IP Encryption Testing over Inmarsat
advertisement
17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Validation of Encryption Devices Over BGAN US Centric for Inmarsat Release (AOR Testing – Packet Switched Encryptors) Prepared by: Greg True Martin O’Briskie January 29, 2007 AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 1 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Contents 1 2 3 4 5 6 7 8 9 10 Executive Summary Introduction Reference Documents Encryptors to be Tested Glossary – List of Abbreviations Packet Switch Type-1 Encryption Testing via BGAN I-4 6.1 Equipment required for PS Type-1 Configuration 6.2 Equipment Settings for PS Type-1 Configuration 6.3 Test Results for GD KG-175 Mini-Taclane 6.3.1 Test Results w/Thrane 500 and KG-175B 6.3.2 Test Results w/Hughes 9201 and KG-175B 6.4 Test Results for ViaSat KG-250 6.4.1 Test Results w/Thrane 500 and KG-250 6.4.2 Test Results w/Hughes 9201 and KG-250 6.5 Mobile-to-Mobile BGAN Operation and ViaSat KG-250 6.6 Test Results for the GD KG-235 6.6.1 Test Results w/Thrane 500 and KG-235 6.6.2 Test Results w/Hughes 9201 and KG-235 Thales DC2K IP Encryption and GRE Tunnel 7.1 Equipment required for DC2K via GRE Tunnel Configuration 7.2 Equipment Settings for DC2K PS non-Type-1 Configuration 7.3 Test Results for non-Type-1 Thales DC2K 7.3.1 Test Results w/Thrane 500 and DC2K 7.3.2 Test Results w/Hughes 9201 and DC2K Summary of Test Data 8.1 Summary of Thrane Explorer 500 Test Data 8.2 Summary of Hughes 9210 Test Data Encryptor Working Configurations Summary of Test Results 4 5 5 5 6 7 7 7 8 8 9 11 11 12 13 14 14 15 16 16 16 17 17 18 19 19 19 20 21 Figures Figure 1 Figure 2 Figure 3 Packet Switch Encryption Testing via BGAN I-4 Configuration BGAN Thrane 500 UT to Thrane 500 UT (Mobile-to-Mobile) GRE PS Testing via BGAN I-4 Configurations for DC2K AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary 7 13 16 Page 2 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Tables Table 1 Table 2 Table 3 Table 4 Table 5 Table 6 Table 7 Table 8 Table 9 Table 10 Table 11 Table 12 Table 13 Table 14 Table 15 Table 16 Table 17 Table 18 Table 19 Table 20 Table 21 Table 22 Encryptors to be tested Thrane UT Baseline Data Test Card w/o KG-175 Thrane UT and KG-175B Test Card (MTU=800) Thrane UT and KG-175B Test Card (MTU=1184) Thrane UT and KG-175B Test Card (MTU=1424) Hughes UT Baseline Data Test Card w/o KG-175 Hughes UT and KG-175B Test Card Thrane UT Baseline Data Test Card w/o KG-250 Thrane UT and KG-250 Test Card Hughes UT Baseline Data Test Card w/o KG-250 Hughes UT and KG-250 Test Card Thrane 500 UT to Thrane 500 UT and KG-250 Test Card Thrane UT Baseline Data Test Card w/o KG-235 Thrane UT and KG-235 Test Card Hughes UT Baseline Data Test Card w/o KG-235 Hughes UT and KG-235 Test Card Thrane UT GRE Tunnel Baseline Data Test Card w/o DC2K Thrane UT and DC2K via GRE Tunnel Test Card Hughes UT GRE Tunnel Baseline Data Test Card w/o DC2K Hughes UT and DC2K via GRE Tunnel Test Card Summary of Thrane Explorer 500 Test Data Summary of Hughes 9201 Test Data 5 8 8 9 9 10 10 11 11 12 12 13 14 14 15 15 17 17 18 18 19 19 Appendix A B Cisco Configuration for GRE Tunnels for Thrane 500 UT Cisco Configuration for GRE Tunnels for Hughes 9201 UT 23 26 AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 3 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Executive Summary This report is a continuation of the Interim Phase C “Validation of Encryption Devices over BGAN US Centric” report submitted on March 23, 2006. During this current phase of the project direct access to the BGAN network via the AOR I-4 satellite was possible. As before, the primary objective of this study was to verify that USG Type-1 encryption equipment functions properly over the Inmarsat BGAN satellite network. The four packet switched encryptors being evaluated were the General Dynamics KG175B Mini-Taclane, the General Dynamics KG-235, the ViaSat AltaSec KG-250 and the Thales DC2K. The L3 KG-240 Red Eagle IP encryptor and circuit switched encryptors will be detailed in a future report. From the extensive testing performed via the AOR I-4 Inmarat BGAN satellite network there appears to be no impediment for the proper use of these encryptors. This report documents the BGAN satellite testing that has been performed via the Thrane Explorer 500 and Hughes 9201 UT and the above IP encryptors. It should be noted that all BGAN testing was performed using background class IP. No