Delivering IP Applications in a Tactical Communications Network

Ultra Electronics - DNE Technologies

Routed, Internet Protocol (IP)-based networks have introduced significant new complexities to the network operator. Safeguarding the source and destination information in an IP packet and detecting security breaches require the architecture to adequately address information risks. Finding enough network capacity to satisfy users remains a challenge for the operator.

The most important rule for effective network operation and application delivery is that users and operators must agree on measures to be observed and service quality to be delivered for each traffic type on an end-to-end basis, where feasible. There are significant inter-dependencies among these elements, such that a decision regarding traffic management may greatly impact the information assurance strategy and vice versa.

Figure 1. Application Delivery Elements

Traffic Management

Traffic Management, regardless of the protocols or product, includes three functions: classification, precedence or priority, and congestion management.

Classification: source or destination addresses, service quality designators, physical ports, or the application that generated the packet.

Precedence (priority): how the system will treat each class. One class may be guaranteed immediate transmission without waiting, while another class may have to wait until all the other classes are idle before being transmitted.

Congestion management: when the amount of data attempting to access the network exhausts the resources of the network access device.

Information Assurance

Information Assurance doctrine is controlled by the National Security Agency (NSA) for US military networks. Figure 2 depicts the legacy model for assuring information.

Figure 2. Legacy Information Assurance

A cryptosystem performs end-to-end encryption of data circuits grouped by security classification to prevent non-authorized access to the data. TRANSEC encrypts link data and takes measures designed to protect transmissions from interception and exploitation by means other than cryptanalysis [1].

Committee on National Security Systems (CNSS) policy permits the use of NSA-certified encryption products and commercial AES encryption products [2]. NSA-certified products include government-specified encryption products that support unstructured serial data and IP inline network encryption (INE) products.

Inline encryption uses virtual private network (VPN) technology to secure the information. VPNs take IP packets, encrypt them, and place the secure data in a new IP packet with new source and destination addresses that reflect the INE units, rather than the addresses of the originator and receiver. But VPNs introduce as much as 20% more overhead into the network, and the encryption of the data deprives the traffic management system of the markers desirable for traffic classification [3].

Protocol Acceleration and Data Compression

Protocol acceleration techniques can be deployed to improve data throughput and application reliability across IP networks.

Web caching stores the most recently accessed web files on a client or client server. TCP monitors data loss and latency to control the speed of a virtual circuit such as a satellite link. Packet headers, payloads, voice, and video can all be compressed. The best throughput improvements are achieved on low-speed circuits, where the compression can be executed quickly relative to the transmission time. Voice, video, and ASCII-encoded data streams experience significant throughput improvements through compression.

The Department of Defense's transition to IP Version 6 by 2009 will result in a significant increase in the size of the IPv6 packet header over the IPv4 header, making IPv6 a prime candidate for header compression.

Practical Issues Confronting Application Delivery

Complexity of Configuration and Operation

Implementing traffic management schemes on a Layer 3 device, such as an IP router, is a detailed and complex operation. Each router port can require 10 to 20 configuration lines to specify the proper classifications, precedence, and discard policies - each dependent on data circuit speeds.

The learning curve for operators is clouded by proprietary configuration syntax. This complexity leads some network planners to separate network channels or underutilize the network bandwidth to avoid congestion and latency issues. While both of these steps simplify the configuration of the network and lessen the risk of application degradation, they deviate from the goal of increasing network efficiencies through a converged IP network.

How to Achieve Adequate Information Assurance Safeguards for Converged IP Networks

Transmitting packet networks over the airwaves presents information assurance risks requiring adequate information security practices. But packet networks, by their very nature, will betray the level of activity on the network by the transmission itself.

At issue is how a router or Layer 2 switch responds to a Denial of Service (DoS) attack bombarding an IP address with incoming traffic. Due to buffer management decisions, some routers will crash completely during a DoS attack. Others have a more robust design and can limit the impact of the attack to one network user service.

Weighing Alternatives to Assure Application Delivery

Layer 2 vs. Layer 3

A common view of IP networks reflects a simple router and IP modem tackling all link and network level technical issues with IP protocol. While practical for small, simple network problems, this approach bears significant cost and performance issues as the network scales to support more complex implementations.

A reasonable alternative is to let a specialized Layer 2 switch address link issues and a router address network issues. While Layer 3 devices offer far more parameters from which to create classifications - supporting a large number of service classes - they further increase the complexity of configuring traffic management policies. Layer 2 devices rely on only the physical port and class of service designation to establish service classes, resulting in a significant reduction in configuration complexity. For most tactical applications, the focused ability to manage circuit traffic, variable latency-sensitive traffic, and fair weighting of the remaining traffic is adequate for the user base.

Fragmentation Strategies

Variable-sized IP packets present a technical challenge when attempting to deliver a constant-bit-rate channel over an IP aggregate. Unless the aggregate is extremely high-speed (greater than 8 Mbps), an unacceptable variable latency is introduced. The solution is to break up, or fragment, large packets so that higher-priority packets can be inserted between the fragments.

IP protocol fragments and reassembles data packets by specifying a Maximum Transmission Unit (MTU). For a router controlled by a general microprocessor, fragmentation can consume significant processor resources. Without fragmentation, traffic management is not reliable and, without hardware support for fragmentation, data throughput is constrained.

Fixed-size packets introduce incremental overhead, since padding will be used if the payload does not completely fill a packet. Fixed-size packets simplify the processing required for traffic policing, implementing fair-weighting policies, and producing meaningful reports to describe how well service levels are maintained.
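The latency argument above can be checked with a small simulation. This is an added example, not DNE or PacketAssure code: it fragments packets into fixed-size cells, computes the padding overhead of the last cell, and runs a strict-priority, non-preemptive cell scheduler so the wait of a priority packet behind a large best-effort packet can be compared with and without fragmentation. The 64-byte cell size, 1 Mb/s link rate and packet sizes are constructed values chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass

CELL_BYTES = 64  # assumed fixed cell size (constructed, not a PacketAssure value)

@dataclass
class Packet:
    name: str
    size: int   # bytes
    prio: int   # 0 = highest (PFR-like), 2 = lowest (BEFR-like)

def fragment(pkt, cell=CELL_BYTES):
    """Split a packet into fixed-size cells; the last cell is padded up to `cell`."""
    return [(pkt.name, i) for i in range(-(-pkt.size // cell))]  # ceiling division

def padding_overhead(size, cell=CELL_BYTES):
    """Fraction of bytes on the wire that are padding for one packet."""
    n = -(-size // cell)
    return (n * cell - size) / (n * cell)

def schedule(events, rate_bps, cell=CELL_BYTES):
    """Strict-priority, non-preemptive cell scheduler on one aggregate link.
    events: list of (arrival_time_s, Packet). Returns name -> seconds the packet
    waited before its first cell left; a higher-priority cell is inserted between
    the cells of a lower-priority packet already being transmitted."""
    cell_time = cell * 8 / rate_bps
    queues = {0: deque(), 1: deque(), 2: deque()}
    pending = sorted(events, key=lambda e: e[0])
    arrival, first_tx, t = {}, {}, 0.0
    while pending or any(queues.values()):
        while pending and pending[0][0] <= t:      # admit arrivals up to time t
            at, pkt = pending.pop(0)
            arrival[pkt.name] = at
            queues[pkt.prio].extend(fragment(pkt, cell))
        ready = [q for _, q in sorted(queues.items()) if q]
        if not ready:                              # link idle: jump to next arrival
            t = pending[0][0]
            continue
        name, _ = ready[0].popleft()               # highest-priority cell goes first
        first_tx.setdefault(name, t)
        t += cell_time
    return {n: first_tx[n] - arrival[n] for n in arrival}

def demo(rate_bps=1_000_000):
    """64-byte priority packet arrives 1 ms into a 1500-byte best-effort transfer (1 Mb/s)."""
    events = [(0.0, Packet("befr", 1500, 2)), (0.001, Packet("pfr", 64, 0))]
    fragmented = schedule(events, rate_bps)["pfr"]               # about 24 us
    unfragmented = schedule(events, rate_bps, cell=1500)["pfr"]  # 11 ms
    return fragmented, unfragmented
```

With 64-byte cells the priority packet waits at most one cell time (512 us here) for the cell in flight; without fragmentation it waits for the remainder of the 12 ms packet, while the 1500-byte packet pays about 2.3% padding overhead.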

Buffering Techniques

Two parameters for the planner to understand are how efficiently different queuing techniques cooperate to use available bandwidth and how much separation is maintained between different classes' buffers.

Most routers offer a queuing technique that assures that latency-sensitive traffic is delivered promptly. Some routers, however, reserve a bandwidth pool to assure the service level is met, meaning there is no allowance to release idle bandwidth without operator intervention. Likewise, all routers support a congestion management technique, but effective administration of this technique should avoid buffer overflows that impact other users' traffic.

Related to the congestion management issue is a Denial of Service attack. If classes are defined such that different users' traffic is not commingled within a class, the denial of service attack can be contained and the device will remain online.

Implementing TRANSEC

The NSA policy for implementing TRANSEC over wireless networks in hazardous areas of operation continues to evolve. Concerns also still exist for using AES encryption products for TRANSEC in hazardous environments. There are COMSEC solutions based on legacy encryption products that are suitable for IP wireless networks.

Legacy serial encryption products can be implemented if the network access point supports unstructured serial data over IP with the ability to loop plain text to a legacy encryption device and return the cipher text to a port, which wraps the data in an IP packet and directs the flow to the IP wide-area network. A Layer 2 switching device can manage this problem without introducing excessive latency and consuming significant processor-memory resources.

Figure 3. Legacy Encryption Implementation

Ultra Electronics' PacketAssure Offering

Overview

PacketAssure is a switch that operates at the link and Ethernet layers. It complements existing IP router networks by shaping and policing LAN segments before aggregating them onto an Ethernet link with legacy circuit traffic.

Traffic management is implemented by assigning a service classification to each Ethernet port. Classifications include Priority, Variable, and Best-Effort flow rates. High service quality can be obtained by permitting users to easily pinpoint the applications subject to discard without complex policy definitions and configuration.

Each PacketAssure interface is modeled as a virtual circuit. Traffic management actions are taken based on the virtual circuit service class configuration or detection of congestion for data accessing the aggregated Ethernet uplink.

IP data is fragmented into fixed-sized packets and tagged with destination and service class information before being fed into a switch matrix. The buffering and switching architecture of the PacketAssure keeps the virtual circuit data isolated from other circuits to deliver high information assurance.

Virtual tunnels connect the PacketAssure ingress points to the egress points, while the PacketAssure core functions as a smart bridge to map data between source and destination MAC addresses. The network processor creates and maintains an Ethernet MAC address table that permits the switch matrix to direct traffic only between the originating and destination interface ports.

Traffic Management Elements

Classification

From the system's Graphical User Interface (GUI), operators assign one to four traffic management parameters per port. Configuration is quick and can be easily modified to accommodate changing requirements.

Precedence

The PacketAssure supports three general service classes: Priority Flow Rate (PFR), Variable Flow Rate (VFR), and Best-Effort Flow Rate (BEFR).

PFR is the highest priority, preempting any lower priority traffic. Applications best suited for PFR have predictable bandwidth requirements, like voice over IP or serial data transmission. VFR preempts BEFR traffic. VFR is modeled for applications with a nominal variation in bandwidth requirements like video over IP. BEFR is the lowest priority, modeled for best-effort traffic. BEFR, however, may use all unused bandwidth when PFR and VFR applications are inactive and each BEFR circuit is guaranteed a minimum data rate.

Congestion Management

PacketAssure has the ability to measure the rate at which data is flowing over a virtual circuit. When PFR and VFR circuits exceed their peak data rate, the non-conforming packets are discarded. When BEFR circuits exceed their peak data rate, operators may choose to either discard the non-conforming packets or tag them as non-conforming. If there is no congestion on the egress side of the PacketAssure, the non-conforming packets will be transmitted. Otherwise, non-conforming packets will be discarded at the egress point.
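The three-class policing and egress behaviour described above, as an added example that is not DNE's or PacketAssure's code. It counts bytes per policing interval (an assumed simplification of rate measurement), discards PFR/VFR excess at ingress, tags or discards BEFR excess per circuit, and forwards tagged bytes only when the aggregated uplink still has room. The circuits, peak values and uplink size are constructed; the BEFR minimum-rate guarantee is not modelled.

```python
from dataclasses import dataclass

RANK = {"PFR": 0, "VFR": 1, "BEFR": 2}   # PFR preempts VFR, VFR preempts BEFR

@dataclass
class Circuit:
    name: str
    klass: str               # "PFR", "VFR" or "BEFR"
    peak: int                # peak bytes allowed per policing interval (constructed)
    tag_excess: bool = True  # BEFR only: tag excess as non-conforming or discard it

def police(circuit, offered):
    """Ingress policing for one interval: returns (conforming, tagged, discarded) bytes."""
    conforming = min(offered, circuit.peak)
    excess = offered - conforming
    if circuit.klass != "BEFR" or not circuit.tag_excess:
        return conforming, 0, excess          # PFR/VFR excess is always discarded
    return conforming, excess, 0              # BEFR excess carried but tagged

def forward(circuits, offered, uplink):
    """One interval through the aggregated uplink. offered: name -> bytes at the port.
    Returns (sent, dropped) per name; tagged bytes go only if capacity remains."""
    policed = {c.name: police(c, offered.get(c.name, 0)) for c in circuits}
    sent = {c.name: 0 for c in circuits}
    dropped = {c.name: policed[c.name][2] for c in circuits}
    remaining = uplink
    for c in sorted(circuits, key=lambda c: RANK[c.klass]):   # conforming, by class
        take = min(policed[c.name][0], remaining)
        sent[c.name] += take
        dropped[c.name] += policed[c.name][0] - take
        remaining -= take
    for c in circuits:                        # tagged bytes ride on leftover capacity
        take = min(policed[c.name][1], remaining)
        sent[c.name] += take
        dropped[c.name] += policed[c.name][1] - take   # egress discard under congestion
        remaining -= take
    return sent, dropped

CIRCUITS = [                                  # constructed sample configuration
    Circuit("voice", "PFR", peak=200),
    Circuit("video", "VFR", peak=400),
    Circuit("data1", "BEFR", peak=300, tag_excess=True),
    Circuit("data2", "BEFR", peak=300, tag_excess=False),
]
UPLINK = 1300                                 # bytes per interval on the aggregate

def demo():
    busy = forward(CIRCUITS, {"voice": 250, "video": 400, "data1": 500, "data2": 500}, UPLINK)
    idle = forward(CIRCUITS, {"voice": 250, "video": 0, "data1": 500, "data2": 500}, UPLINK)
    return busy, idle
```

In the busy interval only 100 of data1's 200 tagged bytes fit after conforming traffic is served; with the video circuit idle all 200 are forwarded, while data2's excess is discarded at ingress in both cases.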

Information Assurance Elements

Type 1 Encryption for TRANSEC

Figure 4 depicts three different IP users and a legacy serial data circuit being policed and aggregated by the PacketAssure before framing and switching the data to a serial EIA-530 data port. The PacketAssure encapsulates the cipher data in IP packets and sends the packets to an IP radio for transmission. This allows for the use of military or commercial radio systems in a secure environment.

Figure 4. PacketAssure with Type 1 Encryption over TRANSEC

Data Separation

Each data port on the PacketAssure has its own memory buffer assigned to it. The system maintains data separation between different user ports without adding the additional overhead of a VPN layer.

PacketAssure Enhances IP-Based Modems

As the DoD transitions to IP-based networking there are a number of IP-based RF modems being introduced into the network. Many of these modems incorporate a small access router. The processor of a small access router can easily be overwhelmed by the requirements of handling varying packet sizes. This results in significant latency or throughput issues. The PacketAssure relieves this router of policy decisions and varying packet sizes, allowing the IP modem to use its processing power to route the traffic efficiently to its intended destination.

DoD Plans

The PacketAssure system was demonstrated as an element in the Flexible Converged Services System during JUICE 2006 at Fort Monmouth. DNE continues compliance and certification testing with a number of DoD agencies throughout 2007.

[1] National Information Systems Security (INFOSEC) Glossary, NSTISSI No. 4009, January 1999.
[2] National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, CNSSP-15 Fact Sheet #1, June 2003.
[3] The High Assurance IP Encryption (HAIPE) Guideline describes NSA's recommendation for inline encryption of data.