Validation of Encryption Devices over BGAN US Centric Interim Phase C Report (For Distribution at Inmarsat s Discretion)

Transcription

1 Validation of Encryption Devices over BGAN US Centric Interim Phase C Report (For Distribution at Inmarsat s Discretion) GD KG235 ViaSat KG-250 Taclane KG175 Thales DC2K Prepared by: AOS, Inc. March 23, 2006 Inmarsat Ltd. Proprietary Page 1 of 21

2 Contents 1 Executive Summary 3 2 Introduction Project Objectives 3 3 Selection of Encryption Devices and Deployment Scenarios 6 4 Glossary 7 5 Encryptors Tested 8 6 Equipment Configuration 8 7 Packet Switched Thales DC2k Testing via Thrane BGAN UT 10 8 Packet Switched Taclane KG-175 Testing via Thrane BGAN UT 12 9 Packet Switched ViaSat KG-250 Testing via Thrane BGAN UT Thales DC2K Retest & AOS Performance Enhancing Proxy (PEP) Summary of Test Results 19 Figures Figure 1 AOS-Inmarsat VPN PS Network 4 Figure 2 Thales DC2K BGAN Testing via IOR I-4 Satellite Config 10 Figure 3 Taclane KG175 BGAN Testing via IOR I-4 Satellite Config 12 Figure 4 ViaSat KG250 BGAN testing via IOR I-4 Satellite Config 14 Figure 5 Thales DC2K and AOS PEP Test Configuration 16 Tables Table 1 PS Encryption Test Data via Thales DC2K IP Encryptor 11 Table 2 PS Encryption Test Data via KG175 IP Encryptor 13 Table 3 PS Encryption Test Data via KG250 IP Encryptor 15 Table 4 Testing Data: Linux No PEP vs AOS PEP 17 Table 5 Testing Data: Windows XP Pro No PEP vs AOS PEP 17 Table 6 Testing Data: Windows versus Linux No AOS PEP 18 Table 7 Testing Data: Windows versus Linux With AOS PEP 18 Inmarsat Ltd. Proprietary Page 2 of 21

3 1 Executive Summary The primary objective of this study was to verify that USG Type 1 encryption equipment would function properly over the Inmarsat BGAN satellite network. Since there was no direct BGAN access from America, AOS collaborated with Inmarsat s Engineers to build a VPN network from Dallas, Texas to London, UK that would remote the BGAN UT s network connections. From the extensive testing performed via the AOS-Inmarsat VPN BGAN network there appears to be no impediment for the proper use of the Taclane KG175 (Type 1), ViaSat KG250 (Type 1) and the Thales DC2K IP encryptors on the Inmarsat BGAN network. The L3 KG240 and General Dynamics KG235 encryptors were not available at this time. AOS expects to have both encryptors ready for AOR I-4 testing by the end of March. The report that follows documents the BGAN satellite testing that has been performed via the Thrane Explorer 500 UT and the above IP encryptors. It should be noted that all BGAN testing was performed using background class IP. See Figure 1 for an overview of the AOS-Inmarsat VPN network. This is an Interim Phase-C report. Additional testing will be performed with other BGAN UT variants when the AOR I-4 satellite is available over the US A Linux-based testing platform enabled greater flexibility to adjust queue and window sizes, which helped to improve the consistency of results. These settings required modification in response to the high jitter and increased delay introduced by the ADSLbased VPN tunnel between London and Dallas. Properly adjusting the MTU settings throughout the network (PC, routers and encryptors) was essential to achieve maximum throughput both on Windows and Linux operating systems. The AOS-Inmarsat VPN network provided the most cost effective method of testing, but the high and variable latency produced erratic data transfer rates. Therefore it was agreed that only network connectivity via the encryptors would be documented in the interim Phase-C report. Throughput and encryption overhead values will be documented when AOR I-4 access is available. 2 Introduction Project Objectives AOS, Inc. has been contracted to provide a three-part study to assess the interoperability between BGAN services and a range of existing and future cryptographic equipment typically used by the US Government. The three-part study consists of: Inmarsat Ltd. Proprietary Page 3 of 21