streaming class IP tests are included in this report. No Performance Enhancing Proxy (PEP) software was used to accelerate data throughput speeds in this report. See Figure 1 for an overview of the BGAN with Type-1 encryption testing network. The KG-175B, KG-235 and KG-250 Type-1 IP encryptors were tested with direct connection to the BGAN terminal. However, the Thales DC2K non-Type-1 IP encryptors would not exchange encryption keys properly without running within a Cisco Generic Routing Encapsulation (GRE) tunnel. The GRE tunnel setup and associated DC2K testing with the GRE tunnel is discussed in section 7. It should be noted that although the Type 1 encryptors under test did not require an intermediary router to operate the user needs to check with their local network security personnel to verify Transec/COMSEC requirements. U.S. Government users may contact AOS for a restricted version of this report that details the configuration settings for all Type-1 encyptors used in this report. The BGAN data throughput rates were measured by using a DOS FTP script developed by Inmarsat’s engineering staff. The script provided an automated FTP program that downloaded and uploaded ten 1MB, 3MB and 5MB JPEG files. The 3MB test results have been recorded in this report. To minimize the size of this report all data throughput tests have been condensed to show minimum, maximum and average data rates. The standard deviation was provided for all data kilobit-per-second (Kbps) readings to give the reader a better idea of what data fluctuations took place during the specific data transfer. AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 4 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 2 Introduction AOS, Inc. was contracted to assess the interoperability between BGAN services and a range of existing and future cryptographic equipment typically used by the US Government. This contract specifically addresses encryption testing via Inmarsat’s AOR I-4 BGAN satellite. 3 Reference Documents See Inmarsat Contract No. INM/06-4198/JB 4 Encryptors to be tested Manufacturer Available Tested this Report Circuit Switched Data - ISDN UDI STE KIV7 OmniXi STUIII Model 1100 Sectera Wireline L3 SafeNet L3 AT&T General Dynamics Yes Yes Yes Yes Yes No No No No No Packet Switched Services DC2K IP Encryptor * KG-175B Mini-Taclane KG-235 Sectera INE KG-250 KG-240 Red Eagle Thales General Dynamics General Dynamics ViaSat L3 Yes Yes Yes Yes TBD Yes Yes Yes Yes No Encryption Equipment *Non type-1 variant to be tested Table 1 – Encryptors to be tested AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 5 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 5 Glossary – List of Abbreviations AES BGAN CEF CN COMSEC CS FNBDT FTP IOS HSD IP IPSec ISDN HAIPIS HTTP HTTPS Kbps MB MMI MTU PEP PIX PS POTS RTT STE SBU SDM SOW SP STU TCP UT USG VPN Advanced Encryption Standard Broadband Global Area Network Cisco Express Forwarding Core Network Communications Security Circuit Switched Future Narrow Band Digital Terminal File Transfer Protocol Internetwork Operating System (Cisco) High Speed Data Internet Protocol IP Security Protocols Integrated Services Digital Network High Assurance IP Interoperability Specifications Hyper Text Transfer Protocol HTTP Secure Kilo Bits Per Second Megabyte Man Machine Interface Maximum Transmission Unit Performance Enhancing Proxy Private Internet Exchange (Cisco) Packet Switched Plain Old Telephone Service Round Trip Time Secure Terminal Equipment Sensitive but Unclassified System Definition Manual Statement of Work Service Provider Secure Telephone Unit Transmission Control Protocol User Terminal United States Government Virtual Private Network AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 6 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6 Packet Switched Encryption Equipment Testing via BGAN I-4 Single satellite hop (Ping RTT delay 950ms to 1300ms) The Packet Switched (PS) test arrangement is configured as in Figure 1 below: Figure 1 – Packet Switched Encryption Equipment Testing via BGAN I-4 Configuration 6.1 The equipment required for this Packet Switched configuration is: 2 each IP Encryptors (KG-175, KG-235 and KG-250) 1 each Computer with Windows XP Pro SP2 w/DOS FTP script (Client PC) 1 each Computer with Linux FC4 Samba ProFTPD (Server PC) 1 each T1 high speed Internet connections with static IP’s 1 each HNS 9201 and Thrane Explorer 500 BGAN UT’s with static IP’s 2 each BGAN SIM cards. Inmarsat provided airtime for testing Used DOS FTP script for all 3MB data transfers 6.2 Equipment Settings for Figure 1: Thrane Explorer UT set for ‘Modem Mode’ operation Client/Server computer MTU settings at 1400 unless noted otherwise Encryptor settings: See ‘Encryptor Working Configurations’ on page 20 and Tables See above Figure 1 for IP address scheme AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 7 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.3 Test results for the KG-175B (Mini-Taclane) Type-1 encryptor are reported below. 