2.6.2 Network Protocols

Network protocols provide network transport services between resources on the network. The network protocol standards provide connections, routing, flow control, and data format services for applications to communicate across networks using common protocols without specific knowledge of details of each other's implementation. DODIIS network protocol standards are currently based on DOD TCP/IP network standards with some minor extensions.

The FIRP was recently established to reassess federal requirements for open systems networks and to recommend policy on the Government's use of networking standards. FIRP recommendations include:

As a result of the FIRP report NIST has modified FIPS 146-1 to reflect the FIRP recommendations. The new FIPS has been renamed "Profiles for Open Systems Internetworking Technologies (POSIT)" and issued as FIPS 146-2. FIPS 146-2 will remove the mandate to acquire only OSI protocols to provide interoperability between heterogeneous computer systems. FIPS 146-2 will recommend use of the Industry/Government Open Systems Specifications (IGOSS) - NIST Special Publication (SP) 500-217 - to agencies wishing to acquire computer networking products and services based on the OSI standards. For IPS guidance, the FIPS 146-2 will make general reference to the Internet Engineering Task Force (IETF) voluntary standards and specific reference to Request For Comment (RFC) 1610, the current list of official Internet protocol standards. Finally, the reference to the Government Network Management Profile (GNMP) FIPS 179-1 will be removed.

The FIRP's recommendation is to remove the GOSIP mandate but still achieve interoperable solutions through affinity groups. Within DOD the lead manager and coordinator of data communications protocol standards for DOD affinity groups is the Standards Coordination Committee (SCC). DODIIS intends to actively support DOD affinity groups, as necessary, and follow the interoperability guidelines established by the SCC.

2.6.2.1 TCP/IP

Within the middle three OSI protocol layers, DODIIS will standardize on the DCPS as defined by MIL-STD-2045-14502, which has five parts arranged by protocol layer and type of network service. Table 2-10 shows the relationships of MIL-STD-2045-14502 to protocol layers and types of network services.

TCP provides a connection-oriented service for the end-to-end reliable transport of data between host processes. MIL-STD-2045-14502 also supports UDP, a connectionless transport-level service for network application processing. DOD specifications for IP provide connectionless services for data transfer between hosts.

The IETF Internet Protocol Security (IPSEC) Working Group is developing a security protocol in the network layer to provide cryptographic security services to protect client protocols of IP (IPv4 and IPv6). The protection will support combinations of authentication, integrity, access control, and confidentiality services. The IP Security Protocol (IPSP) is planned to be independent of the cryptographic algorithm and support host-to-host security, and subnet-to-subnet and host-to-subnet topologies.

Table 2-10. Military Standards TCP/IP Services Reference

2.6.2.2 OSI Application Interoperability With TCP Services

One approach for accommodating OSI applications on TCP networks is to adopt OSI application layer protocols but retain the lower layer TCP/IP protocols. This can be accomplished by implementing MIL-STD-2045-14503, Internet Transport Service Supporting OSI Applications, which is based on RFC 1006, ISO Transport Services on Top of the TCP. This approach emulates the OSI transport layer within a TCP/IP protocol stack (see figure 2-4). In essence, MIL-STD-2045-14503 smooths over the differences between the services offered by the OSI and TCP/IP transport layers and allows OSI applications to operate within TCP/IP networks. MIL-STD-2045-14503 provides this capability by mapping the OSI TP0 transport interface to the corresponding TCP/IP transport interface, providing a bridge between OSI and TCP/IP. However, MIL-STD-2045-14503 is not the only method for supporting both DOD TCP/IP and OSI; in some cases alternative methods, such as dual protocol stacks or other forms of protocol stack interoperability, may provide a more effective transition approach. Every DODIIS project that must operate under both protocol suites will have to make implementation decisions based on a cost/technical analysis of the implementation environment and the availability of products.

Figure 2-4. MIL-STD-2045-14503 OSI Applications on TCP/IP Systems
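To make the RFC 1006 mapping concrete, the following added Python example (not code from the standard or from this profile) frames TP0 TPDUs in TPKT records over a TCP byte stream and shows the receiver-side checks a robust implementation needs: reassembling records across arbitrary segment boundaries and rejecting bad version or length fields rather than trusting the peer's header. The TPKT layout, 7-byte minimum and TPDU codes are from RFC 1006 and ISO 8073; the sample payloads and segment split points are constructed for the demonstration.

```python
"""RFC 1006 framing: each ISO transport (TP0) TPDU is carried over TCP inside a
TPKT record: version (1 byte, always 3), reserved (1 byte, 0), and a 16-bit
big-endian length that counts the 4-byte TPKT header itself.  Because TCP is a
byte stream, a receiver must reassemble records across segment boundaries and
reject malformed headers instead of trusting the peer's length field."""

import struct

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
TPKT_MIN_LEN = 7        # RFC 1006: smallest legal record (header + 3-byte DT TPDU)
TPKT_MAX_LEN = 65535

# TP0 TPDU codes (ISO 8073 / X.224): the upper nibble of the code byte
TPDU_NAMES = {0xE: "CR", 0xD: "CC", 0x8: "DR", 0xF: "DT"}


class TpktError(ValueError):
    """Raised when a record violates the RFC 1006 framing rules."""


def encode_tpkt(tpdu: bytes) -> bytes:
    """Wrap one TP0 TPDU in a TPKT record."""
    total = TPKT_HEADER_LEN + len(tpdu)
    if total > TPKT_MAX_LEN:
        raise TpktError("TPDU too large for one TPKT record")
    return struct.pack("!BBH", TPKT_VERSION, 0, total) + tpdu


def encode_dt(user_data: bytes, last: bool = True) -> bytes:
    """Build a TP0 Data (DT) TPDU: LI=2, code 0xF0, EOT bit in the next byte."""
    return bytes([2, 0xF0, 0x80 if last else 0x00]) + user_data


class TpktReassembler:
    """Accumulates TCP stream bytes and returns complete TPKT payloads (TPDUs)."""

    def __init__(self):
        self._buf = b""

    def feed(self, data: bytes):
        self._buf += data
        out = []
        while len(self._buf) >= TPKT_HEADER_LEN:
            version, reserved, length = struct.unpack("!BBH", self._buf[:4])
            if version != TPKT_VERSION:
                raise TpktError(f"bad TPKT version {version}")
            if reserved != 0:
                raise TpktError("reserved byte must be zero")
            if length < TPKT_MIN_LEN:
                raise TpktError(f"TPKT length {length} below minimum")
            if len(self._buf) < length:
                break  # wait for the rest of this record
            out.append(self._buf[TPKT_HEADER_LEN:length])
            self._buf = self._buf[length:]
        return out


def tpdu_type(tpdu: bytes) -> str:
    """Return the TPDU type name ('DT', 'CR', ...) from the code byte after LI."""
    if len(tpdu) < 2:
        raise TpktError("TPDU shorter than LI + code")
    li = tpdu[0]                      # header length excluding the LI byte itself
    if li + 1 > len(tpdu):
        raise TpktError("TPDU length indicator exceeds record")
    return TPDU_NAMES.get(tpdu[1] >> 4, "unknown")


def demo():
    # Constructed sample: two DT TPDUs delivered by TCP in three uneven segments.
    stream = encode_tpkt(encode_dt(b"hello")) + encode_tpkt(encode_dt(b"world"))
    reassembler = TpktReassembler()
    got = []
    for segment in (stream[:3], stream[3:13], stream[13:]):
        got.extend(reassembler.feed(segment))
    # strip the 3-byte DT header to recover the user data
    return [(tpdu_type(t), t[3:]) for t in got]


if __name__ == "__main__":
    print(demo())
```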

2.6.2.3 DOD Router Guidance

DOD provides additional guidance for IP router support that is based on the Internet Protocol Suite. Router configuration for DODIIS sites will comply with the instructions identified in MIL-STD-2045-13500, Internet Relay Profile for DOD Communications. MIL-STD-2045-13500 is top-level guidance for all routing options; specific architecture and configuration decisions are up to the owner of the network. For specific guidance on connecting routers to the DODIIS backbone, sites should refer to JWICS for direction and assistance on router configuration. The goal for most network routing configurations is the Open Shortest Path First (OSPF) routing protocol, which provides enhanced capabilities and a means to implement mesh topologies.

2.6.3 Network Communications

The amount and type of hardware needed to configure a site network will depend upon the physical size of the site, the number and types of applications to be used, and the number of users. This section covers the lower layer communications protocols that support the DODIIS network architecture, provides guidance for selecting site network architectures, and discusses DODIIS network communication standards and new technologies. The lower level protocols provide some independence from the upper level protocols in selecting inter-networking connections and physical media. Various standards-based technical solutions can be devised, using available devices, to address local and inter-networking requirements as they arise. Table 2-11 provides a current view of DODIIS standards-based solutions for networking and communications requirements.

Table 2-11. Network and Communications Protocol Standards

Current DODIIS site network architectures are based on Ethernet standards with FDDI backbones to support larger installations. Ethernet is a LAN-based shared media protocol, originally designed to support file transfer transactions on a host network and limited to 10 Mbps maximum bandwidth. Sites are migrating to distributed computing environments across both LANs and Wide Area Networks (WANs), using GUIs and integrating multimedia data, including voice and images. Current DODIIS site network architectures will not support many of the network computing advancements and will require a gradual transition to new technologies as they mature. Interfaces for DODIIS sites are also evolving to support the new technologies and provide more comprehensive data communications coverage for transmitting and receiving intelligence data between DODIIS sites and field units.

When selecting hardware, sites should ensure that all network components are compatible with the ISO 8802-3 specification. The FDDI link and physical level communication standards (ISO 9314) are discussed later in this section. MIL-STD-187-700 provides detailed technical standards and design objectives to allow strategic and tactical users to share digital information across common user communications systems.

2.6.3.1 Local Area Networks (LANs)

There are numerous local factors, physical and organizational, that will affect each DODIIS site network architecture. Each site must determine its own strategies and requirements for grouping and connecting local intelligence organizations and resources. Network performance and loading will drive most site architecture decisions. One strategy is to isolate work groups with their associated processing resources on subnetworks, reducing the network traffic on the site network backbone. This strategy provides administrative granularity, fault isolation, and growth capacity. This strategy will be less effective when some resources are used by multiple work groups or several work groups conduct extensive amounts of collaborative work.

MIL-STD-2045-14502-4 covers DOD configurations for the data link layer on LANs. This standardized profile specification is based on ISO 8802-2 Logical Link Control (LLC). In addition to LLC the DOD standard covers support for Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP) as well as other options covered under Internet RFCs (see appendix C for cross reference of all base standards to MIL-STDs).

Current DOD guidance for LAN physical layer standards is covered in MIL-STD-2045-14502-5, which covers the Media Access Control (MAC) sublayer and physical media. MIL-STD-2045-14502-5 provides the standard profile based on ISO 8802-3. Only 10base5, 10base2, and 10baseT are covered under the current specification, and there are specific directions on the type of cables to be used in office and tactical environments. DODIIS provides further extensions to this specification to support sites and systems using 10baseF configurations (see section 2.6.3.6).

A majority of DODIIS site LAN architectures are based on ISO 8802-3 standards using Carrier Sense Multiple Access/Collision Detection (CSMA/CD) technology. The maximum data rate for Ethernet is 10 Mbps, although there are alternatives to improve the maximum load (see section 2.6.3.6). Commercial 802.3 Ethernet standards are not compatible with the ISO 8802-3 standards. DODIIS users must select Ethernet products that can be configured for, or are compliant with, ISO 8802-3 as specified in MIL-STD-2045-14502-5.

A LAN security standard being monitored is the Standard for Interoperable LAN Security (SILS) (IEEE 802.10). The scope of IEEE 802.10 includes the standardization of the secure exchange of data at the OSI Reference Model (OSIRM) Data Link Layer (Layer 2), the management of cryptographic keys at the Application Layer (Layer 7), and the specification of associated network management objects.

When ISDN and ATM become feasible for use as an integral part of a site's network architecture, additional link layer protocols will be required and will be included as DODIIS standards. The current DODIIS goal is to move towards ATM-compliant network products as they become available at various levels of the network environment. Current expectations include implementing networks using ATM products that will eventually be available at all levels of a network, from WANs to the desktop LAN interface.

2.6.3.2 Metropolitan Area Networks (MANs)

LANs can be connected together by routers to serve a wider community as peers to the local network. The definition of the aggregate LAN depends on the application. MANs link non-contiguous premises within a fixed location. MANs link all of an organization's locations together within a site (campus) using LAN technologies typically at data rates between 10 and 100 Mbps. A MAN is typically a collection of peer subnets connected together using routers and bridges.

IEEE 802.6 defines a strategy for connecting peer networks together at high speeds using a Distributed Queue Dual Bus (DQDB) architecture to support two way communications. Currently Switched Multimegabit Data Services (SMDS) provides technology support for IEEE 802.6 (see section 2.6.3.3 ). It is expected that SMDS and ATM technologies will eventually merge, since they use similar technologies and approaches.

2.6.3.3 Wide Area Networks (WANs)

A WAN uses common carrier leased lines to connect distant site networks and requires additional communications support to cover the distances. Data rates for the DODIIS WAN currently run at 9.6 to 64 Kbps between DODIIS sites and the DODIIS network backbone. Link Access Procedure-Balanced (LAP-B) link protocols are used to provide X.25 packet service between DODIIS sites and to remote sites. Future DODIIS WAN connections are expected to use ISDN services and Link Access Procedure-D (LAP-D) protocols to provide data services at rates up to 1.5 Mbps to DODIIS sites. In addition, ATM, along with B-ISDN and SONET, will eventually evolve to support increased data rates between DODIIS sites (see section 2.6.3.8).

2.6.3.4 Point to Point (PPP) Connections

MIL-STD-2045-14502-3 covers the addition of point-to-point connections using X.25 at the network layer and LAP-B at the data link layer. Both leased/dedicated lines and switched network services are supported. This specification is used in the DODIIS community to provide backside network services from larger intelligence centers to smaller sites that do not have dedicated DODIIS access, and to provide contingency support from major unified commands to deployed locations.

2.6.3.5 Combat Net Radio

MIL-STD-2045-14502-6 is the directive that identifies the means for transmission of IP packets over Combat Net Radio. MIL-STD-2045-14502-6 is the standardized network profile that identifies network services to support MIL-STD-188-220. Combat Net Radio is a slow speed communications device, and there will be limitations to the network services that can be provided. All DODIIS development should identify any possible requirements for data access and communications under these types of conditions and tailor their architectures and services to support this type of network media when required. Alternatives such as character-based interfaces and limited functionality are valid approaches for slow speed interfaces.

2.6.3.6 DODIIS Network Extensions

There are DODIIS network and communications configurations that are not completely covered in the current MIL-STD-2045-14502 baseline. These extensions to the military standards baseline are identified here to provide DODIIS sites and managers with additional options they can use when evaluating their technical approach. Although these options are not covered in the current military standards baseline, it is believed they can be supported under MIL-STD-2045-14502, and they do not relieve DODIIS from meeting the base specification on all other layers.

2.6.3.7 External Communications

DODIIS sites will continue to support connections to various data sources depending on site requirements. Current interface requirements to systems and networks which handle voice, data, and video communications services necessitate the implementation and maintenance of separate components and protocols for each communication medium. DODIIS sites require access to AUTODIN, Defense Secure Network (DSNET), and other systems external to the DODIIS network, such as the NSA PLATFORM II network and the Community On-line Intelligence Network System (COINS).

The ultimate DODIIS objective is to provide multiple types of communication services from a single subscriber loop, rather than multiple loops. Achieving this objective will require the evolutionary integration of Broadband Integrated Services Digital Network (B-ISDN) capabilities and other new technologies (see section 2.6.3.8).

DODIIS Routers.
Connections to external systems and connections between subnetworks which use incompatible protocols will be supported by DODIIS routers. These Core Components should be implemented as components of an internally networked Communications Front End (CFE). The CFE will isolate and centralize the processing of traffic between a site and the external interfaces, normalize incoming traffic to a standard internal distribution format, and convert outgoing traffic from the normalized internal format to one which is supported by the external communication services. Specific implementation guidance for DODIIS routers is provided in section 2.6.2.3.
AUTODIN.
Until an integrated voice, data and video communications services environment is implemented among DODIIS sites, dedicated unique interfaces will continue for each type of DODIIS data traffic. Sites requiring the receipt and transmission of record message traffic must continue to interface to AUTODIN and the Defense Special Security Communications System (DSSCS), and plan to be connected to the DMS (see section 2.6.1.1) when AUTODIN and DSSCS are phased out.
The Communications Support Processor (CSP) developed by the Air Force is currently the most widely used DOD AUTODIN interface product. The CSP-High Order Language (HOL) program is converting the CSP code to modular Ada code that can be executed on various hardware platforms with improved performance. When completed, CSP-HOL will become the DODIIS standard interface to AUTODIN.
The Automated Message Handling System (AMHS) provides communications interfaces to CSP and news wire services. AMHS provides message profiling, storage and distribution to the intelligence analyst and supports retrospective search capabilities for up to five years of archived messages. AMHS also supports the generation, review, and release of record message traffic to CSP for distribution across AUTODIN. AMHS will provide message handling support until AUTODIN is phased out and replaced by DMS; after that it will still be needed for retrospective free-text search of messages, including wire services, and to provide a message store for DMS message traffic.
Defense Secure Network (DSNET).
The DODIIS network backbone provides secure network connectivity between DODIIS sites using communications services provided by DSNET. DSNET3 is specifically used to provide connectivity for the Sensitive Compartmented Information (SCI) portion of the Defense Data Network (DDN). DSNET3 does not currently support the data rates required for integrated (voice, data and video) communications services. Eventually DSNET3 will evolve to a high speed multimedia backbone that will consolidate communications requirements for JWICS video teleconferencing and a planned high speed data backbone.
Joint Worldwide Intelligence Communications System.
JWICS was initiated to support video teleconferencing between distant DODIIS sites. JWICS has evolved from strictly broadcast applications and is merging with DSNET3 and the planned high speed DODIIS classified network to provide multimedia data support among DODIIS sites. The initial JWICS setup will be a hub and spoke configuration controlled from the Network Control Center (NCC) based mostly on the Video Teleconferencing (VTC) requirements. The JWICS goal is to eventually migrate the network topology from the current hub and spoke to a mesh network topology. JWICS network management will provide the capability to schedule some of the communications bandwidth for data services. The goal is to evolve JWICS to a single integrated technology that will handle both packetized data and video. Plans also include Defense Intelligence Systems Network (DISN) providing network management and bandwidth scheduling support to the maximum extent possible.
Tactical Communications.
Because tactical communications environments are often comprised of low speed and/or dedicated resources, it is not always practical to use the high-level packet switching protocols found in networked environments. Additionally, tactical environments normally have requirements for such features as connectionless service at various protocol layers, multipoint addressing and broadcast services, and robust error detection and correction algorithms. Until tactical environments can be supported with advanced communication capabilities, the protocols provided for use with dedicated resources will remain Data Link protocols, which assume exclusive control of the resource in use. Although there are numerous products supporting point-to-point transmission, it is difficult to identify recognized national or international standards. However, when selecting communication products to be used in the tactical environment, sites should choose a commercially available communication protocol that performs file transfers with a variety of systems, rather than developing a unique site-specific capability. In addition, it is critical to take into account any low bandwidth tactical access requirements for DODIIS systems throughout the development effort.
The secondary imagery communications protocols are being defined in Message Transfer Facility (MTF) documents for three environments. For the tactical environment, the Tactical Communications protocol Version 2 (TACO2) MTF has been defined. The TACO2 protocols have been selected specifically for their ability to perform well over circuits that are half duplex and have long turnaround times. TACO2 requires the support of the Serial Line Internet Protocol (SLIP).

2.6.3.8 Emerging Communications Technologies/Standards

Trends for intelligence application requirements are moving towards networked multimedia applications and graphical user interfaces, which increase the demand for communications support that can handle greater amounts of data in a shorter time period. The current DODIIS network architecture will have to evolve towards higher speed network communication technologies to support the increased demands for communications bandwidth at all levels. There are several communications technologies that are emerging as candidates for future DODIIS upgrades. The migration to the new technologies will occur as the standards for these technologies become formally established and compliant products become readily available on the commercial market. The target for the future DODIIS communications backbone is B-ISDN using Asynchronous Transfer Mode (ATM) and Synchronous Optical Network (SONET) services.

ATM.
ATM is being defined within ANSI and ITU-TSS as the transport protocol for B-ISDN. As a switching technology, ATM provides point-to-point connections between network nodes, giving each pair of communicating stations full network bandwidth. ATM is media independent, operating at a wide range of speeds. ATM uses fixed length data cells consisting of 53 bytes (48 for data and 5 for address and error checking) compared to the variable length packets used by Ethernet.
ATM can be intermixed with existing Ethernet and FDDI LAN technologies, by using the ATM Adaptation Layer (AAL) to split larger data packets into ATM data cells and adding the five byte address and error checking header. The AAL also differentiates between non-isochronous data and isochronous data such as video and voice to provide time sensitive support for isochronous communications data. In most cases data is not as time sensitive. The use of ATM at high speeds depends on the widespread availability of public and private communications support such as B-ISDN over SONET.
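The following added Python example (not code from this profile or from any ATM standards body) shows the cell structure described above in working form: it segments a larger packet into 53-byte cells with a 5-byte header and 48-byte payload, computes the header error check so that a receiver can detect a corrupted header before acting on its address, and reassembles the packet on the other side. The header layout and the CRC-8 header check (generator x^8 + x^2 + x + 1, XOR 0x55) are the ITU-T I.432 UNI definitions; the trailer used to recover the original length is a simplified AAL5-style trailer with a zlib CRC-32, an assumption made for the example rather than the exact AAL5 convention, and the packet, VPI and VCI values are constructed.

```python
"""Segmenting a packet into 53-byte ATM cells and reassembling it.  Each cell is
a 5-byte header (GFC, VPI, VCI, PT, CLP, HEC) plus 48 payload bytes.  The HEC is
the ITU-T I.432 CRC-8 over the first four header bytes, XOR 0x55.  The trailer
carrying the original length is a simplification (assumption for this example):
length plus a zlib CRC-32, not the exact AAL5 CRC convention."""

import struct
import zlib

CELL_LEN = 53
HEADER_LEN = 5
PAYLOAD_LEN = 48
TRAILER_LEN = 8   # UU(1) CPI(1) length(2) CRC-32(4)


def crc8_atm(data: bytes) -> int:
    """CRC-8 with generator x^8 + x^2 + x + 1 (polynomial 0x07), MSB first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_header(vpi: int, vci: int, last: bool, clp: int = 0, gfc: int = 0) -> bytes:
    """UNI cell header: GFC(4) VPI(8) VCI(16) PT(3) CLP(1) HEC(8)."""
    if not (0 <= vpi < 256 and 0 <= vci < 65536):
        raise ValueError("VPI/VCI out of range")
    pt = 0b001 if last else 0b000      # PT bit 0 marks the last cell of a frame
    b0 = (gfc << 4) | (vpi >> 4)
    b1 = ((vpi & 0xF) << 4) | (vci >> 12)
    b2 = (vci >> 4) & 0xFF
    b3 = ((vci & 0xF) << 4) | (pt << 1) | clp
    head = bytes([b0, b1, b2, b3])
    return head + bytes([crc8_atm(head) ^ 0x55])


def parse_header(cell: bytes):
    """Return (vpi, vci, last) or None if the HEC does not verify."""
    head = cell[:4]
    if crc8_atm(head) ^ 0x55 != cell[4]:
        return None
    vpi = ((head[0] & 0xF) << 4) | (head[1] >> 4)
    vci = ((head[1] & 0xF) << 12) | (head[2] << 4) | (head[3] >> 4)
    last = bool((head[3] >> 1) & 0b001)
    return vpi, vci, last


def segment(packet: bytes, vpi: int, vci: int):
    """AAL-style segmentation: pad so that payload + trailer fills whole cells."""
    pad = (-(len(packet) + TRAILER_LEN)) % PAYLOAD_LEN
    padded = packet + b"\x00" * pad
    trailer = struct.pack("!BBHI", 0, 0, len(packet), zlib.crc32(padded))
    body = padded + trailer
    cells = []
    for i in range(0, len(body), PAYLOAD_LEN):
        chunk = body[i:i + PAYLOAD_LEN]
        last = i + PAYLOAD_LEN >= len(body)
        cells.append(build_header(vpi, vci, last) + chunk)
    return cells


def reassemble(cells, vpi: int, vci: int):
    """Rebuild the packet; None if any header, the circuit or the trailer check fails."""
    body = b""
    for cell in cells:
        if len(cell) != CELL_LEN:
            return None
        hdr = parse_header(cell)
        if hdr is None or hdr[:2] != (vpi, vci):
            return None                  # corrupted header or wrong circuit: drop
        body += cell[HEADER_LEN:]
        if hdr[2]:
            break
    else:
        return None                      # never saw the last-cell marker
    _, _, length, crc = struct.unpack("!BBHI", body[-TRAILER_LEN:])
    padded = body[:-TRAILER_LEN]
    if length > len(padded) or zlib.crc32(padded) != crc:
        return None
    return padded[:length]


def demo():
    packet = bytes(range(100))   # constructed 100-byte sample packet
    cells = segment(packet, vpi=1, vci=32)
    ok = reassemble(cells, 1, 32)
    # flip one header bit in the second cell: the HEC catches it and the frame is dropped
    bad = bytearray(cells[1])
    bad[2] ^= 0x01
    dropped = reassemble([cells[0], bytes(bad), cells[2]], 1, 32)
    return len(cells), ok == packet, dropped is None


if __name__ == "__main__":
    print(demo())
```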
B-ISDN.
ITU-TSS defines B-ISDN as "a service requiring transmission channels capable of supporting rates greater than the (1.544 Mbps) primary rate". B-ISDN will achieve the higher data rates by utilizing ATM and SONET technologies. B-ISDN will provide interactive and distribution services ranging in bandwidth from 64 Kbps narrowband ISDN bearer channel to a 644 Mbps optical channel. B-ISDN will be able to interconnect LANs and MANs, as well as terminate individual high-speed users, to provide ubiquitous service that meets high bandwidth, bursty, on-demand requirements of future network applications. B-ISDN provides services for the physical, link and network layers of the OSI model.
SONET.
SONET has been developed as a layer 1 and 2 fiber optic transmission service for very high speed facilities. One role of SONET is to provide a follow-on to T1/T3 services by offering the multiplexing of lower speed synchronous services over higher speed lines. Proprietary versions of SONET have been deployed since 1989 and are gaining momentum among local interexchange carriers in the U.S. and internationally. SONET is one of the technologies proposed for future JWICS network support.
The high speeds of SONET will require the multiplexing of slower speed signals to achieve B-ISDN access. SONET will provide the carrier to support high speed multimedia access on the DODIIS backbone providing support for time sensitive network data such as video teleconferencing.

2.6.4 Network Management

The importance of a consolidated DODIIS approach towards network management has only recently been recognized. The transition towards the client-server architecture environment and the consolidation of intelligence processing resources at central sites call for a management strategy that centralizes system management support while still providing timely and effective fault detection and maintenance responses to remote sites.

Network management strategies are evolving from equipment-based reporting of operating parameters to an object-oriented management environment that identifies Specific Management Functional Areas (SMFAs) and Specific Management Functions (SMFs) (see sections 2.9.1.2 and 2.9.1.3) across the entire network. Section 2.6.4 concentrates on the specific services, protocols, and information structure required to implement a DODIIS network management strategy.

There are two areas of discussion for network management in DODIIS standards. The first area identifies the protocol and service standards for network entities (objects) to collect and report management information, and the management application standards for using that information. Network entities include protocol layers, software, hardware, and communication devices. The second area focuses on management information format and management structure standards for providing DODIIS system managers with a concise snapshot of current and historical parameters for the network. The use of standard management protocols allows the collection of management information in a consistent manner that permits sharing of management information between management domains (see section 2.9).

Purchase of network components for the DODIIS network environment will consider the capabilities for each component to report management information in the formats specified. The standard network management protocols supported by DODIIS components will be at a minimum the following:

SNMP is the primary implementation available with current commercial network products. MIL-STD-2045-17507 is a three-part specification that covers the protocol, the Management Information Base (MIB), and the structure and identification of management information. The DODIIS goal is to migrate to SNMPv2 when sufficient products become available on the commercial market. The major impetus for DODIIS migration to SNMPv2 is improved security support and peer-to-peer sharing of network information.

2.6.4.1 Simple Network Management Protocol

For the near term, the DODIIS community standard for reporting network management information will be SNMP as defined in MIL-STD-2045-17507-1. SNMP is currently available in numerous commercial network products. SNMP provides a very basic service that has six types of Protocol Data Units (PDUs). The simplistic nature of SNMP prevents it from addressing additional network management needs, including peer-to-peer management, data sharing, and bulk data transfers. Concerns have also been expressed about the security of the SNMP protocols. All of these shortfalls are being addressed by the IETF in a concerted effort to replace the SNMP network management structure with a new version identified as Simple Network Management Protocol Version 2 (SNMPv2).

2.6.4.2 Simple Network Management Protocols Version 2 (SNMPv2)

Simple Network Management Protocol Version 2 (SNMPv2) became an Internet Standard during 1993. SNMPv2 allows entities to act as agents and managers, support peer-peer management and perform bulk data transfers. SNMPv2 also has enhanced security features including "parties" which limit operations for entities to specific subsets of all SNMPv2 operations. At this time it is expected that DODIIS will migrate to SNMPv2 compliant products as they become readily available in the commercial market.

SNMPv2 has kept most of the PDUs that were available in SNMP and has a section addressing coexistence between SNMP and SNMPv2. The preferred transport protocol for SNMPv2 will be UDP, but there are transport mappings described for alternate protocol suites.

SNMPv2 also adds to SNMP security, and will provide bulk data retrieval and support for high speed networks. It is expected that there will be a co-existence of SNMP and SNMPv2-based products.

MIL-STD-2045-17507-2 identifies the specific management information elements required to support network management. Since the current MIB definitions will not cover all possible elements, MIL-STD-2045-17507-3 identifies Abstract Syntax Notation One (ASN.1) as the standard for describing all MIB structures.

2.6.4.3 Open Management Interoperability Point (OMNIPoint)

OMNIPoint represents a practical approach to network management based on consensus among users, suppliers, and standards organizations brought together as partners in the Network Management Forum (NMF). OMNIPoint is a set of standards, implementation specifications, testing methods, tools, and object libraries that make possible the development of interoperable management systems and applications. The first specification, OMNIPoint 1, defines a complete infrastructure that, when implemented, enables management systems to interoperate and exchange information in a common way, as shown in figure 2-5. While building on the stability of international standards, OMNIPoint goes well beyond them to specify exactly what suppliers must implement in order to satisfy a specific user need. OMNIPoint gives suppliers the information they need to create off-the-shelf technology or to employ such technology in the development of a management system.

Figure 2-5. OMNIPoint 1 Management Model

2.6.5 Network Security Services

DODIIS network security services are those being developed for DOD, as defined in Volume 6 of the TAFIM, DOD Goal Security Architecture (DGSA), and those defined within ISO 7498-2-1988 (E) - Part 2: Security Architecture. In particular, the DGSA provides the abstract security architecture and security requirements that are to be applied throughout the DOD. The DGSA specifies security principles and target security capabilities that will guide system security architects in creating DOD-compliant security architectures. DODIIS intends to align its objective security architecture with that defined in the DGSA as these requirements become finalized and products become available. ISO 7498-2 provides a general description of security services and related mechanisms which may be provided by the OSI Basic Reference Model (ISO 7498), and defines the positions within the OSI Basic Reference Model where the security services and mechanisms may be provided. The security services defined are authentication (peer entity and data origin), access control, data confidentiality (traffic flow, connectionless, connection oriented, and selective field), data integrity (connectionless, selective field connectionless, connection oriented with recovery, connection oriented without recovery, and selective field connection oriented), and non-repudiation (of origin and delivery). ISO 7498-2 also identifies pervasive security mechanisms that are not specific to any particular security service. These mechanisms include trusted functionality, security labels, event detection, security audit trail, and security recovery. The following sections briefly discuss current and emerging DODIIS standards for network security.

2.6.5.1 DODIIS Network Security for Information Exchange

The DMB approved the DNSIX 2.1 specifications in 1991. Detailed information on the DNSIX modules and design can be found in the DNSIX Interface Specifications, Version 2.1 (DDS-2600-5984-91) and the DNSIX Detailed Design Specification, Version 2.1 (DDS-2600-5985-91).

DIA is working closely with the DISA Center For Standards (CFS) to ensure that evolving DOD network security standards address DODIIS security needs. The DODIIS objective is to implement COTS solutions that are widely employed across the DOD community.

There are several COTS router products that implement the DNSIX Network Level Module (NLM) and some plan to offer the Audit Trail Module. In addition, there are COTS trusted networking products for CMWs that are designed to be backward compatible with DNSIX 2.1. These trusted products provide additional security capabilities (e.g., token mapping, security attribute modulation) that go beyond the DNSIX 2.1 specifications. These products will be needed by DODIIS sites that have near-term requirements for trusted interfaces (e.g., Ops/Intel Interface).

2.6.5.2 Trusted Systems Interoperability Group (TSIG)

DIA and DODIIS members are participating in industry forums to ensure that the government's functional requirements for network security are included in emerging standards. One prominent industry forum working towards this goal is the TSIG. The TSIG was created so that common B1/CMW security solutions and specifications could be developed and shared among vendors developing trusted Unix-based products. The working groups of TSIG include the Trusted Applications working group and the Trusted Administration working group. The primary products of TSIG are proposed trusted systems interoperability specifications. Two TSIG developed specifications were submitted to the IETF for possible consideration as Internet Architecture Board (IAB) RFCs. The two submitted specifications were the Trusted Network File System (TNFS) and the Common IP Security Option (CIPSO).

2.6.5.3 Internet Engineering Task Force

DODIIS is monitoring standards progressing within the IETF for potential inclusion within the DODIIS Profile. The IETF has a number of security-related working groups that are coordinated by the Security Area Directorate and the Security Area Advisory Group (SAAG). The working groups are developing security-oriented protocols and candidate Internet standards, most of which would benefit the DODIIS community. These working groups are currently addressing the following areas:

Future Internet standards developed in support of these areas will be monitored for potential inclusion in the DODIIS Profile.

2.6.5.4 Multilevel Information System Security Initiative

MISSI is an NSA initiative. The purpose of MISSI is to provide a set of products that can be used to build or enhance security architectures. MISSI products are intended to be flexible so that they can be combined and configured in different ways to meet a variety of operational security and mission needs. MISSI objectives are to provide capabilities that are affordable, compatible with commercial technology, and extensible to support new security standards. MISSI products and services include:

The DODIIS community intends to take advantage of MISSI products and services to provide security capabilities within and across DODIIS sites and to remain interoperable with the DOD security infrastructure.

2.6.5.5 OSI Security Protocols

SDNS, a joint program of the U.S. Government and computer industry representatives, developed OSI security protocol specifications for data networking. These specifications were published by NIST. The NIST publications are Secure Data Network System (SDNS) Network, Transport, and Message Security Protocols (NISTIR 90-4250), Secure Data Network System (SDNS) Access Control Documents (NISTIR 90-4259), and Secure Data Network System (SDNS) Key Management Documents (NISTIR 90-4262). The four SDNS protocols defined are the Security Protocol at Layer 3 (SP3), the Security Protocol at Layer 4 (SP4), the Message Security Protocol (MSP), and the Key Management Protocol (KMP). The SP3 and SP4 specifications have become ISO standards and are referred to as the Network Layer Security Protocol (NLSP) (ISO IS 11577) and the Transport Layer Security Protocol (TLSP) (ISO IS 10736), respectively. MSP will be used within the Defense Message System (DMS) to provide message handling security services (see section 2.6.1.1). The DODIIS community is participating in the DMS program to ensure message interoperability across the DOD community.

There are several OSI security-related standards that are in various stages of the ISO standards process. OSI security standards being monitored for potential inclusion within the DODIIS Profile include:

IEEE standard 802.10 specifies how to use encipherment to provide secure data exchange in the MAC sublayer of the OSI Data Link Layer of LANs.



DoDIIS Profile of the Technical Reference Model - Feb 1995 - Draft