4 2.1 Phase A Prioritization with justification of circuit switch (CS) and packet switch (PS) encryption devices likely to be deployed with BGAN UT s at commercial launch. The study recommended modifications to BGAN UT and core network to ensure long term compatibility with the encryption equipment under test. Relevant peripherals and applications for after BGAN launch were listed in order of importance. 2.2 Phase B A plan was developed to test all packet switched encryptors. Since there was no BGAN direct access from the US an Internet Virtual Private Network (VPN) was constructed between Inmarsat London, UK and AOS Dallas, Texas. The VPN network was required to remote the BGAN network interfaces since only IOR BGAN access was available at this time. The encryptors under test, with necessary Internet routing equipment, was located at AOS Dallas and the BGAN UT, with coordinating Internet routing equipment, was located at Inmarsat London. See the below Figure 1 for a diagram of the VPN PS test network: East Tunnel West Tunnel Figure 1: AOS-Inmarsat VPN PS Test Network Inmarsat Ltd. Proprietary Page 4 of 21

5 2.2.1 The PS testing objective was to ensure that the encryptors under test would operate properly over the BGAN network. A matrix utilizing File Transfer Protocol (FTP) tests, with and without encryption, was constructed to calculate encryption overhead values through the BGAN network. Using Performance Enhancing Proxy (PEP) software was to be implemented to verify if BGAN network speeds would be increased if used No circuit switched testing was performed since there was no economical synchronous serial transmission vehicle between the two test sites. Circuit switched equipment testing will be done at a later date once US BGAN access is available. 2.3 Phase C Once the above PS test network was operational BGAN testing was to be performed using each encryptor through each BGAN UT. All unclassified test setup information will be supplied. Test results were to be summarized and encountered problems and solutions were to be highlighted. The test results were to include: Typical end-to-end connection success rate Typical connection time (if applicable) Observed average throughput (if applicable) Average overhead observed UT interface configuration settings Crypto configurations setting (non-classified settings only) Three reports will be developed; For Distribution at Inmarsat s Discretion For Distribution to Inmarsat Personnel Only For Distribution to US Government Personnel Only Inmarsat Ltd. Proprietary Page 5 of 21

6 3 Selection of Encryption Devices and Deployment Scenarios The proposed encryption equipment was to be evaluated within each of the proposed scenarios. The four scenarios were: Scenario 1: Forward Presence in Theatre (Reconnaissance Operations) Scenario 2: Early Entry and Secondary Comms for Coalition Operations Scenario 3: Communications in Support of Logistics (Land) Scenario 4: Remote Forward Operations After careful review on how AOS US Government clients use their encrypted communications in the field a consolidation of the above scenarios was done. Basically, the encryption users fell into two groups; Group 1: Quickly deployed reconnaissance or remote forward operation groups that need very small and lightweight encryption/communications equipment. Size, weight and equipment power requirements matter for this group. Group 2: More stationary operations. This group would be typical of secondary comms and logistical support groups. For this group equipment size, weight and power requirements is not of primary importance. Therefore, the scenarios to be considered for this study are: Scenario 1: Recon and remote forward operations where small and lightweight encryptors will be primary consideration Scenario 2: Coalition operation and logistics support where greater encryptor size and weight will not be considered a detriment It should be noted that the above scenarios will not have any effect on how the encryptors will be tested. The primary factor on which encryptor will best for one of the above scenarios will be dictated by size, weight and power requirements. Besides these physical characteristics the data throughput and overall and easy of use will be important to the field user. If all other data handling characteristics are equal, experience has proven that the first encryptors to be deployed to the field are the smaller and lighter units. Therefore, the expected IP Type 1 encryptor deployment priority (from first to last) would be in the following order: KG250, KG175, KG235 and KG240. This priority list will continue to change as smaller, lighter and more versatile Type 1 encryptors become available. Inmarsat Ltd. Proprietary Page 6 of 21