6.3.1 Thrane Explorer 500 UT Baseline Testing without KG-175B: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 76.14 66.60 72.54 330.56 377.92 348.21 21.1 113.23 88.25 96.76 217.04 278.48 257.76 28.8 Test Notes: Baseline Tests BGAN: Thrane Explorer 500 f/w 1.06 in modem mode Test Set started at: 2006 10 27 15:30:23 Test Iterations: 3 Table 2 – Thrane Explorer 500 UT Baseline Data Test Card without KG-175B Encryptor Thrane Explorer 500 UT and KG-175B testing (KG-175B MTU set to 800): BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 259.48 100.54 200.40 96.96 250.32 139.60 55.1 Upload/Put Time (sec) Kbps 221.90 94.00 119.52 113.44 267.68 224.72 47.8 Test Notes: Encryptor - GD KG-175B Mini-Taclane Type 1 IP encryptor with MTU size set to 800; Rel R3.1V4 BGAN: Thrane Explorer 500 f/w 1.06 in modem mode Test Set started at: 2006 10 26 18:48:14 Test Iterations: 10 Table 3 – Thrane Explorer 500 UT and KG-175B Test Card (KG-175B MTU set to 800) AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 8 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Thrane Explorer 500 UT and KG-175 testing (KG-175B MTU set to 1184): BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 183.64 191.98 232.49 46.32 131.12 101.64 25.5 Upload/Put Time (sec) Kbps 220.76 93.22 112.76 114.00 269.92 238.24 46.6 Test Notes: Encryptor - GD KG-175B Mini-Taclane Type 1 IP encryptor with MTU size set to 1184; Rel R3.1V4 BGAN: Thrane Explorer 500 f/w 1.06 in modem mode Test Set started at: 2006 10 26 22:20:37 Test Iterations: 10 Table 4 - Thrane Explorer 500 UT and KG-175B Test Card (KG-175B MTU set to 1184) Thrane Explorer 500 UT and KG-175 testing (KG-175B MTU set to 1424): BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 100.99 94.70 96.81 249.20 265.76 260.08 5.8 117.64 94.12 100.17 213.92 267.36 252.96 19.8 Test Notes: Encryptor - GD KG-175B Mini-Taclane IP encryptor with MTU size set to 1424 (Max); Rel R3.1v4 BGAN: Thrane Explorer 500 f/w 1.06 in modem mode Test Set started at: 2006 10 26 23:54:07 Test Iterations: 10 Table 5 - Thrane Explorer 500 UT and KG-175B Test Card (KG-175B MTU set to 1424) AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 9 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.3.2 Hughes 9201 UT Baseline Testing without KG-175B Encryptor: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 59.55 59.46 59.50 Test Notes: Baseline Testing BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 10 27 13:07:44 422.56 423.20 422.96 0.3 Upload/Put Time (sec) Kbps 147.66 92.07 110.84 170.40 273.36 238.32 48.0 Test Iterations: 3 Table 6 – Hughes 9201 UT Baseline Data Test Card without KG-175B Encryptor Hughes 9201 UT and KG-175 Encryptor testing: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 94.67 93.23 93.81 265.84 269.92 268.24 1.3 126.53 93.58 102.28 198.88 268.96 248.64 24.4 Test Notes: Encryptor - GD KG-175B Mini-Taclane IP encryptor with MTU size set to 1424 (max); Rel R3.1v4 BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 10 27 13:55:23 Test Iterations: 10 Table 7 – Hughes 9201 UT and KG-175B Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 10 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.4 Test results for the ViaSat AltaSec KG-250 Type-1 encryptor is reported below: 6.4.1 Thrane Explorer 500 UT Baseline Testing without KG-250: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 64.09 57.28 60.14 Test Notes: Baseline Testing BGAN: Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 11 08 18:04:29 392.64 439.36 418.88 13.44 Upload/Put Time (sec) Kbps 82.39 71.76 74.71 305.44 350.64 337.44 13.68 Test Iterations: 10 Table 8 – Thrane Explorer 500 UT Baseline Data Test Card without KG-250 Encryptor Thrane Explorer 500 UT and KG-250 Testing: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 75.13 63.57 67.91 334.96 395.84 371.68 20.1 154.39 92.24 104.38 162.96 272.80 246.80 32.7 Test