[ PROTOCOLS:OSDIR-3.TXT ] [ OJ, 5/86 ]
THE UNDER SECRETARY OF DEFENSE
WASHINGTON D.C. 20301
10 March 1983
MEMORANDUM FOR THE MILITARY DEPARTMENTS
DIRECTORS, DEFENSE AGENCIES
DIRECTORS, JOINT STAFF, OJCS
SUBJECT: Defense Data Network (DDN) Implementation
References: (a) Dep Sec Def Memorandum, Subject: Termination of
AUTODIN II, 2 April 1982
(b) DTACCS Memorandum, Subject: AUTODIN II Phase I
Decision Paper and OSD Guidance for Data Network
Developments, 16 July 1975
This memorandum directs the implementation of the Defense Data
Network (DDN) in accordance with Reference (a). This memorandum replaces
the previous guidance contained in Reference (b). The Director, Defense
Communications Agency (DCA) is overall Program Manager for DDN.
In order to ensure that DDN is implemented as an operationally
and economically effective program, the following areas must receive
expeditious attention:
(1) The user system requirements for all DoD data communication
systems must be confirmed. This must include accurate
operational and technical information.
(2) System users must select interfacing methods as well as
the timeframes required for their systems to connect
to the DDN.
(3) An effective cost recovery scheme which provides for
equitable user service costs must be established.
The enclosure hereto contains Guidance and Program Direction
applicable to DDN and other DoD Data Networks, and tasking in support
of the Defense Data Network Program (to be reviewed by DUSD (C3I) on
a continuing basis).
In order to assure success of the DDN, a DDN Coordinating
Committee has been established, chaired by the Director of Information
Systems with membership from the OJCS, Services, and appropriate
Defense Agencies. Intensive and continuing management support from
every echelon will be required to make this vital effort a success.
Richard D. DeLauer
GUIDANCE AND PROGRAM DIRECTION APPLICABLE TO THE
DEFENSE DATA NETWORK AND OTHER DoD DATA NETWORKS
References: (a) Dep Sec Def Memorandum, Subject: Termination of
AUTODIN II, 2 April 1982
(b) DTACCS, Memorandum, Subject: AUTODIN II Phase I Decision
Paper and OSD Guidance for Data Network Developments,
16 July 1975
(c) DUSD (C3I) Memorandum, Subject: Defense Data Network
-- Security Architecture Options, 10 May 1982
(d) Director of DCA Memorandum, Subject: Defense Data Network,
-- Security Architecture Options, 19 Nov 1982
(e) Director of NSA Memorandum, Subject: DoD Policy on
Standardization of Host-to-Host Protocols for Data
Communications Networks, 23 March 1982
I. Applicability of Program Guidance and Direction
This guidance shall be applicable to the Office of the Secretary of
Defense, the Joint Chiefs of Staff, Military Departments, and Defense
Agencies. The definition and scope of the Defense Data Network (DDN)
will be updated or redefined as dictated by changes in user requirements,
technological developments, and economic factors. Evolution of the DDN
as a Defense Communications System (DCS) element will be governed by the
DCS Five Year Plan (FYP) process. Any major changes in the scope,
schedules, cost, or composition of the network must be reviewed and
approved by DUSD (C3I).
II. Definition of the DDN
DDN is a data communications service which will utilize packet technology
as its primary switching technique to fulfill the data communications
needs of the DoD. The DDN is the data communications service of the
Defense Communications System (DCS). The DDN Program Plan, revised
19 May 1982, and augmented by the DDN Security Architecture Reports
(Ref d and e), provides a comprehensive description of the initial
planning for the network.
III. Program Strategy for Data Networks
The DDN will supply data communications services in support of critical
military operational systems, including WWMCCS and intelligence systems,
general purpose ADP and other command based systems and data networks,
which have requirements for long-haul data communication services. The
DDN will provide connectivity for these subscriber systems with the goal
of maximum potential for interoperability.
