Tuesday, May 7, 2019

DMVPN phases

DMVPN (Dynamic Multipoint VPN) is a secure overlay network that exchanges data directly between sites without needing to pass traffic through the organization's headquarters VPN server or router.

Multicast Source Discovery Protocol (MSDP)

During one of my incredibly fun projects with BGP, I had to quickly and efficiently research, learn, and implement a new (to me) technology. While setting up my side of a BGP peer, I also had to set up a Multicast Source Discovery Protocol (MSDP) peer. Of course, the service provider was like, oh, and don't forget the MSDP config. Because the service provider uses Juniper equipment, I started my search on the Juniper help pages.
The Multicast Source Discovery Protocol (MSDP) is used to connect multicast routing domains. It typically runs on the same router as the Protocol Independent Multicast (PIM) sparse-mode rendezvous point (RP). Each MSDP router establishes adjacencies with internal and external MSDP peers similar to the way BGP establishes peers. These peer routers inform each other about active sources within the domain. When they detect active sources, the routers can send PIM sparse-mode explicit join messages to the active source. 
The Juniper TechLibrary did a really great job of spelling it out for me. After that, the configuration was pretty smooth, with the exception of a mistyped password. Luckily, a quick look in the log showed an MSDP authentication error :)
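
As an added example (not the configuration from the project above, whose vendor on the author's side is not stated), this is what the MSDP side of such a peering looks like on Cisco IOS. It assumes a local loopback 10.255.0.1 that is also the PIM sparse-mode RP, a provider MSDP peer at 192.0.2.1 in AS 64496, and a placeholder password; all of those values are constructed.

```ios
ip multicast-routing
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
 ip pim sparse-mode
!
! This router is the PIM sparse-mode RP for the local multicast domain,
! which is where MSDP normally runs
ip pim rp-address 10.255.0.1
!
! MSDP peering with the provider; source the TCP session from the RP loopback
ip msdp peer 192.0.2.1 connect-source Loopback0 remote-as 64496
! TCP MD5 authentication on the MSDP session; must match the provider's key
ip msdp password peer 192.0.2.1 MSDP_PASSWORD_PLACEHOLDER
! Advertise our own active sources with the RP loopback as originator
ip msdp originator-id Loopback0
```

`show ip msdp peer 192.0.2.1` should report the session as Up. With a mistyped key the session never leaves the connecting state, and on IOS the MD5 mismatch typically appears in the log as a `%TCP-6-BADAUTH` message, which is the same kind of authentication error the post describes. Because MSDP advertises every active source in your domain to the peer, it is worth adding `ip msdp sa-filter out 192.0.2.1 list <acl>` so that only the groups you intend to share are announced.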
Monday, May 6, 2019

What is a TACLANE?

If you read my resume you will see that I work with “Tactical Local Area Network Encryption (TACLANE) devices”, or “Type 1 Encryptors”. TACLANEs are High Assurance Internet Protocol Encryptor (HAIPE) Type 1 encryption devices that comply with the National Security Agency's (NSA) HAIPE IS (formerly the HAIPIS, the High Assurance Internet Protocol Interoperability Specification). I know that is a mouthful of alphabet soup. What it means is that these devices are typically used as secure gateways that allow two or more enclaves to exchange data over an untrusted or lower-classification network. The cryptography used is Suite A and Suite B, also specified by the NSA as part of the Cryptographic Modernization Program.

HAIPE IS is based on IPsec with additional restrictions and enhancements. One of these enhancements includes the ability to encrypt multicast data using a "preplaced key". This requires loading the same key on all HAIPE devices that will participate in the multicast session in advance of data transmission.