Document was created and updated in subsequent revisions earlier than 2018-08-24 by Vinh Nguyen at canvinh@gmail.com
There was a discussion about setting up communications for the military when they deploy at a location with a single Radio Base Station (RBS) tower and a control box. It then evolved into setting up similar communications at a military base.
The proposal diagram or design probably isn't flexible, but the requirement or setup supports deployment of a single (compact) RBS tower and its RBS control box, or of several RBS towers and RBS control boxes.
In case the military or a search/rescue team requires more features than a single RBS control box offers, they should add a central server, i.e. another small box.
Most of the equipment is "public-use" (off-the-shelf) equipment, except the packet analyzer, the military satellite, and the dynamic encryption algorithms. The RBS is a regular RBS using a special frequency band allocated to the military instead of the 5G frequency used in public. By using mostly equipment that is already used in public, the cost of system development and equipment would be lower.
Figure 1. A model of equipment network at a military base
B. RBS and its control box
We can use a 5G RBS including an internal RAN to support Internet or VoIP communications. With an RBS such as an APY with an internal RAN, the system would be compact for deployment in a battle or search/rescue zone. This RBS would be configured to use another frequency band allocated to the military.
The RBS would have 2 output cables, one for regular voice and one for IP communication (output from the RAN). There would be 2 special cards connecting those outputs to an RBS control box, which is like a computer server such as an EMS server.
The control box could offer simple telephone communications to its mobile phones as well as text messaging. Basically its functions are limited compared to a telecom switch. The control box would take care of dynamic encryption with the mobile phones connecting via the RBS. The control box could also broadcast a message by voice or text to all mobile phones connected to its RBS.
Mobile users could talk or communicate directly with staff at the RBS control box.
C. Mobile Phone
Mobile phones also use the special frequency band, with limited functionality such as voice communication, voice over IP, web browsing, dynamic encryption, etc.
There should be 2 interfaces or dial pads on each mobile phone. Users would use one dial pad to make regular calls to internal users at the base, and the other dial pad to make outgoing ("friend's") calls using VoIP on the mobile phone. By separating the 2 dial pads, software development, system settings, and network management tasks would be easier.
Friend's VoIP and Internet browsing would be redirected to the Internet Gateway, where a simple packet analyzer is implemented to provide better security.
D. Satellite modem and router (Gateway)
There are cases where staff at a base want to call staff stationed at another base. Calls or texts would be redirected to the satellite modem and router, where messages would be relayed by military satellite networks. We assumed that military equipment is more secure than the Internet.
Long-distance calls from one base to another could also be VoIP (VoLTE) calls routed to the Internet Gateway over the Internet instead of the satellite gateway. It's up to system providers and the military to pick a solution. This VoLTE option, instead of regular voice calls, could save the military from buying special boxes to convert RBS voice messages at the receptionist's landline or VoIP phone. Security and performance of voice calls using either gateway could be the same. Those calls would ring on the receiving mobile phone using VoLTE, to make the system design simpler.
E. Central server
This central server is like a simple version of a co-located MSC/HLR and SCP/IN. It offers coordination and management of all RBS control boxes and their mobile users. The central server only offers essential features to mobile users, i.e. it's not a full version of a co-located MSC/HLR or SCP/IN.
The central server is also equipped with dynamic encryption to communicate with all RBS control boxes through a local area network. This doesn't imply that the local area network is insecure, but it is a useful setting in case the central server and RBS boxes are located far apart and communicate with each other via a wireless LAN or a satellite LAN.
The central control box could broadcast voice or messages to all mobile users, a group of mobile users, or several groups of mobile users connected to different RBS. The settings must be pre-configured through an interface.
F. Miscellaneous features
1. Local call or call to another base
The central server has a database of all phone numbers of staff at the base as well as most (remote) dialed phone numbers of staff at other bases. If the list of (remote) phone numbers is very long, it could only specify the receptionist phone numbers at other bases, where calls would be redirected by an operator or PBX at the remote location. When a mobile user calls another base, the RBS control box sends a usual message to the central server to enquire about a routing path. The return message from the central server would be the IP of the satellite modem and router, or a gateway indicator (described later) to specify the satellite router, plus the required information. The RBS control box would relay voice calls toward the satellite modem and router for communications.
The packets for satellite calls could be VoIP or regular voice calls. The satellite router would need to pack the packet in the correct (satellite packet) format. Actually, if it was a VoIP call, it could remove the IP header/footer and insert an indicator for the satellite receiver to add back the required IP header/footer before packet delivery.
There are 2 gateways in the diagram above. One gateway is for Internet communication, and the other is for satellite communication. We don't want a message passed through or sent out of the wrong gateway.
To ensure correct communication with a gateway, the network could specify a list of destination IP addresses in the central server and at each gateway. However, it would be easier for a gateway to decide whether a message is destined to go out through its gate if we added a special byte or indicator to each packet.
For example (calling another base): the central server, contacted by an RBS control box for a call, determines that a voice message is not for a local user, so it adds a (satellite) indicator to inform the RBS control box in a return message. The RBS control box would insert that (satellite) indicator in each voice/data packet before sending it over the LAN, e.g. indicator 1 for the satellite gateway and 2 for the Internet gateway. The correct gateway (the indicated satellite router) would pick up the message, unpack it, remove the indicator, and pack it again in the correct format before sending it out to the satellite in this case.
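The indicator scheme above, as an added example (this is not code from the post or from any product it mentions). It frames a LAN packet with the one-byte gateway indicator (1 = satellite, 2 = Internet) and shows the receiving gateway's accept/reject logic: a gateway ignores frames carrying the other gateway's indicator and also applies the per-gateway destination list the post mentions. Two details are assumptions not in the post: the indicator is the first byte of the frame, and an HMAC-SHA256 tag under a per-link key is appended so a gateway drops forged or altered frames before acting on them. Encryption of the payload itself (the post's "dynamic encryption") is left out.

```python
"""Gateway indicator framing and the gateway-side check (added example)."""
import hmac
import hashlib

SATELLITE = 1   # indicator values as given in the post
INTERNET = 2
TAG_LEN = 32    # HMAC-SHA256 digest length

# Constructed per-link key shared by the RBS control box and the gateways (assumption).
LINK_KEY = b"constructed-demo-link-key"


def frame_packet(indicator, dest_ip, payload, key=LINK_KEY):
    """RBS control box side: [indicator][ip_len][dest_ip][payload][hmac tag]."""
    if indicator not in (SATELLITE, INTERNET):
        raise ValueError("unknown gateway indicator")
    ip = dest_ip.encode("ascii")
    body = bytes([indicator, len(ip)]) + ip + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def gateway_receive(frame, my_indicator, allowed_dests, key=LINK_KEY):
    """Gateway side: returns (dest_ip, payload) with the indicator stripped,
    or None when the frame is not for this gateway or fails a check."""
    if len(frame) < 2 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    # Verify integrity first (constant-time compare) so a forged or altered
    # frame is discarded before any routing decision is made on its contents.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    if body[0] != my_indicator:
        return None  # belongs to the other gateway; ignore it
    ip_len = body[1]
    dest_ip = body[2:2 + ip_len].decode("ascii")
    if dest_ip not in allowed_dests:
        return None  # the post's destination-list check at the gateway
    return dest_ip, body[2 + ip_len:]


# Constructed demo data: one allowed destination behind each gateway.
SAT_ALLOW = {"10.1.0.20"}
NET_ALLOW = {"203.0.113.7"}


def demo():
    """Run one satellite frame and one Internet frame past both gateways,
    plus a tampered copy of the satellite frame."""
    sat_frame = frame_packet(SATELLITE, "10.1.0.20", b"voice-frame-001")
    net_frame = frame_packet(INTERNET, "203.0.113.7", b"voip-frame-001")
    # Flip the last payload byte; the tag no longer matches.
    tampered = sat_frame[:-TAG_LEN - 1] + b"X" + sat_frame[-TAG_LEN:]
    return {
        "sat_on_sat": gateway_receive(sat_frame, SATELLITE, SAT_ALLOW),
        "sat_on_net": gateway_receive(sat_frame, INTERNET, NET_ALLOW),
        "net_on_net": gateway_receive(net_frame, INTERNET, NET_ALLOW),
        "tampered": gateway_receive(tampered, SATELLITE, SAT_ALLOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The order of checks matters: the tag is verified before the indicator or destination is read, so a frame that an unauthenticated host injects on the LAN is dropped without influencing which gateway forwards it. The satellite router would still repack the returned payload into its own format, as the post describes; that step is not modelled here.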
3. Local mobile calls
When a mobile phone places an internal call, the RBS control box would also send a message to the central server to enquire about the location of the called mobile phone. The central server would return a message with the last known location of the called mobile user. The RBS control box would redirect voice calls to the destination RBS control box. Because a military base uses a private frequency band, it could broadcast a mobile paging signal through all RBS if the last known location was not correct.
The delivery of text messages from one RBS to another RBS is similar to voice call delivery.
G. Incoming call from VoIP (Internet) gateway, landline phone server, or satellite router
By default an incoming call from a gateway would be routed to the central server, which determines where that call should go, e.g. to an RBS or the local land PBX. After receiving a message from the central server, the gateway would route that call to the correct destination.
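The routing enquiries described in F.1, F.3 and G, as an added example (not code from the post): a minimal model of the central server answering an RBS control box (local call with last-known-location lookup and paging fallback, or call to another base with the satellite indicator) and answering a gateway about an incoming call. Everything beyond the post's description is an assumption: numbers are strings, a remote number not in the directory is mapped to a remote base's receptionist number by its first two digits, the RBS control box's paging result is passed in as a callback, and the satellite router IP is a constructed value.

```python
"""Central server routing decisions (added example, assumptions noted inline)."""
from dataclasses import dataclass, field

SATELLITE = 1   # gateway indicators as in the post
INTERNET = 2


@dataclass
class CentralServer:
    internal: dict            # number -> owner name (staff at this base)
    remote: dict              # number -> remote base name
    receptionist: dict        # remote base name -> receptionist number
    satellite_router_ip: str  # constructed value, see build_demo_server()
    rbs_ids: list = field(default_factory=list)        # all RBS control boxes here
    last_location: dict = field(default_factory=dict)  # number -> RBS control box id

    def update_location(self, number, rbs_id):
        """Called by an RBS control box when a mobile registers on it."""
        self.last_location[number] = rbs_id

    def route_outgoing(self, dialed, present_at=None):
        """Answer an RBS control box's routing enquiry for a dialed number.
        present_at: callback rbs_id -> bool standing in for the RBS control
        box reporting whether the called mobile responds to paging there."""
        if dialed in self.internal:
            rbs = self.last_location.get(dialed)
            if rbs is not None and (present_at is None or present_at(rbs)):
                return {"route": "local", "rbs": rbs}
            # Stale or unknown location: page through all RBS (possible because
            # the base's band is private, as the post notes) and refresh it.
            for candidate in self.rbs_ids:
                if present_at is not None and present_at(candidate):
                    self.last_location[dialed] = candidate
                    return {"route": "local", "rbs": candidate, "paged": True}
            return {"route": "unreachable"}
        if dialed in self.remote:
            return {"route": "remote", "indicator": SATELLITE, "number": dialed,
                    "gateway_ip": self.satellite_router_ip, "base": self.remote[dialed]}
        # Not listed: fall back to a receptionist number. Matching the base by
        # the first two digits is a constructed rule for this demo only.
        for base, number in self.receptionist.items():
            if number[:2] == dialed[:2]:
                return {"route": "remote", "indicator": SATELLITE, "number": number,
                        "gateway_ip": self.satellite_router_ip, "base": base}
        return {"route": "rejected"}

    def route_incoming(self, called, pbx_numbers):
        """Section G: a gateway asks where an incoming call should be sent."""
        if called in pbx_numbers:
            return {"route": "pbx"}
        if called in self.internal and called in self.last_location:
            return {"route": "rbs", "rbs": self.last_location[called]}
        return {"route": "rejected"}


def build_demo_server():
    """Constructed directory data for the demo."""
    s = CentralServer(
        internal={"1001": "alice", "1002": "bob"},
        remote={"2001": "base-north"},
        receptionist={"base-north": "2000", "base-east": "3000"},
        satellite_router_ip="10.1.0.20",
        rbs_ids=["rbs-A", "rbs-B"],
    )
    s.update_location("1001", "rbs-A")
    s.update_location("1002", "rbs-A")
    return s


if __name__ == "__main__":
    s = build_demo_server()
    print(s.route_outgoing("1001"))
    # bob moved to rbs-B without re-registering, so only rbs-B sees him.
    print(s.route_outgoing("1002", present_at=lambda r: r == "rbs-B"))
    print(s.route_outgoing("2001"))
    print(s.route_outgoing("3055"))
    print(s.route_incoming("1001", pbx_numbers={"0"}))
```

An unknown number falls to "rejected" rather than being sent to either gateway, which keeps the "wrong gateway" case out of the default path; the RBS control box then uses the returned indicator when framing the call's packets.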
H. Some security measures
Mobile phones, RBS, RBS control boxes, the central server for telecom, the Internet gateway, and the satellite router are equipped with a simple packet analyzer and dynamic encryption of packets to prevent fraudulent access to the network.
Mobile phones and RBS should only support communications using the special frequency band allocated to the military, i.e. a military mobile phone doesn't support the frequency bands used in public, unlike other 5G phones. This limits exposure of military equipment to public telecom networks.
Mobile phones don't support the mobile router feature. This also limits connection of normal/civilian laptops or tablets to a military phone.
The military should be allocated a unique set of encryption algorithms for all bases. However, each base could give each algorithm a different name as they like, because this would make guessing harder for hackers. The military doesn't have any policy to allow free roaming by laptop/phone from one base to another. A (military personnel) visitor should contact the IT staff of the visited base to get a temporary phone or specific settings in their phone for communications. It'd be easier to give the visitor a temporary phone, i.e. the visitor could forward their personal calls to this temporary phone while visiting the base for a few days.
As a base has a limited number of staff or personnel and equipment, military IT could change the names of the encryption algorithms after a few months by updating all devices or equipment through a physical cable connected to a server. Basically, updating over the air should be avoided.
To offer comfort to visitors, a base could reserve a guest area that offers free Internet and landline (or VoIP) public phones to all visitors. The Internet network in this area would be separated from the internal network discussed above. This area also supports WiFi with a shorter range, i.e. enough to cover the guest area but not reaching outside residents or the internal networks. This area is also equipped with a simple packet analyzer at its Internet gateway. After each use by visitors, the area's networks should be scanned for all files modified or created during its operation, i.e. to detect whether any hacking tools have been installed. The guest area could be shut down if nobody uses it. If it's simple, IT could restore the system images of all equipment in the guest area to clean out all possible hacking patches after each use.
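The post-visit scan described above, as an added example (not the post's own procedure or tooling): a SHA-256 manifest of the guest-area file tree is taken from the clean image before a visit and again after it, and the two are diffed to list files created, modified or deleted during the session. The approach, the directory layout and the simulated visitor activity are all constructed for the demo, which builds a throwaway tree so it runs offline.

```python
"""Before/after file manifest diff for a guest area (added example)."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def diff_manifests(before, after):
    """Return what a post-visit scan should flag: created, modified, deleted."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: a clean image, then a visitor session that
    appends to one file and drops one new binary-looking file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home", "guest"))
        with open(os.path.join(root, "home", "guest", "notes.txt"), "w") as f:
            f.write("welcome\n")
        with open(os.path.join(root, "etc_hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = build_manifest(root)  # taken from the clean image

        # Simulated visitor activity (constructed).
        with open(os.path.join(root, "etc_hosts"), "a") as f:
            f.write("198.51.100.9 update-server\n")
        with open(os.path.join(root, "home", "guest", "tool.bin"), "wb") as f:
            f.write(b"\x7fELF-constructed")

        after = build_manifest(root)   # taken after the visit
        return diff_manifests(before, after)


if __name__ == "__main__":
    print(demo())
```

A content hash rather than a modification time is used because timestamps are trivially reset; the "before" manifest should be stored off the guest-area machines, since a manifest kept on the scanned host can be edited along with the files. Restoring the image after each use, as the post suggests, remains the simpler guarantee; the diff tells IT what changed before the image is restored.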
A visitor could organize a presentation in the guest area. However, it's not as secure a system as the internal network. The presentation slides should be self-contained, i.e. not require Internet access. This would help to protect a guest's laptop, as it's connected directly to a projector.
A visiting military officer wouldn't have access or remote login back to his base by plugging his laptop into the internal network, due to the different encryption names. This also protects the remote network from unauthorized rlogin, and avoids sending a visitor's userid and password over the Internet or satellite network.
If you want to avoid hacking patches on a mobile phone or laptop, then don't allow any installation of applications or games on the phone or laptop. Users could browse the Internet to read news or play some web games. Any installation request from a laptop or mobile phone would require approval by a system administrator. This could be done by software on the laptop/phone that notifies a system server of any installation attempt. Unless it's previously approved by a system admin, any installation attempt would fail.
J. An example of a mixed setting of communication lines
Depending on the location of military camps, there could be mixed settings of communication lines between an RBS control box and its central server. WLAN could also be used as the communication method for one of those RBS control boxes.
Figure 2. Mixed setting of communication lines.
Notes:
* August 29, 2018: There are 4 types of useful LAN in this model, i.e. private LAN, wireless LAN, satellite LAN, and public Internet LAN.
Sometimes it's better to use a public Internet line to connect a component to the system, due to fewer possible hacking connections to the communications. For example, a wireless LAN would make the hacking area around 50 km square. So, using a public Internet line to connect an RBS control box to the private LAN may reduce possible hacking points.
Costs of running a private cable from a remote RBS control box to the private LAN may be high, too.
If we looked at the wiring of the Internet backbone, we could say optical fiber is more secure than traditional cable for TV/Internet/phone, i.e. a residential fiber router could not reach other fiber routers because there is an (underground) connection box in between.
There could be a mixed setting for network connection, i.e. a mix of wireless LAN, public Internet LAN, satellite LAN, and private LAN for communications.
* September 7, 2018: There are 2 features that could be useful, i.e. mobile router and multi-band mobile phones. However, each feature would open another gate into the mobile phone or internal network.
A mobile phone acts as a wireless modem/router to allow a laptop, tablet, or other devices to connect to an RBS or the internal network. The mobile phone would authenticate those devices and approve connections manually. This would prevent unauthorized connections to the mobile phone. The mobile phone then acts as a transfer station to allow those devices to communicate with the RBS and internal network, i.e. those devices must be able to handle the encryption used by the RBS and internal network.
A multi-band mobile phone would allow military personnel to roam in public wireless networks easily. How many military personnel would use this feature? This also exposes the mobile phone to public networks.
* The idea of using Internet or LAN protocols was to avoid running cables or digging holes everywhere. It's crazy enough to maintain a pack of Ethernet cables in an office. It would be harder to run long cables connecting RBS control boxes to the central server and other gateways. So, it's not really IoT.
It'd be easier to connect another box to the LAN and system later. Most computer systems support Internet or IP protocol, btw.
* October 4, 2018: The military used to have an ear lope communication system, but this communication method is very confusing, as similar voices go over the air, i.e. we can't be sure of the identification of a talker. Each of us has a unique ear lope frequency for this kind of communication.
In the current situation, fuckers have a list of frequencies of each military personnel as well as many of us, i.e. military officers and ourselves could be confused by those fuckers with ear lope communications.
This led to the design of a commercial RBS (on a military frequency, to make it independent of local 5G telephony) with an RBS control box to provide local telephony communication to military personnel in a zone. The only critical piece is to design a "tight and secure" earphone for communication with a phone handset. The earphone must be designed for military movement in a battlefield, i.e. not easy to fall out. The communication range between a handset and earphone should be less than 2 meters for secure communication. With an earphone, military personnel could recognize the voices of their commanders or friends easily.
Later on, demands came in for a military base and city police. Military camps are spread out in many locations, i.e. a requirement for mixed communication settings for RBS to provide secure communications.
* October 5, 2018: If you thought about the issues that we've been through in the past 6 years, you would need technical/protocol specifications for our system in order to troubleshoot problems.
Many legacy military systems have "deadly" bugs, but the developers ran away. Other technical staff couldn't fix problems, because there were no technical specifications. It's like a huge black box.
A 5G RBS with military frequency means the military could use 5G technical specifications to troubleshoot.
Fuckers use helmets and neural networks to peep (beep beep) into our memory, thus we couldn't keep anything secret. Having a specification to understand our system is a better choice.
It comes down to a "packet analyzer" to defend our networks, and "dynamic encryption" to defend our communications. It would be better to design an encryption algorithm in a secret way, thus fuckers couldn't crack it.
* WLAN in this post is wireless LAN, i.e. not wide LAN.