CENTRIXS: “Interconnecting Coalition Networks”

Presentation transcript:

CENTRIXS: “Interconnecting Coalition Networks”
Gabor Szarka, NC3A CAT9: NII Communications Infrastructure Services
UNIS-TEM, 3rd Dec. 2009, MITRE
NATO UNCLASSIFIED

Agenda
1. CXI phase-1 network interconnect
2. CENTRIXS-GCTF / HOA changing requirement
3. CNFC – NATO interconnect – 4 evaluated options
4. HOA – Phased installation (urgent <-> flexible)
5. Comparison – CXI / HOA different approach

1.1 CENTRIXS-ISAF Network Interconnection Points
- Two Network Interconnection Points in phase-1:
  - ISAF_HQ Kabul
  - KAF – RC-S Kandahar Airfield
- Physical interconnect on base – red fibre, Gbit speed
- Different AS for the management domains – BGP routing among autonomous systems
- Redundancy among Interconnection Points, but on base as well
- Testing with standalone CENTRIXS-ISAF IP stack – changeover 12th Oct

1.2 CXI routing

1.3 Secure VoIP
- Different technology (SIP versus CISCO CM)
- Already existing users under phase 0 (migration)
- Gateway is using a SIP trunk; SIP <-> Call Manager conversion happens on the CENTRIXS-ISAF side of the GW.
- Selected codec – local call G.711 (64 kbps); over the WAN links G.729 shall be used (issues with CUCM and VG) – codec selection during call set-up
- Numbering plan – two different numbering authorities (CENTCOM / NCSA)

1.4 Outstanding issues in phase-1
- IOC CONOPS MOU between two O&M entities shall be agreed
- Visibility on the GW to the other O&M shall be provided
- Read only credentials
- Different management tools
- BGP routing: Originally planned load sharing doesn’t work yet (Kabul primary, KAF standby)
- Secure VoIP function not operational yet over the GW:
  - Functionality tested during original setup – missing elements on the CENTRIXS-ISAF side (CUCM)
  - Numbering plan conflict (migration phase from phase 0 -> phase-1)

2.1 Requirement for CNFC <-> NATO IE
- “Establishment of mission-critical information exchange for mission-classified information between NATO commands, NATO Units and with coalition partners other than NATO through the realization of a NATO POP CENTRIXS”
- “Seamless mission classified information exchange (data, chat, VoIP) between:”
  - SHAPE
  - JC Lisbon
  - CC Mar Northwood
  - NAEW Base
  - Deployed SOCC
  - Flagship of COM SNMG
  - TF 151 (US lead Coalition Operation CMF)
  - EUNAVFOR (EU Operation ATALANTA – TF 465) *
  - Force Contributing Nations within a NATO led TF
  - International maritime liaison organisations (e.g. IMO)

2.2 Situation in the AOO
- The only mission classified network currently available and well established in and for the AOO for Counter-Piracy Operations is CENTRIXS GCTF / CNFC
- Today, NATO is not connected to CENTRIXS, CNFC sub-domain, and this results in a reduction of operational and overall situation awareness for NATO
- NATO as a whole is not part of CNFC yet (NATO nations are part of CNFC COI – national SO allowed only onboard ship)

2.3 CNFC VPN COI inside CENTRIXS
- Functional services: Collaboration @ Sea (CAS) (DHS, TT, Mail)
- Different systems (e.g. IBM based Lotus)
- SAMETIME (CHAT)
- C2PC
[Diagram labels: CENTRIXS; ISAF; GCTF; CMFP; CNFC; SIPR Net; CENTRIXS Four Eyes; CENTRIXS J; CENTRIXS K]
Legend:
- SIPR Net – Secret Internet Protocol Router Network (USA)
- CNFC – (Combined Naval Forces CENTCOM)
- ISAF – GCTF ISAF enclave
- GCTF – (Global Counter Terrorism Forces Network)
- CMFP – Cooperative Maritime Forces Pacific
- K – CENTRIXS US – Republic of Korea
- J – CENTRIXS US – Japan

3.1 Evaluated options (1/2)
- Implementation of a CENTRIXS NATO POP in NATO with connection to relevant NATO elements/entities
  - Use of NATO NGCS WAN with encrypted channels
  - No connection with NATO systems
  - Parallel tunnels (inverse tunneling would mean case by case re-accreditation)
- Same as option 1 without use of NATO NGCS WAN
  - Stove pipe system

3.2 Evaluated options (2/2)
- Gateway between NS NATO systems and CENTRIXS
  - CNFC FASs are proprietary system based (IBM Lotus Domino etc.) – no accredited IEG guards, proxies exist
  - Security accreditation may be more difficult to achieve
- Gateway between MS NATO systems and CENTRIXS (ISAF like solution)
  - Requires the establishment of a new MS domain

3.3 OPTION 1: CNFC extended through NGCS
[Diagram labels: HOA Mission Network; NGCS; NATO POP (SHAPE); CENTRIXS CNFC (HOA Nations); JC Lisbon; (CENTRIXS CNFC); CC Mar Northwood; SHAPE; FLAGSHIP AT SEA]
- Eligibility issue (CENTRIXS traffic over NGCS) – will the funds be available?
- Security issue (Approval to Operate) – who is the authority?
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs?

