
www.thalesgroup.com OPEN

Military Message Handling System

HFIA, KJELLER 8 SEP 2017 Bengt R. Kristiansen, Øyvind Jonsson


MMHS used in HF networks

3 OPEN

This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2015 All rights reserved.

Ref number- date

Name of the company/ Template : 87204467-DOC-GRP-EN-002

Minimum Military Requirements

▌ Built-in support for priority and security

Should be designed-in from the start

Access control

Security evaluated

▌ Guaranteed delivery, supervised by the system

All messages must be accounted for

May need Traffic Operators to handle delivery problems

▌ Support military workflow

Drafter/Releaser roles

Organizational messaging

Automatic distribution


Messaging standards

▌ ACP 127 still needed for many years

Communication with submarines and surface ships

Communication with NATO (AIFS)

▌ STANAG 4406 defined by NATO as the MMHS standard

Transported between end-users

All participating entities understand semantics (e.g. priority)

STANAG 4406 designed to handle ACP 127 elements/procedures

Strategic and tactical (PMUL, DMP) versions

▌ SMTP needed (e.g. BFEM), but does not fully support military messaging

RFC 6477 can map attributes to header fields, but no network service

Clients are allowed to discard «unknown» header fields
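Added example (Python, not from the presentation and not XOmail code): how RFC 6477 MMHS-* header fields carry precedence and message type inside ordinary Internet mail, and what a gateway should do when a message comes back through a client that kept only the header fields it knew. The header names are those registered by RFC 6477; the sample message, the client's list of known headers and the gateway's flag-and-downgrade policy are constructed for this example.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, FrozenSet, Optional, Tuple

# Precedence values used by STANAG 4406 and carried by RFC 6477's
# MMHS-Primary-Precedence / MMHS-Copy-Precedence header fields.
PRECEDENCE = {0: "deferred", 1: "routine", 2: "priority",
              3: "immediate", 4: "flash", 5: "override"}

# RFC 6477 fields this (constructed) gateway policy insists on.
MMHS_REQUIRED = ("MMHS-Primary-Precedence", "MMHS-Message-Type")
FALLBACK_PRECEDENCE = 1  # routine: handle an unknown precedence at the lowest normal level

# Header fields a plain Internet-mail client is assumed to know; it drops the rest.
STANDARD_HEADERS: FrozenSet[str] = frozenset(
    {"from", "to", "cc", "subject", "date", "message-id"})

# Constructed sample message; addresses and identifiers are fictitious.
SAMPLE_MESSAGE = """\
From: ops@hq.example.mil
To: watch@ship.example.mil
Subject: Exercise traffic
Date: Fri, 08 Sep 2017 10:00:00 +0000
Message-ID: <constructed-0001@hq.example.mil>
MMHS-Primary-Precedence: 4 (flash)
MMHS-Copy-Precedence: 2 (priority)
MMHS-Message-Type: 0 (exercise)

Body text.
"""


def parse_precedence(msg: Message) -> Optional[int]:
    """Numeric MMHS-Primary-Precedence, or None when absent or not a known value."""
    value = msg.get("MMHS-Primary-Precedence")
    if value is None:
        return None
    match = re.match(r"\s*(\d+)", value)
    if match is None or int(match.group(1)) not in PRECEDENCE:
        return None
    return int(match.group(1))


def naive_client_forward(raw: str, known_headers: FrozenSet[str]) -> str:
    """Model of a client that re-emits a message keeping only the header fields
    it understands, which the standard permits for fields it does not know."""
    msg = message_from_string(raw)
    kept = [(name, value) for name, value in msg.items()
            if name.lower() in known_headers]
    head = "".join(f"{name}: {value}\n" for name, value in kept)
    return head + "\n" + msg.get_payload()


def gateway_admit(raw: str) -> Dict[str, object]:
    """Gateway-side check. A message that lost its MMHS attributes is not silently
    accepted at a guessed precedence: it keeps whatever precedence survived (else
    routine) and is flagged so a traffic operator can account for it."""
    msg = message_from_string(raw)
    missing = [h for h in MMHS_REQUIRED if msg.get(h) is None]
    precedence = parse_precedence(msg)
    effective = precedence if precedence is not None else FALLBACK_PRECEDENCE
    if missing or precedence is None:
        return {"status": "flagged", "missing": missing, "precedence": effective}
    return {"status": "accepted", "missing": [], "precedence": effective}


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Same message checked when received directly and after one hop through a naive client."""
    direct = gateway_admit(SAMPLE_MESSAGE)
    via_client = gateway_admit(naive_client_forward(SAMPLE_MESSAGE, STANDARD_HEADERS))
    return direct, via_client


if __name__ == "__main__":
    for label, result in zip(("direct", "via naive client"), demo()):
        print(f"{label}: {result['status']}, precedence "
              f"{PRECEDENCE[result['precedence']]}, missing {result['missing']}")
```

The point of the second path is the one the slide makes: the mapping in RFC 6477 puts the attributes on the wire, but nothing in SMTP obliges an intermediate client or MTA to preserve them, so a gateway has to detect their absence rather than assume a default that might be higher than intended.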


HF-related requirements

▌ Store-and-forward needed for handling several waveforms

E.g. adaptive data rate

E.g. unreliable or slow links

▌ Must handle unidirectional channels (e.g. broadcast, EMCON)

PMUL (STANAG 4406 Annex E, ACP 142) retransmission strategy

▌ Must handle slow channels (currently 50-600 bit/s)

Vital to reduce overhead (screening, vetting etc)

▌ Must adapt to specifics of cryptos/modems/medium

Long turnaround delays due to interleaving, frame structure and some radios

Flow control issues

Crypto sync


The XOmail MMHS products


The XOmail Product Family - Overview

▌ A complete messaging solution for the modern cyber defence

▌ 7 components sharing a common core


XOmail Core characteristics (1)

▌ Common platform for all XOmail products

Kernel functions do not depend on 3rd-party components

- End-of-life insurance

- Evaluation and enhancement possible

Moderate hardware requirements (allowing cheaper hw)

- "If it runs Windows, it runs XOmail"

▌ Built as a secure system

Designed and built with military and security functionality from the start

All objects have security labels, all subjects have clearance

- Controlled access

▌ Built-in priority handling

Internal queues, external connections
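Added example (Python, not XOmail code): the "all objects have security labels, all subjects have clearance" rule from this slide as a small label lattice with a dominance check, together with the drafter/releaser separation from the Minimum Military Requirements slide and a journal that records every access decision. Classification names, caveats, users, roles and message ids are constructed; the slides do not describe XOmail's actual label format or policy.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hierarchical classification levels (constructed names, low to high).
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: one level plus a set of caveats (e.g. releasability markings)."""
    level: str
    caveats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: at least as high a level AND a superset of the caveats."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.caveats >= other.caveats)


@dataclass(frozen=True)
class User:
    name: str
    clearance: Label
    roles: FrozenSet[str]  # subset of {"drafter", "releaser"}


@dataclass
class Message:
    msg_id: str
    label: Label
    drafter: str
    released_by: Optional[str] = None


class MessageStore:
    """Holds messages and a journal; every access decision is recorded."""

    def __init__(self) -> None:
        # (msg_id, action, user, outcome): the journal entry the slides call for
        self.journal: List[Tuple[str, str, str, str]] = []

    def _record(self, msg: Message, action: str, user: str, ok: bool) -> bool:
        self.journal.append((msg.msg_id, action, user, "granted" if ok else "denied"))
        return ok

    def can_read(self, user: User, msg: Message) -> bool:
        """Read allowed only when the subject's clearance dominates the object's label."""
        return self._record(msg, "read", user.name, user.clearance.dominates(msg.label))

    def release(self, releaser: User, msg: Message) -> bool:
        """Releaser must hold the role, be cleared for the label, and not be the drafter."""
        ok = ("releaser" in releaser.roles
              and releaser.clearance.dominates(msg.label)
              and releaser.name != msg.drafter)
        if ok:
            msg.released_by = releaser.name
        return self._record(msg, "release", releaser.name, ok)

    def deliver(self, recipient: User, msg: Message) -> bool:
        """Delivery needs a released message and a recipient cleared for its label."""
        ok = msg.released_by is not None and recipient.clearance.dominates(msg.label)
        return self._record(msg, "deliver", recipient.name, ok)


def demo() -> Tuple[Dict[str, bool], List[Tuple[str, str, str, str]]]:
    """Constructed scenario: a SECRET message carrying a NATO caveat."""
    store = MessageStore()
    secret_nato = Label("SECRET", frozenset({"NATO"}))
    alice = User("alice", secret_nato, frozenset({"drafter", "releaser"}))
    bob = User("bob", secret_nato, frozenset({"releaser"}))
    carol = User("carol", Label("CONFIDENTIAL", frozenset({"NATO"})), frozenset())
    dave = User("dave", Label("SECRET"), frozenset())  # SECRET, but no NATO caveat
    msg = Message("M-0001", secret_nato, drafter="alice")
    results = {
        "deliver_before_release": store.deliver(bob, msg),  # not yet released
        "self_release": store.release(alice, msg),          # drafter == releaser
        "release_by_bob": store.release(bob, msg),
        "deliver_level_too_low": store.deliver(carol, msg),
        "deliver_missing_caveat": store.deliver(dave, msg),
        "deliver_cleared": store.deliver(bob, msg),
        "read_by_dave": store.can_read(dave, msg),
    }
    return results, store.journal
```

Two details carry the security weight: the caveat set is part of the ordering, so a higher level alone does not grant access, and the denied decisions are journaled just like the granted ones, which is what lets every message be accounted for afterwards.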


XOmail Core characteristics (2)

▌ Integrated, secure Electronic Mail for the professional user

Official messaging (Organization to Organization)

Configurable E-mail (Person to Person)

▌ Formal message handling

All messages entered into a Journal

Messages can be archived for later inspection

All users are given a specific security clearance

All users are given specific access rights

▌ PKI integration

Industry-standard interfaces (PKCS #11)

Integrated with several PKI products

[Figure: message distribution diagram. Labels: From MTA; Distribution Rules; DEP-A; DEP-B; USER 1, USER 2, USER 3, USER 4; Action; Info; Central Archive]


The XOmail product family members

▌ XOmail Military Messaging

Advanced solution for headquarters and tactical cells

▌ XOmail Client

Military messaging tool

▌ XOmail Admin

Management tool

▌ XOmail ACP 127 Gateway

Connecting legacy systems

▌ XOmail SMTP Gateway

Connecting to email systems

▌ XOmail Broadcaster

Exchanging messages with ships and submarines

▌ XOmail Afloat

Military messaging on board

▌ XOmail Central Archive

Archival and retrieval solution

▌ XOmail ACP 145 Gateway

Connecting to other nations

▌ XOmail Guard (2018)

High assurance security gateway


XOmail Broadcaster

▌ XOmail Broadcaster product

Extensive protocol support

- Legacy protocols, ACP 127/176

- STANAG 4406 incl Annex E (e.g. SATCOM)

- STANAG 5066, BFEM (SMTP)

BRASS functionality

- Surface/submarine broadcast

- Screening, vetting, re-runs, schedules etc

- Traffic lists, status messages

- Ship-Shore, MRL

BRASS EO functionality

- Modernized protocol suite (e.g. PMUL)

- Tactical directory


XOmail Afloat

▌ Submarine and surface

▌ Main functions

Broadcast reception

Ship/shore and ship/ship

- Maritime Rear Links

- Channel status (CARB) monitor

- Re-broadcast

Tactical Directory

Connectivity to NATO and partners

STANAG 4406 Connections

▌ Full set of XOmail services

Workflow functions, Management, Directory integration etc


Security evaluation

▌ Security evaluation of XOmail product family

Previous certificate applied to XOmail 14.2.4 (on Windows 2003)

- This version is past end-of-life due to Windows version

CC EAL 4 evaluation of XOmail gen 21 complete

Certificate expected Sep-Oct 2017


Activities with NATO

▌ NATO Information Assurance Product Catalogue (NIAPC)

XOmail family products on NIAPC list

- https://www.ia.nato.int/niapc/Category/Email-Security-Suite_16

▌ NATO Approved Fielded Product List (AFPL)

XOmail 20 tested in Oct 2016 for entry to AFPL for a NS system

- Results not yet available

XOmail 21 to be tested in 2017 for entry to AFPL for another NS system

▌ NATO Basic Ordering Agreement (BOA)

In place Q1-2017

Applies to all XOmail product family members

Includes on-demand services


Experience


Experience with STANAG 4406 (1)

▌ Current XOmail users

Norway

- National strategic MMHS

- Broadcast centre (HF and VLF using ACP 127)

- Afloat under deployment (surface and submarine)

- Tactical MMHS

Denmark

- National strategic MMHS

Netherlands

- National strategic MMHS

- Broadcast centre (HF)

Italy

- Air Force strategic MMHS

- Joint strategic MMHS to be deployed


Experience with STANAG 4406 (2)

▌ Current XOmail users (cont)

Spain

- National strategic MMHS under deployment

- Broadcast centre planned

- Afloat under consideration

NATO

- Part of ACCS (ACP 127 and SMTP Gateways)

- Part of BRASS Poland (ACP 127 Gateway)

▌ Interoperability testing

Successfully tested towards other vendors

Successfully tested over multiple bearers

- LAN, SATCOM, HF/VHF


Using STANAG 4406 over HF (1)

▌ In use at broadcast centres in Norway and the Netherlands

Submarine communications

MRL circuits (BRASS type circuits using ACP 127)

▌ Exercise/operation use with Norwegian Army

HF/VHF circuits

▌ Tested with several waveforms (and several modems/radios)

STANAG 5030

STANAG 5066 (IP client)

STANAG 4538/4539

STANAG 4285


Using STANAG 4406 over HF (2)

▌ Strategic protocols unsuitable

Too many handshakes (changes of direction)

Too much overhead

Point-to-point only

▌ Tactical protocols (PMUL and DMP) well suited

Allow unidirectional channels (EMCON)

Connectionless, few handshakes

Low overhead (strategic around 2500 byte, PMUL around 600 byte, DMP around 20 byte)

PMUL designed for multicast/broadcast in addition to unicast

DMP designed for unicast, allows multicast

Error correction needed (ARQ or FEC)
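Added example (Python, not the PMUL/ACP 142 implementation) serving both the HF-related requirements slide and this one: a simplified model of why feedback-based retransmission cannot serve a receiver in EMCON, and what replaces it. A non-EMCON receiver reports which data PDUs it is missing and gets only those back; an EMCON receiver cannot transmit, so the sender repeats the whole message a configured number of times, which costs more air time on a slow channel and may still fail if the repeat count is too low for the loss rate. The PDU size, payload, loss pattern and repeat count are constructed; ACP 142's real PDU formats, timers and EMCON handling are more elaborate than this.

```python
from typing import Callable, Dict, List, Optional, Tuple

DropRule = Callable[[int, int], bool]  # (transmission round, sequence number) -> dropped?


def split_into_pdus(payload: bytes, pdu_size: int) -> List[bytes]:
    """Segment a message into fixed-size data PDUs (the last one may be shorter)."""
    return [payload[i:i + pdu_size] for i in range(0, len(payload), pdu_size)]


class Receiver:
    """One recipient. In EMCON it may receive but never transmit, so it cannot ack."""

    def __init__(self, emcon: bool) -> None:
        self.emcon = emcon
        self.received: Dict[int, bytes] = {}
        self.total: Optional[int] = None  # PDU count, learned from the first PDU that arrives

    def accept(self, seq: int, total: int, data: bytes) -> None:
        self.total = total
        self.received[seq] = data  # duplicates from blind repeats are harmless

    def complete(self) -> bool:
        return self.total is not None and len(self.received) == self.total

    def missing(self) -> Optional[List[int]]:
        """Selective acknowledgement: the sequence numbers still outstanding.
        None means 'no feedback available' (EMCON, or nothing received yet)."""
        if self.emcon or self.total is None:
            return None
        return [s for s in range(self.total) if s not in self.received]

    def reassemble(self) -> bytes:
        assert self.complete()
        return b"".join(self.received[s] for s in range(self.total))


def deliver(payload: bytes, pdu_size: int, rx: Receiver, dropped: DropRule,
            emcon_repeats: int = 3, max_rounds: int = 10) -> Tuple[bool, int, int]:
    """Sender side. Returns (delivered, PDUs transmitted, rounds used).
    Non-EMCON: retransmit only what the receiver reports missing (ARQ).
    EMCON: no feedback, so the whole message is repeated `emcon_repeats` times."""
    pdus = split_into_pdus(payload, pdu_size)
    total = len(pdus)
    to_send = list(range(total))
    sent = rounds = 0
    while to_send and rounds < max_rounds:
        rounds += 1
        for seq in to_send:
            sent += 1
            if not dropped(rounds, seq):
                rx.accept(seq, total, pdus[seq])
        if rx.emcon:
            to_send = list(range(total)) if rounds < emcon_repeats else []
        else:
            feedback = rx.missing()
            to_send = list(range(total)) if feedback is None else feedback
    return rx.complete(), sent, rounds


def sample_drop(round_no: int, seq: int) -> bool:
    """Constructed loss pattern: (round, seq) pairs the channel swallows."""
    return (round_no, seq) in {(1, 2), (1, 4), (2, 4)}


PAYLOAD = b"FLASH MESSAGE FOR ALL STATIONS"  # 30 bytes -> 5 PDUs of 6 bytes


def demo() -> Dict[str, object]:
    arq_rx = Receiver(emcon=False)
    emcon_rx = Receiver(emcon=True)
    short_rx = Receiver(emcon=True)
    arq = deliver(PAYLOAD, 6, arq_rx, sample_drop)
    emcon = deliver(PAYLOAD, 6, emcon_rx, sample_drop, emcon_repeats=3)
    too_few = deliver(PAYLOAD, 6, short_rx, sample_drop, emcon_repeats=2)
    return {
        "arq": arq, "arq_payload": arq_rx.reassemble(),
        "emcon": emcon, "emcon_payload": emcon_rx.reassemble(),
        "emcon_two_repeats": too_few,
    }
```

With the same loss pattern the acknowledging receiver is complete after 8 PDU transmissions, the EMCON receiver needs 15, and with only two blind repeats it never gets PDU 4 and the sender has no way of knowing. That is the trade-off behind the slide's "error correction needed (ARQ or FEC)": where feedback is impossible, redundancy has to be added up front.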


Using STANAG 4406 over HF (3)

▌ ACP 133 Directory Service

Regular protocols (X.500, LDAP) unsuited for disadvantaged networks

- Requires high reliability, high speed and two-way channels

- Forces time-consuming full update in case of errors

▌ Tactical Directory Service

XOmail provides a Tactical Directory Service

- Directory updates sent as messages

- Exploits built-in capabilities for use over slow/unreliable/unidirectional channels

Automatic or manual updates

Filtering to reduce amount of data
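Added example (Python, not XOmail's Tactical Directory Service): one way directory updates can be carried as messages over a slow, lossy or one-way channel without the full reload that the slide attributes to X.500/LDAP after an error. Each entry carries a version, so updates are idempotent and may arrive late or twice; a compact digest lets a replica identify exactly which entries a lost update left stale; and an area filter cuts what each station receives. Entry ids, attributes, areas and the message layout are constructed.

```python
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]                          # attributes of one directory entry
Record = Tuple[int, Optional[Attrs]]            # (version, attributes); None = deleted
UpdateMessage = List[Tuple[str, int, Optional[Attrs]]]


class DirectoryMaster:
    """Authoritative directory at the shore side; every change bumps the entry's version."""

    def __init__(self) -> None:
        self.entries: Dict[str, Record] = {}
        self.change_log: List[str] = []  # entry ids in order of modification

    def set(self, entry_id: str, attrs: Optional[Attrs]) -> None:
        version = self.entries.get(entry_id, (0, None))[0] + 1
        self.entries[entry_id] = (version, attrs)
        self.change_log.append(entry_id)

    def _matches(self, rec: Record, area: Optional[str]) -> bool:
        # Deletions are always sent so that no replica keeps a withdrawn entry.
        return area is None or rec[1] is None or rec[1].get("area") == area

    def build_update(self, since: int, area: Optional[str] = None) -> UpdateMessage:
        """Changes recorded at change-log position `since` or later, filtered to one
        area of interest so a small station only receives what it needs."""
        ids = list(dict.fromkeys(self.change_log[since:]))  # dedupe, keep order
        return [(i, *self.entries[i]) for i in ids if self._matches(self.entries[i], area)]

    def build_entries(self, ids: List[str]) -> UpdateMessage:
        """Targeted catch-up: just the named entries at their current version."""
        return [(i, *self.entries[i]) for i in ids]

    def digest(self, area: Optional[str] = None) -> Dict[str, int]:
        """Compact {id: version} summary, cheap enough to send periodically."""
        return {i: rec[0] for i, rec in self.entries.items() if self._matches(rec, area)}


class DirectoryReplica:
    """Replica on a ship or in a tactical cell, fed only by update messages."""

    def __init__(self) -> None:
        self.entries: Dict[str, Record] = {}

    def apply(self, update: UpdateMessage) -> int:
        """Apply entries whose version is newer than what is held; returns how many
        changed. Duplicate, late or re-ordered messages are therefore harmless."""
        changed = 0
        for entry_id, version, attrs in update:
            held = self.entries.get(entry_id)
            if held is None or version > held[0]:
                self.entries[entry_id] = (version, attrs)
                changed += 1
        return changed

    def stale(self, digest: Dict[str, int]) -> List[str]:
        """Ids missing or behind the master's digest: a gap caused by a lost update
        is narrowed to these entries instead of forcing a full reload."""
        return sorted(i for i, v in digest.items()
                      if i not in self.entries or self.entries[i][0] < v)

    def lookup(self, entry_id: str) -> Optional[Attrs]:
        rec = self.entries.get(entry_id)
        return None if rec is None else rec[1]


def demo() -> Dict[str, object]:
    """Constructed run: one update is lost, and the digest pins the damage to one entry."""
    master, ship = DirectoryMaster(), DirectoryReplica()
    master.set("HQ-N", {"area": "NORTH", "address": "hq-n@example.mil"})
    master.set("SHIP-A", {"area": "NORTH", "address": "ship-a@example.mil"})
    master.set("HQ-S", {"area": "SOUTH", "address": "hq-s@example.mil"})
    first = master.build_update(since=0, area="NORTH")
    out: Dict[str, object] = {
        "unfiltered_size": len(master.build_update(since=0)),
        "filtered_size": len(first),
        "first_apply": ship.apply(first),
        "duplicate_apply": ship.apply(first),
    }
    master.set("SHIP-A", {"area": "NORTH", "address": "ship-a-new@example.mil"})
    master.set("HQ-S", {"area": "SOUTH", "address": "hq-s-new@example.mil"})
    lost = master.build_update(since=3, area="NORTH")  # assume this message never arrives
    master.set("HQ-N", None)                            # HQ-N withdrawn
    out["lost_size"] = len(lost)
    out["delete_apply"] = ship.apply(master.build_update(since=5, area="NORTH"))
    out["lookup_deleted"] = ship.lookup("HQ-N")
    out["stale_before"] = ship.stale(master.digest(area="NORTH"))
    out["catch_up_apply"] = ship.apply(master.build_entries(out["stale_before"]))
    out["stale_after"] = ship.stale(master.digest(area="NORTH"))
    out["ship_a_address"] = ship.lookup("SHIP-A")["address"]
    return out
```

On a two-way link the replica can request the stale ids itself; on a one-way broadcast the master can fold the digest into its schedule and re-send the entries that recent digests show as lagging, so either way recovery costs one or two entries rather than the whole directory.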


Conclusion

▌ XOmail provides field-tested solutions for current HF usage

Full operation for many years, both shore-side and afloat

Legacy and current protocols

▌ XOmail supports future HF developments

Higher bandwidths

Automatic «best channel» selection

Follows and influences NATO standardisation


Thank you for your attention

Questions?

bengt.kristiansen AT thalesgroup.com, oyvind.jonsson AT thalesgroup.com