Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
This framework is realized within military communications by creating networks, each operating at a specific classification level. These networks may operate as multiple single levels of security (MSLS) systems. Alternatively, they can operate as System High networks supporting all classifications at a given classification level or below. Networks operating at different classification levels are orthogonal to each other. For example, they are addressed, by definition, from address and naming spaces that are distinct from (i.e., totally unrelated to) the address and naming spaces used by networks at all other classification levels.

In general, networks operating at one classification level have no knowledge of the existence of networks operating at a different classification level. There are two exceptions to this rule:

1. HAGs (high assurance guards) provide a controlled mechanism for select communications to cross between networks operating at different classification levels (information downgrading and information upgrading). This includes appropriately mapping addresses between the dissimilar address spaces of the two networks; in this sense HAGs "translate" between networks operating at different classification levels.

2. Military COMSEC provides a mechanism to encapsulate and encrypt data packets so that they can be conveyed over networks operating at a different classification level (see figure 17).
[Figure 17 (diagram not reproduced): end-to-end packet flow. Workstation 100.1.1.1 on the Red IP (Secret) network sends a packet (source 100.1.1.1, destination 100.1.4.1; red IP header and payload, RIPH/RIPP) via 100.1.1.2 to the COMSEC device at 100.1.2.1. The COMSEC device wraps RIPH/RIPP in an ESP header and trailer and prepends a Black IP header (BIPH; source 200.1.1.1, destination 200.1.4.1). The black packet crosses the Black network (200.1.2.1, 200.1.3.1, Black Mobile Intranet 1 over mobile data links, with per-link headers labelled EH/EH* in the figure) to the peer COMSEC device at 200.1.4.1/100.1.3.1, which strips BIPH and ESP and forwards the original packet (source 100.1.1.1, destination 100.1.4.1) via 100.1.4.2 to workstation 100.1.4.1. Legend: RIPH, RIPP = Red IP header and payload; ESP = ESP header and trailer; BIPH = Black IP header.]
Figure 17. The DoD COMSEC End-to-End Packet Flow (IPV4 Example)<br />
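The flow in figure 17, as an added example that is not part of the FAA report or of any DoD COMSEC product: a red (Secret) IPv4 packet from 100.1.1.1 to 100.1.4.1 is encapsulated by a COMSEC device in ESP tunnel mode (RFC 4303 layout: SPI, sequence number, IV, encrypted inner packet and trailer, ICV; the ICV is HMAC-SHA-256-128 per RFC 4868) behind a black IP header 200.1.1.1 to 200.1.4.1, and the peer device authenticates, replay-checks and decapsulates it. The confidentiality transform is a stand-in keystream built from HMAC-SHA256 blocks so the script needs only the Python standard library; real COMSEC and IPsec use approved block-cipher modes such as AES-GCM, and the anti-replay check here is simplified to a strictly increasing sequence number rather than the RFC 4303 sliding window. The keys, payload and the `make_sa`, `esp_encapsulate` and `esp_decapsulate` names are constructed for this example.

```python
"""ESP tunnel-mode encapsulation of a red (Secret) IPv4 packet for transit over a black network.

Constructed example. ESP layout follows RFC 4303; ICV is HMAC-SHA-256-128 (RFC 4868).
The cipher is a stand-in (HMAC-SHA256 counter keystream) so only the stdlib is needed;
real deployments use approved modes such as AES-GCM. Anti-replay is simplified to
"sequence number must increase" instead of the RFC 4303 sliding window.
"""
import hashlib
import hmac
import os
import socket
import struct

ESP_PROTO = 50   # IP protocol number for ESP
IPV4_NEXT = 4    # ESP Next Header value: an IPv4 packet is encapsulated
ICV_LEN = 16     # HMAC-SHA-256-128 truncates the tag to 128 bits
IV_LEN = 8


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); 0 when run over a valid header."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in cipher: counter-mode keystream of HMAC-SHA256 blocks (not a real IPsec transform)."""
    blocks = [hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_sa(spi: int, enc_key: bytes, auth_key: bytes, black_src: str, black_dst: str) -> dict:
    """One-direction security association; both COMSEC devices share it in this demo (hypothetical)."""
    return {"spi": spi, "enc_key": enc_key, "auth_key": auth_key,
            "black_src": black_src, "black_dst": black_dst, "send_seq": 0, "recv_seq": 0}


def esp_encapsulate(sa: dict, red_pkt: bytes) -> bytes:
    """Red-side COMSEC: wrap the entire red packet (RIPH+RIPP) in ESP behind a black IP header (BIPH)."""
    sa["send_seq"] += 1
    iv = os.urandom(IV_LEN)
    pad_len = (-(len(red_pkt) + 2)) % 4          # pad so Pad Length/Next Header end on a 4-byte boundary
    plaintext = red_pkt + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4_NEXT])
    esp = struct.pack("!II", sa["spi"], sa["send_seq"]) + iv
    esp += _xor(plaintext, _keystream(sa["enc_key"], iv, len(plaintext)))
    icv = hmac.new(sa["auth_key"], esp, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_packet(sa["black_src"], sa["black_dst"], ESP_PROTO, esp + icv)


def esp_decapsulate(sa: dict, black_pkt: bytes) -> bytes:
    """Black-side COMSEC: verify ICV, reject replays, decrypt, and hand back the red packet."""
    outer = parse_ipv4(black_pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    esp, icv = outer["payload"][:-ICV_LEN], outer["payload"][-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet dropped")     # integrity first, before any decryption
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa["spi"]:
        raise ValueError("unknown SPI")
    if seq <= sa["recv_seq"]:
        raise ValueError("replayed sequence number: packet dropped")
    sa["recv_seq"] = seq
    iv, ct = esp[8:8 + IV_LEN], esp[8 + IV_LEN:]
    pt = _xor(ct, _keystream(sa["enc_key"], iv, len(ct)))
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPV4_NEXT:
        raise ValueError("unexpected inner protocol")
    return pt[:len(pt) - 2 - pad_len]


def demo() -> dict:
    """Figure 17: 100.1.1.1 -> COMSEC (200.1.1.1) -> black network -> COMSEC (200.1.4.1) -> 100.1.4.1."""
    sa = make_sa(0x1001, os.urandom(32), os.urandom(32), "200.1.1.1", "200.1.4.1")
    red = ipv4_packet("100.1.1.1", "100.1.4.1", 17, b"constructed red payload")
    black = esp_encapsulate(sa, red)
    outer = parse_ipv4(black)
    delivered = esp_decapsulate(sa, black)
    replay_rejected = tamper_rejected = False
    try:
        esp_decapsulate(sa, black)                        # same packet again: replay
    except ValueError:
        replay_rejected = True
    try:
        esp_decapsulate(sa, black[:-1] + bytes([black[-1] ^ 0x01]))   # one flipped bit
    except ValueError:
        tamper_rejected = True
    return {"black_src": outer["src"], "black_dst": outer["dst"], "black_proto": outer["proto"],
            "red_addresses_visible": socket.inet_aton("100.1.1.1") in black,
            "delivered_equals_red": delivered == red,
            "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the black network the packet is just protocol 50 between 200.1.1.1 and 200.1.4.1; the red header, the Secret-level addresses and the payload are all inside the ciphertext, which is why the two address spaces never need to be known to each other. Any modification fails the ICV check before decryption is attempted, and a replayed copy is discarded on its sequence number.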
Current DoD COMSEC leverages the IETF's IPsec standard, whose architecture is defined by RFC 4301. Specifically, it is based upon IPsec's encapsulating security payload (ESP) (i.e., RFC 4303) operating in tunnel mode. Tunnel mode refers to a packet from one network being