3.4 OPTION 2: CNFC extended through stove pipes
[Diagram labels: HOA Mission Network; CENTRIXS CNFC (HOA Nations); JC Lisbon; (CENTRIXS CNFC); CC Mar Northwood; SHAPE; FLAGSHIP AT SEA]
- Dedicated communication links
- Establishment of a Mission (i.e. CENTRIXS/CNFC) Domain in Static HQs?

3.5 OPTION 3: CENTRIXS/CNFC-NS
[Diagram labels: CNFC Information Domain; NATO Secret Information Domain; NATO SECRET (28 NATO Nat.); CENTRIXS-CNFC (HOA Nations); NATO POP; Cross Domain Gateways (email, Chat, VOIP); SHAPE; CC Mar Northwood; JC Lisbon; FLAGSHIP AT SEA]
- Direct connection between NS and a non-NATO coalition system
- No accredited guards available for the specific systems

3.6 OPTION 4: CENTRIXS/CNFC-MS-NS
[Diagram labels: CNFC Information Domain; NATO Mission Secret Information Domain; MISSION SECRET (NATO HOA Nat.); CENTRIXS-CNFC (HOA Nations); email; chat; VOIP; NATO POP (SHAPE); NATO SECRET; SHAPE; CC Mar Northwood; JC Lisbon; FLAGSHIP AT SEA]
- Establishment of a Mission Secret Domain?

3.7 Challenges
- Maritime community is using different Core and Functional Area Services – technical and infosec challenges during accreditation (no guards are accredited yet)
- Frequent rotation of Flagship:
  - Different solutions for back-link (national or NATO PoP) – with limited capability to extend satellite links.
  - Individual accreditation for different flagships is not doable in a timely manner (one solution for all)
- MC195 requires “only” NS access from onboard ship
- No Deployed Shore HQ (yet?)

4.1 Phased approach
- Selected options are options 1 and 2 (extend CNFC) – to achieve this NATO should be part of CNFC COI
- Phase 0: Extend CNFC VPN through SHAPE PoP to different static HQs:
  - First step – get NATO access to CNFC
  - Tunnel through existing GCTF access
  - No CNFC services provisioned from the NATO PoP
  - Limited No of seats avail at NATO locations
- Phase 1: Upgrade phase-0
  - CNFC PoP at NATO shall be established (servers)
  - VPN concentrator installation

4.2 NATO Connectivity
[Diagram: CNFC Operational view. Labels: NATO; SNMG; SNMG unit; SNMG flagship; CTF 150; CTF 151; NATO POP; Nation; MCC Northwood; MCC Naples; US NORTHCOM; US NAVCENT; US PACOM; US CENTCOM; US EUCOM; SIPRNet; Operation Allied XYZ; Operation Ocean XYZ; JC Lisbon; JFC Brunssum; JFC Naples; SHAPE; CTF; Oper ATALANTA; CNFC; CNFC NATO POP; CENTRIXS; NGCS]

5.1 CENTRIXS-ISAF CNFC/HOA comparison
CENTRIXS-ISAF:
- Connects to a NATO Mission Secret Network
- Same security classification different O&M
- Connects to NATO Secret through IEG
- Core services based on the same platform (MS)
- Established Mission Secret – large No of users
CNFC/HOA:
- Is used as Mission Secret Network.
- One O&M through the whole of CNFC
- No NATO Secret GW exists
- Different platform (MS <-> IBM)
- IOC – limited No of new users in static HQs

NATO UNCLASSIFIED Releasable to ISAF
CONTACTING NC3A
NC3A Brussels
Visiting address: Bâtiment Z, Avenue du Bourget 140, B-1110 Brussels
Telephone +32 (0)2 7074111, Fax +32 (0)2 7078770
Postal address: NATO C3 Agency, Boulevard Leopold III, B-1110 Brussels - Belgium
NC3A The Hague
Oude Waalsdorperweg 61, 2597 AK The Hague
Telephone +31 (0)70 3743000, Fax +31 (0)70 3743239
Postal address: NATO C3 Agency, P.O. Box 174, 2501 CD The Hague, The Netherlands