The DDN is designed to incorporate the maximum practical modularity and
flexibility in the backbone system and its various interfaces to
accommodate significant changes in the user requirements, in ADP and data
communications technology, and in the economic factors influencing this
program. Contractual and implementation planning for DDN must accommodate
variations in the number of switches to be implemented and in the overall
implementation schedule of the program. Every attempt must be made to
balance this flexibility against reasonable cost impacts to the backbone
system and the individual subscriber systems. It is essential that the
DDN planning be phased in a cohesive total program implementation that
is operationally and economically viable.
DUSD (C3I) memorandum, 10 May 1982, (Ref c) directed DCA and NSA to
conduct a review of the DDN Security Architecture alternatives for the
integration of the various subscriber communities that comprise the DDN.
Refs d and e describe the network security architectures that were
evaluated.
The approved DDN network security architecture contains two segments,
a classified segment and an unclassified segment. The two segments are
connected together via gates which allow use of the unclassified segment
backbone by the classified subscribers. DDN switches in the classified
segment (C2I network) are protected to the SECRET level and military
encryption devices are employed on all classified segment trunk and
access lines. All subscribers on the classified segment are connected
to the DDN via the Internet Private Line Interface (IPLI), or equivalent
end-to-end encryption (E3) devices. The unclassified segment (MILNET)
has switches in restricted locations and uses DES trunk encryption in
CONUS, and has switches in SECRET-cleared facilities and uses military
encryption devices on OCONUS trunk lines and on OCONUS-CONUS connections.
The software in the packet switches and monitoring centers will not
be reimplemented, but will be examined for security flaws and brought
under strict configuration control. This architecture is referred to
in the review as Option 2.2 -- WITH (with IPLIs on all classified hosts
and without reimplementation of network software.)
Near-term security for the DDN system will be provided through link
encryption of the circuits and segregation of different subscriber
communities. Provision of DES link encryption on the MILNET shall
proceed as expeditiously as possible, but implementation of systems
shall not be delayed solely because such encryption is not in place.
Every effort must be made to expedite the development of end-to-end
data encryption technology via the Internet Private Line Interface
(IPLI) and BLACKER Programs. The focus of these efforts should be
to provide host-to-host encryption protection. The BLACKER effort
should provide remote key distribution and a trusted (multilevel
secure) E3 device suitable for use on the DDN by programs such as
the Inter-Service/Agency AMPE, World-Wide Military Command Control
Systems (WWMCCS) Information Systems, and SACDIN.
The Director, DCA and all prospective users of the DDN should be
fully aware of the requirements of the Privacy Act of 1974, should
monitor all follow-on guidance deriving from this Act and related
legislation, and should plan for all appropriate changes to the
design or operation of their respective systems. The DDN already has
design features which provide for "command privacy" and which
will assist in minimizing problems from the perspective of "personal
privacy."
All DoD data communications systems are required to implement the DoD
Standard Host-to-Host Transmission Control and Internet Protocols
(TCP/IP) by Ref f. There are ongoing concerted efforts within the
government and industry to develop additional standardized data
communication protocols. These efforts must be monitored closely to
ensure that they meet the functional requirements of the DoD and that,
whenever possible, DoD protocols are in consonance with these efforts.
At the present time, the network access method supported by the DDN
is the 1822 interface with the Transmission Control and Internetwork
Protocols (TCP/IP). Consistent with our policy of using commercial
interface standards wherever possible, DCA is conducting an extensive
review in coordination with the National Bureau of Standards of the
various options in the X25 network access specifications. This review
and subsequent testing should result in a specification of the X25
options which will be supported by the DDN. Essential characteristics
of this specification will be compatibility with TCP/IP, with existing
1822/TCP/IP implementations and with the DDN end-to-end encryption
capabilities. The wide diversity of incompatible X25 implementations
presently available or contemplated in the commercial market could
lead to serious operational problems for the DDN and its users. Until
the DDN X25 specification has been approved by the DoD Protocol Standards
Steering Group, no implementations of X25 will be authorized for use
on the DDN.
