
1 NASA MSFC Mission Operations Laboratory
HOSC Payload Ethernet Gateway (HPEG)
HOSC Service Supporting IP Access to Payloads

2 Capabilities
- Provides access to ISS payloads using standard network protocols and services
- Provides Cadre tools to control/limit access to payloads via user authorization and system controls
- Provides Cadre tools to monitor user activity

3 Definition of Terms
- User IP address
  - The user's real IP address
- Destination IP address
  - The real IP address of the onboard destination
- NAT
  - Network Address Translation
- Ground Node ID
  - Required by some services as part of the protocol. Currently, only required by CFDP.
  - Uniquely identifies a ground CFDP node.
  - To support static onboard configuration of CFDP, each assigned Ground Node ID will be mapped to a specific Onboard NAT IP address

4 Definition of Terms
- Space Node ID
  - Required by some services as part of the protocol. Currently, only required by CFDP.
  - Uniquely identifies a payload's CFDP node.
- HPEG Proxy IP address
  - IP address assigned to the user at run-time to access a specific onboard destination
  - Dynamic – assigned from address pool when starting an HPEG session with a specific payload

5 Definition of Terms
- HPEG Onboard NAT IP address
  - IP address allowed by the onboard network
  - Used for NATing the source address in the user's IP packets
  - Dynamic or Static
    - Dynamic – If user is not authorized for any service that requires a Ground Node ID, address is assigned from address pool when the HPEG Service is started. This address will be used for all subsequent payload sessions.
    - Static – If user is authorized for a service that requires a Ground Node ID (e.g. CFDP), address is assigned based on the selected Ground Node ID. Users may have more than one Ground Node ID assigned. This address will be used for all subsequent payload sessions.
- Protocol
  - The type of an IP packet
    - tcp, udp, icmp

6 Definition of Terms
- Service
  - IP communication method over a particular protocol and an optional port
    - ssh (tcp/22)
- Proxy ARP (ARP – Address Resolution Protocol)
  - Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination.
  - Used by the HPEG Service to route the Proxy IP to the correct login server.

7 Rules of the Road
- HPEG Service is available as a standard ERIS service defined in POIC to Generic User Interface Definition Document, V2-Secured Services (PGUIDD), SSP-50305
  - Supported by both TReK and EPC
  - Supports custom applications meeting interfaces defined in the PGUIDD
- HPEG service may be started after valid EHS login, role and MOP selection
- HPEG only provides the underlying infrastructure to utilize IP services for payload access
  - Payload Developer (PD) must provide their own service client applications (e.g. ssh client, ping client, etc.)
    - Exception: Both EPC and TReK provide a CFDP client

8 Rules of the Road
- Only HOSC authorized services are allowed
  - cfdp (udp/4560)
  - ssh (tcp/22)
  - rdp (tcp/3389)
  - https (tcp/443)
  - ping (icmp)
  - Network Instruments Observer (HOSC Cadre Only)
    - tcp/25903
    - tcp/25901
- Each service must be authorized by the HOSC Customer Service Team (CST) prior to use by the end user
- Additional services may be allowed and must be coordinated with the HOSC CST

9 Rules of the Road
- HPEG service performs port checking on all forward and return packets
  - Packets containing unauthorized ports will be dropped with no notification to the user
- TCP connections initiated from onboard to the user's ground station are not supported
  - Port check will fail since the onboard source port will be random
- UDP data from onboard to the user's ground station is supported only when sent to the currently assigned Onboard NAT IP address on an authorized port
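The port check described on the two slides above, sketched as a small Python model. This is an added example, not HOSC or PGUIDD code. The Packet fields, the port_check function, the sample addresses, and the reading that forward packets are matched on destination port and return TCP packets on source port are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Authorized services listed on the slide, as (protocol, port); ICMP has no port.
AUTHORIZED = {"cfdp": ("udp", 4560), "ssh": ("tcp", 22), "rdp": ("tcp", 3389),
              "https": ("tcp", 443), "ping": ("icmp", None)}

@dataclass(frozen=True)
class Packet:                      # hypothetical, simplified packet view
    direction: str                 # "forward" = ground to onboard, "return" = onboard to ground
    proto: str                     # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dst_ip: str = ""

def port_check(pkt, user_services, onboard_nat_ip):
    """Return True to pass the packet, False to drop it silently."""
    allowed = {AUTHORIZED[name] for name in user_services}
    if pkt.proto == "icmp":
        return ("icmp", None) in allowed
    if pkt.direction == "forward":
        # Ground-initiated traffic: the service port is the destination port.
        return (pkt.proto, pkt.dst_port) in allowed
    if pkt.proto == "tcp":
        # Replies carry the service port as source. A connection opened from
        # onboard has a random source port, so it never matches.
        return (pkt.proto, pkt.src_port) in allowed
    if pkt.proto == "udp":
        # Onboard-originated UDP must target the assigned Onboard NAT IP
        # on an authorized port.
        return pkt.dst_ip == onboard_nat_ip and (pkt.proto, pkt.dst_port) in allowed
    return False

NAT_IP = "198.51.100.7"            # constructed sample address
SAMPLES = [                        # constructed sample packets
    ("ssh to payload", Packet("forward", "tcp", 51000, 22)),
    ("ssh reply", Packet("return", "tcp", 22, 51000, NAT_IP)),
    ("telnet to payload", Packet("forward", "tcp", 51001, 23)),
    ("onboard-initiated tcp", Packet("return", "tcp", 49152, 443, NAT_IP)),
    ("cfdp from payload", Packet("return", "udp", 4560, 4560, NAT_IP)),
    ("udp to stale NAT IP", Packet("return", "udp", 4560, 4560, "198.51.100.8")),
    ("rdp, not authorized for this user", Packet("forward", "tcp", 51002, 3389)),
]

def run_samples(user_services=("ssh", "cfdp", "https")):
    return {label: port_check(p, user_services, NAT_IP) for label, p in SAMPLES}

if __name__ == "__main__":
    for label, ok in run_samples().items():
        print(f"{'PASS' if ok else 'DROP'}  {label}")
```

The onboard-initiated TCP sample is dropped even though its destination port (443) is an authorized one, because the return-path match is on the source port.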

10 Rules of the Road
- If Ground Node ID is required for any of the user's authorized services on any destination (e.g. CFDP), user must specify a Ground Node ID prior to accessing any payload via HPEG
  - User will not be allowed payload access until Ground Node ID has been specified
- Only one HPEG Service may be started per ground station
  - A single HPEG Service supports access to all authorized payloads/services
- Onboard CFDP Service
  - PD responsible for delivery and configuration of CFDP node
  - Payload user must login to payload if reconfiguration is required, e.g., ssh, rdp
  - TReK provides a CFDP console application available to payloads

11 Rules of the Road
- HOSC is authorized for 8Mb/s output to MCC
  - Aggregate bandwidth for all users
- HOSC Cadre enables/monitors HPEG users
  - DMC monitors bandwidth usage per user
  - PRO must enable users prior to HPEG activities
- PRO enables the HPEG subsystem
  - If disabled, payload sessions are terminated
  - Only scenario where HPEG terminates sessions
- HPEG does not terminate payload sessions during LOS conditions
  - Depending on protocol/service, connections may survive LOS periods

12 Packet Routing Example

13 Payload Access via HPEG Service
- Start the ERIS HPEG Service
  - Login to ePVT (Login) server with username, RSA token and password
  - Select Role
  - Select MOP
  - Start the HPEG Service providing Out-of-Band connection information
- HPEG Service provides a list of authorized Ground Node IDs, if applicable
  - User must select a Ground Node ID that is not currently in use
- HPEG Service provides a list of all authorized payloads and services

14 Payload Access via HPEG Service
- HPEG Service provides the current user enablement
- HPEG Service provides the current HPEG Subsystem status
  - HPEG enablement
  - Ku-Forward AOS/LOS
  - Ku-Return AOS/LOS
- HPEG Service waits for an action by the user
  - Start a session with a payload
  - Stop a session with a payload
  - Terminate the HPEG Service
- Upon a Start Session request, acquires an available Proxy IP address and provides it to the user
  - All services must use this IP Address to access payload

15 Payload Access via HPEG Service
- User accesses payload using preferred client (e.g. putty)
- To terminate payload access, user issues a Stop Session request to the HPEG service
  - Allocated Proxy IP is returned to the available pool
- To terminate the HPEG Service, simply terminate the Out-of-Band TCP connection
- For more details on the interface to the HPEG service, reference the PGUIDD
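The address lifecycle from the Definition of Terms and the three slides above (static or dynamic Onboard NAT IP at service start, one Proxy IP per payload session, Proxy IP returned on Stop Session), as an added Python model that is not HOSC code. The class and method names, the folding of Ground Node ID selection into start_service, the release of addresses on service termination, and the sample addresses used with it are assumptions.

```python
class HpegAllocator:
    """Toy model of HPEG address assignment; all names are hypothetical."""

    def __init__(self, proxy_pool, nat_pool, node_to_nat):
        self.proxy_pool = list(proxy_pool)     # free Proxy IPs
        self.nat_pool = list(nat_pool)         # free dynamic Onboard NAT IPs
        self.node_to_nat = dict(node_to_nat)   # Ground Node ID -> static NAT IP
        self.nodes_in_use = set()
        self.services = {}                     # ground station -> service state

    def start_service(self, station, authorized_nodes=(), node_id=None):
        if station in self.services:
            raise RuntimeError("only one HPEG Service per ground station")
        if authorized_nodes:
            # A Ground Node ID must be chosen before any payload access.
            if node_id not in authorized_nodes:
                raise PermissionError("select an authorized Ground Node ID")
            if node_id in self.nodes_in_use:
                raise RuntimeError("Ground Node ID already in use")
            self.nodes_in_use.add(node_id)
            nat_ip = self.node_to_nat[node_id]   # static: tied to the node ID
        else:
            nat_ip = self.nat_pool.pop(0)        # dynamic: from the pool
        self.services[station] = {"nat_ip": nat_ip, "node_id": node_id, "sessions": {}}
        return nat_ip                            # reused for every payload session

    def start_session(self, station, payload):
        # Each payload session gets its own Proxy IP from the pool.
        proxy_ip = self.proxy_pool.pop(0)
        self.services[station]["sessions"][payload] = proxy_ip
        return proxy_ip

    def stop_session(self, station, payload):
        proxy_ip = self.services[station]["sessions"].pop(payload)
        self.proxy_pool.append(proxy_ip)         # returned to the available pool

    def terminate_service(self, station):
        # Assumption: ending the service frees everything it held.
        svc = self.services.pop(station)
        self.proxy_pool.extend(svc["sessions"].values())
        if svc["node_id"] is None:
            self.nat_pool.append(svc["nat_ip"])
        else:
            self.nodes_in_use.discard(svc["node_id"])
```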

16 Payload Access via HPEG Service
EPC HPEG Session Status UI

17 Payload Access via HPEG Service
HPEG User Monitor and Control UI (Cadre/IST Tool)

18 Payload Access via HPEG Service
Command System Management UI (Cadre/IST Tool)

19 FAQ
- Is this capability available today?
  - Yes. The Ku Forward capability is operational.
- Are any payloads using this capability?
  - Yes. The AMS payload is currently using this capability.
- Do I need any special software onboard or on the ground?
  - Not to flow the IP data. The HOSC provides software you can use to authenticate with the POIC and start the HOSC Payload Ethernet Gateway (HPEG) service that enables a path for your IP protocols. Once that has been done, standard IP protocols can be used between your ground software and flight software.
  - Exception: CFDP
    - EPC provides a CFDP ground client node
    - TReK provides both ground and payload CFDP nodes

20 FAQ
- How do I get access to this capability?
  - Tell your Payload Integration Manager that you would like to use this capability. Your PIM will include this in your Payload Integration Agreement.
- How can I test this capability?
  - The HOSC will be hosting a test environment. The process of PD CoFR and testing of IP Ku-Band Services is still being worked. Contact CST for more information.
- Can I interact with my payload any time I want?
  - Ku-Band Service activities are coordinated, scheduled, and posted to OSTP. The PRO is responsible for payload IP Ku-Band Service enablement.
- Does HPEG buffer IP packets?
  - No

21 FAQ
- Are there any additional requirements placed on a payload when using this capability?
  - The ISS Program (PSRP) will define any unique safety requirements pertaining to a Payload's use of Ku Forward as part of the payload Safety Review process.
- What performance can I expect?
  - Plans are in place to perform benchmark tests and publish the results. This is scheduled for the last quarter of CY2015. These results will be posted on the TReK Web Site.
- Do I need to modify my flight software to take advantage of IP services?
  - Payload must be configured/(service started) to run the appropriate required services; e.g. sshd, httpsd, etc.

22 FAQ
- Can my payload initiate an IP session with my control center?
  - No. Under the current design, the HOSC does not support TCP connections that originate from the payload.
  - UDP from the Payload to the Ground is supported as long as the Payload uses the correct Onboard NAT IP assigned by the HPEG Service during initialization and an authorized port. IP address can be determined programmatically by the Payload software.
- Are there file size limitations for uplink or downlink?
  - No
- Will the Cadre have access to my payload for emergencies?
  - Must be coordinated with the HOSC

23 FAQ
- How do I know if my protocols are allowed?
  - Contact HOSC Customer Support Team. The PGUIDD details the current set of protocols which are supported. Others may be added as needs arise in the community.
- Do I lose my payload connection during LOS periods?
  - The HPEG service does not terminate service during LOS. The connection to the payload may survive LOS periods depending on the configuration of the service being used.
- Is any IP data logged?
  - All IP data to a given payload will be logged in a WireShark-like capture file for analysis by HOSC Network Admin, if required for forensics
  - For ssh, key must be provided to the HOSC CST during approval process to assist in analysis

24 FAQ
- Are any other IP services available onboard?
  - Under CR 13876, the ISS program will be deploying Network Attached Storage (NAS) which is accessible by onboard systems/users. Data will be partitioned/protected by user. Protocols supported are NFS, https, iSCSI, TFTP, and DHCP. Others are available as well, though most are insecure for ground to space communication. One payload has expressed an interest in the use of PXE boot, allowing relatively quick recovery of a corrupted hard drive.
- Does the HOSC support port tunneling?
  - Certain services such as ssh can encapsulate other services and create a tunnel for those services. As an example, ftp can be run across ssh and provide a secure file transfer mechanism. The HOSC does not inhibit this behavior.

25 Future Enhancements
- Add Delay Tolerant Network as an additional Ku-Forward service supported by HPEG
  - Currently being developed
  - HOSC DTN Gateway
    - Provides a DTN Node at the HOSC
  - EPC DTN Bundle Client
    - Provides capability to upload/download files via CFDP over bundle protocol
    - Interfaces to HOSC DTN Gateway only
  - Will be available for Increment 45
- Evaluation currently underway to determine risks/benefits of only restricting IP protocols (udp, tcp, icmp, etc.) and not underlying services

