MilNet-Protocol Goes with the Flow

MIT 2010 Volume: 14 Issue: 3 (April)

The Defense Advanced Research Projects Agency (DARPA) is developing the equivalent of Caller ID for the Internet through a Military Networking Protocol contract awarded to a Lockheed Martin-led industry team. The new routing protocol will strengthen cybersecurity and network traffic management while allowing military data to flow through existing Internet equipment.

Delivering secure MilNet-Protocol technology will let operators know who is on their networks at all times. “Today’s Internet is based on anonymous flows of data, so we are adding a layer on top of that with user information to make sure the traffic is authorized,” said Mike Briske, Lockheed Martin MilNet-P program manager, C4ISR Systems. “It’s a routing protocol that ties in secure aspects of user attribution to every packet flowing through the network.”

Part of the MilNet-P technology is based on Anagran Inc.’s FR-1000 flow-based, network traffic management technology, which processes data by flow rather than individual packets.

As a subcontractor, Anagran brings a sense of historical continuity to both the MilNet-P program and the technology. Its founder and chief executive officer is Lawrence Roberts, who designed and led the team that developed ARPANET in 1969, the world’s first major packet network, which later became the Internet. Now he’s involved in re-engineering the same packet network he designed decades ago.

“The problem is that the equipment we have on the net today has never undertaken the job of verifying whether the source is correct,” said Roberts. “We can dramatically improve the situation so everyone knows who they are talking to. And the way we are doing it can’t be masked effectively.”

Packet switching divides data into packets before sending them across networks to their destinations. Each packet is forwarded independently, hop by hop, along a path chosen by routing decisions at the switches and routers it passes through.

But skyrocketing Internet traffic from streaming video, Voice over Internet Protocol (VoIP), peer-to-peer (P2P) and wireless technologies has strained packet switching. At peak times bandwidth is distributed unevenly and quality suffers, showing up as rate and delay jitter on voice and video transmissions. Virus and identity-theft attacks have made matters worse.

FLOW-BASED PROTOCOL

To address the problem, Anagran, working with Hewlett-Packard under MilNet-P's predecessor, the DARPA Control Plane contract, adapted its intelligent fast flow technology to support a flow-based signaling protocol called TIA-1039. That contract sped up military data transmissions over IP versions 4 and 6, primarily on high-delay data paths originating from satellites.

The resulting specification for a flow-based protocol that minimizes packet loss and delay was adopted by the Telecommunications Industry Association as the TIA-1039 standard, “Quality of Service Signaling for IP QoS Support.”

“The original intent of TIA-1039 in the DARPA Control Plane project was to address satellite delays. TCP worked poorly across satellites, so the TIA-1039 was created to fix that problem,” said Roberts.

Along with IP, the Transmission Control Protocol (TCP) forms TCP/IP, the original protocol suite created to connect computers and deliver data across the Internet. TCP finds a usable sending rate by probing for loss and backing off, which takes many round trips over a high-delay satellite link. Network equipment that complies with TIA-1039 instead tells the sender what rate to use. “The TIA-1039 network equipment provides back to the sender a rate to send at, regardless of whether it’s a server or desktop,” said Roberts.

Intelligent fast flow technology manages the transmission rate of each data flow rather than making an independent decision for every packet. “It provides routing as well as sophisticated traffic management, often associated with deep packet inspection (DPI), without needing to conduct intrusive DPI,” said Tim Gibson, program manager, DARPA Strategic Technology Office.

Gibson developed the original concept for and managed the Control Plane contract and is doing the same for the MilNet-P program. The flow manager is also considered green technology, as it consumes less power and is smaller, occupying less space on a rack than standard routers or DPI devices, Roberts noted.

The DARPA program is also working to standardize the MilNet protocol. “We are trying to create a proof of concept and support an emerging standard that allows commercial hardware vendors to incorporate flow technology in a standard protocol within their systems,” said Briske.

“We’re using Anagran’s FR-1000 bandwidth management boxes inside the network to incorporate flow technology and the MilNet protocol,” said Briske. “We’re adding security overlays over TIA-1039.”

Intelligent flow technology is an Internet game changer for the military, analysts say. “We’re calling them network controllers, but they’re actually small flow routers that have additional identity-specific detail. Using a digital certificate, such as the one on the Common Access Card, the data can be cryptographically signed so we know who is making the connection,” said Gibson.

The Common Access Card authenticates users for access to DoD networks, lets them encrypt and cryptographically sign e-mail, and supports public key infrastructure (PKI) authentication.

The version of the TIA-1039 protocol being carried forward in the International Telecommunication Union is called ITU Q.Flowstatesig. “Flowstatesig defines how the network controls the state of flow by signaling the rate at which users can send,” explained Roberts. “At the beginning of the flow, it feeds back to users the rate at which they can operate given their QoS and their priority. And there’s a marker placed in the protocol for a security header.”

The Lockheed team is also adding security to the TIA-1039 protocol in a way intended to pass through existing firewalls and intrusion detection systems without disruption. “Lockheed is working with Microsoft to leverage the Microsoft Active Directory structure to make authentication automatic and seamless for users,” said Gibson.

BOTNET DEFENSE

MilNet-P is intended to make it easier for network operators to stop cyber-attackers from reaching their goals. “If a machine has been cyberhacked and there are attempts to use it as a stepping stone to attack another machine, the additional information on these network controllers will know who owns each flow,” Gibson said.

Botnets are a major source of cyberattacks, including denial-of-service floods and spam, launched from multitudes of compromised computers simultaneously. A botnet is a collection of machines infected with malware, often delivered as a Trojan horse, that gives a remote operator control of the host; the operator can then direct the machines to send spam or denial-of-service traffic.

“A botnet is essentially a tree, with a master and its bots branching out, passing information up and down the tree,” said Roberts. “These botnets tend to be in the millions, and they are the cheapest, easiest way to send spam now.”

MilNet-P is designed to help pinpoint the compromised computers that make up a botnet. “Since each machine creates a net flow stream record of the source and destination of network traffic, you have all the traces of the bot and its parent in your memory,” said Roberts.

Under the MilNet-P program, the team has been tasked to store these records in a database. “This will make it easy to create a data-mining program later on to search for the patterns and traces of communication flow where the records of the bots and their masters are stored in the database,” he said.
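As an added illustration of the data-mining step Roberts describes (this is not code from the MilNet-P program or from any company named here), the following Python loads constructed flow records into an in-memory SQLite table and queries it for the tree pattern: hosts fanning out SMTP connections to many destinations (the bots) and a host that has flows to several of those bots (their master). The record layout, the addresses, the port numbers and the thresholds are all assumptions made for the example.

```python
import sqlite3

SCHEMA = "CREATE TABLE flows (src TEXT, dst TEXT, dport INTEGER, bytes INTEGER)"


def constructed_flows():
    """Constructed sample records: one master, four spamming bots, two benign flows."""
    rows = []
    master = "10.0.0.5"
    bots = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
    for bot in bots:
        rows.append((master, bot, 6667, 900))        # command channel down the tree (assumed port)
        rows.append((bot, master, 6667, 120))        # status back up the tree
        for j in range(25):                          # spam fan-out to many mail hosts
            rows.append((bot, f"198.51.100.{j}", 25, 4000))
    rows.append(("10.0.0.20", "10.0.0.2", 25, 8000))   # ordinary user -> corporate mail relay
    rows.append(("10.0.0.20", "10.0.0.5", 443, 3000))  # ordinary HTTPS flow to the master's host
    return rows


def load(rows):
    """Store flow records in the database the article says the team is building."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?)", rows)
    return conn


def find_bots(conn, min_targets=10):
    """Hosts opening SMTP flows to at least min_targets distinct destinations."""
    q = """SELECT src FROM flows WHERE dport = 25
           GROUP BY src HAVING COUNT(DISTINCT dst) >= ? ORDER BY src"""
    return [row[0] for row in conn.execute(q, (min_targets,))]


def find_masters(conn, bots, min_children=3):
    """Non-bot hosts that have flows to at least min_children of the suspected bots."""
    if not bots:
        return []
    marks = ",".join("?" * len(bots))
    q = f"""SELECT src FROM flows
            WHERE dst IN ({marks}) AND src NOT IN ({marks})
            GROUP BY src HAVING COUNT(DISTINCT dst) >= ?
            ORDER BY COUNT(DISTINCT dst) DESC, src"""
    return [row[0] for row in conn.execute(q, (*bots, *bots, min_children))]


if __name__ == "__main__":
    conn = load(constructed_flows())
    bots = find_bots(conn)
    print("suspected bots:", bots)
    print("suspected masters:", find_masters(conn, bots))
```

The thresholds are knobs, not magic numbers: a mail relay legitimately talks to many destinations, so in practice the query would exclude known relays and would also require the master-to-bot flows to precede the fan-out in time, which means the records need timestamps.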

Another subcontractor, LGS Innovations, is working to facilitate systems integration, secure authentication and intelligent prioritization. “We are working closely with Lockheed Martin in the design and integration of the system so all the pieces of the system fit together,” said Lloyd Greenwald, LGS Innovations’ MilNet-P technical lead.

LGS and Lockheed Martin are coordinating the parts contributed by subcontractors. “We’re working on implementing interfaces between boxes, router hardware and servers, helping with authentication and setting it up for network prioritization,” said Greenwald.

The interfaces and emulation technology will ease the testing process. “Right now we are building an emulator, which reduces the risk of integration and makes it easier for hardware and software to talk to each other. Subcontractors can use the emulator to get early testing of their pieces before other pieces of the technology are ready. This helps them to know how their pieces of the technology will interact with other pieces,” he said.

The team is also working to secure the attribution of flows so identity information is not leaked. “We want to make sure first that we attribute flow without revealing identity information on the network,” Greenwald said.
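One way the requirement Greenwald states, attributing a flow without putting identity on the network, can be met is shown below as an added Python example; it is not the MilNet-P security header or any Lockheed or LGS code. The controller that authenticates the user at flow setup mints an opaque per-flow token under a controller-held key, keeps the token-to-identity mapping locally, and places only that token plus the eight-bit priority in the packet header. The header layout, the HMAC construction, the subject name and the addresses are assumptions of the example; a real deployment would take identity from the CAC certificate and would have to share the token-to-owner state among controllers.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumed header layout (not MilNet-P's real one): one priority byte, i.e. 256
# levels in eight bits, followed by a 16-byte opaque flow token.
HEADER = struct.Struct("!B16s")


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int

    def wire(self):
        return f"{self.src}|{self.dst}|{self.sport}|{self.dport}|{self.proto}".encode()


def build_header(priority, token):
    return HEADER.pack(priority, token)


def parse_header(raw):
    priority, token = HEADER.unpack(raw[:HEADER.size])
    return priority, token


class NetworkController:
    """Admits flows for authenticated users and checks the header on later packets."""

    def __init__(self, secret):
        self._secret = secret          # known only to the controllers
        self._owners = {}              # token -> identity, never sent on the wire

    def _mint(self, identity, flow, priority):
        # Bind identity, flow tuple and priority together so a token can neither be
        # replayed on another flow nor re-marked with a higher priority.
        msg = identity.encode() + b"|" + flow.wire() + b"|" + bytes([priority])
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def admit(self, identity, flow, priority):
        token = self._mint(identity, flow, priority)
        self._owners[token] = identity
        return build_header(priority, token)

    def verify(self, flow, raw_header):
        """Return (identity, priority) for a packet, or None if attribution fails."""
        priority, token = parse_header(raw_header)
        identity = self._owners.get(token)
        if identity is None:
            return None                # unknown or forged token
        expected = self._mint(identity, flow, priority)
        if not hmac.compare_digest(expected, token):
            return None                # token moved to another flow or priority changed
        return identity, priority


def demo():
    ctl = NetworkController(b"constructed-controller-secret")
    user = "CN=DOE.JANE.1234567890"    # constructed subject standing in for a CAC certificate DN
    f1 = FlowKey("10.1.1.7", "10.2.2.9", 51000, 443, 6)
    f2 = FlowKey("10.1.1.7", "10.2.2.9", 51001, 443, 6)
    h1 = ctl.admit(user, f1, 200)
    h2 = ctl.admit(user, f2, 200)
    escalated = build_header(255, parse_header(h1)[1])   # same token, higher priority byte
    return {
        "good": ctl.verify(f1, h1),
        "replayed_on_other_flow": ctl.verify(f2, h1),
        "priority_tampered": ctl.verify(f1, escalated),
        "tokens_differ": parse_header(h1)[1] != parse_header(h2)[1],
        "identity_on_wire": b"DOE" in h1 + h2,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two properties matter here: an on-path observer sees a different 16-byte token for each of the user's flows and cannot link them or recover the subject, while a controller that holds the mapping can still say who owns any packet. The priority byte is covered by the MAC on purpose; leaving it out would let a sender promote its own traffic to a higher QoS class.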

Knowing the location and identity of sources will also help optimize resources and quickly determine whether the right traffic is on the right part of the network. “We will be contributing intelligent prioritization, which is like network prioritization with decision support added. It helps military network operators deal more easily with prioritization. But we won’t get going on this until phase two of the program at the end of this year,” he said.

The MilNet-P is a three-phase program.

QUALITY OF SERVICE

The MilNet-P system provides greatly enhanced control over military networks. It gives military commanders the ability to allocate network bandwidth and priorities on a unit or mission basis, or even for specific people for specific purposes at certain times.

“The QoS decisions the system makes are based upon priorities and bandwidth allocation inputs by network administrators. The flow-based routers used in the system never drop or preempt data flows, but simply slow them down when higher priority flows start. When the higher priority flow is finished, the lower priority flows are told to increase their speed. This immediate feedback from the flow routers in the MilNet-P system is critical to the system’s success,” said Gibson.

Ultimately, the MilNet-P will offer a healthy selection of priority levels while using minimal energy. “The whole protocol we are developing in the system will provide 256 priority levels allocated in eight bits,” he said.

The lack of prioritization on the Internet, including for VoIP and P2P, also hampers timely emergency preparedness; MilNet-P is intended to address that. “There is currently no priority system on the Internet,” said Roberts. “It’ll be valuable where both security and priority are important, such as homeland security, and for getting emergency calls through during natural disasters.”

MilNet-P will allow first responders to have priority during emergencies, particularly for 911 calls. Another goal is to simplify. “To address the increasingly complicated nature of networks today, we are pushing for auto-configuration. The final piece of the MilNet-P project is to create a protocol that is user-friendly and simple to configure,” said Briske.

To achieve this, DARPA and Lockheed Martin will incorporate auto-configuration in the MilNet-P to improve readiness, reduce the time and lower the costs associated with advanced training in network device configuration. “Instead of needing highly trained people at every unit or command post who know the arcane router configuration scripting languages, the MilNet-P program provides an automated environment—up to 400 network controllers or flow router devices—in less than an hour. This is a metric from the BAA,” said Gibson.

Automating router configuration allows the military, as well as the commercial sector when the technology goes commercial, to have users just hook up the network controllers to the communications infrastructure. “The network controllers talk with one another and automatically distribute the signed and authenticated configuration files among themselves. We’re planning to test this exact scenario in the Phase I tests next winter,” he said.

The MilNet-P team is developing the autoconfiguration routine to ensure that the IP piece is self-configuring. “The plan is that as long as all the network controllers are in one autonomous system, then one administrator should be able to generate and distribute all of the network controller configuration files,” he continued.

Fewer personnel will be required for this advanced task, and the level of training required for those remaining will be much lower. “In fact, the requirements for router training and certification from major router equipment manufacturers effectively go to nil,” Gibson explained. “Readiness and combat effectiveness will increase because the people are kept from making configuration errors. And the automatically-generated configuration files are checked for logic errors and correctness as part of the generation process.”
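The generate, check, sign and distribute cycle Gibson describes, reduced to a runnable Python example that is not the program's own tooling: one administrator generates the per-controller configuration files for an autonomous system, a checker rejects the logic errors the article mentions (here: duplicate router IDs, overlapping prefixes, neighbors that are not in the AS or do not list the peer back), and a controller accepts a file only after it authenticates. The configuration fields, the sample topology and the HMAC-based authentication (a stand-in for a signature under a distribution key) are assumptions of the example.

```python
import copy
import hashlib
import hmac
import ipaddress
import json

# Constructed distribution key shared by the controllers of one AS. A real deployment
# would sign with a certificate; the HMAC stands in for that signature here.
DIST_KEY = b"constructed-distribution-key"

GOOD_CONTROLLERS = [
    {"name": "nc1", "router_id": "10.255.0.1", "prefixes": ["10.1.0.0/24"], "neighbors": ["nc2"]},
    {"name": "nc2", "router_id": "10.255.0.2", "prefixes": ["10.2.0.0/24"], "neighbors": ["nc1", "nc3"]},
    {"name": "nc3", "router_id": "10.255.0.3", "prefixes": ["10.3.0.0/24"], "neighbors": ["nc2"]},
]

# Same topology with four deliberate mistakes of the kind an operator types by hand.
BAD_CONTROLLERS = [
    {"name": "nc1", "router_id": "10.255.0.1", "prefixes": ["10.1.0.0/24"], "neighbors": ["nc2"]},
    {"name": "nc2", "router_id": "10.255.0.1", "prefixes": ["10.1.0.128/25"], "neighbors": ["nc1", "nc9"]},
    {"name": "nc3", "router_id": "10.255.0.3", "prefixes": ["10.3.0.0/24"], "neighbors": ["nc2"]},
]


def generate_configs(asn, controllers):
    """One administrator produces every controller's file from the AS-wide plan."""
    return [{"asn": asn, **copy.deepcopy(c)} for c in controllers]


def check_configs(configs):
    """Return the logic errors found; an empty list means the set is consistent."""
    errors = []
    by_name = {c["name"]: c for c in configs}
    seen_ids = {}
    seen_prefixes = []
    for c in configs:
        rid = c["router_id"]
        if rid in seen_ids:
            errors.append(f"{c['name']}: router_id {rid} already used by {seen_ids[rid]}")
        seen_ids.setdefault(rid, c["name"])
        for p in c["prefixes"]:
            net = ipaddress.ip_network(p, strict=False)
            for owner, other in seen_prefixes:
                if owner != c["name"] and net.overlaps(other):
                    errors.append(f"{c['name']}: {net} overlaps {other} on {owner}")
            seen_prefixes.append((c["name"], net))
        for n in c["neighbors"]:
            peer = by_name.get(n)
            if peer is None:
                errors.append(f"{c['name']}: neighbor {n} is not in this AS")
            elif c["name"] not in peer["neighbors"]:
                errors.append(f"{c['name']}: {n} does not list {c['name']} as a neighbor")
    return errors


def _canonical(config):
    # Canonical JSON so sender and receiver MAC exactly the same bytes.
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def sign_config(config, key=DIST_KEY):
    return {"config": config, "mac": hmac.new(key, _canonical(config), hashlib.sha256).hexdigest()}


def accept_config(signed, key=DIST_KEY):
    """A controller applies a file only if it authenticates under the distribution key."""
    expected = hmac.new(key, _canonical(signed["config"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


if __name__ == "__main__":
    good = generate_configs(64512, GOOD_CONTROLLERS)
    print("good set errors:", check_configs(good))
    print("bad set errors:", *check_configs(generate_configs(64512, BAD_CONTROLLERS)), sep="\n  ")
    signed = sign_config(good[0])
    print("accepted as distributed:", accept_config(signed))
    signed["config"]["prefixes"].append("192.0.2.0/24")   # modified in transit
    print("accepted after tampering:", accept_config(signed))
```

The check runs before signing, so a file that passes authentication on a controller is also one that passed the consistency checks; a controller that only verified the signature would happily apply a syntactically valid file with an overlapping prefix.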

PEER TO PEER

Flow technology also will address a lack of subscriber equalization owing to the growth of P2P applications such as BitTorrent, a file sharing protocol used for distributing huge amounts of video and other data.

The growth of P2P has created an inequality in how network resources are distributed. A P2P application uses many sessions concurrently and so takes more than its share of a network’s bandwidth. Various measurements show that 27 to 70 percent of a network’s total available bandwidth can be consumed by P2P applications at a time, while the users behind them represent only 5 percent of subscribers. This slows the network significantly for everyone else who pays the same.

DPI is the common method of detecting P2P, by inspecting the contents of users’ data packets for patterns characteristic of P2P applications. However, the flow technology used in MilNet-P provides an alternative solution. “DPI is intrusive and compute-intensive, and equipping a multi-gigabit network with DPI is prohibitively expensive. As P2P applications increasingly use encryption, it is more difficult to detect them using DPI,” said Roberts.

P2P applications use multiple network flows at once, instead of one flow per subscriber, in order to deliver their large files faster. “The net has unfairness built in, which is a serious problem since users cannot change their computers to use more flows just as P2P networks do. You might have 100 network flows supporting one P2P application, which pays the same as its neighbor who gets only one flow,” said Roberts.

“Our concept is equal capacity for equal pay,” he said. “We want to treat subscribers equally, and we accomplish that by equalizing the bandwidth for subscribers.”

Flow technology in the Anagran FR-1000 detects the behavior of P2P applications—specifically, their large number of sessions and high bandwidth usage. Host equalization ensures fair network usage, as all hosts receive an equal share of the network bandwidth.
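The two rules the article attributes to the flow routers can be combined in one rate-assignment function: the QoS behavior Gibson describes in the Quality of Service section (slow lower-priority flows rather than drop them, and tell them to speed up again when the higher-priority flow ends) and the host equalization Roberts describes here (a host with 100 P2P flows gets the same share as its neighbor with one). The Python below is an added example written for this article, not the FR-1000's algorithm or TIA-1039 signaling; the allocation order (a small floor for every flow, then priority tiers, then max-min fairness across hosts and across each host's flows), the 0.1 Mbit/s floor and the sample flows are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    fid: str
    host: str
    priority: int    # 0..255, one byte on the wire; higher wins
    demand: float    # Mbit/s the sender would like to use


def water_fill(capacity, demands):
    """Max-min fair split of capacity over {name: demand}; unused demand is passed on."""
    alloc = {}
    remaining = capacity
    pending = dict(demands)
    while pending:
        share = remaining / len(pending)
        satisfied = [n for n, d in pending.items() if d <= share]
        if not satisfied:             # everyone left wants more than the fair share
            for n in pending:
                alloc[n] = share
            break
        for n in satisfied:           # small demands are met in full, the rest is re-shared
            alloc[n] = pending.pop(n)
            remaining -= alloc[n]
    return alloc


def allocate(capacity, flows, floor=0.1):
    """Rate (Mbit/s) each sender is told to use; the sum never exceeds capacity."""
    # Every flow keeps at least `floor`, so a new high-priority flow slows the others
    # down but never stops them (the article's "never drop or preempt").
    rates = {f.fid: min(floor, f.demand) for f in flows}
    remaining = capacity - sum(rates.values())
    for prio in sorted({f.priority for f in flows}, reverse=True):
        tier = [f for f in flows if f.priority == prio]
        by_host = {}
        for f in tier:
            by_host.setdefault(f.host, []).append(f)
        # Host equalization: the tier's capacity is shared per host, not per flow,
        # so opening 100 flows buys a host nothing over its one-flow neighbor.
        host_demand = {h: sum(f.demand - rates[f.fid] for f in fs) for h, fs in by_host.items()}
        host_alloc = water_fill(max(remaining, 0.0), host_demand)
        for h, fs in by_host.items():
            extra = water_fill(host_alloc[h], {f.fid: f.demand - rates[f.fid] for f in fs})
            for fid, r in extra.items():
                rates[fid] += r
                remaining -= r
    return rates


def scenario(with_video):
    """Constructed flows: one web user, one P2P host with 100 flows, optionally a priority video."""
    flows = [Flow("web", "hostC", 50, 60.0)]
    flows += [Flow(f"p2p{i}", "hostB", 50, 2.0) for i in range(100)]
    if with_video:
        flows.append(Flow("video", "hostA", 200, 80.0))
    return flows


if __name__ == "__main__":
    busy = allocate(100.0, scenario(True))
    print("video running : video=%.2f web=%.2f p2p total=%.2f"
          % (busy["video"], busy["web"], sum(v for k, v in busy.items() if k.startswith("p2p"))))
    after = allocate(100.0, scenario(False))
    print("video finished: web=%.2f p2p total=%.2f"
          % (after["web"], sum(v for k, v in after.items() if k.startswith("p2p"))))
```

With a 100 Mbit/s link the priority-200 video takes its full 80, the web user and the P2P host split what is left evenly at about 5 each despite the 100-to-1 difference in flow count, and none of the 101 low-priority flows is stopped. Once the video ends the same function hands each of the two hosts about 45, which is the "told to increase their speed" feedback in Gibson's description.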

As the military has realized, the use of P2P applications not only gobbles up bandwidth, but also compromises desktop security. Using flow technology under development in the MilNet-P program, potential security violations can be identified and prevented by counting and managing the number of network flows associated with each user, controlling their capacity and recording where each flow goes.

According to the BAA for the DARPA program, MilNet-P will also use software or Field Programmable Gate Array (FPGA)-based routers, which DARPA considers to be more flexible and significantly cheaper than Application Specific Integrated Circuit (ASIC) designs. Software or FPGA-based routers could be more broadly applied than ASIC designs, which are customized for specific use.

MilNet-P will create a better-protected and administered network by using flow management technology, advocates say. “I’ve been waiting for many years to do this, but memory was too expensive before. Now that memory has gotten so cheap, it makes flow-based traffic management less expensive to do and it consumes considerably less energy,” Roberts observed. ♦
