TACOMS+ CONCEPT, ARCHITECTURE & CAPABILITIES
N&S CaT April 2016
Per Carlén (Ex SWE TACOMS member)
Agenda
• Aim
• Background
• TACOMS+
– Aim, scope
– Capabilities
– Services/Functions
– Deliverables
– Future work
• Final words
Aim with presentation
UNCLASSIFIED 3
• Give an insight into TACOMS+ capabilities
• Why? N&S CaT is intermediate CCB/custodian
TACOMS background
UNCLASSIFIED 4
• Focus: Deployable federated networks
• Nations are sovereign, interconnects over a standardized IOP (InterOperability Point)
• As much COTS as possible
[Figure: Phase 1 STANAG family; annexes as listed under each STANAG on the slide]
• ST4637: Tacoms Head Stanag
• ST4639: Interfaces (Annex A: IOP, Annex B: ENAP)
• ST4640: Lower Layer Specifications (Annex A: Cables, Annex B: Ethernet)
• ST4643: CO Protocols (Annex A: Numbering, Annex B: Call Processing, Annex C: Routing, Annex D: Coding, Annex E: Signaling)
• ST4644: CL Protocols (Annex A: Addressing, Annex B: BD, Annex C: Routing, Annex D: QoS, Annex E: Protocols, Annex F: Real-Time Data)
• ST4646: Management Protocols (Annex A: Messaging, Annex B: MIBs, Annex C: SLM)
• ST4647: Gateway Protocols (Annex A: IP, Annex B: ISDN, Annex C: ST4206, Annex D: Mixed / Single Mode IntOp)
• Phase 1 STANAGs (promulgation in 2010) covering OSI L1-L3 + Voice
• “Quickwins” update in 2012
• Interdependencies between services -> complex solutions (static)
Configuration complexity – Phase 1
Number of configurations (places where peers have to be configured) is shown as a function of the number of NEs. Avoid full-mesh! Goal: Keep #conn=#NE-1
[Chart: configurations (0 to 4000) versus number of NEs (1 to 49); two series: configurations with manual LDAP, configurations with auto-LDAP.]
TACOMS+ MoU 2012 - 2016
• Aim/deliverables
– Reference Implementation
– New set of STANAGs
• Then FMN came along… STANAGs -> Support FMN with profiles etc. Note: it was merely the format that was changed, not the conceptual/architectural content.
• Requirements
– TACOMS+ Operation Requirements inherited or derived from
• 15(+) NATO mission types
• Initial FMN Concept paper
• Deliver to NATO and Nations
– Standards/profiles
– Comprehensive implementation guidance, incl. implementation test cases and results
TACOMS+
• Inspirations
– Lessons learned from previous experiences (e.g. AMN, TACOMS phase 1)
– Following FMN concept and capability milestones
• Support for mobility, zero day capability, federated networking
– Aligned with PCN principles
• PCN-like interfaces and Security Architecture and federated management
– ST4711 inspired QoS
• Execution through multi-national MOU
• Deliver to NATO and Nations
– tested standards/profiles
– comprehensive implementation guidance, incl. implementation test cases and results
Scope
IOPs for:
- Deployed strategic
- Tactical Core
- Tactical Edge
Meaning…
- wired (Cu/FO)
- LoS
- Satcom
Meaning…
- Different bearers
- Topology changes
- Autonomous units
[Diagram: IOP-A through IOP-F placed across the Strategic core, Tactical core and Tactical edge.]
Network Architecture
• Common network (FC), composed of national resources.
• Transport service to users
• Users are responsible for protecting their information, using:
• NINE
• SCIP
Note: GW does not refer to SCIP-GW
Security Architecture
• Inherited from the architectural model that IST-069 and IST-103 proposed for PCN
– Separation of “Black Transport Core” and “Red Service/User Domain”
– Same federation principles as with PCN
• PCN: PCore / PCS; TACOMS: FCore / FCS
[Diagram: TACOMS Core/unclass with IPv4 routing; national sites with Routing 1 and Routing 2, Unclass Voice and Mission Secret IPv4/6 enclaves behind a Z boundary.]
PCN – relocation
PCN-1: IOP1-like interface where PCSs (FCSs) interconnect. PCN-2: Typically the COI part of a mil unit connects here.
When Mil unit X relocates, it disconnects from SWE PCN-2 interfaces and connects to NOR PCN-2 interfaces (and gets NOR addresses).
PCN perspective on current TACOMS+ relocation
PCN-1: IOP1-like interface where PCSs (FCSs) interconnect. PCN-2: National matter.
- When Mil unit X relocates, it disconnects from SWE infrastructure and connects to NOR PCN-1 interface.
TACOMS+ Layers
• Bearers in Mission Networks set constraints for the IP layer performance
– Cross layer interaction with the bearer is important to mitigate possible issues arising from bearer dynamics
[Diagram: FCS A and FCS B, each with an Information domain and a Network domain on top of IP; protocol stack Application protocols / IP protocols / GRE/IPSec / Generic bearer; interface points TIP, NIP and IOP; “Users” on each side.]
TACOMS+
• TACOMS builds federated capabilities on top of national assets
• Capabilities are created in layers
– Higher layers use lower layer services
TACOMS+ Bearer Domain
Build on top of national network assets:
• Resource sharing within federation
• Sovereign control of national assets
[Diagram: National Network Domain]
TACOMS+ Network Domain
• Separation of national domain and federation
• Overlay IP network for federation
• IP transport
• Connectionless network service
• DiffServ QoS classes (ST4711)
[Diagram: Federated Network Domain with a NIP at each national border]
TACOMS+ CO Network Domain
• Connection-oriented network service
• DiffServ QoS enhanced with reservations of resources from the service classes
• Traffic Engineering when required
[Diagram: Federated CO Network Domain]
TACOMS+ Information Domain
• Media Services (Voice) with Reservation capabilities
• Multi-level priority and pre-emption
• Name Service with Distributed root & DNSSEC
[Diagram: Federated Information Domain]
Derived requirements –examples
Desired outcomes for Agility, Flexibility & Scalability:
• support (as a minimum) the 15+ NATO mission types
– handle almost any network topology to allow full flexibility and adaptability in missions both on the strategic as well as the tactical level,
– allow for sufficient nodes in the same network (dependent on network topology) as demanded by the mission,
– support ad-hoc networks, i.e. where the topology of the network is unknown prior to the start of the mission,
TACOMS+ Themes & SoWs
Making solutions matching the requirements
• Technical
– Agility and Flexibility: SWE, NOR, DEU, NCI Agency
– Connection Oriented Services: FRA, FIN, DEU, SWE, ITA
– Future IOP Bearers and Interfaces: ITA, FRA, FIN, NCI Agency, (SWE)
– Service Management and Control: tbd
• Cross cutting
– Security: NCI Agency
– Architecture: All
Multinational effort
TACOMS ORGANISATION
BOARD: Project Steering group (representatives of the Participating nations)
EXECUTIVE: International Project Office (Project management and leadership)
NATIONAL ADVISORS: Technical Working Group (Expertise, Guidance, QA review)
V & V: Collaborative Implementation Team (National implementations tested in federation)
WORK PACKAGES: Multi-national team effort, 9 suppliers across 6 Nations (Industry, Academia and Government orgs) and NCI Agency
TACOMS working process
COST <> COTS
• Enhanced standards for federated networking
– Mission Network Transport Services with minimum cost and configuration effort
– Minimise impact on national systems
• reuse existing or planned national equipment
– Build on commercial standards and industry best practice
– Implementable as far as possible with off-the-shelf components or military equipment
COTS and…
• TACOMS+ builds capabilities out from technologies that are mostly based on ‘Cisco-Off-The-Shelf’
• Some of the capabilities require additional control logic that is executed by the side of the COTS device
[Diagram: each device has a COTS forwarding plane and a COTS control plane; a TACOMS control plane runs beside the COTS control plane.]
Design
• As much COTS as possible
• Implementation independent
• Topology agnostic
• No central dependencies
• No full mesh
• Pre-deployment possible
• Fast connect/disconnect (no manual config)
• PCN-type architecture, with ND/ID separation
• Although PCN-type, ”any color” IOP is possible
Capability packages
[Diagram: capability packages CL transport, Auto-connectivity, Name resolution, Time sync, Service Announcement, CO transport, Media, Service Mitigation, KPI Estimation and KPI Dissemination.]
CL Transport
o Federated transport network capability
o Inspired by PCN (implements PCN-1)
o FMN Spiral 1 NIP-G + network functions
Autoconnectivity
o Adds additional capability to make automated attach & detach procedures
o FMN Spiral 1 optional capability
Service Announcement
o Autoconnectivity for services
o Exchange service dependent information elements
Time Sync
o Time Synchronization for Network Domain and Information Domain
Name Resolution
o Federated Root (hidden root in each federated domain)
o DNSSEC: integrity handling
CO Transport
o Generalization of IntServ
o “MPLS-TE+ over IP”
o Provides resource assured connections for arbitrary services
o Sensor systems
o Media transport
Voice
o SIP based VoIP infrastructure model
o Resource Reservation
o Priority calls
o Pre-emption
o SCIP support
o Separation of national domain and federation
o Call Managers in national domain
o SBCs in federation domain
KPI Estimation
o Transmission bearer interrogation
o What kind of networking environment is below the IP
o What can be estimated from the bearer if it is not known
o What can be done co-operatively
KPI Dissemination
o Who needs to know the link/network KPIs
o How those should be disseminated most efficiently
Service Mitigation
o How should the transmission bearer be used to maximize the benefit out of it
o How should the IP layer use the bearer
o How should services adapt to the network conditions
[Diagram: the packages grouped into Information Domain and Network Domain.]
Scratching on the surface
Capability packages, building blocks
• A CP consists of service(s) and function(s)
• A service is what the user sees and utilizes
• A service is built with functions
• For almost every service/function, there are
• Options and justifications
• Technical specification(s)
• Implementation examples
• Test specifications
CL Transport
Required services/functions (capability package CL transport): Routing Function, Authentication Function, Address Plan, PKI Function, Time Service, CL Forwarding Service, FC Protection Function
CL Forwarding service
Main service in TACOMS+: shuffles packets between users, across the FC
– QoS: 4711 CL
[Diagram: CL Forwarding (incoming/outgoing) in the forwarding plane; Routing in the control plane updates the forwarding table from routing protocol updates.]
Routing function
• Supports forwarding of packets
– Unicast, multicast, anycast
• Generic layer towards bearer
• Dual Stack
[Diagram: ASN:x and ASN:y connected over a WAN, each running PIM-SM with a BSR boundary.]
Address- and numberingplan
• Avoid collisions
• Aids in pre-deployment
• Base for discovery-functionality, Autoconnectivity etc
• Scalability (65536 nodes per entity)
• IPv4
• IPv6
• Unicast, multicast
• BGP ASN
FC Protection
• Protect the integrity of the FC
[Diagram: protection functions per location. At the IOP: Shaping/Policing, Anti Spoofing, Route filtering, Access filters, Authentication, IDS/FW. In the FCS: Anti Spoofing, Access filters, IDS or IPS, Stateful FW, filter flows to/from clients/servers in the FCS. Client/Server self protection: Access filters, Anti spoofing.]
UNCLASSIFIED 35
• Ensures that only entitled parties can interconnect and send traffic on the FC. (compare PCN)
• Need technical means since bearer can be virtually anything (not only 5m optical fiber)
• Certificate-based (in IKEv2)
• Rogue nodes can be disconnected
• Comes witha a basic level of TFC (GRE/IPsec)
WANSWE
NOR
PKI
• Different trust-models supported
• Local CRL DP
• (Issues with COTS and revocations)
– IKEv2 rekey != reauth (recent IOS solves this)
– CRL validity & caches (applies to ”off-the-grid” situations)
Autoconnectivity
Required services/functions (capability package Auto-connectivity): Auto-connectivity Service
• NO manual configuration when interconnecting
• Speeds up interconnection
• Less error-prone (human factor)
Autoconnectivity
• Discover-configure, discover-configure
– RIPv2 -> IPsec/GRE
– RIPng -> Peering
• Variety of implementations
[Diagram: RIPv2 over Ethernet between SWE (ASN d46.257) and NOR (ASN d47.2).]
Demo Autoconn
CO Transport
Required services/functions (capability package CO transport): CO Routing Function, Resource Reservation Function, Signaling Function, KPI Estimation, CO Forwarding Service, CL Transport
o Generalization of IntServ
o “MPLS-TE on IP”
o Based on network level resource reservations for IP flows
o Provides resource assured connections for arbitrary services
o Sensor systems
o Media transport
[Diagram: nodes A to H in the forwarding plane; CO control plane (COCP) with Reservation, Routing and Signaling; the User attaches over the UNI.]
CO Forwarding Service
o Non default forwarding pattern for traffic
o Next-hop selection based on other criteria than shortest path
o Assurance of resources to the connection via reserving and setting aside
o Policing of traffic at ingress @ flow level
User Signaling
Users hold the Local API, the Reservation Service the Remote API; the UNI sits between them.
SIP variant (Local API -> Remote API):
- SIP MESSAGE: SESSION RESERVE REQUEST, sent to the anycast address
- SIP 302 Redirect (to the unicast address)
- SIP MESSAGE: SESSION RESERVE REQUEST, sent to the unicast address
- SIP 200 OK
- SIP MESSAGE: SESSION RESERVE RESPONSE - SUCCESS
- Reservation in the Network Domain carried out...
- SIP 200 OK
- Reservation is used...
- SIP MESSAGE: SESSION TEAR-DOWN REQUEST
- SIP 200 OK
- SIP MESSAGE: SESSION TEAR-DOWN RESPONSE - SUCCESS
- Reservation in the Network Domain is torn down...
- SIP 200 OK
HTTP variant (Local API -> Remote API):
- HTTP POST: SESSION RESERVE REQUEST, sent to the anycast address
- HTTP 302 Redirect (to the unicast address)
- HTTP POST: SESSION RESERVE REQUEST, sent to the unicast address
- HTTP 200 OK
- Reservation in the Network Domain carried out...
- Reservation is used...
- HTTP POST: SESSION TEAR-DOWN REQUEST
- Reservation in the Network Domain is torn down...
- HTTP 200 OK
• Convey user requirements into CO control plane
• Protocol used: SIP(S) or HTTP(S)
Crypto - Interworking Signaling
Elements - FilterSpec/QSPEC+ (GIST)
TSpec:
Peak-Rate: [Value Bytes per sec]
Rate: [Value Bytes per sec]
Burst-Size: [Bytes]
ConstraintsParams:
Path-Reliability: [Value]
Path-TFC-Level: [Value]
Path-Latency: [Value]
Path-Jitter: [Value]
HandlingDirectives:
Path-Pinning: [Value]
Admission-Priority: 2
RPH-Priority: [Value]
TrafficClassifier:
DSCP-bits0-2: [Value]
DSCP-bits3-4: [Value]
FilterSpec:
Network-Layer-Version: [IPv4|IPv6]
Source-address: [address/prefix-len]
Destination-address: [address/prefix-len]
IP-protocol: [ANY|UDP|TCP|ESP….]
DiffServ-codepoint: [Value]
Flow-Label: [Value]
SPI: [Value]
L4-sourceport: [Value]
L4-destport: [Value]
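A parser and consistency check for the FilterSpec/QSPEC+ element layout above, added here as an example (not the TACOMS+ NSIS stack). The request text is constructed and uses the section and key names from the slide; "[Value]" placeholders are treated as absent. The DSCP assembly from the two classifier halves follows the standard Assured Forwarding bit layout (class selector in bits 0-2, drop precedence in bits 3-4), which is an assumption about how the slide's classifier fields are meant.

```python
import ipaddress
import re

# Constructed reservation request in the FilterSpec/QSPEC+ layout from the slide.
SAMPLE_REQUEST = """\
TSpec:
Peak-Rate: 256000
Rate: 128000
Burst-Size: 4096
ConstraintsParams:
Path-Reliability: 3
Path-TFC-Level: [Value]
Path-Latency: 150
Path-Jitter: 30
HandlingDirectives:
Path-Pinning: 1
Admission-Priority: 2
RPH-Priority: 1
TrafficClassifier:
DSCP-bits0-2: 3
DSCP-bits3-4: 1
FilterSpec:
Network-Layer-Version: IPv4
Source-address: 10.46.1.10/32
Destination-address: 10.47.2.20/32
IP-protocol: UDP
DiffServ-codepoint: 26
Flow-Label: [Value]
SPI: [Value]
L4-sourceport: 5004
L4-destport: 5004
"""

PLACEHOLDER = re.compile(r"^\[.*\]$")


def parse_request(text):
    """Parse 'Section:' headers and 'Key: value' lines into nested dicts."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "":                 # e.g. "TSpec:" opens a new section
            section = key
            result[section] = {}
            continue
        if section is None:
            raise ValueError("element %r outside any section" % key)
        if PLACEHOLDER.match(value):    # unfilled "[Value]" stays absent
            continue
        result[section][key] = int(value) if value.isdigit() else value
    return result


def classifier_dscp(classifier):
    """DSCP from the classifier halves: bits0-2 = class selector,
    bits3-4 = drop precedence, bit 5 unused (AF layout, assumed)."""
    return (classifier.get("DSCP-bits0-2", 0) << 3) | (classifier.get("DSCP-bits3-4", 0) << 1)


def validate_request(req):
    """Return a list of consistency problems (empty when the request is usable)."""
    errors = []
    ts = req.get("TSpec", {})
    if ts.get("Peak-Rate", 0) < ts.get("Rate", 0):
        errors.append("Peak-Rate below Rate")
    tc = req.get("TrafficClassifier", {})
    bits_ok = 0 <= tc.get("DSCP-bits0-2", 0) <= 7 and 0 <= tc.get("DSCP-bits3-4", 0) <= 3
    if not bits_ok:
        errors.append("DSCP classifier bits out of range")
    fs = req.get("FilterSpec", {})
    version = fs.get("Network-Layer-Version")
    if version not in ("IPv4", "IPv6"):
        errors.append("Network-Layer-Version must be IPv4 or IPv6")
    else:
        for field in ("Source-address", "Destination-address"):
            if field in fs and ipaddress.ip_network(fs[field], strict=False).version != int(version[-1]):
                errors.append("%s does not match %s" % (field, version))
    if bits_ok and tc and fs.get("DiffServ-codepoint") is not None \
            and fs["DiffServ-codepoint"] != classifier_dscp(tc):
        errors.append("DiffServ-codepoint disagrees with TrafficClassifier")
    return errors


if __name__ == "__main__":
    parsed = parse_request(SAMPLE_REQUEST)
    print(parsed["TSpec"], classifier_dscp(parsed["TrafficClassifier"]), validate_request(parsed))
```

Rejecting a request whose FilterSpec codepoint disagrees with its classifier matters at the ingress policer: the reservation is booked in one class while the packets would be marked into another.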
Network Signaling
• NSIS or SIPng
• Same API to Reservation Service and Forwarding Plane
• Supports pre-emption
[Diagram: Reservation Service to Routing Service. Request: UserRequirements + Destination NodeID. Response: SourceRoutes/NextHop. Reservation Service to Signaling Service. Request: Setup [route[x-n]], Response: [OK|FAIL]. Signaling over the forwarding plane: Request: Setup [route[x-n]], Response: ID (CallID); Request: Tear (ID), Response: ID (CallID). Reservation Service to Signaling Service: Request: Tear (ID), Response: [OK|FAIL].]
Network Signaling – NSIS+
• NSIS with small modifications (Qspec etc)
• TACOMS+ developed opensource NSIS-stack (Linux)
• Support for pre-emption
• No TE in current MRM, easily extended
• Can traverse NSIS non-aware nodes
Network Signaling – SIPng
• SIP??? Yes, it’s a protocol for maintaining arbitrary sessions.
• Establishes a signaling overlay on top of the FC
• Support for pre-emption and TE
• Uses Route-header in SIP to do source routing, hence signaling can only traverse (jump on) SIPng aware nodes.
• Implies one SIPng entity per TACOMS node
[Diagram: Node A to Node D, each with a SIPng proxy, forming the SIPng CO signalling layer above the forwarding plane.]
CO Routing – without TE
[Diagram: Reservation Service to Routing Service. Request: UserRequirements. Response: Incoming Interface, Next-Hop (, Explicit route). Topology information is fetched from the Service Announcement layer; forwarding plane below.]
• Both intra and inter-domain capability
• Without TE:
• Incoming interface and next-hop are computed.
CO Routing – with TE
[Diagram: same exchange as above.]
• Both intra and inter-domain capability
• With TE:
• Path computation based on constraints coming from user, made in originating node.
• Topology discovery database includes all (abstracted) links
• Several attributes associated to the links (capacity, delay, TFC, reliability, …)
• Links in topology database are identified with NodeIDs. In CL-BGP, the NodeID for the destination NLRI has a coded BGP community.
[Diagram: FCS A, FCS B and FCS C with numbered links 1 to 3, FCS internal links and IOPs.]
Resource reservation
• Resource sharing policy for individual DiffServ classes
• Bookkeeping of resources
• Connection Admission Control
• Multi-Level Priority and Pre-emption
• Authorization of use
[Diagram: links, capacity, reservations...]
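The five bullets above as one admission-control routine, added here as an example (not the TACOMS+ Reservation Function). It keeps per-class reservable capacity on one link, checks authorization, admits when capacity is free and otherwise pre-empts lower-precedence reservations in the same class. The precedence scale, the authorization table and the link figures are constructed.

```python
from dataclasses import dataclass, field

# Constructed authorization policy: which DiffServ classes each requester may reserve in.
AUTHORIZED_CLASSES = {
    "SWE-C2": {"SC3", "SC5"},
    "NOR-VTC": {"SC3"},
}


@dataclass
class Reservation:
    res_id: str
    requester: str
    service_class: str   # DiffServ class, e.g. "SC3"
    rate_bps: int
    precedence: int      # 0 = highest .. 4 = lowest; constructed MLPP scale


@dataclass
class LinkBookkeeping:
    """Reservable capacity per class (the sharing policy) plus active reservations."""
    reservable_bps: dict
    active: dict = field(default_factory=dict)

    def reserved(self, service_class):
        return sum(r.rate_bps for r in self.active.values()
                   if r.service_class == service_class)

    def admit(self, req: Reservation):
        """Connection Admission Control with pre-emption.
        Returns (admitted, reason, list of pre-empted reservation ids)."""
        if req.service_class not in AUTHORIZED_CLASSES.get(req.requester, set()):
            return (False, "not authorized for class", [])
        cap = self.reservable_bps.get(req.service_class)
        if cap is None or req.rate_bps > cap:
            return (False, "class not reservable or request exceeds class capacity", [])
        free = cap - self.reserved(req.service_class)
        if free >= req.rate_bps:
            self.active[req.res_id] = req
            return (True, "admitted", [])
        # Pre-emption: only lower-precedence reservations in the same class
        # are candidates, lowest precedence first, until enough is freed.
        victims = sorted(
            (r for r in self.active.values()
             if r.service_class == req.service_class and r.precedence > req.precedence),
            key=lambda r: r.precedence, reverse=True)
        chosen = []
        for v in victims:
            if free >= req.rate_bps:
                break
            chosen.append(v.res_id)
            free += v.rate_bps
        if free < req.rate_bps:
            return (False, "insufficient capacity", [])
        for vid in chosen:
            del self.active[vid]
        self.active[req.res_id] = req
        return (True, "admitted with pre-emption", chosen)

    def release(self, res_id):
        """Tear-down: returns False if the id was unknown."""
        return self.active.pop(res_id, None) is not None


def demo():
    """Walk one link (1 Mbit/s reservable in SC3) through admission, rejection and pre-emption."""
    link = LinkBookkeeping({"SC3": 1_000_000, "SC5": 500_000})
    a = link.admit(Reservation("a", "SWE-C2", "SC3", 600_000, 4))
    b = link.admit(Reservation("b", "NOR-VTC", "SC3", 300_000, 2))
    c = link.admit(Reservation("c", "NOR-VTC", "SC3", 200_000, 4))   # no room, nothing lower to pre-empt
    d = link.admit(Reservation("d", "SWE-C2", "SC3", 500_000, 1))    # pre-empts "a"
    e = link.admit(Reservation("e", "NOR-VTC", "SC5", 100_000, 1))   # not authorized for SC5
    return {"a": a, "b": b, "c": c, "d": d, "e": e,
            "sc3_reserved": link.reserved("SC3"), "released_a": link.release("a")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Pre-emption is confined to the requested class on purpose: capacity set aside for other DiffServ classes under the sharing policy is never raided, which is what keeps a flash-precedence voice call from starving an unrelated sensor feed.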
Demo SIPng
KPI Estimation
Required services/functions (capability package KPI Estimation): KPI Measurement Function, KPI Provisioning Function, X-Layer Communication Function, KPI Estimation Service, CL Transport
KPI Estimation
o Transmission bearer interrogation
o What kind of networking environment is below the IP
o What can be estimated from the bearer if it is not known
o What can be done co-operatively
KPI Estimation Service
o Estimation of bearer capabilities based on different information sources
o Pre-existing knowledge
o Technical interrogation via
o API (integrated bearers)
o Standard protocols (co-operative bearers)
o Measurement of bearer capabilities
KPI Provisioning
• Pre-existing knowledge via SLA
• FO
• Fixed capacity LoS/Satcom
X-layer Communication
• Integrated bearers with common control plane functions
• Ability to control and monitor bearer KPIs
• Common protocols to interrogate co-operative bearers
• LLDP, DLEP
• Difficult to address all bearer technologies
KPI Measurement
• Estimation of bearer KPIs (capacity, delay, jitter)
• Two methods depending on bearer (logic for choosing is included)
• TWAMP-light protocol
• Non-intrusive
• Based on packet dispersion
• Normally supports bearers like LoS, Satcom
• Iperf (fallback)
• Intrusive
• Ball-parking
[Diagram: SWE and FIN connected by a GRE tunnel over an ”unknown” bearer; TWAMP light sender and TWAMP light reflector; send spacing δt1..δt4 and receive spacing δr1..δr4.]
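The packet-dispersion estimate behind the TWAMP-light method, plus delay and jitter from the same timestamps and the choice between the non-intrusive result and the iperf fallback, as an added example (not the TACOMS+ KPI Measurement Function). The timestamps are constructed: four 1000-byte probes sent back to back, once through a 2 Mbit/s bottleneck and once over a bearer faster than the probe rate. Sender and reflector clocks are assumed aligned (the Time Sync service), so receive minus send time is one-way delay.

```python
from statistics import median, mean

PACKET_BYTES = 1000

# Constructed TWAMP-light style timestamps in seconds (send at sender, arrival at reflector).
SEND_TS = [0.0000, 0.0001, 0.0002, 0.0003]
RECV_TS = [0.0200, 0.0240, 0.0280, 0.0320]       # 4 ms spacing: a 2 Mbit/s bottleneck
RECV_TS_FAST = [0.0100, 0.0101, 0.0102, 0.0103]  # spacing unchanged: bearer faster than the probe

DISPERSION_MARGIN = 1.05   # receive gap must exceed send gap by 5% to count as dispersion


def estimate_capacity_bps(send_ts, recv_ts, packet_bytes=PACKET_BYTES):
    """Packet-dispersion estimate: probes queued back to back at the bottleneck
    leave it spaced by L/C, so C ~= L / receive_gap. The median over pairs
    resists one noisy gap. Returns None when no pair was dispersed (the
    bearer is faster than the probe rate, so only a lower bound is known)."""
    if len(send_ts) != len(recv_ts) or len(recv_ts) < 2:
        raise ValueError("need at least two matching timestamps")
    send_gaps = [b - a for a, b in zip(send_ts, send_ts[1:])]
    recv_gaps = [b - a for a, b in zip(recv_ts, recv_ts[1:])]
    dispersed = [rg for sg, rg in zip(send_gaps, recv_gaps)
                 if rg > 0 and rg > sg * DISPERSION_MARGIN]
    if not dispersed:
        return None
    return 8 * packet_bytes / median(dispersed)


def estimate_delay_jitter(send_ts, recv_ts):
    """One-way delay (minimum over probes) and jitter (mean absolute change
    of delay between consecutive probes)."""
    delays = [r - s for s, r in zip(send_ts, recv_ts)]
    if len(delays) < 2:
        return min(delays), 0.0
    jitter = mean(abs(b - a) for a, b in zip(delays, delays[1:]))
    return min(delays), jitter


def choose_method(send_ts, recv_ts):
    """Selection logic: keep the non-intrusive TWAMP-light figure when the probe
    train was dispersed; otherwise report that the intrusive iperf fallback is
    needed (the iperf run itself is not performed here)."""
    capacity = estimate_capacity_bps(send_ts, recv_ts)
    if capacity is None:
        return ("iperf-fallback", None)
    return ("twamp-light", capacity)


if __name__ == "__main__":
    print(choose_method(SEND_TS, RECV_TS), estimate_delay_jitter(SEND_TS, RECV_TS))
    print(choose_method(SEND_TS, RECV_TS_FAST))
```

The margin on the dispersion test is the part worth keeping: without it, timestamp jitter of a few microseconds makes an undispersed train look like a bearer running at the probe's own wire rate.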
KPI Dissemination
Required services/functions (capability package KPI Dissemination): Horizontal Dissemination Function, Vertical Dissemination Function, KPI Dissemination Service, CL Transport, KPI Estimation, Service Announcement
KPI Dissemination
o Who needs to know the link/network KPIs
o How should the KPIs be disseminated most efficiently
KPI Dissemination Service
[Diagram: Network Domain with FIN, DEU and SWE nodes exchanging KPIs; Information Domain with Service X instances receiving KPIs.]
• Dissemination of bearer KPIs
• Internally to other services that need that information
• Other network nodes that need the information
• Information Domain Services that benefit from the information
Horizontal Dissemination
• Dissemination to the other nodes that need the information (policing/shaping)
• For TE: Path calculation functions across the network
• Uses Service Announcement Layer to convey KPIs
Property | Community | Remark
Link Capacity | 1:[value 16bit] | Bits per second
Link Reliability | 2:[value 16bit] | Link state change events (up/down), service unavailability over the period of 24h
Link TFC Level | 3:[value 16bit] | Traffic flow confidentiality level of the link
Service Class [SC0-7] Reservable Link Capacity | 4+SC:[value 16bit] | Capacity that is allocated for the reservation purposes within particular service class in bps
Service Class [SC0-7] Unreserved Capacity | 12+SC:[value 16bit] | Capacity that is used from the particular service class in bps
Service Class [SC0-7] Delay | 20+SC:[value 16bit] | Delay within the particular service class in seconds.
[Diagram: Network Domain with FIN, DEU and SWE.]
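An encoder and decoder for the community scheme in the table above, added here as an example (not TACOMS+ project code). It uses the property ids from the table (1 to 3 per link, 4+SC, 12+SC and 20+SC per service class) with the 16-bit value field; the property names and the sample announcement are constructed. The 16-bit limit is enforced on both sides, since the table's units (bps, seconds) overflow the field quickly and a silently wrapped value would mislead a path computation.

```python
# Property ids from the Horizontal Dissemination table: fixed ids 1..3 per link,
# and per-service-class ids offset by SC (0..7).
LINK_PROPERTIES = {"capacity": 1, "reliability": 2, "tfc_level": 3}
CLASS_PROPERTIES = {"reservable_capacity": 4, "unreserved_capacity": 12, "delay": 20}
MAX_16BIT = 0xFFFF


def encode_kpi(prop, value, service_class=None):
    """Encode one KPI as an 'N:V' community string; V must fit the 16-bit field."""
    if not isinstance(value, int) or not 0 <= value <= MAX_16BIT:
        raise ValueError("value must be an integer in 0..65535, got %r" % (value,))
    if prop in LINK_PROPERTIES:
        if service_class is not None:
            raise ValueError("%s is a per-link property" % prop)
        return "%d:%d" % (LINK_PROPERTIES[prop], value)
    if prop in CLASS_PROPERTIES:
        if service_class is None or not 0 <= service_class <= 7:
            raise ValueError("%s needs a service class 0..7" % prop)
        return "%d:%d" % (CLASS_PROPERTIES[prop] + service_class, value)
    raise ValueError("unknown KPI property %r" % prop)


def decode_kpis(communities):
    """Decode 'N:V' communities into a KPI dict; unknown ids are kept under
    'unknown' rather than silently dropped."""
    by_id = {v: k for k, v in LINK_PROPERTIES.items()}
    out = {}
    for comm in communities:
        num_s, _, val_s = comm.partition(":")
        num, val = int(num_s), int(val_s)
        if not 0 <= val <= MAX_16BIT:
            raise ValueError("community value out of range: %s" % comm)
        if num in by_id:
            out[by_id[num]] = val
            continue
        for name, base in CLASS_PROPERTIES.items():
            if base <= num < base + 8:
                out.setdefault(name, {})[num - base] = val
                break
        else:
            out.setdefault("unknown", []).append(comm)
    return out


# Constructed announcement for one link: capacity 20000, 3 state changes, TFC level 2,
# and SC3 figures for reservable capacity, unreserved capacity and delay; 99:1 is noise.
SAMPLE_COMMUNITIES = ["1:20000", "2:3", "3:2", "7:8000", "15:6000", "23:40", "99:1"]


def round_trip(kpis):
    """Re-encode a decoded KPI dict (unknown entries are dropped)."""
    comms = [encode_kpi(p, kpis[p]) for p in LINK_PROPERTIES if p in kpis]
    for p in CLASS_PROPERTIES:
        for sc, v in sorted(kpis.get(p, {}).items()):
            comms.append(encode_kpi(p, v, sc))
    return comms


if __name__ == "__main__":
    decoded = decode_kpis(SAMPLE_COMMUNITIES)
    print(decoded)
    print(round_trip(decoded))
```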
Vertical Dissemination
• Dissemination of link KPIs to Information Domain Services
• Resource sensitive applications: Voice, VTC, document sharing …
• May cross RED/BLACK boundary
• SNMP MIB defined
[Diagram: Network Domain (DEU) delivering KPIs to Service X instances in the Information Domain.]
Service Mitigation
Required services/functions (capability package Service Mitigation): Bearer Mitigation Function, IP-Layer Mitigation Function, Application Layer Mitigation Function, Mitigation Service, KPI Estimation, KPI Dissemination
Service Mitigation
o How should the transmission bearer be used to maximize the utilization
o How should the IP layer use the bearer
o How should services adapt to the network conditions
Mitigation Service
• The Mitigation service decides on the possible technical actions that need to be executed for the bearer
• Logic to decide how to approach the deficiencies a bearer has with respect to the services in the IP layer and the application layer
Bearer Mitigation
o X-Layer functions on mitigation in transmission bearer
o Coherent action between IP-layer and transmission layer for QoS and resource sharing
o SatCom, BGAN, SDR, Radio relays
Application Layer Mitigation
o How to manage application aspects based on network information and status
o Audio/Video coding and level of service
o Activation and de-activation of resource intensive applications
o Application accelerations for long delay pipes
o if packets are not encrypted (TCP adaptation, RTP Jitter compensation)
IP-Layer Mitigation
o IP-layer provisioning based on bearer knowledge which is acquired via KPI Estimation & Dissemination
o Provisioning capacity for service classes and link
o Queue management
[Diagram: FCS with IP level Mitigation function, Control function, TACOMS management service, IP Routing, other network functions and GRE/IPSEC, attached through a Generic Local Interface to the Transmission System Interface (e.g. modem) of the transmission system; an SLA between FCS and transmission system.]
Mitigation and dissemination
[Diagram: FCS information domain; IP level Mitigation function and Control function; External Generic Local Interface, Internal Specific Local Interface and Specific Local Interface; Mitigation functions, Link Layer Functions, Media assessment functions and KPI dissemination functions.]
Demo Measurement-Mitigation
[Diagram: RIPv2 over Ethernet between SWE (ASN d46.257) and NOR (ASN d47.2) across a link with unknown KPIs; TWAMP sender and TWAMP Reflector at the two ends.]
Service Announcement
Required services/functions (capability package Service Announcement): Service Announcement Service, Auto-connectivity
• Autoconnectivity add-on
• Speeds up the interconnection of services and not just the IP-layer.
• A database updated in real-time across the FC
• No full-mesh conns, no central dependencies
Service Announcement Service
• Inspired by Cisco Service Advertisement Framework
• Separate BGP routing process with IPv6 coded information
• Dictionary that maps certain parameters to IPv6 prefix and/or communities
• Voice GW & Prefixes, Network KPIs, NTP peers etc
[Diagram: FCS A and FCS B. Information domain service announcement (Media, Chat, Time) drives automatic configuration; network domain service announcement drives automatic peering; a Service Announcement Layer and Transmission mediation on each side.]
Time sync
Required services/functions (capability package Time sync): Time Service, Service Announcement
Time sync Service
• Provide a time with certain precision to services in the FC
• Self-sustained!
• Peer with neighbors
Name resolution
Required services/functions (capability package Name Resolution): Time Service, Name Resolution Service
• Provide services in the FC with a name-resolution service.
• Designed to work on unclassified, but can also work within a security domain.
Name resolution Service
• Flat hierarchy, works without central root
• DNSSEC
[Diagram: Federated Core namespace. Primary nameservers for FCS POL, FCS BEL and FCS NATO, each master for its own zone and an FC slave for the FC zone; an FC Master Server holds the FC zone; periodic zone transfer requests between them.]
Media
Required services/functions (capability package Media): Media Service, Media Resource Reservation Function, Media Signaling Function, Media Dynamic Routing Function, CL Transport, CO Transport, Service Announcement
Media Service
o SIP-based media profile
o ST4705 numbering
o GW routed calls to and from the federated domain
Media Service
[Diagram: ASN:x, ASN:y and ASN:z with GWs; User A and User B; SIP & RTP signalling & media between users and GWs; eBGP Service Announcement between ASNs, iBGP Service Announcement inside an ASN.]
Resource management integrated with network domain: Media-CAC needs to know capacity on links
Media Signaling
o SIP signaling
o B2BUA between national domain and network domain
o SIP Resource-Priority extension @ core
Media Resource Reservation
o Bookkeeping of calls and their resources
o Call Admission Control
o SIP Resource Priority extension for priority calls
o Pre-emption
o Resource control with forwarding plane filters and policers
o Assurance of QoS within controlled DiffServ class
[Diagram: GW1, GW2 and GW3; an existing call between caller and callee, a call being set up, congestion on the shared link, and call tear-down signalling.]
Media Dynamic Routing
[Diagram: ASN:x, ASN:y and ASN:z between User A and User B. Gateways: GW prefix 941 358 at IP 58.10.10.10; GW prefix 941 460 at IP 46.11.11.11; GW prefix 941 460 at IP 46.12.11.11; GW prefix 941 330 at IP 33.1.1.11. Announcements shown:
- Prefix FD00:0520:941:358::/64, RT 58.10.10.10:1, Next-hop ::FFFF:58.10.10.10
- Prefix FD00:0520:941:358::/64, RT 58.10.10.10:1, Next-hop ::FFFF:46.12.11.11
- Prefix FD00:0520:941:460::/64, RT 46.12.11.11:1, Next-hop ::FFFF:46.12.11.11
- Prefix FD00:0520:941:330::/64, RT 33.1.1.11:1, Next-hop ::FFFF:33.1.1.11
- Prefix FD00:0520:941:330::/64, RT 33.1.1.11:1, Next-hop ::FFFF:46.11.11.11
- Prefix FD00:0520:941:460::/64, RT 46.11.11.11:1, Next-hop ::FFFF:46.11.11.11]
• Flexible nomadic mobility of subscribers within mission network
• Inspired by Cisco SAF
• Utilizes Service Announcement to facilitate dynamic routing of 4705 prefixes
• Representation of ST4705 prefixes as IPv6 prefixes
• Hop-by-Hop routing pattern
• Edge-to-Edge routing pattern
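The prefix representation and the two routing patterns from this slide, as an added example (not the TACOMS+ Media Dynamic Routing Function). The announcements reuse the prefixes, RTs and next-hops shown on the slide. Two things are assumptions of the example rather than statements of the page: that the numbering digits are written into the IPv6 prefix as hextets verbatim with 0520 as a fixed plan identifier, and that edge-to-edge means signalling to the originating GW named in the RT while hop-by-hop means signalling to the next-hop the announcement carried.

```python
import ipaddress
from dataclasses import dataclass

# The slide shows ST4705 prefix "941 358" announced as FD00:0520:941:358::/64.
# Assumption: digits become hextets verbatim; 0520 is a fixed plan identifier.
PLAN_ID = "0520"


def numbering_prefix_to_ipv6(prefix):
    """Map an ST4705 numbering prefix such as '941 358' to its IPv6 prefix."""
    groups = prefix.split()
    if not 1 <= len(groups) <= 2 or any(not g.isdigit() or len(g) > 4 for g in groups):
        raise ValueError("expected one or two numeric groups of up to 4 digits")
    return ipaddress.ip_network("fd00:%s:%s::/64" % (PLAN_ID, ":".join(groups)))


@dataclass(frozen=True)
class Announcement:
    prefix: str       # ST4705 numbering prefix
    originator: str   # GW address carried in the RT (RT = originator:1)
    next_hop: str     # IPv4 address embedded in the ::FFFF: next-hop

    @property
    def route_target(self):
        return "%s:1" % self.originator

    @property
    def ipv6_prefix(self):
        return numbering_prefix_to_ipv6(self.prefix)

    @property
    def ipv6_next_hop(self):
        return ipaddress.IPv6Address("::ffff:%s" % self.next_hop)


# Announcements taken from the slide's figure (same prefixes, RTs and next-hops).
ANNOUNCEMENTS = [
    Announcement("941 358", "58.10.10.10", "58.10.10.10"),
    Announcement("941 358", "58.10.10.10", "46.12.11.11"),
    Announcement("941 460", "46.12.11.11", "46.12.11.11"),
    Announcement("941 330", "33.1.1.11", "33.1.1.11"),
    Announcement("941 330", "33.1.1.11", "46.11.11.11"),
    Announcement("941 460", "46.11.11.11", "46.11.11.11"),
]


def route_call(number, table, pattern="edge-to-edge"):
    """Gateway address(es) for a dialled number by longest numbering-prefix match.
    edge-to-edge: signal straight to the originating GW named in the RT;
    hop-by-hop: signal to the next-hop the announcement was learned with.
    (Interpretation of the two patterns on the slide; an assumption.)"""
    digits = number.replace(" ", "")
    matches = [a for a in table if digits.startswith(a.prefix.replace(" ", ""))]
    if not matches:
        return None
    longest = max(len(a.prefix.replace(" ", "")) for a in matches)
    best = [a for a in matches if len(a.prefix.replace(" ", "")) == longest]
    if pattern == "edge-to-edge":
        return sorted({a.originator for a in best})
    if pattern == "hop-by-hop":
        return sorted({a.next_hop for a in best})
    raise ValueError("unknown routing pattern %r" % pattern)


if __name__ == "__main__":
    print(numbering_prefix_to_ipv6("941 358"))
    print(route_call("941 358 1234", ANNOUNCEMENTS), route_call("941 358 1234", ANNOUNCEMENTS, "hop-by-hop"))
    print(route_call("941 460 0001", ANNOUNCEMENTS))
```

The "941 460" case returns two originators because the slide advertises that prefix from two gateways; that is the nomadic-mobility point, a subscriber block reachable through whichever GW it has currently registered behind.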
TACOMS+ components
[Diagram: dependency graph. Blue boxes denote user accessible services: CL Transport Service, Name resolution Service, Time Service, Service Announcement Service, CO Transport Service, Media service, KPI Estimation Service, KPI Dissemination Service, KPI Mitigation Service. Green boxes denote functions that build services: Routing Function, Authentication Function, Address Plan, Autoconnectivity Function, PKI Function, Federated Core Protection Function, Reservation Function, CO Routing Function, Signaling Function, Media Resource Reservation Function, Media Dynamic Routing Function, Media Signaling Function, KPI Measurement Function, KPI Provisioning Function, X-Layer Communication Function, Horizontal Dissemination Function, Vertical Dissemination Function, Bearer Mitigation Function, IP-Layer Mitigation Function, Application Mitigation Function, KPI Management Function. Legend: “A depends on B” and “A optionally depends on B”.]
In a system …or cherrypicking
How mature are these
• Many of the TACOMS capabilities are developed and specified in different levels of TRL
• Most of the CO/KPI-capabilities hit TRLs 4 to 6
• Most of (CL) capabilities are applied in real systems and are moving towards fielding (TRL 7 to 9)
TACOMS+ Service Architecture (Tacoms ph2)
[Diagram: Network Domain (Network Domain Service Provider): Network Domain Support Services (Routing Service, Security Service, Autoconfiguration Service) and Network Domain Services (CL Forwarding Service, Reservation Service, CO Forwarding Service); management side: Network Management Service, Network Configuration Service, Network Planning Service, Customer Management Service. Information Domain (Information Domain Service Provider): Information Domain Support Services (Routing Service, Discovery Service, Signaling Service, Reservation Service) and Information Domain User Services (Media Service, Signaling Service, Transmission Mediation Service, Monitoring Service, Packet Prioritization Service); management side: Customer Management Service, Service Management Service, Service Planning Service, Service Level Management Service, Service Configuration Service. Interfaces: SLA, MGMT IF, CTRL IF, DATA IF, PPI IF.]
[Figure: NATO C3 Classification Taxonomy (IA SMC Groupings Baseline 1.0, Friday, 15 June 2012). Operational Context: Missions and Operations with Policy and Guidance (Strategic Concept, Political Guidance, Military Guidance, Allied Publications, C3 Policies), Mission Types (Collective Defence, Consequence Management, Conflict Prevention, Counter Terrorism (Failed State / State Sponsored Covert), Support to Disaster Relief, Extraction Operation, Enforcement of Sanctions and Embargoes, Peace Enforcement, Peacekeeping, Support to Humanitarian Assistance, Anti-Terrorism, Peacemaking, Peacebuilding, Support of Non-Combatant Evacuation Operations, Military Aid/Support to Civil Authorities, Permanent Tasks), Tasks per mission type and Operational Capabilities (Prepare, Project, Engage, Sustain, Protect, Inform, C3); Business Processes; Information Products. Communication and Information Systems (CIS) Capabilities: User-Facing Capabilities (User Appliances, User Applications per COI, Generic Applications); Technical Services: Community Of Interest (COI) Services (COI-Specific and COI-Enabling), Core Enterprise Services (Enterprise Support, SOA Platform, Infrastructure), Communications Services (Communications Access Services; Transport Services: Edge Transport, Core Network, Aggregation, Broadcast, Distribution; Transmission Services: wired local/metropolitan/wide area, wireless LOS and BLOS, static and mobile); each grouping with its IA and SMC services.]
TACOMS+ in C3 Taxonomy
• FC is delivering Edge-to-Edge IP transport services in CL/CO mode = FMN CORE TRANSPORT M1/M2/M3
• FC is not delivering access services, BUT enables packet-based access services via a function that is needed in the national interface
• The TACOMS+ project also delivers:
– SIP profile for Media Services
– PKI for authentication
– Name resolution services
– Network time services
– Service announcement
– SMC for the Core Network part
TACOMS+ Deliverables
– Documents, RA
– FMN support
– Reference Implementation
TACOMS+ Documents
Annexes
FrontEnd EA model
RA – https://tacoms-ea.frontend.se
Document examples….
Concept and Architecture
Figure (labels recovered): the Federated Core consists of Federated Core Segments A, B, C, D and E, interconnected over IOPs, with a further IOP towards the Strategic level. FCS A to FCS F are shown at both the Strategic and the Deployed level.
Solutions and justifications
Technical Specification
Autoconnectivity discovery state machine (figure, labels recovered):
Discovery Phase 1 (parent process)
• Initiation with preconfigured values; send RIPv2.
• Received RIPv2 message (new neighbor detected):
– Configure GRE (if my IP > peer IP)
– Enable RIPng
– Spawn new process for neighbor (Discovery Phase 2)
• Exit: RIPv2 sender gone – Configuration CleanUp.
Discovery Phase 2 (one child process per neighbor)
• START: send RIPng.
• ((BGP prefix exist) and (my IP > peer IP)) or ((BGP prefix exist) and (GRE prefix exist)):
– Configure GRE (if my IP < peer IP)
– Configure BGP
• Configured: send RIPng; BGP established -> Established.
– Exit: (RIPv2 sender gone) or (Timeout ~120 seconds) – Configuration CleanUp.
• Established: send RIPng.
– Exit: (RIPv2 sender gone) or (BGP transition from established) – Configuration CleanUp.
• In Configured and Established: (MSDP prefix exist) and (MSDP not configured) or (SA prefix exist) and (SA not configured) – Configure related item (MSDP/SA).
Note: IPv6Enc refers to the transformation of information into an IPv6 prefix.
PrefixGRE = FD00:0202/32, PrefixBGP = FD00:0510/32, PrefixMSDP = FD00:0511/32, PrefixSABGP = FD00:0500/32
Mx = MSDP peer address, Bx = BGP peer address, Gx = GRE subnet address, SAx = SA-BGP peer address
Message exchange (SWE – NOR):
• RIPv2 over Eth, source IPv4: ESWE; Network: 110.46.x.y/32
• RIPv2 over Eth, source IPv4: ENOR; Network: 110.47.x.y/32
• RIPng in GRE, source: IPv6 link-local GRE SWE; Network1: IPv6Enc(PrefixBGP, BGP HopsSWE, BGP ASNSWE, BSWE), Network2: IPv6Enc(PrefixMSDP, BGP ASNSWE, MSWE), Network3: IPv6Enc(PrefixSABGP, SABGP HopsSWE, SABGP ASNSWE, SASWE)
• RIPng in GRE, source: IPv6 link-local GRE NOR; Network1: IPv6Enc(PrefixGRE), Network2: IPv6Enc(PrefixBGP, BGP HopsNOR, BGP ASNNOR, BNOR), Network3: IPv6Enc(PrefixMSDP, BGP ASNNOR, MNOR), Network4: IPv6Enc(PrefixSABGP, SABGP HopsNOR, SABGP ASNNOR, SANOR)
Steps in text:
• Steps 1-3: IPv4 addresses on interfaces are configured: SWE: Ethernet: ESWE (111.46.a.b/8); NOR: Ethernet: ENOR (111.46.a.b/8). RIPv2 is configured and enabled on the Ethernet interfaces.
• Steps 4-5: RIPng prefix: GRE – assignment and configuration of addresses on GRE interfaces: NOR: GNOR+2/30, IPv6Enc(PrefixGRE2, BGP ASNNOR, GNOR+2)/127; SWE: GNOR+1/30, IPv6Enc(PrefixGRE2, BGP ASNNOR, GNOR+1)/127
• Steps 6-7 and 8-9 are marked in the figure only.
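The two-phase discovery above, modelled in Python as an added example (not TACOMS+ specification text or reference-implementation code): the IPv4 address tie-breaking and the Phase 2 transitions follow the figure; the IPv6Enc field layout is not on the page, so the sample RIPng prefixes are constructed and only their /32 tag is interpreted.

```python
import ipaddress

# Tag prefixes from the TACOMS+ discovery diagram (values as given on the page);
# an IPv6Enc() result is recognised by the /32 it falls under.
TAGS = {
    "GRE": ipaddress.ip_network("fd00:0202::/32"),
    "BGP": ipaddress.ip_network("fd00:0510::/32"),
    "MSDP": ipaddress.ip_network("fd00:0511::/32"),
    "SA": ipaddress.ip_network("fd00:0500::/32"),
}

def classify(prefixes):
    """Return the set of items announced by a list of received RIPng prefixes."""
    found = set()
    for p in prefixes:
        net = ipaddress.ip_network(p)
        found.update(name for name, tag in TAGS.items() if net.subnet_of(tag))
    return found

def phase1_actions(my_ip, peer_ip):
    """RIPv2 seen from a new neighbour: the higher IPv4 address configures GRE first."""
    actions = []
    if ipaddress.ip_address(my_ip) > ipaddress.ip_address(peer_ip):
        actions.append("configure GRE")
    return actions + ["enable RIPng", "spawn Phase 2 process"]

def phase2_step(state, my_ip, peer_ip, prefixes, configured=(),
                bgp_up=False, peer_alive=True, timed_out=False):
    """One transition of the per-neighbour Phase 2 machine: (new_state, actions)."""
    higher = ipaddress.ip_address(my_ip) > ipaddress.ip_address(peer_ip)
    seen = classify(prefixes)
    if not peer_alive:                      # RIPv2 sender gone
        return "Exit", ["configuration cleanup"]
    if state == "START":
        if "BGP" in seen and (higher or "GRE" in seen):
            acts = [] if higher else ["configure GRE"]  # lower address sets up GRE here
            return "Configured", acts + ["configure BGP"]
        return "START", []                  # keep sending RIPng, wait for the peer
    if state == "Configured":
        if bgp_up:
            state = "Established"
        elif timed_out:                     # ~120 s without BGP coming up
            return "Exit", ["configuration cleanup"]
    if state == "Established" and not bgp_up:  # BGP left established
        return "Exit", ["configuration cleanup"]
    acts = [f"configure {item}" for item in ("MSDP", "SA")
            if item in seen and item not in configured]
    return state, acts
```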
Implementation examples
Figure (labels recovered): FCS A and FCS B interconnected via IOP-Routers; RIPng incl SA-BGP bootstrap; eBGP SA-Layer between the IOP-Routers; inside each FCS, iBGP from the IOP-Router to a Media GW (only SA-BGP 500"-prefixes allowed) and to a Service X GW (only 520"-prefixes and Service X"-prefixes allowed).
Test Specifications
Reference Architecture
• Project Steering Group has decided that the RA is where all deliverables will be placed.
• Currently the latest versions of docs are on a FIN wiki.
• PSG has allocated funding for maintaining the RA for two additional years.
• FrontEnd (SWE company) has the database.
• The funding is at FMV (SWE)
• N&S CaT is the intermediate CCB/custodian?
• Further discussion is needed to sort out the details
– Licenses
– Access to the RA
– Updating docs in the RA
– Maintenance of the RA
– Etc
FMN Audio-based Collaboration
NATO FMN Instruction
• Request to act as SME
– Merging CPs with existing Instruction
• Final version delivered to the ACT at the end of February ‘15
– Used within the CWIX’15
– Maintenance will fall to the CPWG and CIAV?
FMN Instruction (SME: Marko & Per) 2015
FMN Communication Services FMN Instruction (Marko & Per, T+ support) 2015
• 90% TACOMS+ CL-Forwarding
• Autoconnectivity optional
TACOMS and FMN
• A TACOMS+ system is one possible realization of FMN networking capabilities – TACOMS is not the realization
• Functionally adhering to the FMN concept
• Aim and aspiration in future spiral requirements – Auto configuration (optional now)
– KPI Measurement (spiral 2)
– PCN security model (spiral 4?)
– Dual Stack with IPv6
TACOMS+ RI
• TACOMS+ nodes that can be used for testing of other nodes or user services over a TACOMS+ FC.
• Location: Aalto university
• Three nodes – NLD, NOR, SWE.
• Current status:
– SWE (masked as NATO) up
– NLD will be up (May?)
– NOR?
Future Work (Annex 9) snippets
Enhancements:
• Reduce setup time
• Increase ease of use
• Automation of redundancy
• Automate QoS-policies
• Etc
Future work – Plug and play infrastructures
Figure (labels recovered): FCS A and FCS B, each an L3 network, joined over P2P Ethernet through either L3 cryptos or L2 bridging cryptos.
Autoconnectivity
• Work on any L2/L3 multicast enabled bearer
• Requires certain functionality in cryptos (low-grade?)
• Replace discovery protocol (RIPv2->SSDP?)
Future work – UNI
• As crypto functionality progresses, a ”PCN-2”-type interface becomes interesting.
• In FMN-terms, a hosted user is the look-alike.
Final words…right…
• Developed capabilities meet the requirements
• Nice flora of services/functions that have been tested in multinational settings
• Modularity makes cherry-picking possible
• TACOMS+ has influenced FMN Spiral 1 and will influence solutions for FMN comms in coming Spirals
• First multinational incarnation of PCN (PCN-2 hidden)
– Agility, flexibility and scalability
QUESTIONS