IV. Guidance for DoD Data Networks
A. Use of the DDN
All DoD ADP systems and data networks requiring data communications
services will be provided long-haul and area communications,
interconnectivity, and the capability for interoperability by the DDN.
Existing systems, systems being expanded and upgraded, and new ADP
systems or data networks will become DDN subscribers. All such
systems must be registered in the DDN User Requirements Data Base
(URDB). Once registered in the URDB, requests by a Service/Agency for
an exception to this policy shall be made to DUSD (C3I). Requests for
exceptions for joint interest systems shall be routed to DUSD (C3I)
through the JCS. Authorization for such special networks may be
granted by DUSD (C3I) on the basis of special economic or operational
considerations such as:
1. The nature of the data communications services required
cannot be satisfied by DDN or a reasonable modification thereto, or
2. Critical operational requirements necessitate immediate
implementation actions to provide a data communications service
earlier than can be available within the DDN implementation schedule,
or
3. The ADP system has time-phased requirements for
communications support which can be satisfied and justified, on
economic grounds, by an interim network with subsequent transition to
DDN when economically feasible.
The DDN Program Manager will, based on the latest information
contained in the URDB, prepare projections at several time intervals
(e.g., 6 months, one year, two years) of the future topology and data
flow characteristics for the networks that comprise the DDN. These
projections will be distributed for comment to the OJCS, Services and
Agencies. Every attempt will be made in these topology projections to
provide equivalent or better service to all current DDN subscribers.
Services/Agencies should carefully review these projections and
resolve any problems with the DDN Program Manager. Only in case of
irresolvable problems should the matter be brought to the attention of
the DDN Coordinating Committee.
The DDN Program Manager will provide for informal electronic mail
capabilities of the MILNET similar to those presently on the ARPA
network. Provisions for funding these services through the
Communications Services Industrial Fund (CSIF) should be made
available as soon as possible.
Users are encouraged to connect general purpose ADP resources to the
DDN for the purpose of sharing computational resources with others of
the network. This provision includes the connection of commercially
available resources where appropriate.
B. Specific Network Guidance
1. ARPA Network
Those Service/Agency ADP systems that are currently connected to the
ARPA network or for which ARPA network connection is planned will form
the baseline for the unclassified portion of DDN which has been
designated the MILNET. The ARPA network will be partitioned into the
MILNET and an Experimental Network as quickly as possible. Electronic
mail forwarding capabilities will be provided between the two networks.
Positive network access control measures will be implemented on the
MILNET and, once fully employed, will allow authorized MILNET users
full internet access to the Experimental Network but prohibit full
internet access to MILNET for the Experimental Network.
The CONUS switches in the MILNET will be located in restricted access
locations and use the DES encryption techniques on all trunks. OCONUS
switches will be located in SECRET cleared facilities and military
encryption devices will be used on all OCONUS trunks and all
OCONUS-CONUS connections.
The Experimental Network (which will retain the name ARPANET network)
will be utilized for computer network research and to test concepts to
be employed in the DDN. The Experimental Network will be managed and
operated by the DDN Program Office. Policies governing its operation
will be established by a Steering Committee composed of the DDN Program
Manager and sponsors of systems using the Network. The Chairman of this
Steering Committee will be appointed by the Director of the Defense
Advanced Research Projects Agency.
2. WWMCCS Intercomputer Network
The communications subsystem of the WIN is the basis for the
classified portion of the DDN. The DDN will provide service to the
WWMCCS ADP community under the direction of the JCS and in accordance
with a WIN-DDN Transition Plan to be developed by the DDN Program
Manager and the JCS. Department of Defense Intelligence Information
Systems and other classified subscriber communities will be added to
the WIN communications subsystem to form the C2I network as soon as
end-to-end encryption measures are available.
3. Movements Information Network
The USEUCOM Movements Information Network (MINET) will initially be
managed as a separate testbed network to determine if urgent
transportation requirements of the United States Military in Europe
can be satisfied by electronic means. As soon as the MILNET is
physically partitioned from the experimental network, the MINET
communications subnetwork will become an integral part of the MILNET.