Notes: Encryptor - ViaSat AltaSec KG-250, MTU 1344 Red Side, 1500 Black side, f/w 1.3.95 BGAN: Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 11 08 15:07:58 Test Iterations: 10 Table 9 - Thrane Explorer 500 UT and KG-250 Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 11 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.4.2 Hughes 9201 UT Baseline Testing without KG-250: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 58.86 56.38 58.40 Upload/Put Time (sec) Kbps 427.60 446.32 431.49 14.84 Test Notes: Baseline Testing BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 11 09 14:32:52 120.87 69.20 83.12 208.16 363.68 311.97 49.54 Test Iterations: 10 Table 10 – Hughes 9201 UT Baseline Data Test Card without KG-250 Encryptor Hughes 9201 UT and KG-250 testing: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 72.64 71.88 72.33 346.40 350.08 347.92 1.18 Upload/Put Time (sec) Kbps 744.13 89.20 329.68 33.84 282.16 147.68 110.34 Test Notes: Encryptor - ViaSat AltaSec KG-250, Red MTU 1344, Black MTU 1500, f/w 1.3.95 BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 11 08 20:55:36 Test Iterations: 10 Table 11 – Hughes 9210 UT and KG-250 Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 12 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.5 Mobile-to-Mobile BGAN Operation and KG-250 Testing - Double satellite hop (Ping RTT 1720ms to 1920ms) Thrane Explorer 500 UT to Thrane Explorer UT and KG-250 testing configuration BGAN UT Tested: Thrane Explorer 500 Thrane IP 161.30.180.252 (Modem Mode) Thrane IP 161.30.191.1 (Modem Mode) IP Encryptor AOS HQ Dallas 10.200.200.1/24 10.10.1.1/24 Burum BGAN E/S IP Encryptors KG175B KG250 10.200.200.2/24 10.10.1.2/24 Figure 2 - BGAN Thrane 500 UT to Thrane 500 UT (Mobile-to-Mobile) Configuration: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 206.34 136.79 162.83 122.00 184.00 158.58 24.64 145.36 137.91 141.00 173.12 182.48 178.52 2.69 Test Notes: Encryptor - ViaSat AltaSec KG-250 IP encryptor, MTU 1344 Red Side, 1500 Black side, f/w 1.3.95 Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 11 16 17:26:54 Test Iterations: 10 Table 12 - Thrane 500 UT to Thrane 500 UT and KG-250 Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 13 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.6 Test results for the GD KG-235 type-1 encryptor is reported below: 6.6.1 Thrane Explorer 500 UT Baseline Testing without KG-235: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 59.30 54.17 55.87 Test Notes: Baseline Testing BGAN: Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 11 16 00:17:25 424.40 464.56 450.81 13.14 Upload/Put Time (sec) Kbps 71.60 70.09 70.52 351.44 359.04 356.87 2.70 Test Iterations: 10 Table 13 - Thrane Explorer 500 UT Baseline Data Test Card without KG-235 Encryptor Thrane Explorer 500 UT and KG-235 Testing: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 64.98 62.96 63.77 387.28 399.68 394.66 4.15 165.90 98.79 116.65 151.68 254.72 224.62 40.86 Test Notes: Encryptor - GD KG-235, MTU not configurable, Config ver 3.3, h/w version 284678.0 BGAN: Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 11 14 14:01:34 Test Iterations: 10 Table 14 - Thrane Explorer 500 UT and KG-235 Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 14 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 6.6.2 Hughes 9201 UT Baseline Testing without KG-235 Encryptor: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 60.86 56.48 57.94 Test Notes: Baseline Testing BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 11 13 16:13:21 413.52 445.52 434.56 9.00 Upload/Put Time (sec) Kbps 113.51 74.80 89.16 221.68 336.48 286.96 35.04 Test Iterations: 10 Table 15 - Hughes 9201 UT Baseline Data Test Card without KG-235 Encryptor Hughes 9201 UT and KG-235 Testing: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 69.02 67.72 68.28 364.64 371.60 368.56 2.38 283.90 96.71 130.74 88.64 260.24 219.28 59.79 Test Notes: Encryptor: GD KG-235, MTU not configurable, Config version 3.3, h/w version 284678.0 BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 11 14 16:00:44 Test Iterations: 10 Table 16 - Hughes 9210 UT and KG-235 Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 15 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 7 Thales DC2K IP Encryptor (non-Type-1) and GRE Tunnel Single satellite hop (Ping RTT 950ms to 1300ms) The PS test arrangement with Thales DC2K is configured as in Figure 3 below: BGAN UT’s to be