High Assurance Internet Protocol Encryptor: Difference between revisions

Content deleted Content added

Inline

Revision as of 19:57, 25 February 2009

A HAIPE (High Assurance Internet Protocol Encryptor) is a Type 1 encryption device that complies with the National Security Agency's HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). The cryptography used is Suite A and Suite B, also specified by the NSA as part of the Cryptographic Modernization Program. HAIPE IS is based on IPsec with additional restrictions and enhancements. One of these enhancements includes the ability to encrypt multicast data using a "preplaced key" (see definition in List of cryptographic key types). This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission. A HAIPE is typically a secure gateway that allows two enclaves to exchange data over an untrusted or lower-classification network.

Examples of HAIPE devices include

L-3 Communication's ^[1]HAIPE
- KG-245X 10Gbit/s,
- KG-245A fully-tactical 1 Gbit/s (HAIPE IS v3.0.2 and Foreign Interoperable)
- KG-240A fully-ruggedized 100 Mbit/s (HAIPE IS v3.0.2 and Foreign Interoperable)
- KOV-26 ^[1]Talon
ViaSat's AltaSec Products^[2]
- KG-250Cite error: The <ref> tag has too many names (see the help page)., and
- KG-255 [1 Gbit/s]^[3]
General Dynamics' ^[4] TACLANE KG-175.

Two of these devices are compliant to the HAIPE IS v3.0.2 specification while the remaining devices use the HAIPE IS version 1.3.5, which has a couple of notable limitations: no support for routing protocols or open network management. A HAIPE is an IP encryption device, looking up the destination IP address of a packet in its internal Security Association Database (SAD) and picking the encrypted tunnel based on the appropriate entry. For new communications, HAIPEs use the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings. By not supporting routing protocols the HAIPEs must be preprogrammed with static routes and cannot adjust to changing network topology. While manufacturers support centralized management of their devices through proprietary software^[5]^[6], the current devices offer no management functionality through open protocols or standards. Both of these limitations are due to be addressed in HAIPE IS version 3.0 due to be accredited in late 2008, but that date has slipped multiple times.^{[citation needed]} Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant to the HAIPE IS version 3.0 common MIBs. Assurance of cross vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the ^[1]Common HAIPE Manager.

A couple of new HAIPE devices will combine the functionality of a router and encryptor when HAIPE IS version 3.0 is approved. General Dynamics has completed its TACLANE version (KG-175R), which house both a red and a black Cisco router, and both ViaSat and L-3 Communications are coming out with a line of network encryptors at version 3.0 and above. Cisco has dropped its plans for producing its own HAIPE device.^{[citation needed]}

There is a UK HAIPE variant that implements UKEO algorithms in place of US Suite A. EADS has entered the HAIPE market in the UK with its Ectocryp range ^[7]. Ectocryp Blue is HAIPE version 3.0 compliant and provides a number of the HAIPE extensions as well as support for network quality of service (QoS). Harris has also entered the UK HAIPE market with the BID/2370 End Cryptographic Unit (ECU)^[8].

In addition to site encryptors HAIPE is also being inserted into client devices that provide both wired and wireless capabilities. Examples of these include L-3 Communication's KOV-26 Talon and Guardian SME-PED, and Harris Corporation's ^[9] KIV-54 and PRC-117G ^[10] radio .

Sources

CNSS Policy #19 governing the use of HAIPE

References

^ ^a ^b ^c L-3 HAIPE Cite error: The named reference "L3" was defined multiple times with different content (see the help page).
^ ViaSat AltaSec KG-250
^ ViaSat KG-255 Datasheet
^ TACLANE Encryptor (KG-175)
^ ViaSat's VINE website
^ General Dynamics's GEM website
^ EADS Defence & Security Systems Ltd. wins prestigious secure communications award for encryption innovation
^ Harris UK BID/2370 ECU
^ Harris KIV-54
^ Harris PRC-117G

[L3-1] L-3 HAIPE Cite error: The named reference "L3" was defined multiple times with different content (see the help page).

