Paper 264 US-W-TDOWN
Integrated Services Provisioning Across Cryptographic Boundaries
Arun Ayyagari, The Boeing Company
Michael Foster, The Boeing Company
Orlie Brewer, The Boeing Company
Department of Defense (DoD) policies require the use of High Assurance Internet Protocol Encryptor (HAIPE) devices that provide cryptographic isolation between data in red security enclaves. This segmentation of the network at cryptographic boundaries impacts the operation of QoS mechanisms. The QoS mechanism that is presently compatible with HAIPE is Differentiated Services (DiffServ). While DiffServ provides Per Hop Behavior (PHB) management, end-to-end Per Domain Behavior (PDB) QoS provisioning via Integrated Services (IntServ) across both the red and black security enclaves is required for specific real-time traffic flows. A key challenge in deploying IntServ within a HAIPE environment is that currently the Type of Service (ToS) byte in IPv4, which includes the 6-bit DiffServ Code Point (DSCP) and the Explicit Congestion Notification (ECN) field, may be bypassed across the red/black boundary. The IntServ Resource ReSerVation Protocol (RSVP) is based on end-to-end signaling, and the current HAIPE specification does not allow RSVP signaling to be bypassed across cryptographic boundaries. Since RSVP signaling traffic is not bypassed, IntServ-based QoS provisioning within the core black network is not possible. This leads to the challenge of defining a mechanism by which IntServ/RSVP can be supported within the core black network. We built upon our prior work on a dynamic DiffServ network QoS management framework by developing an IntServ implementation that operates across the HAIPE boundary. The objective of our effort was to allow individual IntServ/RSVP sessions in the red security enclave to be aggregated into a finite set of dynamically instantiated IntServ/RSVP sessions between the ingress and egress nodes within the black security enclave.
We used a simple policy-based management approach whereby the RSVP daemon on the ingress black node monitors the DSCP values on its outbound ports to initiate the creation or deletion of aggregated IntServ/RSVP sessions to the appropriate egress black node; these aggregated sessions are dynamically resized based on traffic demand and network state. This approach allowed for end-to-end IntServ across HAIPE boundaries. In addition, we leverage ECN bypass across red/black boundaries to inform nodes on the red side when a router within the black network is unable to allocate resources to reserve enough bandwidth for the amount of traffic currently flowing through an aggregated RSVP session.
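The aggregation policy sketched above, written out as an added example (this is not the paper's implementation, and the node names, DSCP classes, offered loads and per-path admission limits are constructed assumptions): the ingress black node groups red-side flows by (egress node, DSCP), creates or resizes one aggregate session per class, tears down idle ones, and reports the classes the black path could not fully reserve, which is the condition the paper signals back to the red side via the bypassed ECN field.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of red-side flows as seen on the ingress black node's outbound
# port: (egress black node, DSCP read from the bypassed ToS byte, offered load in kbit/s).
SAMPLE_FLOWS = [
    ("black-egress-A", 46, 64),    # EF-marked voice flow
    ("black-egress-A", 46, 64),    # second EF voice flow to the same egress
    ("black-egress-B", 34, 512),   # AF41-marked video flow
    ("black-egress-A", 0, 1000),   # best effort: never aggregated into RSVP
]

@dataclass
class AggregateSession:
    egress: str
    dscp: int
    reserved_kbps: int = 0

class IngressRsvpPolicy:
    """One aggregate IntServ/RSVP session per (egress node, DSCP) class."""

    def __init__(self, aggregated_dscps, path_capacity_kbps):
        self.aggregated_dscps = set(aggregated_dscps)
        # Assumed admission limit of the black path toward each egress node.
        self.path_capacity_kbps = dict(path_capacity_kbps)
        self.sessions = {}

    def reconcile(self, observed_flows):
        """Create, resize or tear down aggregate sessions to match observed demand.
        Returns the (egress, dscp) classes the black core could not fully reserve;
        the ingress would ECN-mark those packets so red-side nodes learn of it."""
        demand = defaultdict(int)
        for egress, dscp, kbps in observed_flows:
            if dscp in self.aggregated_dscps:
                demand[(egress, dscp)] += kbps
        for key in list(self.sessions):          # tear down classes with no traffic
            if key not in demand:
                del self.sessions[key]
        shortfall = set()
        remaining = dict(self.path_capacity_kbps)
        # Assumption: higher DSCP classes are admitted first on a shared path.
        for (egress, dscp), kbps in sorted(demand.items(), key=lambda kv: -kv[0][1]):
            sess = self.sessions.setdefault((egress, dscp), AggregateSession(egress, dscp))
            granted = min(kbps, remaining.get(egress, 0))
            remaining[egress] = remaining.get(egress, 0) - granted
            sess.reserved_kbps = granted          # resize up or down to what was admitted
            if granted < kbps:
                shortfall.add((egress, dscp))
        return shortfall
```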

Orlie Brewer received a BS degree in Mathematics from the University of Oklahoma in 1978, an MS degree in Computer Science from the University of Oklahoma in 1986, and an MS degree in Applied Mathematics from the University of Washington in 1994. He has been an Operational Communications Officer in the United States Marine Corps, a Programmer at the National Severe Storm Laboratory, a Scientific Assistant in the Mathematics and Computer Science Department at Argonne National Laboratory, and is currently an Advanced Computer Technologist at The Boeing Company. His interests include Network Quality of Service.