Additional users in Europe not covered in the original MINET planning
documents will be integrated into the MILNET communications subnetwork
by the DDN Program Manager in a manner not to degrade service to the
MINET testbed.
V. Tasking in Support of the Defense Data Network Program
A. Tasking for the Chairman, Joint Chiefs of Staff
1. Revision of various MOPs as required to comply with the
guidance contained herein, and publication of a new MOP addressing the
DDN.
2. Validate joint-interest user system requirements and
forward to DCA.
B. Tasking for the Director, Joint Staff
1. The Joint Staff should monitor the general progress of the
tasks identified in this enclosure and assist the DCA, Military
Departments, and other Defense Agencies as appropriate.
2. The Joint Staff should continue consideration of the
potential requirements of the Unified and Specified Commands which
might logically relate to the DDN program. This would include the
appropriate potential requirements for NATO interfaces, deployment of
switches, interfaces to tactical data systems, changes in the level of
survivability needed, and other longer range data communication
planning issues.
C. Tasking for the Director, DCA
1. The Director, DCA should accomplish the following tasks
and report to DUSD (C3I) as necessary.
(a) Develop, operate and manage the DDN on a
subscriber-to-subscriber basis.
(b) Confirm user system requirements in order to establish and
maintain a data base of data communications requirements for system
planning and sizing. This action should include both updated
projections based on the tasking included in other parts of this
enclosure and identification of the specific timeframes when candidate
user systems can be connected to the DDN.
(c) Develop and refine a reporting format which will allow the
Military Departments and Defense Agencies to provide the user
requirements data, tasked elsewhere in this enclosure, in a consistent
manner.
(d) Review the technical concept of operation for each
candidate ADP system to ensure that the DDN can adequately support
these ADP system requirements.
(e) Coordinate with the appropriate agencies to ensure that
the DDN specifications properly identify and fully address network
security and privacy requirements.
(f) Provide technical review and validation of the protocols,
interfaces, precedence, and security features of the DDN and the
impacts on user systems. This validation should be accomplished
through experimentation, consultation and coordination with the user
communities, and evaluation by recognized experts from government and
industry.
(g) Develop a network reporting system that provides clear
management visibility on network operations of the DDN.
(h) Develop effective cost recovery alternatives for the DDN
through the Communications Services Industrial Fund (CSIF) based on
equitable rates reflecting actual system usage to the maximum extent
feasible.
(i) Establish appropriate management thresholds which will
ensure early identification of major changes or problems in the program
costs or schedules.
(j) Investigate the potential use of network interfacing devices
which will minimize subscriber conversion and operational impacts.
(k) Assist the Military Departments and Defense Agencies in
accomplishing their designated tasks.
D. Tasking for the Military Departments and Defense Agencies
1. Develop and forward in a timely manner the required
information on all currently operational and planned ADP systems and data
networks that require long-haul and area data communications support.
This information should be revised as necessary to keep the User
Requirements Data Base as accurate as possible.
2. Plan and program to assist the Director, DCA in the
implementation of the DDN and user systems.
3. Reassess current concepts of operations and reporting
instructions in light of the features and capabilities available
through the use of the DDN, and plan for possible improvements.
4. Carefully assess the security features of the DDN and
determine how to maximize their security protection. Although these
security features may be helpful for ADP system operations, they do
not solve the multilevel security problems of the ADP systems.
5. MILDEPs and Agencies are responsible for interfacing their
data communications systems to the DDN in accordance with DDN
interfacing specification. Where mutually agreed by MILDEPs/Agencies
and DCA, DCA will coordinate and manage the development of families of
network interfaces.
E. Additional Tasking for the Directors, National Security Agency
and Defense Intelligence Agency
Assist the Director, DCA in ensuring the security integrity of the
communications systems, including segregation of GENSER-SI traffic,
segregation of subscriber communities, Defense Switched Network
(AUTOVON) dial-up circuit protection procedures, overall network
security, and other appropriate areas of security.