7 4 Glossary List of Abbreviations AES BGAN CEF CN COMSEC CS FNBDT FTP IOS HSD IP IPSec ISDN HAIPIS HTTP HTTPS MMI MTU PEP PIX PS POTS RTT STE SBU SDM SOW SP STU TCP UT USG VPN Advanced Encryption Standard Broadband Global Area Network Cisco Express Forwarding Core Network Communications Security Circuit Switched Future Narrow Band Digital Terminal File Transfer Protocol Internetwork Operating System (Cisco) High Speed Data Internet Protocol IP Security Protocols Integrated Services Digital Network High Assurance IP Interoperability Specifications Hyper Text Transfer Protocol HTTP Secure Man Machine Interface Maximum Transmission Unit Performance Enhancing Proxy Private Internet Exchange (Cisco) Packet Switched Plain Old Telephone Service Round Trip Time Secure Terminal Equipment Sensitive but Unclassified System Definition Manual Statement of Work Service Provider Secure Telephone Unit Transmission Control Protocol User Terminal United States Government Virtual Private Network Inmarsat Ltd. Proprietary Page 7 of 21

8 5 Encryptors Tested 5.1 The IP encryptors that have been tested to date via the Inmarsat/AOS BGAN VPN circuit are the Thales DC2K (non Type 1), Taclane KG175 (Type 1) and the ViaSat KG250 (Type 1) 5.2 One of the Taclane KG235 (Type 1) IP encryptors failed during setup and will not be available for retest until mid-march. The KG235 failure was due to an internal clock error. New software and keying materials are en route to repair the defective KG235. The KG235 s failure is not related to the BGAN testing. 5.3 The L3 KG240 IP encryptors (Type 1) will not be available until the end of March. 5.4 The ViaSat KIV21 serial/ip encryptor will be tested when direct AOR I-4 BGAN access is available. 6 Equipment Configuration 6.1 Thrane Explorer 500 UT Software release 1.01 This terminal is currently at the Inmarsat lab in London. The unit has been configured by Inmarsat s Network Engineers. 6.2 The BGAN MMI is not being used in our current configuration. 6.3 The Inmarsat Performance Enhancement Proxy (PEP) software was NOT used during this report s testing. AOS s SkyPipe (PEP) was used exclusively during this interim Phase-C testing. Testing was performed with and without SkyPipe. 6.4 Since there was no BGAN direct access from the US an Internet VPN network was constructed between Inmarsat London, UK and AOS Dallas, Texas. Cisco 1712 and 2620 series routers were used to build the VPN tunnel connections. See Figure 1 for a diagram of the VPN PS test network. The current Cisco IOS in use is See the Appendix for router configurations. 6.5 Linux versus Windows Computer Operating Systems (OS) Linux was selected as the OS for the test PCs, as it could provide fine control of TCP buffers and window sizes. This only became important because of the significant combined latency of the commercial ADSL service used for the VPNs coupled with satellite delay. On this unusual test platform, an optimized Linux platform provided more consistent FTP throughput results. Inmarsat Ltd. Proprietary Page 8 of 21

