOS: Internetwork Operating System (Cisco)
HSD: High Speed Data
IP: Internet Protocol
IPSec: IP Security Protocols
ISDN: Integrated Services Digital Network
HAIPIS: High Assurance IP Interoperability Specifications
HTTP: Hyper Text Transfer Protocol
HTTPS: HTTP Secure
MMI: Man Machine Interface
MTU: Maximum Transmission Unit
PEP: Performance Enhancing Proxy
PIX: Private Internet Exchange (Cisco)
PS: Packet Switched
POTS: Plain Old Telephone Service
RTT: Round Trip Time
STE: Secure Terminal Equipment
SBU: Sensitive but Unclassified
SDM: System Definition Manual
SOW: Statement of Work
SP: Service Provider
STU: Secure Telephone Unit
TCP: Transmission Control Protocol
UT: User Terminal
USG: United States Government
VPN: Virtual Private Network

5 Encryptors Tested

5.1 The IP encryptors that have been tested to date via the Inmarsat/AOS BGAN VPN circuit are the Thales DC2K (non Type 1), Taclane KG175 (Type 1) and the ViaSat KG250 (Type 1).

5.2 One of the Taclane KG235 (Type 1) IP encryptors failed during setup and will not be available for retest until mid-March. The KG235 failure was due to an internal clock error. New software and keying materials are en route to repair the defective KG235. The KG235’s failure is not related to the BGAN testing.

5.3 The L3 KG240 IP encryptors (Type 1) will not be available until the end of March.

5.4 The ViaSat KIV21 serial/IP encryptor will be tested when direct AOR I-4 BGAN access is available.

6 Equipment Configuration

6.1 Thrane Explorer 500 UT – Software release 1.01. This terminal is currently at the Inmarsat lab in London. The unit has been configured by Inmarsat’s Network Engineers.

6.2 The BGAN MMI is not being used in our current configuration.

6.3 The Inmarsat Performance Enhancement Proxy (PEP) software was NOT used during this report’s testing. AOS’s SkyPipe (PEP) was used exclusively during this interim Phase-C testing. Testing was performed with and without SkyPipe.

6.4 Since there was no BGAN direct access from the US an Internet VPN network was constructed between Inmarsat London, UK and AOS Dallas, Texas. Cisco 1712 and 2620 series routers were used to build the VPN tunnel connections. See Figure 1 for a diagram of the VPN PS test network. The current Cisco IOS in use is 12.3. See the Appendix for router configurations.

6.5 Linux versus Windows Computer Operating Systems (OS)

Linux was selected as the OS for the test PCs, as it could provide fine control of TCP buffers and window sizes. This only became important because of the significant combined latency of the commercial ADSL service used for the VPNs coupled with satellite delay. On this unusual test platform, an optimized Linux platform provided more consistent FTP throughput results.

6.6 Encryption equipment configuration: The following reports contain the specified encryptor configuration settings.

6.6.1 The “For Distribution to US Government Personnel Only” test report contains all encryptor configuration instructions.

6.6.2 The “For Distribution to Inmarsat Personnel Only” test report will provide the Thales DC2K encryptor configuration instructions.

6.6.3 The “For Distribution at Inmarsat’s Discretion” test report has no encryptor configuration instructions.

6.7 SkyPipe Performance Enhancing Proxy (PEP) Software

SkyPipe is a proprietary AOS, Inc. software application optimized for TCP traffic over secure satellite links. SkyPipe features IPSec compliant, 256-bit AES encryption VPNs. SkyPipe can be terminated to a Cisco PIX or security IOS. SkyPipe can be furnished as a software client or as a pocket-sized, USB-powered external hardware device. See Figure 5 on page 16 for a typical implementation of the client/server architecture.

SkyPipe substitutes the TCP protocol with a highly efficient and reliable UDP-based protocol that is especially designed to maximize data transfer over high-delay and loss-intensive networks such as satellite and radio links. The SkyPipe Performance Enhancing Proxy (PEP) supports multiple standard application protocols, including HTTP, HTTPS, FTP, SOCKS, and protocol-independent port forwarding. The PEP software assumes that the client/server application software can support a proxy. The PEP can also operate in a ‘transparent’ mode via an external hardware device, thus eliminating the need for the client/server PEP software.

SkyPipe also utilizes HTTP prefetching, further enhancing transfer of HTTP-based data and thus drastically improving web traffic performance and download times for web pages. Basic router functionality, including Network Address Translation (NAT) and on-the-fly compression, saves the user bandwidth and money. Since all remote SkyPipe clients need to communicate with a local server, public SkyPipe servers will be available from various satellite service providers. Private servers are also available and can be installed at user facilities.

SkyPipe is a particularly timely solution for users of the new Inmarsat BGAN high-speed data service and ideally suited for those who will employ Government encryption devices to secure their mobile networks. US Government/Type 1 hardware encryption devices are afforded an additional layer of security by “double wrapping” of traffic.

7 Packet Switched Encryption Equipment Testing via BGAN I-4

Encryptor: Thales DC2K (non-Type 1)
BGAN UT: Thrane Explorer 500 at Inmarsat UK

The test arrangement will be configured as in Figure 2 below.

[Diagram not reproduced; labels: VPN Tunnel, East Tunnel, West Tunnel]

Figure 2 – Thales DC2K BGAN Testing via IOR I-4 Satellite Configuration

7.1 The equipment required for this PS configuration is:

• 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver. 12.3
• 2 each Thales DC2K IP Encryptors
• 2 each Dell Desktop Computers with Linux Fedora Core 4 OS
• 1 each DSL high speed Internet connection with static IPs
• 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab. Software version 1.01. MMI not in use.
• 1 lot BGAN airtime for UT supplied by Inmarsat

7.2 The PS encryption tests to be performed via the BGAN I-4 configuration are described in Table 1 below.

BGAN I-4 Tests for Thales DC2K IP Encryptor via Thrane Explorer 500 UT
FTP File Transfer Data Rates - With Encryption, No TCP PEP - Linux FC4 PC OS (Note 1)
FTP Data = 1MB zipped pkg; FTP Tests on Nov. 17, 2005

| Test | Download/Get (KB/s) | Download/Get (Kbps) | Upload/Put (KB/s) | Upload/Put (Kbps) |
|---|---|---|---|---|
| Test 1 | 17.0 | 136.0 | 25.0 | 200.0 |
| Test 2 | 6.9 | 55.2 | 18.0 | 144.0 |
| Test 3 | 7.9 | 63.2 | 20.0 | 160.0 |
| Test 4 | 9.3 | 74.4 | 25.0 | 200.0 |
| Test 5 | 12.0 | 96.0 | 9.9 | 79.2 |
| Test 6 | 8.4 | 67.2 | 17.0 | 136.0 |
| Test 7 | 12.0 | 96.0 | 11.0 | 88.0 |
| Test 8 | 12.0 | 96.0 | 16.0 | 128.0 |
| Test 9 | 12.0 | 96.0 | 16.0 | 128.0 |
| Test 10 | 16.0 | 128.0 | 16.0 | 128.0 |
| Average Kbps (Note 2) | | 90.8 | | 139.1 |
| Range Kbps (Note 2) | | 55 to 136 | | 79 to 200 |

Network delay (Millisecs) = 1500 to 2000

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

Table 1 – Packet Switched encryption test data via the Thales DC2K IP encryptor and the Thrane Explorer 500 UT over the BGAN IOR I-4 Satellite

8 Packet Switched Encryption Equipment Testing via BGAN I-4

Encryptor: Taclane KG175 (Type 1)
BGAN UT: Thrane Explorer 500 at Inmarsat UK

The test arrangement will be configured as in Figure 3 below:

[Diagram not reproduced; labels: VPN Tunnel, West Tunnel]

Figure 3 – Taclane KG175 BGAN Testing via IOR I-4 Satellite Configuration

8.1 The equipment required for this CS configuration is:

• 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver. 12.3
• 2 each Taclane KG175 IP encryptors
• 2 each Dell Desktop Computers with Linux Fedora Core 4 OS
• 1 each DSL high speed Internet connection with static IPs
• 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab. Software version 1.01. MMI not in use.
• 1 lot BGAN airtime for UT supplied by Inmarsat

8.2 The PS encryption tests to be performed via the BGAN I-4 configuration are described in Table 2 below.

BGAN I-4 Tests for Taclane KG175 IP Encryptor via Thrane Explorer 500 UT
FTP File Transfer Data Rates - With Encryption, No TCP PEP - Linux FC4 PC OS (Note 1)
FTP Data = 1MB zipped pkg; FTP Tests on Nov. 17, 2005

| Test | Download/Get (KB/s) | Download/Get (Kbps) | Upload/Put (KB/s) | Upload/Put (Kbps) |
|---|---|---|---|---|
| Test 1 | 11.0 | 88.0 | 11.0 | 88.0 |
| Test 2 | 6.4 | 51.2 | 16.0 | 128.0 |
| Test 3 | 7.7 | 61.6 | 11.0 | 88.0 |
| Test 4 | 7.6 | 60.8 | 10.0 | 80.0 |
| Test 5 | 9.6 | 76.8 | 8.5 | 68.0 |
| Test 6 | 14.0 | 112.0 | 6.7 | 53.6 |
| Test 7 | 14.0 | 112.0 | 17.0 | 136.0 |
| Test 8 | 14.0 | 112.0 | 9.6 | 76.8 |
| Average Kbps (Note 2) | | 84.3 | | 89.8 |
| Range Kbps (Note 2) | | 51 to 112 | | 54 to 136 |

Network delay (Millisecs) = 2013 to 2144

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

Table 2 – Packet Switched encryption test data via the Taclane KG175 IP encryptor and the Thrane Explorer 500 UT over the BGAN IOR I-4 Satellite

9 Packet Switched Encryption Equipment Testing via BGAN I-4

Encryptor: ViaSat KG250 (Type 1)
BGAN UT: Thrane Explorer 500 at Inmarsat UK

The test arrangement will be configured as in Figure 4 below:

Figure 4 – ViaSat KG-250 Testing via IOR I-4 Satellite Configuration

9.1 The equipment required for this PS configuration is:

• 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver. 12.3
• 2 each ViaSat KG250 IP Encryptors
• 2 each Dell Desktop Computers with Linux Fedora Core 4 OS
• 1 each DSL high speed Internet connection with static IPs
• 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab. Software version 1.01. MMI not in use.
• 1 lot BGAN airtime for UT supplied by Inmarsat

9.2 The PS encryption tests to be performed via the BGAN I-4 configuration are described in Table 3 below.

BGAN I-4 Tests for ViaSat KG250 IP Encryptor via Thrane Explorer 500 UT
FTP File Transfer Times - With Encryption, No TCP PEP - Linux FC4 PC OS (Note 1)
FTP Data = 1MB zipped pkg; FTP Tests on Nov. 21, 2005

| Test | Download/Get (KB/s) | Download/Get (Kbps) | Upload/Put (KB/s) | Upload/Put (Kbps) |
|---|---|---|---|---|
| Test 1 | 16.0 | 128.0 | 5.6 | 44.8 |
| Test 2 | 15.0 | 120.0 | 7.9 | 63.2 |
| Test 3 | 16.0 | 128.0 | 7.8 | 62.4 |
| Test 4 | 16.0 | 128.0 | 6.5 | 52.0 |
| Test 5 | 12.0 | 96.0 | 7.4 | 59.2 |
| Test 6 | 12.0 | 96.0 | 6.6 | 52.8 |
| Test 7 | 14.0 | 112.0 | 7.2 | 57.6 |
| Test 8 | 12.0 | 96.0 | 9.5 | 76.0 |
| Average Kbps (Note 2) | | 113.0 | | 58.5 |
| Range Kbps (Note 2) | | 96 to 128 | | 44 to 76 |

Network delay (Millisecs) = 2000 to 2150

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

Table 3 – Packet Switched encryption test data via the ViaSat KG250 IP encryptor and the Thrane Explorer 500 UT over the BGAN IOR I-4 Satellite

10 Thales DC2K Retest and AOS Performance Enhancing Proxy (PEP)

The test arrangement will be configured as in Figure 5 below:

[Diagram not reproduced; labels: VPN Tunnel, East Tunnel, West Tunnel]

Figure 5 – DC2K and AOS PEP Testing Configuration

10.1 The equipment required for this PS configuration is:

• 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver. 12.3
• 2 each Thales DC2K IP Encryptors
• 2 each Desktop Server Computers with Linux Fedora Core 4 OS
• 1 each Laptop Computer with dual boot Windows XP Pro and Fedora Core 4 OS
• 1 each DSL high speed Internet connection with static IPs
• 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab. Software version 1.01. MMI not in use.
• 1 each AOS EOS SkyPipe hardware client
• 1 lot BGAN airtime for UT supplied by Inmarsat

BGAN I-4 Tests for Thales DC2K IP Encryptor via Thrane Explorer 500 UT
FTP Data = 1MB zipped pkg; FTP Tests on Feb. 13, 2006
Column groups: FTP Xfer Rates w/Encryption, No TCP PEP & Linux OS (Note 1); FTP Xfer Rates w/Encryption, AOS PEP & Linux OS (Note 1); FTP Gain, No PEP vs AOS PEP

| Test | No TCP PEP, Linux: Download/Get (Kbps) | No TCP PEP, Linux: Upload/Put (Kbps) | AOS PEP, Linux: Download/Get (Kbps) | AOS PEP, Linux: Upload/Put (Kbps) | Gain: Download/Get (%) | Gain: Upload/Put (%) |
|---|---|---|---|---|---|---|
| Test 1 | 144.0 | 136.0 | 208.0 | 200.0 | | |
| Test 2 | 128.0 | 144.0 | 208.0 | 224.0 | | |
| Test 3 | 160.0 | 120.0 | 208.0 | 304.0 | | |
| Test 4 | 152.0 | 80.0 | 240.0 | 296.0 | | |
| Test 5 | 216.0 | 112.0 | 256.0 | 256.0 | | |
| Test 6 | 184.0 | 88.0 | 112.0 | 296.0 | | |
| Test 7 | 216.0 | 120.0 | 176.0 | 264.0 | | |
| Test 8 | 160.0 | 63.2 | 264.0 | 216.0 | | |
| Test 9 | 208.0 | 144.0 | 264.0 | 232.0 | | |
| Test 10 | 152.0 | 79.2 | 216.0 | 232.0 | | |
| Average Kbps (Note 2) | 172.0 | 108.6 | 215.2 | 252.0 | 25 | 132 |
| Range Kbps (Note 2) | 96 to 216 | 63 to 144 | 112 to 264 | 200 to 304 | | |

Network delay (Millisecs) = 1500 to 2000

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

10.2 Table 4 - Linux Client Computer - No PEP versus AOS PEP

BGAN I-4 Tests for Thales DC2K IP Encryptor via Thrane Explorer 500 UT
FTP Data = 1MB zipped pkg; FTP Tests on Feb. 13, 2006
Column groups: FTP Xfer Rates w/Encryption, No PEP & Win XP Pro; FTP Xfer Rates w/Encryption, PEP & Win XP Pro PC; FTP Gain, No PEP vs AOS PEP

| Test | No PEP, Win XP Pro: Download/Get (Kbps) | No PEP, Win XP Pro: Upload/Put (Kbps) | PEP, Win XP Pro: Download/Get (Kbps) | PEP, Win XP Pro: Upload/Put (Kbps) | Gain: Download/Get (%) | Gain: Upload/Put (%) |
|---|---|---|---|---|---|---|
| Test 1 | 164.0 | 41.9 | 268.0 | 234.4 | | |
| Test 2 | 150.4 | 42.0 | 257.6 | 239.2 | | |
| Test 3 | 165.6 | 41.9 | 135.2 | 210.4 | | |
| Test 4 | 166.4 | 41.9 | 268.0 | 217.6 | | |
| Test 5 | 201.6 | 42.3 | 229.6 | 231.2 | | |
| Test 6 | 173.6 | 42.0 | 96.0 | 238.4 | | |
| Test 7 | 164.0 | 41.9 | 229.6 | 228.8 | | |
| Test 8 | 153.6 | 41.8 | 128.8 | 235.2 | | |
| Test 9 | 174.4 | 42.0 | 133.6 | 249.6 | | |
| Test 10 | 128.8 | 41.8 | 140.8 | 239.2 | | |
| Average Kbps (Note 2) | 164.2 | 42.0 | 188.7 | 232.4 | 15 | 454 |
| Range Kbps (Note 2) | 128 to 202 | 41 to 42 | 96 to 268 | 210 to 250 | | |

Network delay (Millisecs) = 1500 to 2000

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

10.3 Table 5 - Windows XP Pro Client Computer – No PEP versus AOS PEP

BGAN I-4 Tests for Thales DC2K IP Encryptor via Thrane Explorer 500 UT
FTP Data = 1MB zipped pkg; FTP Tests on Feb. 13, 2006
Column groups: FTP Xfer Rates w/Encryption, No PEP & XP Pro Client; FTP Xfer Rates w/Encryption, No PEP & Linux OS (Note 1); FTP Gain, No PEP Windows vs Linux

| Test | No PEP, XP Pro: Download/Get (Kbps) | No PEP, XP Pro: Upload/Put (Kbps) | No PEP, Linux: Download/Get (Kbps) | No PEP, Linux: Upload/Put (Kbps) | Gain: Download/Get (%) | Gain: Upload/Put (%) |
|---|---|---|---|---|---|---|
| Test 1 | 164.0 | 41.9 | 144.0 | 136.0 | | |
| Test 2 | 150.4 | 42.0 | 128.0 | 144.0 | | |
| Test 3 | 165.6 | 41.9 | 160.0 | 120.0 | | |
| Test 4 | 166.4 | 41.9 | 152.0 | 80.0 | | |
| Test 5 | 201.6 | 42.3 | 216.0 | 112.0 | | |
| Test 6 | 173.6 | 42.0 | 184.0 | 88.0 | | |
| Test 7 | 164.0 | 41.9 | 216.0 | 120.0 | | |
| Test 8 | 153.6 | 41.8 | 160.0 | 63.2 | | |
| Test 9 | 174.4 | 42.0 | 208.0 | 144.0 | | |
| Test 10 | 128.8 | 41.8 | 152.0 | 79.2 | | |
| Average Kbps (Note 2) | 164.2 | 42.0 | 172.0 | 108.6 | 5 | 159 |
| Range Kbps (Note 2) | 128 to 202 | 41 to 42 | 96 to 216 | 63 to 144 | | |

Network delay (Millisecs) = 1500 to 2000

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

10.4 Table 6 - Windows versus Linux Client Computer – No AOS PEP

BGAN I-4 Tests for Thales DC2K IP Encryptor via Thrane Explorer 500 UT
FTP Data = 1MB zipped pkg; FTP Tests on Feb. 13, 2006
Column groups: FTP Xfer Rates w/Encryption, AOS PEP & XP Pro PC; FTP Xfer Rates w/Encryption, AOS PEP & Linux OS; FTP Gain, With PEP - Windows vs Linux

| Test | AOS PEP, XP Pro: Download/Get (Kbps) | AOS PEP, XP Pro: Upload/Put (Kbps) | AOS PEP, Linux: Download/Get (Kbps) | AOS PEP, Linux: Upload/Put (Kbps) | Gain: Download/Get (%) | Gain: Upload/Put (%) |
|---|---|---|---|---|---|---|
| Test 1 | 268.0 | 234.4 | 208.0 | 200.0 | | |
| Test 2 | 257.6 | 239.2 | 208.0 | 224.0 | | |
| Test 3 | 135.2 | 210.4 | 208.0 | 304.0 | | |
| Test 4 | 268.0 | 217.6 | 240.0 | 296.0 | | |
| Test 5 | 229.6 | 231.2 | 256.0 | 256.0 | | |
| Test 6 | 96.0 | 238.4 | 112.0 | 296.0 | | |
| Test 7 | 229.6 | 228.8 | 176.0 | 264.0 | | |
| Test 8 | 128.8 | 235.2 | 264.0 | 216.0 | | |
| Test 9 | 133.6 | 249.6 | 264.0 | 232.0 | | |
| Test 10 | 140.8 | 239.2 | 216.0 | 232.0 | | |
| Average Kbps (Note 2) | 188.7 | 232.4 | 215.2 | 252.0 | 14 | 8 |
| Range Kbps (Note 2) | 96 to 268 | 210 to 250 | 112 to 264 | 200 to 304 | | |

Network delay (Millisecs) = 1500 to 2000

Note 1: Please see section 6.5 for Host Operating System selection

Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas

10.5 Table 7 - Windows versus Linux Client Computer – With AOS PEP

11 Summary of Test Results

The primary goal of this interim report is to provide some initial feedback to the Inmarsat user community regarding the compatibility of US Centric IP encryptors via the BGAN IOR I-4 satellite. During the course of this report only the Thrane Explorer 500 BGAN UT was available for testing. The only IP encryptors available during the tests were the Thales DC2K, Taclane KG175 and ViaSat KG250. Additional BGAN UTs and encryption equipment will be available for testing in late March/April when BGAN access is available via the AOR I-4 satellite.

The BGAN VPN communications link between AOS (Dallas) and Inmarsat (London) provided an economical testing vehicle. However, the VPN link did inject an additional variable delay due to the multiple router hop Internet connections. The asymmetrical (512Kb upload/5MB download) DSL Internet connection at Dallas added yet another variable to our testing. This ADSL line is an unmanaged and unqualified service that had no guaranteed Quality of Service (QoS). These ADSL factors, coupled with a high latency satellite circuit, produced erratic IP throughput measurements. The round trip time (RTT) over the VPN network varied from 1500 to 2200 milliseconds (ms). Due to these variables it was determined to limit the encryption testing to basic continuity measurements rather than trying to establish encryption overhead values. See Figure 1 on page 4 for an overview of the VPN test network.

Initial BGAN testing enabled us to characterize the impact of the unusually high jitter produced by the VPN test network. Some effects of latency could be counteracted by significantly increasing the queue lengths and window sizes (both send and receive), and it was found that these changes could be made more easily on a Linux OS (Fedora Core 4) than on Windows (2000 Pro or XP Pro). From a testing perspective, this produced more reliable data transfer at higher speeds and so all testing was performed on Linux computers. It should be noted that this measure was only needed to validate connectivity at such an early stage of the BGAN evolution, and the Windows TCP window sizes are sufficient for local BGAN operation.

During the initial BGAN testing via the AOS-Inmarsat VPN we discovered that the Thales DC2K IP encryptors would not pass data traffic. This was due to the encryptors’ IPSec incompatibility with Cisco’s CEF (Cisco Express Forwarding) being enabled. Once this feature was disabled in all three routers the Thales DC2K IP encryptors properly passed encrypted data traffic.

The proper setting of the Maximum Transmission Unit (MTU) was important to ensure the highest possible data transfer. Advanced satellite IP accelerators such as SkyPipe use MTU sizing and packet stuffing techniques to enhance performance. While using a network protocol analyzer (Ethereal), the MTUs on the computer, Cisco routers and encryption equipment were adjusted for maximum data transfer.


Maximum data transfer would occur when packets were not being split into two packets as they passed through the encryptor, router and computer interfaces. As a general rule, the MTUs of all computers, network routers and DC2K IP encryptors were set to 1280, 1416 and 1400 respectively. These values are documented in the test configuration Figures 2, 3 and 4.

The IP encryptor test data throughput measurements are tabulated in Tables 1, 2 and 3. This data validates the DC2K, KG175 and KG250 IP encryptors’ capability to pass encrypted data via the BGAN network. The initial data throughput values were disappointing but not unexpected given the numerous variables, and are almost certainly attributable to the high latency in the AOS-Inmarsat VPN circuit. FTP download speeds ranged from an average of 84Kbps to 113Kbps, whereas FTP uploads averaged from 58Kbps to 139Kbps.

Configuring all encryptors was straightforward. After configuring all administrative settings (i.e., red/black setup and handling keying materials) the encryptors would synchronize with each other within a minute. The AOS-Inmarsat VPN BGAN network did not produce any special encryptor configuration requirements. The MTU settings were the primary time-consuming adjustment. Various MTU settings were tried before the best possible settings were obtained. All MTU settings will be re-validated when direct AOR I-4 access is available.

AOS has previously used Performance Enhancing Proxy (PEP) software over the Inmarsat GAN networks using the Windows OS platform. Initial BGAN tests showed that using AOS’ PEP (SkyPipe) would obtain improved FTP reliability and data transfer speeds comparable to our non-PEP Linux testing. During initial testing our PEP would not function in the Linux environment. However, in a recent development AOS has produced a Linux based PEP called SkyPipe EOS. This Linux based transparent capture solution has produced some remarkable results over the AOS-Inmarsat BGAN VPN. See the recent Thales DC2K test results on pages 16-18 for actual test configuration and data. The PEP’s primary function is to remove the issues of latency and thus give a more accurate ‘estimate’ of throughput speeds.

Additional Thales DC2K IP encryptor tests were performed with and without PEP and between the Windows and Linux platforms. Using SkyPipe with either a Windows or Linux client computer working into a Linux server produced very similar results of approximately 200Kbps download and approximately 242Kbps upload FTP data transfers. SkyPipe’s improvement to FTP uploads is impressive. Without SkyPipe the FTP uploads for a Linux client computer averaged 109Kbps, whereas a Windows client computer only averaged 42Kbps. No testing of Inmarsat’s PEP was done during this time period. It is understood that Inmarsat’s PEP will also improve upload BGAN characteristics.
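The MTU reasoning above (no packet should be split as it crosses the computer, encryptor and router) can be checked numerically. The following is an added example, not part of the report or of any vendor's software. It assumes the path order computer, then encryptor, then router, and generic ESP tunnel-mode framing with AES-CBC and HMAC-SHA1-96; the actual overhead of the tested encryptors is not stated in the report, and all function names are hypothetical.

```python
import math

# Assumed framing (not from the report): IPv4 ESP tunnel mode,
# 16-byte IV, 16-byte cipher block, 12-byte integrity check value.
OUTER_IP, ESP_HDR = 20, 8

def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """Length of the encrypted outer packet for an inner IPv4 packet."""
    # The trailer is padding + pad-length byte + next-header byte, and
    # (inner + padding + 2) must be a multiple of the cipher block size.
    pad = (-(inner_len + 2)) % block
    return OUTER_IP + ESP_HDR + iv_len + inner_len + pad + 2 + icv_len

def ipv4_fragments(packet_len, mtu, ip_header=20):
    """Number of IPv4 fragments needed to carry packet_len over this MTU."""
    if packet_len <= mtu:
        return 1
    per_frag = (mtu - ip_header) // 8 * 8  # fragment offsets are 8-byte units
    return math.ceil((packet_len - ip_header) / per_frag)

def max_unfragmented_inner(black_mtu):
    """Largest inner packet whose encrypted form still fits in black_mtu."""
    size = black_mtu
    while size > 0 and esp_tunnel_size(size) > black_mtu:
        size -= 1
    return size

def trace(host_mtu, encryptor_mtu, router_mtu):
    """Follow one full-size host packet through the encryptor and router."""
    outer = esp_tunnel_size(host_mtu)
    return {
        "outer_len": outer,
        "red_fragments": ipv4_fragments(host_mtu, encryptor_mtu),
        "black_fragments": ipv4_fragments(outer, router_mtu),
    }

if __name__ == "__main__":
    # MTU values from the report: computers 1280, encryptors 1400, routers 1416.
    print("report settings:", trace(1280, 1400, 1416))
    # A host left at the 1400 or 1500 byte MTU is split on the black side.
    for host_mtu in (1400, 1500):
        print(host_mtu, trace(host_mtu, 1500, 1416))
    print("largest clean inner packet:", max_unfragmented_inner(1416))
```

Under these assumed overheads a 1280-byte host packet leaves the encryptor as a single 1352-byte packet, inside the 1416-byte router MTU, while a 1400-byte host packet would be split in two.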


This concludes this interim report. BGAN Packet Switched encryption testing will resume when AOR I-4 access is available. The AOR I-4 access is expected by mid-April 2006. At this time the Hughes 9201 and Nera WorldPro 1000 BGAN UTs should be available for testing. The KG235 and KG240 Type 1 USG encryptors are expected to be available at this same time. Data testing will be done with and without encryption, as well as with and without PEP. Having direct access to the AOR I-4 BGAN satellite will make encryption IP overhead measurements practical and the results meaningful.

When direct AOR I-4 access is available, AOS will perform Circuit Switched (CS) testing using USG Type 1 serial link encryptors (i.e., the L3 STE, the SafeNet KIV7, STUIII, L3 OmniXp/Xi, Sectera Wireline and ViaSat KIV21). The Thales DC2K LX non Type 1 serial link encryptor will be tested to compare encryption overhead values.