tested: HNS 9201 Thrane Explorer 500 Thrane IP 161.30.180.252 (Modem Mode) HNS IP 192.168.128.101 Cisco 1720 Router Cisco 2600 Router Cisco routers provide GRE Tunnel IP 12.191.85.83 Public Internet 192.168.155.1/24 192.168.155.2/24 IP Encryptor 192.168.122/1/24 192.268.122.2/24 10.10.1.1/24 AOS HQ Dallas 10.200.200.1/24 IP Encryptors DC2K 10.10.1.2/24 Burum BGAN E/S T1 Internet Access AOS Dallas 10.200.200.2/24 Figure 3 - The GRE Packet Switched Testing via BGAN I-4 Configuration for DC2K 7.1 The equipment required for this CS configuration is: 2 each Thales DC2K IP Encryptors 1 each Computer with Windows XP Pro SP2 w/DOS FTP script (Client PC) 1 each Computers with Linux FC4 Samba ProFTPD (Server PC) 1 each T1 high speed Internet connections with static IP’s 1 each HNS 9201 and Thrane Explorer 500 BGAN UT’s with static IP’s 2 each BGAN SIM cards. Inmarsat provided airtime for testing Used DOS FTP script for all 3MB data transfers 7.2 Equipment Settings for Figure 3: Thrane Explorer UT set for ‘Modem Mode’ operation See Appendix for Cisco Router GRE tunnel configurations Client/Server computer MTU settings at 1400 unless noted otherwise DC2K Encryptor settings: See ‘Encryptor Working Configurations’ on pg 20 & Tables See above Figure 3 for IP address scheme AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 16 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 7.3 Test results for the Thales DC2K non-Type-1 encryptor are reported below. 7.3.1 Thrane Explorer 500 UT Baseline testing of Cisco GRE tunnel without DC2K: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 89.39 63.35 71.73 Upload/Put Time (sec) Kbps 281.52 397.28 356.27 41.69 207.03 92.40 121.33 34.12 121.52 272.32 220.70 49.08 Test Notes: Baseline Testing of GRE tunnel BGAN: Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 10 30 18:36:45 Test Iterations: 10 Table 17 – Thrane Explorer 500 UT GRE Tunnel Baseline Test Card w/o DC2K Thrane Explorer 500 UT with Thales DC2K via GRE Tunnel: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 308.19 62.60 92.34 81.68 402.00 343.04 92.96 143.02 92.79 105.38 176.00 271.20 244.16 34.02 Test Notes: Thales DC2K IP encryptor through GRE tunnel BGAN: Thrane Explorer 500 f/w 1.06 Test Set started at: 2006 10 25 23:42:20 Test Iterations: 10 Table 18 – Thrane Explore 500 and Thales DC2K via GRE Tunnel Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 17 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 7.3.2 Hughes 9201 UT Baseline testing of Cisco GRE tunnel without Thales DC2K: BGAN I-4 Tests FTP Transfer Rates Download/Get Time (sec) Kbps FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation 66.62 65.77 66.20 377.76 382.64 380.13 2.0 Upload/Put Time (sec) Kbps 93.19 92.62 92.48 270.00 271.68 272.11 1.9 Test Notes: Baseline Testing of GRE tunnel BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 11 07 16:14:30 Test Iterations: 3 Table 19 – Hughes 9201 UT GRE Tunnel Baseline Test Card w/o DC2K Hughes 9201 UT with Thales DC2K via GRE Tunnel: BGAN I-4 Tests FTP Tests Min Data Rate Max Data Rate Avg Data Rate Std Deviation FTP Transfer Rates Download/Get Upload/Put Time (sec) Kbps Time (sec) Kbps 208.48 197.88 201.00 120.72 127.20 125.23 1.67 117.68 92.95 105.30 213.84 270.72 241.82 26.19 Test Notes: Thales DC2K IP encryptor through GRE tunnel BGAN: Hughes 9201 f/w 3.6.1.0 Test Set started at: 2006 10 31 14:35:50 Test Iterations: 10 Table 20 – Hughes 9201 UT and Thales DC2K via GRE Tunnel Test Card AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 18 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 8 Summary of Test Data 8.1 Summary of Thrane Explorer 500 Test Data: Thrane Exp 500 3MB Data KG-175 DC2K (via GRE) KG-250 KG-235 Baseline Test Date 10/27/2006 10/30/2006 11/8/2006 11/16/2006 Download Avg 348.21 356.27 418.88 450.81 Std Dev 21.10 41.69 13.44 13.14 Upload Avg 257.76 220.70 337.44 356.87 Std Dev 28.80 49.08 13.68 2.70 Upload Avg 252.96 244.18 246.80 224.62 Std Dev 19.80 34.02 32.70 40.86 Upload Avg 238.32 272.11 311.97 286.96 Std Dev 48.00 1.90 49.54 35.04 Upload Avg 248.64 241.82 147.68 219.28 Std Dev 24.40 26.19 110.34 59.79 Encrypted KG-175 DC2K (via GRE) KG-250 KG-235 Test Date 10/26/2006 10/25/2006 11/8/2006 11/14/2006 Download Avg 260.08 343.04 371.68 394.66 Std Dev 5.80 92.96 20.10 4.15 Table 21: Summary of Thrane Explorer 500 Test Data 8.2 Summary of Hughes 9201 Test Data: Hughes 9201 3MB Data KG-175 DC2K (via GRE) KG-250 KG-235 Baseline