This document discusses several concepts related to software defined networking (SDN) and the "Information Core." It begins with an overview of how SDN could enable capabilities like automated provisioning, global visibility, and continuity of government. It then describes several proof-of-concept projects demonstrating SDN capabilities, including on-demand cloud/network provisioning, encryption policy enforcement, and live VM migration between data centers while maintaining network traffic. The overall aim is to develop a globally orchestrated "Information Core" through SDN to improve agility, security and mission support.
2016 10 31_mef_brief_nonotes_v2
1. UNCLASSIFIED – APPROVED FOR PUBLIC RELEASE
UNCLASSIFIED
UNITED IN SERVICE TO OUR NATION
David Stern - DBC/ID/ID24
Agency SDx SME / Optics & IP Architect
david.j.stern.civ@mail.mil
November 9, 2016
Operationalizing & Securing the Information Core
2. Disclaimer
The information provided in these briefings is for general information purposes only. It does not constitute a commitment on behalf of the United States Government to provide any of the capabilities, systems or equipment presented and in no way obligates the United States Government to enter into any future agreements with regard to the same. The information presented may not be disseminated without the express consent of the United States Government. These briefings may also contain references to United States Government future plans and projected system capabilities. Mention of these plans or capabilities in no way guarantees that the U.S. Government will follow these plans or that any of the associated system capabilities will be available or releasable to foreign governments.
3. Serving Soldiers, Sailors, Airmen, Marines, & Coast Guard – Around the Globe
Defense and federal agencies served (Enterprise: Innovate, Build, Protect, and Contract):
– Office of the Secretary of Defense
– Combatant Commands
– White House
– Joint Chiefs of Staff
– Coalition Activities
4. Information Core Big Picture
(Diagram; recoverable content below.)
Layers: DevOps and NetOps over Compute (SDC), Storage (SDS), Network (SDN) and Security (SDS).
Spend shifts from OPEX/hardware CAPEX toward development OPEX/software:
– Brownfield (existing): Automated Provisioning
– Greenfield (new/refresh): SDx
Effects, operational improvements: availability; deployment complexity; proven SLA reliability
Effects, fiscal/budgetary reductions: network consolidation; labor reduction
Effects, service improvements: automated provisioning; global repositioning; dynamic mission partner capability
Now in the realm of the possible (capability development):
– Every Device Is A Sensor (EDIAS): end-to-end (E2E) visibility of every device; on-demand tap at every device
– Continuity of Government (COG): COG simulation/rehearsal; department/agency-level COOP
– Government circuit provisioning: on-demand last mile; on-demand cloud services; on-demand mission networks
– Networks: JWICS, SIPRNET, NIPRNET, private/MPE
– Global C2/visibility of all orchestrators (through classification)
Core problem SDN solves: C2 and agility.
5. Automated Provisioning Capability
A Key Enabler for Software Defined Everything
6. Automated Provisioning Capability Bottom Line (NOT SDN)
Automated Provisioning (AP) drastically reduces provisioning times through customer-initiated service provisioning.
Automation significantly reduces the Tier I and Tier II technician and provisioning staff required, which reduces OPEX.
Automated Provisioning enables vendor-neutral, centralized control of services in:
– Legacy and non-standard infrastructure
– Mission Partner Environment (MPE)
– Wide Area Networks
– Campus Area Networks
– Local Area Networks
Lowers costs. Faster. Expands services.
7. Key Points for the Automated Provisioning Capability
Customer order through DDOE/Storefront
– Provisioning goal (hardware available): 7 days
– Actual installation time: 30+ days
– Demonstrated with automation: 2 minutes
– Capabilities are provisioned ON DEMAND
Labor hour reduction
– 5x OPEX reduction in Tier I, Tier II and provisioning labor hours for start, change, or disconnect
Automation = what/where knowledge
– Potential for whole-of-government visibility
– Military planners/operators get current capabilities
  • Actionable for real-time execution
– DISA service managers get real-time capabilities
  • Actionable to pre-deploy more capacity
8. Information Core Capability
Software Defined Everything Implementation
9. Information Core / Software Defined Enterprise
TODAY: DoD Information Network (DoDIN). The globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel.
GOAL: Information Core. The globally orchestrated, end-to-end set of information capabilities for collecting, processing, storing, disseminating, and managing information on demand to warfighters, policy makers, and support personnel.
Software Defined Everything collapses the current organizational and work-domain boundaries between Network, Compute, Storage and Security. Centralized orchestration enables agility. Agility translates to defensive and offensive cyber maneuver.
10. Proof of Concepts in Lab
11. Provider Edge: On Demand Cloud / Last Mile (11 Apr 16)
(Diagram; recoverable content below.) POC in process.
– DISA Ft Meade Lab (DoDIC): DISA API client providing centralized orchestration through API integration
– Enterprise API security gateways in front of enterprise applications (API controlled)
– Service provider network (commercial, DISA, other) with IPT-PE; existing MEF multiplexed UNI-N facing DISA
– On-demand last mile from the DISA service provider edge to cloud computing services (server), with Layer 2 and Layer 3 connectivity
12. Haywire - Policy Verification (Encryption)
(Diagram; recoverable content below.) POC completed.
– Two Cisco ASR9000 routers linked by 100GbE MACsec
– Two Brocade MLXe routers linked by 10 x 10GbE interfaces carrying 10 x 10G IPsec tunnels
– Brocade MLXe 10GbE IPsec interface eth2/4 (1 x 10G interface, IPsec tunnel) and Cisco ASR9000 interface Te0/2/0/4; traffic addressed in 10.10.x.x and 10.7.x.x
13. Haywire - Policy (Encryption) Enforcement
DoD FIRST! Cyber Circuit Breaker(SM)
• A policy violation activates the Cyber Circuit Breaker(SM). The tool provides authoritative topology to the Orchestrator.
• The Orchestrator shuts down the interface on demand to enforce policy (this could be a human entering credentials).
• At the next collection the policy fails again because the destination is no longer reachable (another policy violation), this time caused by the circuit breaker.
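As an added illustration of the verification-and-enforcement loop on slides 12 and 13 (example code written for this page, not the Haywire tool or DISA's implementation), the following Python models a collection pass over an orchestrator-held topology, the circuit-breaker shutdown of the offending interface, and the follow-on "unreachable" violation that slide 13 says the next collection will report. The device and interface names (site-a, pe-a, Te0/2/0/4 and so on), the Link/Policy data model, the path search and the repair step are all assumptions made for the example.

```python
"""Encryption-policy verification with a cyber-circuit-breaker response.

Added example; not code from the DISA briefing or from the Haywire tool.
A collection pass checks that the path between two endpoints exists and that
every link on it is encrypted. A cleartext link trips the breaker, which has
the orchestrator shut that interface; the next collection then fails for the
expected reason (destination unreachable) until the link is repaired.
Device names, interface names and the topology are constructed.
"""
from collections import deque
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Link:
    a: str                      # device at one end
    a_if: str                   # interface on that device
    b: str                      # device at the other end
    b_if: str
    encryption: Optional[str]   # "macsec", "ipsec" or None (cleartext)
    admin_up: bool = True

@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    allowed: frozenset = frozenset({"macsec", "ipsec"})

Hop = Tuple[Link, str, str]     # (link, egress device, egress interface)

class Orchestrator:
    """Holds the authoritative topology and applies breaker actions to it."""
    def __init__(self, links: List[Link]):
        self.links = list(links)
        self.actions: List[str] = []        # audit trail of changes made

    def find_path(self, src: str, dst: str) -> Optional[List[Hop]]:
        """BFS over admin-up links; returns the hops src->dst, or None."""
        prev: Dict[str, Tuple[str, Hop]] = {}
        seen, queue = {src}, deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                hops: List[Hop] = []
                while node != src:
                    node, hop = prev[node]
                    hops.append(hop)
                return hops[::-1]
            for l in (x for x in self.links if x.admin_up):
                for here, here_if, there in ((l.a, l.a_if, l.b), (l.b, l.b_if, l.a)):
                    if here == node and there not in seen:
                        seen.add(there)
                        prev[there] = (node, (l, here, here_if))
                        queue.append(there)
        return None

    def _edit(self, device: str, iface: str, **changes) -> None:
        self.links = [replace(l, **changes)
                      if (device, iface) in ((l.a, l.a_if), (l.b, l.b_if)) else l
                      for l in self.links]

    def shutdown(self, device: str, iface: str, reason: str) -> None:
        """Circuit-breaker action: admin-down the offending interface."""
        self._edit(device, iface, admin_up=False)
        self.actions.append(f"shutdown {device} {iface}: {reason}")

    def repair(self, device: str, iface: str, encryption: str) -> None:
        """Operator fix: enable encryption on the link and bring it back up."""
        self._edit(device, iface, encryption=encryption, admin_up=True)
        self.actions.append(f"repair {device} {iface}: {encryption}")

def collect(orch: Orchestrator, policy: Policy) -> List[str]:
    """One verification pass; returns violation strings (empty = compliant)."""
    hops = orch.find_path(policy.src, policy.dst)
    if hops is None:
        return [f"unreachable {policy.src}->{policy.dst}"]
    return [f"cleartext {dev} {iface}" for link, dev, iface in hops
            if link.encryption not in policy.allowed]

def enforce(orch: Orchestrator, policy: Policy) -> List[str]:
    """Verify, then trip the breaker on every cleartext hop found."""
    violations = collect(orch, policy)
    for v in violations:
        kind, *rest = v.split()
        if kind == "cleartext":
            orch.shutdown(rest[0], rest[1], f"{policy.src}->{policy.dst} must be encrypted")
    return violations

def run_demo() -> List[List[str]]:
    # Constructed topology: two sites behind provider-edge routers; the
    # pe-a<->pe-b link was meant to be MACsec but came up in the clear.
    orch = Orchestrator([
        Link("site-a", "eth0", "pe-a", "Te0/0/0/1", "ipsec"),
        Link("pe-a", "Te0/2/0/4", "pe-b", "Te0/2/0/4", None),
        Link("pe-b", "Te0/0/0/1", "site-b", "eth0", "ipsec"),
    ])
    policy = Policy("site-a", "site-b")
    passes = [enforce(orch, policy)]        # pass 1: cleartext, breaker trips
    passes.append(enforce(orch, policy))    # pass 2: unreachable, as expected
    orch.repair("pe-a", "Te0/2/0/4", "macsec")
    passes.append(enforce(orch, policy))    # pass 3: compliant
    return passes
```

Calling run_demo() returns one list per pass: a cleartext violation on pe-a Te0/2/0/4, then an "unreachable" result while the breaker is open, then an empty list after the repair. The second result is the point slide 13 makes: the verifier will keep reporting a violation after the breaker trips, and a reporting pipeline that cannot correlate that failure with the orchestrator's own shutdown action would page an operator for a condition the enforcement loop created, which is why the orchestrator here keeps an audit trail of every action it takes.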
14. Handoff – Reliable VM Live Migration
(Diagram: VMs moving from CDC 1 to CDC 2.)
Example of improved cyber maneuver: reliable movement of application/mission VMs and containers between data centers. May be coupled with Defensive Cyber Operations (DCO) through dynamic network reconfiguration.
Problem: Traditional live migration loses network traffic to/from compute resources while they are moving, especially between data centers. The result is lost traffic, retransmission, resynchronization of encryption, and other direct customer-experience impacts.
SDN-based solution (DISA patent pending): Use OpenFlow® capable portions of the network to store traffic in transit while compute assets are moving, then release it in order (or optimized by flow) when the move is complete.
BLUF: The Orchestrator coordinates compute, storage, and network together to produce a capability we could not achieve before (i.e. using the network to store in-flight data).
POC in progress. Patent pending.
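As an added example of the store-and-release idea described above (written for this page; it is not DISA's patent-pending method or any OpenFlow controller's code), the following Python simulates a switch whose forward rule for the migrating VM is swapped for a hold rule at the start of the move, buffers packets addressed to that VM, and releases them toward the new data center either in strict arrival order or grouped per flow once the move completes. The VM and source addresses, the port names, the packet stream, the buffer bound and the dict standing in for a flow table are all constructed for the example.

```python
"""Store-and-release of in-flight traffic during a VM live migration.

Added example; not DISA's patent-pending implementation or any OpenFlow
controller's code. While a VM moves between data centers the network holds
packets addressed to it instead of forwarding them into a black hole, then
releases them toward the new location, in arrival order or grouped per flow,
once the move completes. The buffer is bounded because held traffic costs
memory on the switch or controller. Addresses, port names and the packet
stream are constructed; the dict below stands in for an OpenFlow flow table.
"""
from collections import OrderedDict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    seq: int        # arrival order at the switch
    src: str
    dst: str        # VM address
    proto: str
    payload: str

    @property
    def flow(self) -> Tuple[str, str, str]:
        return (self.src, self.dst, self.proto)

HOLD = object()     # flow-table action: buffer instead of forwarding

class MigrationAwareSwitch:
    """Forwards by destination, or holds traffic for a destination that is moving."""
    def __init__(self, table: Dict[str, str], max_buffer: int = 1000):
        self.table: Dict[str, object] = dict(table)     # dst -> output port or HOLD
        self.max_buffer = max_buffer
        self.buffers: Dict[str, Deque[Packet]] = {}
        self.delivered: List[Tuple[str, Packet]] = []   # (port, packet) in order
        self.dropped: List[Packet] = []

    # Controller-side actions (what an orchestrator would push as flow mods).
    def begin_migration(self, dst: str) -> None:
        """Swap the forward rule for dst with a hold rule."""
        self.table[dst] = HOLD
        self.buffers.setdefault(dst, deque())

    def complete_migration(self, dst: str, new_port: str, by_flow: bool = False) -> int:
        """Point dst at its new port and release the held packets.

        by_flow=False: strict arrival order ("in order" on the slide).
        by_flow=True:  grouped per flow, flows ordered by first arrival
                       ("optimized by flow"); each flow stays in order.
        """
        self.table[dst] = new_port
        held = list(self.buffers.pop(dst, ()))
        if by_flow:
            groups: "OrderedDict[Tuple[str, str, str], List[Packet]]" = OrderedDict()
            for p in held:
                groups.setdefault(p.flow, []).append(p)
            held = [p for group in groups.values() for p in group]
        self.delivered.extend((new_port, p) for p in held)
        return len(held)

    # Data-plane behaviour.
    def receive(self, p: Packet) -> str:
        action = self.table.get(p.dst)
        if action is None:                  # no rule: the traditional loss case
            self.dropped.append(p)
            return "drop"
        if action is HOLD:
            buf = self.buffers[p.dst]
            if len(buf) >= self.max_buffer: # bounded: shed rather than grow
                self.dropped.append(p)
                return "drop"
            buf.append(p)
            return "hold"
        self.delivered.append((action, p))
        return "forward"

def run_demo(by_flow: bool = False) -> Dict[str, object]:
    """Constructed scenario: one packet before the move, five during, one after."""
    vm = "10.7.0.20"
    flows = [("10.10.0.5", "tcp"), ("10.10.0.9", "udp"), ("10.10.0.5", "tcp"),
             ("10.10.0.9", "udp"), ("10.10.0.5", "tcp"), ("10.10.0.7", "tcp"),
             ("10.10.0.5", "tcp")]
    stream = [Packet(i, src, vm, proto, f"p{i}") for i, (src, proto) in enumerate(flows)]
    sw = MigrationAwareSwitch({vm: "cdc1-port"}, max_buffer=4)
    actions = [sw.receive(stream[0])]                 # forwarded to CDC 1
    sw.begin_migration(vm)
    actions += [sw.receive(p) for p in stream[1:6]]   # 5 arrive mid-move; 4 fit
    released = sw.complete_migration(vm, "cdc2-port", by_flow=by_flow)
    actions.append(sw.receive(stream[6]))             # forwarded to CDC 2
    return {"actions": actions, "released": released,
            "delivered": [(port, p.seq) for port, p in sw.delivered],
            "dropped": [p.seq for p in sw.dropped]}
```

The bounded buffer is the caveat a practitioner adds to the slide's description: in run_demo five packets arrive during the move but only four fit, so one is shed, and a deployment would have to size the hold capacity against the expected migration window and the offered rate. The by-flow release reorders flows relative to one another but preserves each flow's own ordering, which is what matters to a TCP receiver or an IPsec anti-replay window on the far side.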