9 6.6 Encryption equipment configuration: The following reports contain the specified encryptor configuration settings The For Distribution to US Government Personnel Only test report contains all encryptor configuration instructions The For Distribution to Inmarsat Personnel Only test report will provide the Thales DC2K encryptor configuration instructions The For Distribution at Inmarsat s Discretion test report has no encryptor configuration instructions. 6.7 SkyPipe Performance Enhancing Proxy (PEP) Software SkyPipe is a proprietary AOS, Inc. software application optimized for TCP traffic over secure satellite links. SkyPipe features IPSec compliant, 256-bit AES encryption VPNs. SkyPipe can be terminated to a Cisco PIX or security IOS. SkyPipe can be furnished as a software client or as a pocket-sized, USB-powered external hardware device. See Figure 5 on page 16 for a typical implementation of the client/server architecture. SkyPipe substitutes the TCP protocol with a highly efficient and reliable UDPbased protocol that is especially designed to maximize data transfer over highdelay and loss-intensive networks such as satellite and radio links. The SkyPipe Performance Enhancing Proxy (PEP) supports multiple standard application protocols, including HTTP, HTTPS, FTP, SOCKS, and protocol-independent port forwarding. The PEP software assumes that the client/server application software can support a proxy. The PEP can also operate in a transparent mode via an external hardware device, thus eliminating the need for the client/server PEP software. SkyPipe also utilizes HTTP prefetching, further enhancing transfer of HTTPbased data thus drastically increasing web traffic performance and download times for web pages. Basic router functionality, including Network Address Translation (NAT) and on-the-fly compression saves the user bandwidth and money. Since all remote SkyPipe clients need to communicate with a local server, public SkyPipe servers will be available from various satellite service providers. Private servers are also available and can be installed at user facilities. SkyPipe is a particularly timely solution for users of the new Inmarsat BGAN high-speed data service and ideally suited for those who will employ Government encryption devices to secure their mobile networks. US Government/Type 1 hardware encryption devices are afforded an additional layer of security by double wrapping of traffic. Inmarsat Ltd. Proprietary Page 9 of 21

10 7 Packet Switched Encryption Equipment Testing via BGAN I-4 Encryptor: Thales DC2K (non-type 1) BGAN UT: Thrane Explorer 500 at Inmarsat UK The test arrangement will be configured as in Figure 2 below. East Tunnel West Tunnel Figure 2 Thales DC2K BGAN Testing via IOR I-4 Satellite Configuration 7.1 The equipment required for this PS configuration is: 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver each Thales DC2K IP Encryptors 2 each Dell Desktop Computers with Linux Fedora Core 4 OS 1 each DSL high speed Internet connection with static IP s 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab Software version MMI not in use. 1 lot BGAN airtime for UT supplied by Inmarsat Inmarsat Ltd. Proprietary Page 10 of 21

11 7.2 The PS encryption tests to be performed via the BGAN I-4 configuration are described in the below Table 1 BGAN I-4 Tests for Thales DC2K IP Encryptor FTP File Transfer Data Rates - With Encryption (Note 1) No TCP PEP - Linux FC4 PC OS Via Thrane Explore 500 UT Download/Get Download/Get Upload/Put Upload/Put FTP Data= 1MB zipped pkg KB/s Kbps KB/s Kbps FTP Tests on Nov. 17, 2005 Test Test Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 55 to to 200 Network delay (Millisecs)= 1500 to 2000 Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas Table 1 Packet Switched encryption test data via the Thales DC2K IP encryptor and the Thrane Explorer 500 UT over the BGAN IOR I-4 Satellite Inmarsat Ltd. Proprietary Page 11 of 21

12 8 Packet Switched Encryption Equipment Testing via BGAN I-4 Encryptor: Taclane KG175 (Type 1) BGAN UT: Thrane Explorer 500 at Inmarsat UK The test arrangement will be configured as in Figure 3 below: West Tunnel Figure 3 Taclane KG175 BGAN Testing via IOR I-4 Satellite Configuration 8.1 The equipment required for this CS configuration is: 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver each Taclane KG175 IP encryptors 2 each Dell Desktop Computers with Linux Fedora Core 4 OS 1 each DSL high speed Internet connection with static IP s 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab Software version MMI not in use. 1 lot BGAN airtime for UT supplied by Inmarsat Inmarsat Ltd. Proprietary Page 12 of 21

13 8.2 The PS encryption tests to be performed via the BGAN I-4 configuration are described in the below Table 2 BGAN I-4 Tests for Taclane KG175 IP Encryptor No TCP PEP - Linux FC4 PC OS Via Thrane Explore 500 UT Download/Get Download/Get Upload/Put Upload/Put FTP Data= 1MB zipped pkg KB/s Kbps KB/s Kbps FTP Tests on Nov. 17, 2005 Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 51 to to 136 Network delay (Millisecs)= 2013 to 2144 FTP File Transfer Data Rates - With Encryption (Note 1) Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas Table 2 Packet Switched encryption test data via the Taclane KG175 IP encryptor and the Thrane Explorer 500 UT over the BGAN IOR I-4 Satellite Inmarsat Ltd. Proprietary Page 13 of 21

