
US (DISA) - NATO (NC3A) ACP 145 Activity

Defense Information Systems Agency. A Combat Support Agency. US (DISA) - NATO (NC3A) ACP 145 Activity UNIS TEM 6 – COI Services & Applications Breakout Session December 1, 2009. Leon Schenkels NC3A Core Applications Core Enterprise Services. Dan White




Presentation Transcript


  1. US (DISA) - NATO (NC3A) ACP 145 Activity
     Defense Information Systems Agency, A Combat Support Agency
     UNIS TEM 6 – COI Services & Applications Breakout Session, December 1, 2009
     Leon Schenkels, NC3A Core Applications, Core Enterprise Services
     Dan White, DISA DMS & National Gateway Technical Support Branch

  2. Purpose
     • Provide a synopsis of recent ACP 145 Allied messaging gateway activity between NATO/NC3A and DISA

  3. Topics
     • Reason for testing
     • Background
     • Test environment
     • ACP 145 services exercised
       • Directory services
       • Messaging services
       • Security services
     • Schedule
     • Lessons learned
     • Summary

  4. Reason for Testing
     • The NC3A engineering group obtained initiative funding to perform preliminary ACP 145 interoperability testing with the US
     • NC3A wanted to evaluate:
       • Feasibility of the ACP 145 allied messaging gateway concept
       • An alternative ACP 145 gateway product
       • The NATO centralized Alliance Replication Hub (ARH) directory architecture
       • NATO-US PKI interoperability
     • The desire was to complete the test effort prior to the end of the NATO fiscal year 2009 (CY 09)
     • The initial testing scope was focused on ACP 123 / STANAG 4406 interoperability, including PKI, Directory, and implicitly DMS/NMS interoperability

  5. Background (1)
     • Messaging interoperability between the US and NATO is currently provided by legacy (ACP 127 / ACP 128) message switching systems at the NATO AIFS and the US National Gateway Centers
     • Message traffic exchanged between NATO and the US during October 2009 was 45K messages; traffic volumes are considerably higher during joint exercises
     • Although the ACP 123 and STANAG 4406 agreements for military messaging interoperability have been in place for many years, there was no common agreement on a security protocol for providing end-to-end confidentiality, integrity, and non-repudiation services
     • The CCEB nations agreed to interconnect national ACP 123 / STANAG 4406 systems using messaging gateways, resulting in the definition and ratification of ACP 145 (CCEB) and ACP 145(A) (NATO)
     • In March 2009 NATO ratified ACP 145(A)

  6. Background (2)
     • ACP 145 employs P772 military message content encapsulated in a CMS content type that carries an S/MIME ESS security label, over X.400 transport
     • The CCEB nations and NATO agreed to use X.500 for directory services
     • The CCEB nations and NATO ratified the ACP 133(C) Directory Schema
     • The CCEB nations have a current agreement (ACP 137) for bilateral directory replication, exchanging directory information as LDIF attachments to messages
     • NATO provides a centralized directory hub, the Alliance Replication Hub (ARH), for all NATO nations to exchange directory information
     • Between the gateways, the CCEB nations and NATO agreed to use X.509 PKI as the mechanism for message integrity (PKI signing) and to support a chain of trust for non-repudiation services
     • Confidentiality is handled via network layer encryption

  7. Test Environment
     • Testing was performed between the NATO lab and the US lab over the Internet using a Virtual Private Network (VPN)
     • [Diagram: NATO ACP 145 GW, US ACP 145 GW, DISA DMS Testbed]

  8. Messaging Services
     • The US used the CommPower US ACP 145 Gateway product that is operational today on the US-UK ACP 145 gateway system
     • NATO used the ClearSwift Deep-Secure ACP 145 Gateway product
       • NATO selected this product for testing in order to evaluate an alternative ACP 145 Gateway product and verify vendor product interoperability
     • Leveraged the existing UK – US ACP 145 messaging interoperability test plan
       • P772 Elements of Service (EoS)
       • Security labeling
       • Notifications and receipts
       • Address lists
       • PKI

  9. Directory Services
     • The NATO Concept of Operation employs a centralized directory hub, the Alliance Replication Hub (ARH)
     • Member nations use either DISP (X.500) or LDAP to push their entries into the ARH and pull other nations’ entries
     • The US successfully used a COTS product (ISODE Sodium Sync) to synchronize directory entries with the ARH while performing conversions between the ACP 133 and US DMS directory schemas
     • Demonstrated LDAP strong authentication using two alternative mechanisms:
       • LDAPS (over SSL), providing only transport level authentication and confidentiality services
       • LDAP with SASL/EXTERNAL (leveraging the TLS credentials)

  10. Security Services
     • US – NATO established a bilateral security label mapping agreement for the exercise
     • Utilized both US and NATO PKIs
       • Replicated via the ARH directory
       • Used by the ACP 145 gateways to sign messages on origination, verify signatures on receipt, and provide CRL checking and certificate hierarchy validation
     • Non-repudiation is based on an end-to-end chain of trust:
       • NATO originator to GW using a NATO digital signature
       • GW to GW using US DoD PKI and NATO digital signatures
       • GW to US recipient using US Fortezza signature and encryption

  11. Schedule

  12. Preparation and Coordination
     • Held bi-weekly VTC / teleconferences
     • Established an operational VPN between the test labs
     • Developed a security label mapping agreement
     • Configured the ACP 145 gateways and directory servers
     • Tailored / refined the existing interoperability test plan
     • Received responsive vendor support in turning around fixes
     • Reworked the existing US directory replication mechanism to support the NATO replication hub
     • Utilized collaborative capabilities (chat) to simplify test coordination
     • Established a web site for recording test execution and test results

  13. Test Results

  14. Findings: PKI Support
     • The NATO and US gateways successfully replicated and utilized their partner nation's PKI
     • Some minor discrepancies were encountered during certificate validation processing:
       • The US gateway had difficulty resolving the trust of the NATO PKI certificate path from the NATO root; however, adding the intermediate NATO CA as a trust point served as a workaround
       • The US ACP 145 Gateway expects the CRL to be provided in the directory, whereas the NATO PKI requires applications to utilize CRL Distribution Points (CRLDP)
       • The US system requires the NATO certificate policy to be configured in order to successfully validate the certificate chain
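The three path-validation situations in the findings (root as the only trust point with no intermediate available, root with the intermediate supplied, and the intermediate itself configured as a trust point), together with a CRL located through the certificate's CRLDP extension instead of a directory lookup, can be reproduced with a small self-signed hierarchy. The block below is an added example, not code from the briefing or from either gateway product; the CA names, the CRLDP URL and the `fetch_crl` callback are constructed, it uses only ECDSA certificates, and it needs the third-party `cryptography` package.

```python
"""Path building with selectable trust points and a CRL located via the CRL
Distribution Point (CRLDP) extension. Added example; constructed hierarchy."""
import datetime as dt
from cryptography import x509  # third-party 'cryptography' package
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CRLDP_URL = "ldap://crl.constructed.example/intermediate"  # constructed placeholder

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca, crldp_url=None):
    """Issue an ECDSA/SHA-256 certificate; CA certificates get BasicConstraints ca=True."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1))
         .not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if crldp_url:  # where relying parties must look for this certificate's CRL
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            [x509.UniformResourceIdentifier(crldp_url)], None, None, None)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cert, issuer_key, revoked_serials):
    """Build a CRL, signed by the issuing CA, listing the given serial numbers."""
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(now - dt.timedelta(hours=1)).next_update(now + dt.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(now).build())
    return b.sign(issuer_key, hashes.SHA256())

def signed_by(cert, issuer_cert):
    """True if issuer_cert's public key verifies cert's signature (ECDSA only here)."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_path(leaf, intermediates, trust_points):
    """Follow issuer links from leaf until a configured trust point signs the
    current certificate. Returns [leaf, ..., trust point] or None."""
    path = [leaf]
    while True:
        cur = path[-1]
        for tp in trust_points:  # does a configured trust point sign the current cert?
            if tp.subject == cur.issuer and signed_by(cur, tp):
                return path if tp == cur else path + [tp]
        nxt = next((c for c in intermediates if c.subject == cur.issuer
                    and signed_by(cur, c) and c not in path), None)
        if nxt is None:  # issuer is neither trusted nor available: no path
            return None
        path.append(nxt)

def crl_status(cert, issuer_cert, fetch_crl):
    """'good', 'revoked' or 'unavailable', locating the CRL via the CRLDP URL in cert."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return "unavailable"
    for dp in dps:
        for gn in dp.full_name or []:
            crl = fetch_crl(gn.value)
            # accept only a CRL issued and signed by the certificate's own issuer
            if (crl is None or crl.issuer != cert.issuer
                    or not crl.is_signature_valid(issuer_cert.public_key())):
                continue
            hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
            return "revoked" if hit is not None else "good"
    return "unavailable"

def run_scenarios():
    """Constructed root -> intermediate -> gateway chain; returns each situation's outcome."""
    root_key, int_key, gw_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Root CA (constructed)", root_key, "Root CA (constructed)", root_key, True)
    inter = make_cert("Sub CA (constructed)", int_key, "Root CA (constructed)", root_key, True)
    gw = make_cert("ACP 145 GW (constructed)", gw_key, "Sub CA (constructed)", int_key,
                   False, crldp_url=CRLDP_URL)
    return {
        "root_only_no_intermediate": build_path(gw, [], [root]) is not None,
        "root_with_intermediate_supplied": build_path(gw, [inter], [root]) is not None,
        "intermediate_as_trust_point": build_path(gw, [], [inter]) is not None,
        "crl_good": crl_status(gw, inter, {CRLDP_URL: make_crl(inter, int_key, [])}.get),
        "crl_revoked": crl_status(gw, inter,
                                  {CRLDP_URL: make_crl(inter, int_key, [gw.serial_number])}.get),
        "crl_unavailable": crl_status(gw, inter, {}.get),
    }
```

`run_scenarios()` returns `False` for the first case and `True` for the other two, which is the behaviour the finding describes: trusting the intermediate directly works around a root that the relying party cannot chain to, at the cost of a trust point that must be replaced when that CA's certificate expires or is rekeyed. The `fetch_crl` callback stands in for the CRLDP retrieval; a gateway that only reads CRLs from the directory would return `None` there and report `unavailable`, which a strict validator must treat as a failed check rather than a pass.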

  15. Findings: Messaging Support
     • Successfully exchanged messages between the US and NATO over the ACP 145 Gateway
     • NATO and the US use different Elements of Service for correlating Delivery Reports and Non-Delivery Reports with the original message
     • The US messaging system does not support the general text body part
       • The US gateway translates this to the IA5 text body part
       • Some "funny characters" bleed through into the transformed message because the general text escape characters are not processed
     • US messaging components had difficulties with DN values beginning with O=NATO rather than the conventional C= attribute

  16. Findings: Security Labels
     • Establishing a security label mapping agreement was straightforward
     • Security labels were successfully mapped by the gateways
     • Testing with the new DMS Security Policy Information File (SPIF) is still pending

  17. Findings: Directory Replication
     • The US successfully modified its replication mechanism to support the ARH
     • Used a meta-tool (ISODE Sodium Sync) to push and pull directory data to and from the Alliance Replication Hub (ARH) using secure LDAP
     • US directory components rejected entries within the ARH that violated the ACP 133(C) structure rules

  18. Findings: Address Lists
     • Explored additional options (source expansion vs. owner expansion) for expanding ALs
     • Substantial differences in national implementations of address list expansion, mostly because of a lack of guidance in ACP 123 / STANAG 4406 on the AL expansion procedure; differences include:
       • Use of DL expansion history
       • Change of MTS identifier and/or P1 originator
       • Use of DDA
       • Removal of duplicates
       • Exempt address processing
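The variation points listed above are easiest to see in a small expansion routine that makes each of them an explicit decision. The block below is an added example, not code from the briefing or from any national messaging implementation: the address lists, owners and addresses are constructed, the DL expansion history is kept as the ordered set of lists already expanded (which is also what stops a list that refers back to its parent), exempted addresses are modelled on the P772 exempted-address idea of originator-named AL members that must not receive the message, and "owner expansion" is modelled, as an assumption for illustration, as substituting the list owner for the P1 originator on the expanded copies.

```python
"""Address list (AL) expansion with explicit handling of DL expansion history,
duplicate removal, exempted addresses and the P1 originator choice.
Added example with constructed data, not code from any national MTA."""
from dataclasses import dataclass


@dataclass
class AddressList:
    name: str
    members: list   # O/R address strings or names of nested ALs
    owner: str      # becomes the P1 originator under owner expansion


def expand_address_lists(recipients, lists, originator, exempted=frozenset(), mode="source"):
    """Expand every AL name found among `recipients`.

    lists:    {AL name: AddressList}
    exempted: AL members named by the originator that must not receive the
              message (direct recipients are not affected)
    mode:     "source" keeps the submitting originator as P1 originator on the
              expanded copies; "owner" substitutes the AL owner (assumption)
    Returns (deliveries, history): deliveries is the ordered list of
    (address, p1_originator) with duplicates removed; history is the DL
    expansion history, i.e. the ALs expanded, in order.
    """
    deliveries, seen, history = [], set(), []

    def walk(targets, current_originator):
        for target in targets:
            al = lists.get(target)
            if al is None:                   # an ordinary recipient
                if target not in seen:       # duplicate removal across all lists
                    seen.add(target)
                    deliveries.append((target, current_originator))
                continue
            if al.name in history:           # already expanded: stops A -> B -> A loops
                continue
            history.append(al.name)
            next_originator = al.owner if mode == "owner" else current_originator
            walk([m for m in al.members if m not in exempted], next_originator)

    walk(list(recipients), originator)
    return deliveries, history


# Constructed data: AL-OPS nests AL-STAFF, which refers back to AL-OPS.
LISTS = {
    "AL-OPS": AddressList("AL-OPS", ["ops1@nato.example", "ops2@nato.example", "AL-STAFF"],
                          owner="ops-owner@nato.example"),
    "AL-STAFF": AddressList("AL-STAFF", ["staff1@nato.example", "ops1@nato.example", "AL-OPS"],
                            owner="staff-owner@nato.example"),
}
RECIPIENTS = ["AL-OPS", "cmd@us.example", "ops2@nato.example"]
ORIGINATOR = "originator@us.example"
EXEMPTED = frozenset({"staff1@nato.example"})


def demo(mode):
    """Expand the constructed recipients under the given expansion mode."""
    return expand_address_lists(RECIPIENTS, LISTS, ORIGINATOR, EXEMPTED, mode)


if __name__ == "__main__":
    for mode in ("source", "owner"):
        deliveries, history = demo(mode)
        print(f"{mode} expansion, history {history}:")
        for address, p1 in deliveries:
            print(f"  deliver to {address} with P1 originator {p1}")
```

Run as a script, the two modes deliver to the same three addresses (ops1, ops2 and cmd, each once, with staff1 removed and the AL-STAFF back-reference ignored) but differ in the P1 originator carried on the copies that came out of an AL. Two gateways that make different choices at any of these points will disagree on who receives a message and where reports are returned, which is exactly why the slide calls for guidance on the procedure.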

  19. Lessons Learned
     • Up-front analysis of differences in national implementations pays off; examples:
       • Mandatory / optional elements of service
       • Directory schema mapping
     • The Alliance Replication Hub concept did not require extensive software development and offers better scalability than bilateral directory replication
     • Security interoperability
       • Security label mapping agreements are required between each nation pair
       • PKI interoperability is doable, but requires some tweaking

  20. Lessons Learned
     • Continue ACP 145 interoperability testing, to include legacy messaging transition and legacy conversion gateways:
       • US legacy to NATO via the ACP 145 GW
       • NATO legacy to US via the ACP 145 GW
       • Legacy to legacy tunneling over ACP 145
     • More experimentation with address list expansion options

  21. Summary
     • ACP 145 testing efforts between NATO and the US have proven to be a very useful and enlightening experience
     • Very pleasantly surprised by the progress made within a few months, especially given the limited resources dedicated to the effort
     • Overcame minor glitches via workarounds and hot fixes
     • Identified product and other changes needed to migrate to an operational system
     • The ACP 145 allied messaging gateway concept has been validated by three partners: NATO, the UK, and the US
     • The Alliance Replication Hub (ARH) directory concept has been explored and appears to be viable and scalable