Test Date 10/27/2006 11/7/2006 11/9/2006 11/13/2006 Download Avg 422.96 380.13 431.49 434.56 Std Dev 0.30 2.00 14.84 9.00 Encrypted KG-175 DC2K (via GRE) KG-250 KG-235 Test Date 10/27/2006 10/31/2006 11/8/2006 11/14/2006 Download Avg 268.24 125.23 347.92 368.58 Std Dev 1.30 1.67 1.18 2.38 Table 22: Summary of Hughes 9201 Test Data AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 19 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 9 Encryptor Working Configurations 9.1 Thales DC2K IP Encryptor Configuration Settings All configurations are standard default settings; except for below IP Security screens: 9.1.1 Server IP Security screens (DC2K) Port Setup Private IP Address: 10.200.200.1 Private Mask: 255.255.255.0 Private Gateway: 0.0.0.0 Public IP Address: 192.168.122.2 Public Mask: 255.255.255.0 Public Gateway: 192.168.122.1 Private Network Selectors: Type: Range Address/From: 10.200.200.1 Mask/To: 10.200.200.10 Network Setup: Tunneling: 192.168.100.2 9.1.2 Client IP Security screens (DC2K) Port Setup Private IP Address: 10.10.1.1 Private Mask: 255.255.255.0 Private Gateway: 0.0.0.0 Public IP Address: 192.168.100.2 Public Mask: 255.255.255.0 Public Gateway: 192.168.100.1 Private Network Selectors: Type: Range Address/From: 10.10.1.1 Mask/To: 10.10.1.10 Network Setup: Tunneling: 192.168.122.2 9.2 Taclane KG-175 Encryptor Configuration Settings See “For Distribution to US Government Personnel Only” document for configuration settings. 9.3 ViaSat KG-250 Encryptor Configuration Settings Same as 9.2 above. 9.4 GD KG-235 Encryptor Configuration Settings Same as 9.2 above AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 20 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 10 Summary of Test Results - The objective of this report is to provide feedback to the Inmarsat user community regarding the compatibility of US Centric packet switched IP encryptors via the BGAN AOR I-4 satellite. During the course of this report only the Thrane Explorer 500 and Hughes 9201 BGAN UT’s were tested. The only IP encryptors available during the tests were the Thales DC2K, General Dynamics Mini-Taclane KG-175B, ViaSat KG-250 and General Dynamics KG-235. The L3 KG-240 Type-encryptor will be tested when available. The IP encryptor test data throughput measurements are tabulated in Tables 1 through 20. Tables 21 and 22 summarize all testing less the BGAN UT-to-UT testing as described on page 13. This data validates the DC2K, KG-175, KG-235 and KG-250 IP encryptor’s capability to pass encrypted data via the BGAN network. DOS FTP encrypted download speeds ranged from an average of 125 Kbps to 395Kbps, whereas, FTP uploads averaged from 148 Kbps to 253 Kbps. The October-November data throughput values were impressive considering the that fact that the BGAN system is a ‘shared’ network with an Internet back haul from the Burum BGAN earth station to the AOS’ Dallas, Texas testing location. These variables produced a round trip time (RTT) between 950ms to 1300ms over a single satellite hop test. Testing the non-Type-1 Thales DC2K IP encryptor required the addition of a Cisco Generic Routing Encapsulation (GRE) tunnel (see Figure 3) to allow proper exchange of encryption keys. Previous tests showed that if the transport network Cisco routers have Cisco Express Forwarding (CEF) enabled the DC2K’s would not exchange encryption keys due to the encryptors IPSec incompatibility with Cisco’s CEF. See Appendix A and B for router configuration instructions for BGAN operation via the Thrane Explorer 500 and Hughes 9201. Generally speaking most encryptors used the manufacturers default settings. Configuring the Type-1 KG-175B, KG-235 and KG-250 IP encryptors was straight forward except for the KG-235. Please see the US Government version of this report for detailed configuration instructions for all Type-1 encryptors. After configuring all administrative settings (i.e., red/black setup and handling keying materials) the encryptors would synchronize with each other within a minute. Various MTU settings were tried before the best possible settings were obtained. It should be noted that although the Type-1 encyrptors did not require an intermediary router to operate the user needs to check with their local network security personnel to verify Transec/COMSEC requirements. The above GRE tunnel concept may satisfy this requirement. The proper setting of the Maximum Transmission Unit (MTU) was important to insure the highest