[viasat-2] ViaSat AltaSec KG-250

[Viasat255datasheet-3] ViaSat KG-255 Datasheet

[ge-4] TACLANE Encryptor (KG-175)

[5] ViaSat's VINE website

[6] General Dynamics's GEM website

[dsn-7] EADS Defence & Security Systems Ltd. wins prestigious secure communications award for encryption innovation

[bid2370-8] Harris UK BID/2370 ECU

[harris-9] Harris KIV-54

[PRC-117G-10] Harris PRC-117G

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

@@ Line 5: / Line 5: @@
 * L-3 Communication's <ref name=L3>[http://www.l-3com.com/HAIPE L-3 HAIPE]</ref>[http://www.l-3com.com/HAIPE HAIPE]
 ** KG-245X 10Gbit/s,
-** KG-245A fully-tactical 1 Gbit/s, and
+** KG-245A fully-tactical 1 Gbit/s (HAIPE IS v3.0.2 and Foreign Interoperable)
-** KG-240A fully-ruggedized 100 Mbit/s
+** KG-240A fully-ruggedized 100 Mbit/s (HAIPE IS v3.0.2 and Foreign Interoperable)
 ** KOV-26 <ref name=L3>[http://www.l-3com.com/Talon L-3 Talon]</ref>[http://www.l-3com.com/Talon Talon]
 * [http://www.viasat.com/government-communications/information-assurance ViaSat's AltaSec Products]<ref name=viasat>[http://www.viasat.com/government-communications/information-assurance/altasec-kg-250 ViaSat AltaSec KG-250]</ref>
@@ Line 13: / Line 13: @@
 * [[General Dynamics]]' <ref name=ge>[http://www.gdc4s.com/content/detail.cfm?item=f3f0ef4c-cced-46b2-937e-69c42fd1fe3b TACLANE Encryptor (KG-175)]</ref> [[TACLANE]] KG-175.
-These devices use the current HAIPE IS version 1.3.5, which has a couple of notable limitations: no support for [[routing protocols]] or open [[network management]]. A HAIPE is an IP encryption device, looking up the destination IP address of a packet in its internal Security Association Database (SAD) and picking the encrypted tunnel based on the appropriate entry. For new communications, HAIPEs use the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings.  By not supporting routing protocols the HAIPEs must be preprogrammed with [[static routing|static routes]] and cannot adjust to changing network topology.  While manufacturers support centralized management of their devices through proprietary software<ref>[http://www.viasat.com/government-communications/information-assurance/viasat-ine-manager-software-vine ViaSat's VINE website]</ref><ref>[http://www.gdc4s.com/content/detail.cfm?item=45b9abed-a178-486e-908b-28f858754155 General Dynamics's GEM website]</ref>, the current devices offer no management functionality through open protocols or standards. Both of these limitations are due to be addressed in HAIPE IS version 3.0 due to be accredited in late 2008, but that date has slipped multiple times.{{Fact|date=April 2008}} Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant to the HAIPE IS version 3.0 common MIBs. Assurance of cross vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the <ref name=L3>[http://www.l-3com.com/HAIPE Common HAIPE Manager]</ref>[http://www.l-3com.com/HAIPE Common HAIPE Manager].
+Two of these devices are compliant to the HAIPE IS v3.0.2 specification while the remaining devices use the HAIPE IS version 1.3.5, which has a couple of notable limitations: no support for [[routing protocols]] or open [[network management]]. A HAIPE is an IP encryption device, looking up the destination IP address of a packet in its internal Security Association Database (SAD) and picking the encrypted tunnel based on the appropriate entry. For new communications, HAIPEs use the internal Security Policy Database (SPD) to set up new tunnels with the appropriate algorithms and settings.  By not supporting routing protocols the HAIPEs must be preprogrammed with [[static routing|static routes]] and cannot adjust to changing network topology.  While manufacturers support centralized management of their devices through proprietary software<ref>[http://www.viasat.com/government-communications/information-assurance/viasat-ine-manager-software-vine ViaSat's VINE website]</ref><ref>[http://www.gdc4s.com/content/detail.cfm?item=45b9abed-a178-486e-908b-28f858754155 General Dynamics's GEM website]</ref>, the current devices offer no management functionality through open protocols or standards. Both of these limitations are due to be addressed in HAIPE IS version 3.0 due to be accredited in late 2008, but that date has slipped multiple times.{{Fact|date=April 2008}} Both the HAIPE IS v3 management and HAIPE device implementations are required to be compliant to the HAIPE IS version 3.0 common MIBs. Assurance of cross vendor interoperability may require additional effort. An example of a management application that supports HAIPE IS v3 is the <ref name=L3>[http://www.l-3com.com/HAIPE Common HAIPE Manager]</ref>[http://www.l-3com.com/HAIPE Common HAIPE Manager].
 A couple of new HAIPE devices will combine the functionality of a router and encryptor when HAIPE IS version 3.0 is approved. General Dynamics has completed its TACLANE version (KG-175R), which house both a red and a black Cisco router, and both ViaSat and L-3 Communications are coming out with a line of network encryptors at version 3.0 and above.  Cisco has dropped its plans for producing its own HAIPE device.{{Fact|date=March 2008}}