14 9 Packet Switched Encryption Equipment Testing via BGAN I-4 Encryptor: ViaSat KG250 (Type 1) BGAN UT: Thrane Explorer 500 at Inmarsat UK The test arrangement will be configured as in Figure 4 below: Figure 4 ViaSat KG-250 Testing via IOR I-4 Satellite Configuration 9.1 The equipment required for this PS configuration is: 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver each ViaSat KG250 IP Encryptors 2 each Dell Desktop Computers with Linux Fedora Core 4 OS 1 each DSL high speed Internet connection with static IP s 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab Software version MMI not in use. 1 lot BGAN airtime for UT supplied by Inmarsat Inmarsat Ltd. Proprietary Page 14 of 21

15 9.2 The PS encryption tests to be performed via the BGAN I-4 configuration are described in the below Table 3 BGAN I-4 Tests for ViaSat KG250 IP Encryptor No TCP PEP - Linux FC4 PC OS Via Thrane Explore 500 UT Download/Get Download/Get Upload/Put Upload/Put FTP Data= 1MB zipped pkg KB/s Kbps KB/s Kbps FTP Tests on Nov. 21, 2005 Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 96 to to 76 Network delay (Millisecs)= 2000 to 2150 FTP File Trasnfer Times - With Encryption (Note 1) Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas Table 3 Packet Switched encryption test data via the ViaSat KG250 IP encryptor and the Thrane Explorer 500 UT over the BGAN IOR I-4 Satellite Inmarsat Ltd. Proprietary Page 15 of 21

16 10 Thales DC2K Retest and AOS Performance Enhancing Proxy (PEP) The test arrangement will be configured as in Figure 5 below: East Tunnel West Tunnel Figure 5 DC2K and AOS PEP Testing Configuration: 10.1 The equipment required for this PS configuration is: 3 each Cisco VPN Routers (1 router supplied by Inmarsat in UK). Cisco IOS ver each Thales DC2K IP Encryptors 2 each Desktop Server Computers with Linux Fedora Core 4 OS 1 each Laptop Computer with dual boot Windows XP Pro and Fedora Core 4 OS 1 each DSL high speed Internet connection with static IP s 1 each Thrane Explorer 500 BGAN terminal at Inmarsat UK test lab Software version MMI not in use. 1 each AOS EOS SkyPipe hardware client 1 lot BGAN airtime for UT supplied by Inmarsat Inmarsat Ltd. Proprietary Page 16 of 21

17 BGAN I-4 Tests for Thales DC2K IP Encryptor FTP Xfer Rates w/encryption (Note 1) No TCP PEP & Linux OS FTP Xfer Rates w/encryption (Note 1) AOS PEP & Linux OS FTP Gain No PEP vs AOS PEP Via Thrane Explore 500 UT Download/Get Upload/Put Download/Get Upload/Put Download/Get Upload/Put FTP Data= 1MB zipped pkg Kbps Kbps Kbps Kbps % Gain % Gain FTP Tests on Feb. 13, 2006 Test Test Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 96 to to to to 304 Network delay (Millisecs)= 1500 to 2000 Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas 10.2 Table 4 - Linux Client Computer - No PEP versus AOS PEP BGAN I-4 Tests for Thales DC2K IP Encryptor FTP Xfer Rates w/encryption No PEP & Win XP Pro FTP Xfer Rates w/encryption PEP & Win XP Pro PC FTP Gain No PEP vs AOS PEP Via Thrane Explore 500 UT Download/Get Upload/Put Download/Get Upload/Put Download/Get Upload/Put FTP Data= 1MB zipped pkg Kbps Kbps Kbps Kbps % Gain % Gain FTP Tests on Feb. 13, 2006 Test Test Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 128 to to to to 250 Network delay (Millisecs)= 1500 to 2000 Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas 10.3 Table 5 - Windows XP Pro Client Computer No PEP versus AOS PEP Inmarsat Ltd. Proprietary Page 17 of 21