possible data transfer. While using a network protocol analyzer (Ethereal) the MTU’s on the computer, Cisco routers GRE tunnel and encryption equipment was adjusted for maximum data transfer. As in the case when adjusting the MTU value on AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 21 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 the KG-175B encryptor from 800 to 1424 the data throughput approximately doubled from 140Kbps to 260 Kbps; see section 6.2.1. Maximum data transfer would occur when packets were not being fragmented as they passed through the encryptor, router and computer interfaces. As a general rule all computer MTU’s were set to 1400 and both GRE network routers MTU’s were set to 1416. The DC2K, KG-175 and KG-250 MTU settings were 1400, 1424 and 1344/1500 (red/black interfaces) respectively. These values are documented on the test tables (Tables 1 to 20). Note that the MTU settings for the KG-235 are not configurable. Although not in the original scope of this work mobile-to-mobile test results were obtained with the ViaSat KG-250 encryptors and the Thrane Explorer 500 UT’s; see section 6.4 (page 13). Reasonable throughput data throughput speeds averaged 159 Kbps (download) and 179 Kpbs (upload). It should be noted that the test configurations used here were aimed at obtaining the best measurement of the abilities of the BGAN network. A computer user with a Windows based operating system and graphical based FTP clients, more typically available, may see markedly different results, in many cases lower. Those with questions should refer to Inmarsat’s Application notes (http://support.inmarsat.com/techsupport) for details regarding the test and setup of various FTP clients in order to insure maximum performance. The reader should note that this configuration used the standard BGAN IP server with a back haul through the public Internet, therefore, the variability in test results is not totally unexpected. For users who have restrictions on the use of the public Internet, private line services from Inmarsat’s Distribution Partners is available and should provide additional consistency and performance. This concludes the testing of the Thales DC2K, GD Mini-Taclane KG-175B, GD KG235 and ViaSat KG-250. BGAN Circuit Switched Type-1 encryption testing of the L3 STE, SafeNet KIV7, L3 Omni, AT&T STU-III, GD Sectera Wireline will now start with a report expected by the end of March 2007. This report will be supplemented with the results of the L3 KG-240 when the encryptor is available. AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 22 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Appendix A: Cisco Config for GRE tunnels for Thrane Explorer 500 Configuration for Cisco 2600 Terrestrial Router (Thrane Explorer 500 UT) GRE1#sh run Current configuration : 1149 bytes version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname GRE1 boot-start-marker boot-end-marker enable secret 5 $1$Ywbs$WdSjSL.J/JQ8cLyrY7QPD/ username cisco password 0 cisco no aaa new-model ip subnet-zero no ip cef no ip domain lookup ip dhcp pool local network 192.168.100.0 255.255.255.0 default-router 192.168.100.1 ip audit po max-events 100 interface Tunnel1 description Hub Tunnel endpoint ip address 172.18.18.1 255.255.255.0 tunnel source FastEthernet0/0 tunnel destination 161.30.180.252 interface FastEthernet0/0 ip address 12.191.85.83 255.255.255.192 duplex auto speed auto interface FastEthernet0/1 ip address 192.168.100.1 255.255.255.0 duplex auto speed auto router eigrp 100 redistribute static network 172.18.18.0 0.0.0.255 network 192.168.100.0 no auto-summary ip http server AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 23 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Appendix A Continued Cisco Configuration for GRE tunnels for Thrane Explorer 500 terrestrial router no ip http secure-server ip classless ip route 0.0.0.0 0.0.0.0 12.191.85.65 ip route 172.16.1.0 255.255.255.0 192.168.100.2 line con 0 line aux 0 line vty 0 4 login local end Configuration for Cisco 1720 Client/Remote Router (Thrane Explorer 500 UT) Current configuration : 1549 bytes version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname GRE2 boot-start-marker boot-end-marker logging buffered 4096 emergencies mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip dhcp pool local network 192.168.122.0 255.255.255.0 default-router 192.168.122.1 dns-server 151.164.1.8 no ip cef no ip domain