Published on January 23, 2008
Secure, Network-Centric Operations of a Space-Based Asset: Cisco Router in Low-Earth Orbit (CLEO) and Virtual Mission Operations Center (VMOC)
Will Ivancic
[email protected]
216-433-3494

Agenda:
- Why
- CLEO/VMOC overview
- Participating Organizations
- The Network
- Data Flow
- Timeline of Events
- CLEO/VMOC Lessons Learned
- Future Work
- New Capabilities
- NCO Experiences

Why?:
- Shared Network Infrastructure (Mobile-IP)
- $$$ Savings
  - Ground Station ISP
  - $400-$500 per satellite pass
  - No salaries
  - No health benefits
  - No infrastructure costs
- System Flexibility
- Greater Connectivity
- Relatively easy to secure
- TCP/IP suite
  - COTS Standard
  - Free tools
  - Skilled professionals available
  - Tested via general use by 100s of 1000s daily

The Cisco router in low Earth orbit (CLEO):
- Put a COTS Cisco router in space
- Determine if the router could withstand the effects of launch and radiation in a low Earth orbit and still operate in the way that its terrestrial counterparts did.
- Ensure that the router was routing properly
- Implement mobile network and demonstrate its usefulness for space-based applications.
- Since the UK–DMC is an operational system, a major constraint placed on the network design was that any network changes could not impact the current operational network

Virtual Mission Operations Center (VMOC):
- Enable system operators and data users to be remote
- Verify individual users and their authorizations
- Establish a secure user session with the platform
- Perform user and command prioritization and contention control
- Apply mission rules and perform command appropriateness tests
- Relay data directly to the remote user without human intervention
- Provide a knowledge data base and be designed to allow interaction with other, similar systems
- Provide an encrypted gateway for “unsophisticated” user access (remote users of science data)

VMOC evaluated five categories:
- Does VMOC provide access to payload information for the warfighter?
- Can the field users request information from a platform or sensor?
- Can field users request information from existing databases?
- Can the VMOC demonstrate rapid response and reconfiguration of an IP based platform?
- Can the VMOC task platforms as required to get necessary information to the warfighter?
Yes to all of the above!

Mutually Beneficial Interests:
- Projects are complementary in their shared use of the Internet Protocol (IP)
- Overall goal of network-centric operations.
(and NetCentric Operations)

Participating Organizations:

CLEO/VMOC Network (diagram labels):
- mobile routing Home Agent (NASA Glenn)
- Segovia NOC
- ‘shadow’ backup VMOC-2 (NASA Glenn)
- UK-DMC/CLEO router high-rate passes over SSTL ground station (Guildford, England)
- primary VMOC-1 Air Force Battle Labs (CERES)
- Internet
- mobile router appears to reside on Home Agent’s network at NASA Glenn
- secure Virtual Private Network tunnels (VPNs) between VMOC partners
- ‘battlefield operations’ (tent and Humvee, Vandenberg AFB)
- low-rate UK-DMC passes over secondary ground stations receiving telemetry (Alaska, Colorado Springs)
- 8.1Mbps downlink
- 9600bps uplink
- 38400bps downlink
- other satellite telemetry to VMOC
- UK-DMC satellite
- CLEO onboard mobile access router
- USN Alaska

Data Flow:
Mobile Router Using Mobile-IPv4 and Triangular Routing

Slide12: Remote Request
Diagram nodes: Home Agent (GRC), Battlefield Operations (Vandenberg AFB), Segovia NOC, DMC-UK, 2nd Ground Station, VMOC-2 (GRC), SSTL, VMOC-1, Open Internet, VMOC Database, Experiments Workstation, Satellite Scheduler & Controller
- Warfighter Requests image of Hong Kong
- Is Warfighter Authorized to view image of Hong Kong
- If image is available, return image, else get image
- Are you really Warfighter?
Slide13: Schedule Request
Diagram nodes: Home Agent (GRC), Battlefield Operations (Vandenberg AFB), Segovia NOC, 2nd Ground Station, VMOC-2 (GRC), SSTL, VMOC-1, Open Internet, VMOC Database, Experiments Workstation, Satellite Scheduler & Controller
- Request Image
- Check Satellite Resources and Notify VMOC when image will be available
- Notify Warfighter of the time when image will become available

Slide14: Command Satellite
Diagram nodes: Hong Kong, SSTL, Experiments Workstation, Satellite Scheduler & Controller
- Command Satellite When in View

Slide15: Image Transfer
Diagram nodes: as in Slide13, plus Mobile Router
Note, Mobile Router appears to reside on Home Agent’s Network
- File Transfer Using Mobile-IPv4 (Triangular Routing)

Slide16: Retrieve Image
Diagram nodes: as in Slide13, plus Mobile Router
Note, Mobile Router appears to reside on Home Agent’s Network
- Retrieve Image for storage and redistribution

Slide17: Redistribute Image
Diagram nodes: as in Slide13, plus Mobile Router
Note, Mobile Router appears to reside on Home Agent’s Network
- Retrieve Image
- Notify Warfighter That Image is available
- Authenticate Warfighter
- Send Image

Slide18: Image Transfer - Two Ground Stations
Diagram nodes: as in Slide13
- File Transfer Using Mobile-IPv4 (Triangular Routing)
- Rate Mismatch Problem
- Desire is to buffer locally while in sight of the satellite then redistribute to the VMOC
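
The request handling described in Slides 12 to 17 (confirm who the user is, check authorization, return a stored image or queue a new one by priority), as an added example that is not part of the original presentation. The user names, keys, priorities and the HMAC-based identity check are assumptions; the slides do not say how the VMOC implements these steps.

```python
import hashlib
import heapq
import hmac

# Constructed sample data: users, keys, regions and priorities are assumptions.
USER_KEYS = {"warfighter1": b"demo-key-1", "analyst7": b"demo-key-2"}
AUTHORIZED = {"warfighter1": {"Hong Kong"}, "analyst7": {"Hong Kong", "Guildford"}}
PRIORITY = {"warfighter1": 1, "analyst7": 5}   # lower number is served first
IMAGE_DB = {"Guildford": b"stored image"}      # images the VMOC already holds


def sign(user, region, nonce, key):
    """Tag a user attaches to a request; the VMOC recomputes it to verify identity."""
    return hmac.new(key, f"{user}|{region}|{nonce}".encode(), hashlib.sha256).hexdigest()


class Vmoc:
    def __init__(self):
        self.seen = set()     # (user, nonce) pairs already accepted, to reject replays
        self.pending = []     # heap of (priority, arrival, user, region)
        self.arrival = 0

    def handle(self, user, region, nonce, tag):
        # "Are you really Warfighter?": verify the tag in constant time.
        key = USER_KEYS.get(user)
        if key is None or not hmac.compare_digest(sign(user, region, nonce, key), tag):
            return "denied: authentication"
        if (user, nonce) in self.seen:
            return "denied: replay"
        self.seen.add((user, nonce))
        # "Is Warfighter authorized to view image of Hong Kong?"
        if region not in AUTHORIZED.get(user, set()):
            return "denied: authorization"
        # "If image is available, return image, else get image"
        if region in IMAGE_DB:
            return "image returned"
        # Hand the request to the scheduler; priority settles contention.
        self.arrival += 1
        heapq.heappush(self.pending, (PRIORITY.get(user, 9), self.arrival, user, region))
        return "scheduled"

    def next_tasking(self):
        """Return the (user, region) the scheduler should serve next, or None."""
        if not self.pending:
            return None
        _, _, user, region = heapq.heappop(self.pending)
        return user, region
```
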

Slide19: Ideal LARGE Image Transfer – Multiple Ground Stations (New Capability – Application Not Yet Developed)
Diagram nodes: Home Agent, VMOC, Open Internet, VMOC Database, Satellite Scheduler & Controller, Ground Station 3, Ground Station 2, Ground Station 1

Timeline of Events (18 Months):
September 2002:
- Cisco approaches SSTL regarding placing Mobile Access Router onboard a spacecraft
- SSTL agrees to place on UK-DMC with integration to begin in December 2002
April 2003:
- Cisco approaches NASA Glenn Research Center (GRC) regarding interest in participation under joint research of existing NASA Space Act Agreement
- NASA Glenn visits NASA Goddard regarding ground station support
  - GSFC definitely has the expertise
  - GRC concerned about NASA’s ability to meet cost/schedule due to bureaucracy
  - Security issues and motivation to “make this happen” without high level buy-in
August 2003:
- Initial planning meeting at GRC with Air Force, Army, GD, Cisco, and Western DataCom to discuss network, design, implementation and schedule prior to visiting SSTL
September 2003:
- Discussions with GSFC on cost and schedule (GRC has very limited budget)
27 September 2003:
- UK-DMC and sister satellites launched from Plesetsk.
15 October 2003:
- CLEO router power cycled during commissioning tests.
December 2003:
- VMOC team visits SSTL to discuss network design and collaborative effort
- SSTL agrees in principle and indicates that they would be willing to modify their addressing scheme to accommodate mobile networking
- GRC and GD are pleasantly surprised (We will believe it when we see it!)
- Talk of March 2004 demonstration, pushed to June per GRC’s insistence.
January 2004:
- While waiting for the arrival of the engineering model …. GRC personnel worked on IPv4 mobile networking technologies including traversing Network Address Translation units.
- Continued discussions with GSFC, but only $100K available. Insufficient funds.
- GSFC suggests we try Universal Space Networks who is looking for IP satellite
February 2004:
- Visited USN and got buy in to support second ground station. Used Military contract ending in April if no new work. Thus approximately 30 days to get in place.
- Took delivery of Engineering Model at GRC and tested as much of the network as possible – pass through software not yet written!
- VMOC kickoff meeting was held at Colorado Springs on February 11 through 13
- Decision was made to place a third ground station in Colorado Springs for VMOC comparative analysis.
- Mentioned IPv6 mobility work – Army suggested we show this to OSD (in our spare time!)
March 2004:
- Ordered modems for ground stations (3 Comtech COTS for downlink, 4 Amateur radio for uplink – due in April, build your own kit)
- Met with Army Battle Labs to discuss network design and addressing of the mobile component of the VMOC demonstration – the remote battle field command center.
- Comtech modem received
- While awaiting pass-through software completion, worked IPv6 mobility demonstration.
- General Dynamics is working VMOC in parallel – needs to integrate with GRC network.
April 2004:
- CPFSK Amateur radios signed for at GRC, but lost! Reordered last two kits!
- USN under contract.
- April 27: Performed Secure mobile network demonstration of IPv4 and IPv6 to Dr. Wells and staff at OSD and ICNS conference
- April 28: Met with Integral Systems and USN to discuss network design for mobile routing.
- April 29: CLEO router activated and tested with console access.
May 2004:
- CPFSK modem kits received, built and partially tested.
- USN requests modems with understanding that we have only partially tested them!
- SSTL Pass-through software and Saratoga file transfer software tested on EM.
- Virtual Flatsat implemented at GRC to allow 24x7 VMOC testing.
- May 11: First access to CLEO via console port via SSTL ground station
  - Tests were via SSTL machines controlled with RealVNC
- May 14: Pass-through software tested on UK-DMC. Telnet to CLEO now possible!
- May 21: 1st remote commanding of CLEO from GRC network using normal routing
- May 22: Sent Dave Stewart to England to get mobile networking operational.
- May 28: Mobile networking operational – unsecured, on open network
June 2004:
- June 3: Mobile networking tested behind VPN firewall – secure mobile networking.
- June 4: SSTL schedules telemetry passes over Colorado and Alaska for June 8 -17 and router passes over SSTL for metric collection on June 7-11.
- June 8: USN ground station operational (low pass mode) and receiving telemetry
- June 10: Telemetry resender operational from USN and CERES
- June 7 – 11: Metric testing of VMOC and CLEO from Vandenberg Air Force Base.
- June 14 – 16: Public demonstration of VMOC and CLEO at Vandenberg.
August 2004:
- Participate in Small Satellite Conference
- Telemetry from USN Alaska Ground station.
December 22, 2004:
- Mobile networking operational via the USN ground station (High-rate pass)

Summary - Timeline of Events:
- NASA’s first opportunity to touch CLEO was May 11th, 2004
- At best, satellite passes were: 1 per day, 3 days per week, 8 minutes per pass
- Cisco router testing next week (from actual email):
  - Tues 11/05/2004: 10h05UTC pass (6:05 EDT)
  - Wed 12/05/2004: 10h43UTC pass (6:43 EDT)
  - Fri 14/05/2004: 10h20UTC pass (6:20 EDT)
- Successful VMOC metrics testing was performed June 7-11.
- It is highly doubtful this would have been possible without the use of IP!

CLEO/VMOC Lessons Learned:
- The ability to have all the tools available in a full IOS on the onboard router proved invaluable
- Argument for slimmed-down IOS
  - May be more robust or easier to qualify rigorously for the space environment.
- Argument for full IOS
  - Removing functionality may result in less stable code rather than more stable code, as any change in software can affect the robustness of software.
  - Full IOS has been tested daily by hundreds of thousands of users
  - It is quite probable the functionality taken out will end up being the functionality one needs for some later, unforeseen configuration need.
- Mobile networking greatly simplifies network configurations at the ground stations and adds an extremely insignificant amount of overhead (three small packets per session for binding setup).
- Triangular routing is preferred if the rate on the terrestrial links cannot meet or exceed the rate of the downlink.
- Triangular routing along with new file transfer applications enables full utilization of the downlink.
- The interface between asset owners will have to be identified and some special software written when sharing infrastructure
  - Use of commercial standards (IP, Simple Object Access Protocol, XML) makes implementing these software interfaces much quicker and easier than if noncommercial standard protocols were used.
- The engineering model of the onboard and ground assets is a necessity
- According to Universal Space Networks and Integral System Integration, there are products available for ground station TT&C that have become de facto industry standards. Using them will greatly simplify ground station integration and reduce costs.
- An example provided by USN and ISI: IN–SNEC’s CORTEX satellite telemetry products for ground stations

Future Work:
- Use CLEO to move GPS reflectometry experiment data from a 3 Mbps solid state data recorder (SSDR) to an 8 Mbps SSDR
  - Allows all data to be transmitted to ground in single pass
  - Reducing power requirements and SSDRs can be turned off when empty
- Perform this multi-ground station large file transfer
  - USN ground station modifications necessary for operation with the DMC satellites
  - Application software needed to run a file transfer over multiple ground stations.
- SSTL commanding satellites through the USN ground system
  - Require SSTL to modify its Mission Planning System to automatically check availability of USN assets (This may be happening via AFRL and SSTL contracts with USN)
- VMOC as Systems Coordinator and Security Manager for SSTL and USN assets
- IPv6-Compliant Satellite
  - Onboard Router
  - HAIPIS Encryptor
  - IPv6 compliant instruments

New Capabilities:
- Onboard router enables standard payloads to be placed on a local area network and be commanded and controlled using commercial standard Internet Protocols.
- VMOC’s distributed architecture provides for survivability and rapid reconfiguration
  - Needed in the battlefield, science, and business environments.
- Enables remote secure command and control of spacecraft, sensors, and manned and unmanned aerial vehicles.
- By using commercial standard equipment and commercial standard protocols
  - Competition and standardization result in significant cost savings
  - Increases number of available assets
  - Ground and Space assets may be available from multiple commercial and government providers
  - Multiple assets result in more available contacts, greater contact time, and quicker response time
  - Use of multiple ground stations enables large file transfers to take place over multiple ground stations’ contact times
  - Allows system implementers tremendous flexibility in the design of the space system
  - Possible reduction of the downlink transmit rate and corresponding transmit power because of the increased contact time

NCO Experiences:
- Successful NCO has more to do with building trust relationships at the “people level” than it has to do with technology.
- Putting NCO in an operational system is the true test.
  - This forces ALL security issues to be addressed!
- Internetwork Centric Operations, NCO across various networks owned and operated by various entities, is far different than NCO within your own network.
  - Everybody has to expose themselves to some degree. That degree has to be negotiated up front.
  - I need to understand how your system works and you need to understand how my system works.
  - Strengths and vulnerabilities are exposed to some degree.
- Internetworking NCO is like a marriage
  - 50/50 is doomed to failure. 100% commitment is required by all parties.
  - You MUST understand and accept the needs of the other parties.
  - Patience and Persistence, Patience and Persistence, and more Patience and Persistence!

Slide31:
The complete technical report and this presentation are available at: http://roland.grc.nasa.gov/~ivancic/papers_presentations/papers.html
We are always willing to bring the demonstration to you, if so desired.