18 BGAN I-4 Tests for Thales DC2K IP Encryptor FTP Xfer Rates w/encryption No PEP & XP Pro Client FTP Xfer Rates w/encryption (Note 1) No PEP & Linux OS FTP Gain No PEP Windows vs Linux Via Thrane Explore 500 UT Download/Get Upload/Put Download/Get Upload/Put Download/Get Upload/Put FTP Data= 1MB zipped pkg Kbps Kbps Kbps Kbps % Gain % Gain FTP Tests on Feb. 13, 2006 Test Test Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 128 to to to to 144 Network delay (Millisecs)= 1500 to 2000 Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas 10.4 Table 6 - Windows versus Linux Client Computer No AOS PEP BGAN I-4 Tests for Thales DC2K IP Encryptor FTP Xfer Rates w/encryption AOS PEP & XP Pro PC FTP Xfer Rates w/encryption AOS PEP & Linux OS FTP Gain With PEP - Window vs Linux Via Thrane Explore 500 UT Download/Get Upload/Put Download/Get Upload/Put Download/Get Upload/Put FTP Data= 1MB zipped pkg Kbps Kbps Kbps Kbps % Gain % Gain FTP Tests on Feb. 13, 2006 Test Test Test Test Test Test Test Test Test Test Average Kbps (Note 2) Range Kbps (Note 2) 96 to to to to 304 Network delay (Millisecs)= 1500 to 2000 Note 1: Please see section 6.5 for Host Operating System selection Note 2: Throughput results impacted by high latency and jitter introduced as a result of ADSL-based VPN tunnel between London and Dallas 10.5 Table 7 - Windows versus Linux Client Computer With AOS PEP Inmarsat Ltd. Proprietary Page 18 of 21

19 11 Summary of Test Results The primary goal of this interim report is to provide some initial feedback to the Inmarsat user community regarding the compatibility of US Centric IP encryptors via the BGAN IOR I-4 satellite. During the course of this report only the Thrane Explorer 500 BGAN UT was available for testing. The only IP encryptors available during the tests were the Thales DC2K, Taclane KG175 and ViaSat KG250. Additional BGAN UTs and encryption equipment will be available for testing in late March/April when BGAN access is available via the AOR I-4 satellite. The BGAN VPN communications link between AOS (Dallas) and Inmarsat (London) provided an economical testing vehicle. However, the VPN link did inject an additional variable delay due to the multiple router hop Internet connections. The asymmetrical (512Kb upload/5mb download) DSL Internet connection at Dallas added yet another variable to our testing. This ADSL line is an unmanaged and unqualified service that had no guaranteed Quality of Service (QoS). These ADSL factors, coupled with a high latency satellite circuit, produced erratic IP throughput measurements. The round trip time (RTT) over the VPN network varied from 1500 to 2200 milliseconds (ms). Due to these variables it was determined to limit the encryption testing to basic continuity measurements rather than trying to establish encryption overhead values. See Figure 1 on page 4 for an overview of VPN test network. Initial BGAN testing enabled us to characterize the impact of the unusually high jitter produced by the VPN test network. Some effects of latency could be counteracted by significantly increasing the queue lengths and window sizes (both send and receive) and it was found these changes could be made more easily on a Linux OS (Fedora Core 4) than Windows (2000 Pro or XP Pro). From a testing perspective, this produced more reliable data transfer at higher speeds and so all testing was performed on Linux computers. It should be noted that this measure was only needed to validate connectivity at such an early stage of the BGAN evolution, and the Windows TCP window sizes are sufficient for local BGAN operation. During the initial BGAN testing via the AOS-Inmarsat VPN we discovered that the Thales DC2K IP encryptors would not pass data traffic. This was due to the encryptors IPSec incompatibility with Cisco s CEF (Cisco Express Forwarding) being enabled. Once this feature was disabled in all three routers the Thales DC2K IP encyrptors properly passed encrypted data traffic. The proper setting of the Maximum Transmission Unit (MTU) was important to insure the highest possible data transfer. Using advanced satellite IP accelerators such as SkyPipe, MTU sizing and packet stuffing techniques are used to enhance performance. While using a network protocol analyzer (Ethereal) the MTU s on the computer, Cisco routers and encryption equipment was adjusted for maximum data transfer. Inmarsat Ltd. Proprietary Page 19 of 21