lookup ip ips po max-events 100 no ftp-server write-enable username cisco password 0 cisco no crypto isakmp ccm interface Tunnel1 AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 24 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Appendix A Continued Cisco Config for GRE tunnels for Thrane Explorer 500 Client/Remote Router description Tunnel Endpoint ip address 172.18.18.2 255.255.255.0 tunnel source FastEthernet0 tunnel destination 12.191.85.83 interface BRI0 no ip address shutdown interface FastEthernet0 ip address 161.30.180.252 255.255.255.0 ip virtual-reassembly duplex auto speed auto interface FastEthernet1 interface FastEthernet2 interface FastEthernet3 interface FastEthernet4 interface Vlan1 ip address 192.168.122.1 255.255.255.0 ip nat inside ip virtual-reassembly router eigrp 100 network 172.18.18.0 0.0.0.255 network 192.168.122.0 network 192.168.128.0 no auto-summary ip classless ip route 0.0.0.0 0.0.0.0 161.30.180.251 ip http server ip http authentication local ip http secure-server ip nat inside source list 99 interface FastEthernet0 overload access-list 99 permit 192.168.122.0 0.0.0.255 control-plane line con 0 line aux 0 line vty 0 4 login local end AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 25 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Appendix B: Cisco Configuration for GRE tunnels for Hughes 9201 Configuration for Cisco 2600 Terrestrial Router (Hughes 9201 UT) GRE1#sh run Current configuration : 1149 bytes version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname GRE1 boot-start-marker boot-end-marker enable secret 5 $1$Ywbs$WdSjSL.J/JQ8cLyrY7QPD/ username cisco password 0 cisco no aaa new-model ip subnet-zero no ip cef no ip domain lookup ip dhcp pool local network 192.168.100.0 255.255.255.0 default-router 192.168.100.1 ip audit po max-events 100 interface Tunnel1 description Hub Tunnel endpoint ip address 172.18.18.1 255.255.255.0 tunnel source FastEthernet0/0 tunnel destination 161.30.180.252 interface FastEthernet0/0 ip address 12.191.85.83 255.255.255.192 duplex auto speed auto interface FastEthernet0/1 ip address 192.168.100.1 255.255.255.0 duplex auto speed auto router eigrp 100 redistribute static network 172.18.18.0 0.0.0.255 network 192.168.100.0 no auto-summary ip http server no ip http secure-server AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 26 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Appendix B Continued Cisco Configuration for GRE tunnels for Hughes 9201 UT Terrestrial router ip classless ip route 0.0.0.0 0.0.0.0 12.191.85.65 ip route 172.16.1.0 255.255.255.0 192.168.100.2 line con 0 line aux 0 line vty 0 4 login local end Configuration for Cisco 1720 Client/Remote Router (Hughes 9201 UT) sh run Current configuration : 1549 bytes version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption hostname GRE2 boot-start-marker boot-end-marker logging buffered 4096 emergencies mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 no aaa new-model ip subnet-zero ip dhcp pool local network 192.168.122.0 255.255.255.0 default-router 192.168.122.1 dns-server 151.164.1.8 no ip cef no ip domain lookup ip ips po max-events 100 no ftp-server write-enable username cisco password 0 cisco no crypto isakmp ccm interface Tunnel1 AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 27 of 28 www.aosusa.com 17817 Davenport Rd., Suite 225, Dallas, Tx Tel: +1 972 735 0101 Appendix B Continued Configuration for Cisco 1720 Client/Remote Router (Hughes 9201 UT) description Tunnel Endpoint ip address 172.18.18.2 255.255.255.0 tunnel source FastEthernet0 tunnel destination 12.191.85.83 interface BRI0 no ip address shutdown interface FastEthernet0 ip address 192.168.128.201 255.255.255.0 ip nat outside ip virtual-reassembly duplex auto speed auto interface FastEthernet1 interface FastEthernet2 interface FastEthernet3 interface FastEthernet4 interface Vlan1 ip address 192.168.122.1 255.255.255.0 ip nat inside ip virtual-reassembly router eigrp 100 network 172.18.18.0 0.0.0.255 network 192.168.122.0 network 192.168.128.0 no auto-summary ip classless ip route 0.0.0.0 0.0.0.0 192.168.128.100 ip http server ip http authentication local ip http secure-server ip nat inside source list 99 interface FastEthernet0 overload access-list 99 permit 192.168.122.0 0.0.0.255 control-plane line con 0 line aux 0 line vty 0 4 login local end AOS, Inc. 17817 Davenport Rd., #225 Dallas, Texas USA Proprietary Page 28 of 28 www.aosusa.com
