ECE537/10 #1 Spring 2009 © 2000-2009, Richard A. Stanley ECE537 Advanced and High Performance Networks 10: HAIPE, Management in High- Speed Networks Professor Richard A. Stanley, P.E.


Page 1: ECE537/10 #1Spring 2009 © 2000-2009, Richard A. Stanley ECE537 Advanced and High Performance Networks 10: HAIPE, Management in High-Speed Networks Professor

ECE537/10 #1 Spring 2009 © 2000-2009, Richard A. Stanley

ECE537 Advanced and High Performance Networks

10: HAIPE, Management in High-Speed Networks

Professor Richard A. Stanley, P.E.


ECE537/10 #2

Overview of Tonight’s Class

• Student presentations/discussions

• Review of last time

• Overview of management issues in high-speed networks


ECE537/10 #3

Last time

• There are an increasing number of approaches for providing minimum levels of service over packet networks

• Many of these schemes do not fit nicely into the n-layer protocol model (e.g. MPLS)

• Many of these schemes do not interoperate well with one another, so decisions must be taken about implementation


ECE537/10 #4

HAIPE

• High Assurance Internet Protocol Encryption

• Developed to provide IPsec-like encryption in a Type 1 cryptographic device (i.e., one certified by NSA for protecting classified U.S. government traffic, as defined on the next slide)

• Increasingly found in military networks, and often misunderstood


ECE537/10 #5

Type 1 Cryptographic Product

• NSA endorsed classified or controlled cryptographic item for classified or sensitive U.S. government information, including cryptographic equipment, assembly or component classified or certified by NSA for encrypting and decrypting classified and sensitive national security information when appropriately keyed.


ECE537/10 #6

Type 2 Cryptographic Product

• NSA endorsed unclassified cryptographic equipment, assemblies or components for sensitive but unclassified U.S. government information.


ECE537/10 #7

Type 3 Cryptographic Product

• Unclassified cryptographic equipment, assembly, or component used, when appropriately keyed, for encrypting or decrypting unclassified sensitive U.S. Government or commercial information, and to protect systems requiring protection mechanisms consistent with standard commercial practices. A Type 3 Algorithm refers to NIST endorsed algorithms, registered and FIPS published, for sensitive but unclassified U.S. government and commercial information.


ECE537/10 #8

Type 4 Cryptographic Product

• A Type 4 Algorithm refers to algorithms that are registered by the NIST but are not FIPS published. Unevaluated commercial cryptographic equipment, assemblies, or components that neither NSA nor NIST certify for any Government usage.


ECE537/10 #9

Example of HAIPE Tunnel

• Diagram of Tunnel design


ECE537/10 #10

Design of HAIPE

• Example of HAIPE design

• Breakdown of IP traffic

• HAIPE on both sides of the connection


ECE537/10 #11

Packet Format Examples


ECE537/10 #12

Compression

• HAIPE can compress many pieces of data

• Plain text compression


ECE537/10 #13

HAIPE Configuration Steps

• Configure and set up the Security Policy Database (SPD) for plaintext and ciphertext

• Configure and set up the Security Association Database (SAD)

• Configure and set up Traffic Flow Security (TFS)

• Configure the HAIPE Generic Discovery Client

• Understand and configure the HAIPE Internet Key Exchange (IKE)

• Configure and set up the HAIPE peers and transforms

• Set up a tunnel between two HAIPE devices

• Solicit a Transmit Address Table (TAT)
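The first two configuration steps above (SPD, then SAD) are the IPsec model that HAIPE inherits, and they are where most real mistakes happen: a policy that lets traffic leak unprotected, or an inbound SA that accepts whatever the far side sends. The following is an added example, not HAIPE's or any vendor's code, that models the two databases and the checks an inline encryptor has to make on each packet: fail-closed policy lookup, SA selection, an ESP-style anti-replay window, and the RFC 4301 rule that a decapsulated packet must match the selectors of the SA it arrived on. All addresses, SPIs and policies are constructed for illustration; "NEED_SA" stands in for the point where IKE or peer discovery would have to run.

```python
# Added example, not HAIPE's or any vendor's code: a simplified model of the
# IPsec-style Security Policy Database (SPD) and Security Association Database
# (SAD) that the configuration steps above populate, with the checks a real
# encryptor must make: fail-closed policy lookup, SA selection, anti-replay and
# the RFC 4301 rule that a decapsulated packet must match its SA's selectors.
# All addresses, SPIs and policies are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    src: str                      # CIDR on the red (plaintext) side
    dst: str
    proto: Optional[int] = None   # None = any
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                   # PROTECT, BYPASS or DISCARD
    peer: Optional[str] = None    # black-side address of the remote encryptor


@dataclass
class SA:
    spi: int
    peer: str
    selector: Selector            # traffic this SA is permitted to carry
    seq: int = 0                  # outbound sequence counter
    highest_seen: int = 0         # inbound anti-replay state
    window: int = 64
    seen: set = field(default_factory=set)


FAIL_CLOSED = Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD")


class Encryptor:
    """Policy engine of an inline encryptor: SPD consulted first (ordered, first
    match wins), then SAD. Anything the SPD does not explicitly allow is dropped,
    so no red-side traffic can reach the black side unprotected by accident."""

    def __init__(self, spd, sad):
        self.spd = list(spd)
        self.sad = {(sa.peer, sa.spi): sa for sa in sad}

    def lookup_policy(self, pkt: dict) -> Policy:
        return next((p for p in self.spd if p.selector.matches(pkt)), FAIL_CLOSED)

    def outbound(self, pkt: dict):
        """Red -> black. Returns (action, detail)."""
        pol = self.lookup_policy(pkt)
        if pol.action != "PROTECT":
            return pol.action, None
        for sa in self.sad.values():
            if sa.peer == pol.peer and sa.selector.matches(pkt):
                sa.seq += 1
                return "PROTECT", {"spi": sa.spi, "seq": sa.seq, "peer": sa.peer}
        return "NEED_SA", pol.peer    # no SA yet: run IKE / peer discovery first

    def inbound(self, peer: str, spi: int, seq: int, inner: dict):
        """Black -> red, after decryption and integrity check have succeeded."""
        sa = self.sad.get((peer, spi))
        if sa is None:
            return "DISCARD", "unknown SA"
        if not self._replay_ok(sa, seq):
            return "DISCARD", "replayed or stale sequence number"
        if not sa.selector.matches(inner):   # peer may only inject traffic it negotiated
            return "DISCARD", "inner packet outside SA selectors"
        return "FORWARD", inner

    @staticmethod
    def _replay_ok(sa: SA, seq: int) -> bool:
        """Sliding-window replay check in the style of ESP (RFC 4303), simplified."""
        if seq <= 0 or seq in sa.seen or seq <= sa.highest_seen - sa.window:
            return False
        sa.highest_seen = max(sa.highest_seen, seq)
        sa.seen = {s for s in sa.seen if s > sa.highest_seen - sa.window} | {seq}
        return True


# Constructed red-side policy: local site 10.1.0.0/16, protected peer site 10.2.0.0/16,
# a second site for which no SA has been negotiated yet, and implicit discard of the rest.
SPD = [
    Policy(Selector("10.1.0.0/16", "10.1.0.0/16"), "BYPASS"),
    Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", peer="198.51.100.2"),
    Policy(Selector("10.1.0.0/16", "10.3.0.0/16"), "PROTECT", peer="203.0.113.7"),
]
SAD = [
    SA(spi=0x1001, peer="198.51.100.2", selector=Selector("10.1.0.0/16", "10.2.0.0/16")),  # outbound
    SA(spi=0x2001, peer="198.51.100.2", selector=Selector("10.2.0.0/16", "10.1.0.0/16")),  # inbound
]

if __name__ == "__main__":
    enc = Encryptor(SPD, SAD)
    print(enc.outbound({"src": "10.1.5.5", "dst": "10.2.7.7", "proto": 6}))
    print(enc.outbound({"src": "10.1.5.5", "dst": "10.3.7.7", "proto": 6}))
    print(enc.outbound({"src": "10.1.5.5", "dst": "8.8.8.8", "proto": 17, "dport": 53}))
    print(enc.inbound("198.51.100.2", 0x2001, 1, {"src": "10.2.1.1", "dst": "10.1.2.2", "proto": 6}))
    print(enc.inbound("198.51.100.2", 0x2001, 1, {"src": "10.2.1.1", "dst": "10.1.2.2", "proto": 6}))
```

The ordering matters: the SPD is consulted before any SA is touched, the default when nothing matches is DISCARD rather than BYPASS, and on the inbound side the SA lookup, replay check and selector check all happen before anything is forwarded to the red side. Real ESP updates the replay window only after the integrity check passes; this model assumes that check already succeeded.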


ECE537/10 #14

HAIPE Configuration Options


ECE537/10 #15

HAIPE Network Basics


ECE537/10 #16

Sharing the Network Load for Efficiency and Reliability


ECE537/10 #17

Version 1.3.5

• v 1.3.5

– Created to act as a gateway, similar to an application-level proxy server

– Cannot support routing operations

– No open network management (rulesets within the network)

– Additional equipment is necessary in networks to deal with these shortcomings


ECE537/10 #18

Version 3.X

• v 3.X.X

– Able to meet the demands of an IPv6-structured network

– Supports Routing Information Protocol (RIP)

– Preferred version for maintaining larger-scale networks

– Supports integration of single red/black HAIPE devices (less equipment = reduced configuration complexity)

ECE537/10 #19

General Dynamics C4 Systems INEs*

• TACLANE (Tactical Local Area Network Encryptor or Tactical FASTLANE)

• TACLANE Micro

– KG-175D

• HAIPE IS version 1.3.5 certified

• Transmits at up to 200 Mb/s

• General Dynamics HAIPE INE Manager is called GEM-X.

* Inline Network Encryption

ECE537/10 #20

General Dynamics C4 Systems INEs

• TACLANE-GigE

– KG-175A

• HAIPE IS version 1.3.5 certified

• Transmits at up to 2 Gb/s

• Older versions of TACLANE such as KG-175 and KG-175B (mini) are no longer available but are supported.

ECE537/10 #21

L3 Communications INEs

• Red Eagle INEs

• KG-240A

• HAIPE IS version 3.0.2

• 100 Mbps

• Managed by L-3's CHM software

ECE537/10 #22

L3 Communications INEs

• KG-245A

• HAIPE IS version 3.0.2

• 1 Gbps

• Interchangeable modules for fiber/copper

ECE537/10 #23

L3 Communications INEs

• KG-245X

• HAIPE IS version 1.3.5

• 10 Gbps

• Interchangeable Fiber Transceivers

ECE537/10 #24

ViaSat INEs

• AltaSEC

• KG-250

• HAIPE IS version 3.0

• 100 Mbps

• Managed by VINE

ECE537/10 #25

ViaSat INEs

• KG-255

• HAIPE IS version 3.0

• 1 Gbps

ECE537/10 #26

General Dynamics INE Example Network

ECE537/10 #27

INE Keying Material

• Operational CIKs

– CIK = Crypto Ignition Key

• Tamper Recovery Key

• PrePlaced Keys (PPK)

– Symmetric keys

– Support multicast

• Firefly Keys (FFV)

– Asymmetric keys

ECE537/10 #28

Fill Devices

• Used to fill INEs with PPK/FFV keys to allow for transmission between devices.

• Simple Key Loader (SKL)

– Developed by Ralph Osterhout and sold to Sierra Nevada Corporation.

– SAIC was then hired by the US Army to develop the software.

ECE537/10 #29

Fill Devices

• Secure DTD2000 System (SDS)

• Developed by Sypris Electronics

• Ribbon cable problems when opening/closing lid

ECE537/10 #30

Fill Devices

• AN/CYZ-10

• DTD (Data Transfer Device)

• Older version that the SKL replaced

• Developed by the NSA


ECE537/10 #31

Bottom Line

• HAIPE will likely be a major part of military networks for a long time to come

• Commercial networks that are unable to use HAIPE will likely seek to develop protocol modifications to IPsec to achieve peer discovery functionality

• Speeds will need to increase to keep pace with network developments

– No one wants slower networking


ECE537/10 #32

Basic Network Management Tasks

• Configuration management

– Keeping track of device settings and how they function

• Fault management

– Dealing with problems and emergencies in the network (router stops routing, server loses power, etc.)

• Performance management

– How smoothly is the network running?

– Can it handle the workload it currently has?


ECE537/10 #33

Must be…

• Interface must be

– Standardized

– Extendable

– Portable

• Management mechanism must be

– Inexpensive

– Implemented as software only


ECE537/10 #34

Functional Areas

• Configuration Management - inventory, configuration, provisioning

• Fault Management - reactive and proactive network fault management

• Performance Management - number of packets dropped, timeouts, collisions, CRC errors

• Security Management - SNMP doesn't provide much here (SNMPv1 and v2c authenticate only by a community string sent in cleartext; SNMPv3 adds user-based authentication and encryption)

• Accounting Management - cost management and chargeback assessment

• Asset Management - statistics of equipment, facility, and administration personnel

• Planning Management - analysis of trends to help justify a network upgrade or bandwidth increase


ECE537/10 #35

SNMP

• Simple Network Management Protocol

• SNMP is a protocol that allows for remote and local management of items on the network including servers, workstations, routers, switches and other managed devices.

• Comprised of agents and managers

– Agent - process running on each managed node collecting information about the device it is running on.

– Manager - process running on a management workstation that requests information about devices on the network.


ECE537/10 #36

SNMP Advantages

• Standardized

• Universally supported

• Extendible

• Portable

• Allows distributed management access

• Lightweight protocol


ECE537/10 #37

Client Pull & Server Push

• The management system (client) “pulls” data from the agent (server)

• The agent (server) “pushes” out a trap message to a (client) management system
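Both directions of the exchange above use the same message format, and the Security Management remark on the functional-areas slide is easiest to appreciate by looking at the bytes. The following is an added example, not part of the lecture and not any vendor's tool: a minimal BER decoder for SNMPv1/v2c messages that reads a manager's GetRequest (the "pull") and an agent's SNMPv2-Trap (the "push"), then reports what a listener on the path learns from them. The two packets are constructed by hand rather than captured from a device; the OIDs (sysDescr.0, sysUpTime.0, snmpTrapOID.0, linkDown) are the standard MIB-2 and SNMPv2-MIB ones.

```python
# Added example (not from the lecture or any vendor): a minimal BER decoder for
# SNMPv1/v2c messages, enough to read a manager's GetRequest ("pull") and an
# agent's SNMPv2-Trap ("push"). The two packets below are constructed by hand,
# not captured from a real device. OIDs are the standard MIB-2 ones.

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "SNMPv2-Trap"}          # 0xA4 (SNMPv1 Trap) has a different layout
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def _decode_sequence(raw: bytes):
    items, pos = [], 0
    while pos < len(raw):
        tag, val, pos = _read_tlv(raw, pos)
        items.append((tag, val))
    return items


def _decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                          # base-128 sub-identifiers
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _decode_value(tag: int, raw: bytes):
    if tag in (0x02, 0x41, 0x42, 0x43):        # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x04:                            # OCTET STRING
        return raw.decode("latin-1")
    if tag == 0x05:                            # NULL (value slot of a request)
        return None
    if tag == 0x06:
        return _decode_oid(raw)
    if tag == 0x40:                            # IpAddress
        return ".".join(str(b) for b in raw)
    raise ValueError(f"unsupported BER tag 0x{tag:02x}")


def decode_snmp(packet: bytes) -> dict:
    """Decode one SNMPv1/v2c message into its header, PDU and variable bindings."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    (vtag, vraw), (ctag, craw), (ptag, praw) = _decode_sequence(body)
    if vtag != 0x02 or ctag != 0x04 or ptag not in PDU_TYPES:
        raise ValueError("not an SNMPv1/v2c message this example understands")
    fields = _decode_sequence(praw)
    request_id, error_status, error_index = (_decode_value(t, v) for t, v in fields[:3])
    varbinds = []
    for _, vb_raw in _decode_sequence(fields[3][1]):
        (_, name_raw), (val_tag, val_raw) = _decode_sequence(vb_raw)
        varbinds.append((_decode_oid(name_raw), _decode_value(val_tag, val_raw)))
    return {"version": VERSIONS.get(_decode_value(vtag, vraw), "unknown"),
            "community": craw.decode("latin-1"),   # plaintext on the wire
            "pdu": PDU_TYPES[ptag],
            "direction": "agent -> manager" if ptag in (0xA2, 0xA6, 0xA7) else "manager -> agent",
            "request_id": request_id, "error_status": error_status,
            "error_index": error_index, "varbinds": varbinds}


def audit(msg: dict) -> list:
    """Security findings for a decoded message: what 'SNMP doesn't provide much' means."""
    findings = []
    if msg["version"] != "v3":
        findings.append("no authentication or encryption: the community string is the only credential and travels in cleartext")
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community string {msg['community']!r}")
    if msg["pdu"] == "SetRequest":
        findings.append("write access attempted with only a community string")
    return findings


# Constructed SNMPv1 GetRequest from a manager for sysDescr.0, community "public".
GET_REQUEST = bytes.fromhex(
    "3026 020100 0406 7075626c6963"
    "a019 02012a 020100 020100"
    "300e 300c 0608 2b06010201010100 0500")

# Constructed SNMPv2c trap from an agent: sysUpTime.0 and snmpTrapOID.0 = linkDown.
TRAP_V2C = bytes.fromhex(
    "3041 020101 0406 7075626c6963"
    "a734 020107 020100 020100"
    "3029 300e 0608 2b06010201010300 4302 03e8"
    "3017 060a 2b060106030101040100 0609 2b0601060301010503")

if __name__ == "__main__":
    for pkt in (GET_REQUEST, TRAP_V2C):
        m = decode_snmp(pkt)
        print(m["direction"], m["pdu"], m["varbinds"], audit(m))
```

Running it on the two constructed packets shows the same header on both the pull and the push, with the community string readable by anyone between agent and manager; the trap additionally tells an observer which interface event just happened on which device. That is the gap the Security Management bullet points at, and the reason management traffic for encryptors is kept on a separate, protected path rather than sent over the network being managed.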


ECE537/10 #38

Built-In Assumption

• The management system can sense issues and respond to them in a timely fashion (i.e., while the action still makes sense)

• This is increasingly difficult to do in high-performance networks


ECE537/10 #39

Some Physics

• d = rt

– where: d = distance traveled, r = rate of speed, t = elapsed time

• To keep things simple, let’s ignore for the moment the fact that electromagnetic waves travel more slowly in cables than in free space


ECE537/10 #40

Example

• For EM waves, r = c = speed of light = 300 x 10^6 meters/second

• Therefore, in one microsecond, our signal travels 300 meters!


ECE537/10 #41

What About Cabling?

• Velocity factor for network cabling is typically between 0.45 and 0.75; for coaxial cable it is about 0.66 (solid dielectric)

• This slows the signal down, but not by much

– In a microsecond, the network signal still travels 135 – 225 meters


ECE537/10 #42

And the Signal?

• For a 100 Mbps Ethernet, what happens in a single microsecond?

(100 x 10^6 bits sent / second) x (10^-6 seconds) = 100 bits on the wire in 1 µsec

• So what?

• Let’s examine some of the implications of this simple application of physics
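The implication the slides are building toward is that the manager's reaction window is fixed by propagation delay and processing time, while the amount of traffic that passes during that window grows with link speed. The following is an added worked example, not part of the lecture, that carries the d = rt arithmetic from the slides through to bits in flight and to the traffic that crosses a managed link between an event and the manager's reaction arriving. The link length, velocity factor and manager processing time in the scenario are constructed for illustration; the rounded c = 300 x 10^6 m/s is the slides' own value.

```python
# Added worked example (not part of the lecture): the d = r*t arithmetic from the
# slides, carried through to bits in flight and to how much traffic passes a
# managed device while the manager notices a condition and its reaction arrives.
# Link lengths and manager processing time below are constructed for illustration.

C_FREE_SPACE = 300e6          # m/s, the rounded value used on the slides
ETHERNET_MTU_BITS = 1500 * 8  # a full-size frame payload, used to convert bits to packets


def distance_travelled(seconds: float, velocity_factor: float = 1.0) -> float:
    """d = r*t with r = c * velocity_factor (1.0 for free space, ~0.66 for solid-dielectric coax)."""
    return C_FREE_SPACE * velocity_factor * seconds


def propagation_delay(distance_m: float, velocity_factor: float = 1.0) -> float:
    """t = d/r: one-way signal delay over distance_m."""
    return distance_m / (C_FREE_SPACE * velocity_factor)


def bits_on_wire(rate_bps: float, seconds: float) -> float:
    """Bits serialised onto the link in the interval (the slides' 100 Mb/s x 1 us = 100 bits)."""
    return rate_bps * seconds


def bits_in_flight(rate_bps: float, distance_m: float, velocity_factor: float = 1.0) -> float:
    """Bandwidth-delay product: bits already transmitted but not yet received at the far end."""
    return bits_on_wire(rate_bps, propagation_delay(distance_m, velocity_factor))


def management_blind_spot(rate_bps: float, distance_m: float, velocity_factor: float,
                          manager_processing_s: float) -> dict:
    """Traffic that crosses a managed link between an event and the manager's reaction
    arriving: a trap (or poll reply) has to reach the manager, the manager has to
    decide, and the reaction has to travel back, so the window is one round trip
    plus processing time."""
    rtt = 2 * propagation_delay(distance_m, velocity_factor)
    window = rtt + manager_processing_s
    bits = bits_on_wire(rate_bps, window)
    return {"window_s": window, "bits_passed": bits,
            "full_size_packets_passed": bits / ETHERNET_MTU_BITS}


def blind_spot_table(rates_bps, distance_m, velocity_factor, manager_processing_s):
    """The same blind spot across link speeds: the window is set by physics and the
    manager, so the traffic that slips through scales linearly with rate."""
    return [(rate, management_blind_spot(rate, distance_m, velocity_factor,
                                         manager_processing_s)["full_size_packets_passed"])
            for rate in rates_bps]


if __name__ == "__main__":
    print(distance_travelled(1e-6))              # 300 m in free space in 1 us
    print(distance_travelled(1e-6, 0.66))        # about 198 m in coax
    print(bits_on_wire(100e6, 1e-6))             # 100 bits in 1 us at 100 Mb/s
    # Constructed scenario: 100 km of fibre (velocity factor ~0.67) and a manager
    # that takes 50 ms to correlate the trap and send a reaction.
    for rate, pkts in blind_spot_table([100e6, 1e9, 10e9], 100e3, 0.67, 0.05):
        print(f"{rate / 1e6:>8.0f} Mb/s: about {pkts:,.0f} full-size packets pass before the reaction lands")
```

In the constructed scenario the round trip is under a millisecond, so the manager's own processing time dominates the window; moving from 100 Mb/s to 10 Gb/s does nothing to that window but lets a hundred times more packets through it, which is the "built-in assumption" of timely response failing as speeds rise.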


ECE537/10 #43

Bottom Line

• Network management becomes an increasingly difficult challenge as network speeds increase

• This is further complicated by more complex protocols requiring more interaction to accomplish network tasks

ECE537/10 #44

Disclaimer

• Parts of the lecture slides contain original work of George Riveire, Jason Riddle, Rahul Parwani, and Chris Francois, and remain copyrighted materials by the original owner(s). The slides are intended for the sole purpose of instruction in computer networks at Worcester Polytechnic Institute.