Building a protective black core for the Global Information Grid

To achieve its ultimate goals, the Global Information Grid (GIG) will need to function more like the Internet, as an all-encompassing network of networks that can support many applications. To maintain military standards for information assurance, the GIG's architects have penciled in a "black core" of encryption that would form the center of their private Internet.

These plans are tentatively in place, but several technological and organizational problems remain before a large-scale implementation of a black-core infrastructure.

But Tony DeSimone of the Johns Hopkins Applied Physics Lab said this is the right target. Between 2005 and 2007, the university loaned him to the Defense Department Chief Information Officer’s Networks and Information Integration Office as a deputy to Julie Tarr, a Johns Hopkins colleague who was then senior engineer on the GIG design effort.

DeSimone and Tarr published a seminal paper, "Defining the GIG Core," that contrasted the black-core option against the alternative of a striped core, in which data would be decrypted and re-encrypted repeatedly in its transit across the GIG. On one hand, the striped core approach would simplify some aspects of GIG architecture by allowing routers to inspect addressing and differentiated service headers, in addition to the nature of the data being transmitted, when deciding how to prioritize packet transmission. On the other hand, such "red gateways," where packets would be processed in clear text rather than encrypted form, would be potential vulnerabilities. DeSimone and Tarr concluded it was better to target a black-core architecture in which packets are not decrypted until they reach their destinations.

"Architecturally, black core is the better choice," DeSimone said. However, he added that there are challenges to achieving that goal. Technologically, the challenges include figuring out how to efficiently route packets and manage networks if even the packet headers and network management signaling must be encrypted. Organizationally, groups that have traditionally managed their own networks would need to trust an encryption scheme that DOD globally manages.

Dow Street, an Internet architecture specialist at LinQuest who helped lay preliminary plans for routing in a black-core architecture, said one problem is that the departmentwide benefits the architecture seeks to achieve don't necessarily match the more immediate concerns of project managers, who are judged on the results they deliver for specific missions, facilities or agencies.

"The benefits of having a single cyphertext core will only be realized when a large number of major network programs buy into this model," Street said. Meanwhile, to get to that point, many competing interests in the military must agree that goal is worth the disruption and complexities of the transition.

No official from DOD or its networking and telecommunications arm, the Defense Information Systems Agency, will speak on record about plans for a black-core system. One DOD official, who asked to remain anonymous, said the black-core concept is something DOD is pursuing, but added, "However, there are a number of technical issues that must be resolved before that can be accomplished." A transition strategy is being created to define the stages the black-core "will evolve through as it transitions to the end-state vision," he said.

Meanwhile, a manual, "Net-Centric Enterprise Solutions for Interoperability," published by the Navy's Space and Naval Warfare Command, warns that "the black core is a concept fundamental to GIG networking, but actionable guidance is still in its infancy." The command's advice to military technology planners is to monitor the development of plans for the GIG and try to avoid choices that would preclude a migration to a black-core architecture.

Complex challenge

The black-core problem becomes more complex when combined with the trend toward routing synchronous communications, such as phone calls and video conferences, via IP networks. Optimizations that mark packets as a priority are complicated when those packets are encrypted. In addition to the problem of assuring smooth transmission of voice-over-IP packets to preserve voice quality, military phone networks must also enforce a concept of precedence to ensure that the most important command and control calls will go through even when a network is busy.

A black-core network needs to be able to meet those service levels while still protecting the application data and ensuring that the network properly functions. Even when commercial networks employ technologies such as virtual private networks, they typically don't insist on the tight control over network control and management data that military technologists desire, DeSimone said.

A similar problem exists with network transmission via satellite links, in which performance enhancing proxies (PEPs) are commonly used to alter the normal TCP/IP cycle of data transmissions and acknowledgments, which takes too long when each packet must be bounced off a satellite and back to Earth. However, because the PEPs work by essentially faking an acknowledgment for each packet transmission, they require access to the packet header that a black-core network would deny them. In a paper for the Institute of Electrical and Electronics Engineers (IEEE) Military Communications Conference 2007, Booz Allen Hamilton's Michael Molinari and Jonah Pezeshki walked through several possible solutions, including schemes for encrypting packet headers and data payloads with separate keys and sharing only the header keys with the PEP gateways.

"The ideal solution to the black-core problem would allow for a single end-to-end security association between sender and receiver, maintain a single end-to-end TCP connection between end hosts, allow the PEPs to be located as close to the satellite terminal as possible, and require no changes to either the [High Assurance IP Encryptor (HAIPE)] or to end user equipment," they concluded. "No solution today meets all of these criteria, and it is extremely unlikely that a solution meeting all of these criteria will ever be developed."

Despite such obstacles, DeSimone said the ultimate goal of the GIG is to provide flexibility that is lacking in many of today's military networks. Regardless of whether they are based on IP, they tend to be operated separately and only interoperate at application-specific gateways. That means that a gateway created to allow two agencies or departments to exchange e-mail messages does not automatically allow them to share other applications, such as instant messaging or video. In contrast, the Internet works because all the major Internet service providers have agreed to a set of ground rules for how they will exchange data at the packet level, and any new application that can be built on that foundation can get up and running immediately. Organizations that connect to the Internet may set their own firewall restrictions on what traffic they let in or out, but the backbone sticks to relatively application agnostic ground rules.

Benefiting military networks

The black-core architecture would do something similar for military networks, DeSimone said. In contrast, military networks run more like the early versions of Compuserve, America Online and other proprietary online services that could not interoperate except by special arrangement.

As conceived by DOD network architects, the black core would substitute cryptographic associations among network endpoints for the physical segregation of data on separate networks. Ultimately, there might be no need to maintain a rigid separation between, for example, Secure IP Router Network and the Unclassified but Secure IP Router Network or for the Army and Navy to build parallel network infrastructures. Once encrypted data channels are accepted as being just as secure and reliable, operating a black core on a common infrastructure should deliver big savings over running parallel networks.

As with other GIG concepts, such as convergence of voice and data networking, the black-core style of networking has already arrived in some places in DOD but is still far from universal. The National Security Agency has established a HAIPE specification for devices produced by multiple manufacturers that implement the military's version of IPsec, the protocol used in the commercial world to implement VPN connections.

HAIPEs are increasingly used to protect and segregate data from military IP networks in much the way that they would be in the GIG black-core architecture — only on a more limited scale and with more administrative constraints. For example, the Defense Intelligence Agency maintains administrative control over the top-secret Joint Worldwide Intelligence Communications System network, even while taking advantage of long-distance telecommunications service provided by DISA, by placing HAIPEs at both ends of the connection.

"Whenever you see people are using HAIPEs, they are taking a step toward realizing the GIG, because they are relying on IP encryption, and they are making use of IP interoperability," DeSimone said. But what needs to happen next is a move toward connecting these mini-black cores and making the connections "in the black" without the need for unencrypted red gateways. The transition to a more pervasive use of black-core networking might come incrementally rather than as a sweeping change in military network architecture.

"Will we ever get to one single ubiquitous black core?" DeSimone asked. "I can't say. But as a goal, kind of a simple talking point, the black core allows DOD to focus its efforts on what we're trying to get to."