20 Maximum data transfer would occur when packets were not being split into two packets as they passed through the encryptor, router and computer interfaces. As a general rule all computers, network routers and DC2K IP encryptors MTU s were set to 1280, 1416 and 1400 respectively. These values are documented on the test configuration Figures 2, 3 and 4. The IP encryptor test data throughput measurements are tabulated in Tables 1, 2 and 3. This data validates the DC2K, KG175 and KG250 IP encryptor s capability to pass encrypted data via the BGAN network. The initial data throughput values were disappointing but not unexpected due to the numerous variables and is almost certainly attributable to the high latency in the AOS-Inmarsat VPN circuit. FTP download speeds ranged from an average of 84Kbps to 113Kbps, whereas, FTP uploads averaged from 58Kbps to 139Kbps. Configuring all encryptors was straight forward. After configuring all administrative settings (i.e., red/black setup and handling keying materials) the encryptors would synchronize with each other within a minute. The AOS-Inmarsat VPN BGAN network did not produce any special encryptor configuration requirements. The MTU settings were the primary time consuming adjustment. Various MTU settings were tried before the best possible settings were obtained. All MTU settings will be re-validated when direct AOR I-4 access is available. AOS has previously used Performance Enhancing Proxy (PEP) software over the Inmarsat GAN networks using the Windows OS platform. Initial BGAN tests showed that using AOS PEP (SkyPipe) would obtain improved FTP reliability and data transfer speeds comparable to our non-pep Linux testing. During initial testing our PEP would not function in the Linux environment. However, in a recent development AOS has produced a Linux based PEP called SkyPipe EOS. This Linux based transparent capture solution has produced some remarkable results over the AOS-Inmarsat BGAN VPN. See the recent Thales DC2K test results on pages for actual test configuration and data. The PEP function is to primarily remove the issues of latency and thus get a more accurate estimate of throughput speeds. Additional Thales DC2K IP encryptor tests were performed with and without PEP and between the Windows and Linux platforms. Using SkyPipe with either a Windows or Linux client computer working into a Linux server produced very similar results of approximately 200Kbps download and approximately 242Kbps upload FTP data transfers. SkyPipe s improvement to FTP uploads is impressive. Without SkyPipe the FTP uploads for a Linux client computer averaged 109Kbps, whereas, a Windows client computer only averaged 42Kbps. No testing of Inmarsat s PEP was done during this time period. It is understood that Inmarsat s PEP will also improve upload BGAN characteristics. Inmarsat Ltd. Proprietary Page 20 of 21

21 This concludes this interim report. BGAN Packet Switched encryption testing will resume when AOR I-4 access is available. The AOR I-4 access is expected by mid April, At this time the Hughes 9201 and Nera WorldPro 1000 BGAN UT s should be available for testing. The KG235 and KG240 Type 1 USG encryptors are expected to be available at this same time. Data testing will be done with and without encryption, as well as, with and without PEP. Having direct access to the AOR I-4 BGAN satellite will make encryption IP overhead measurements practical and the results meaningful. When direct AOR I-4 access is available AOS will perform Circuit Switched (CS) testing using USG Type 1 serial link encryptors (i.e., the L3 STE, the SafeNet KIV7, STUIII, L3 OmniXp/Xi, Sectera Wireline and ViaSat KIV21). The Thales DC2K LX non Type 1 serial link encryptor will be tested to compare encryption overhead values. Inmarsat Ltd. Proprietary Page 21 of 21