Monday, October 14, 2013

The UK Government Public Services Network


The UK Government Public Services Network (PSN – formerly Public Sector Network) is a common communications network which connects Government and Public Sector organisations. This replaced a messy set of ad-hoc historical network connections.

The model for the PSN is the public Internet. Starting from the Internet's architecture, standards and protocols, the PSN has customised its own architectural variant with specialised network-network and network-user interfaces and defined security standards. Although very similar to the Internet both in concept and design, the PSN stands apart from it, barricaded behind security walls.

The specification for the PSN is not secret: it’s defined in this 160-page unclassified document available from the Internet:

Technical Domain Description Public Services Network Programme Version 4.0

The rest of this article is a brief summary of the Technical Domain Description document.

1. Architecture

Modern scalable IP networks are built to a three tier architecture. At the centre is a high-speed tier-1 core which provides the backbone connectivity. In the PSN this is called the Government Conveyancing Network (GCN) and is provided by a consortium of Service Providers (SPs) who interconnect using specified Network-Network Interfaces (NNIs). The public Internet uses the same model.

Connected to the core are the tier-2 aggregation networks. In the PSN jargon these are called Direct Network Service Providers (DNSPs). The DNSPs have standard NNIs to the GCN and user-network interfaces to their public sector customers.

Tier-3 is the access network connecting DNSPs to departments with their LANs, service requirements and many types of user-device. Also connected are specialised Service Providers offering: cloud services; voice, video and conferencing services; hosted email etc.

A diagram may make this clearer: the picture below shows the PSN architecture in the context of PSN performance monitoring.

  • GCNSP is a Government Conveyancing Network Service Provider
  • Diffserv is an IP standard for marking packets with their service priority (‘Differentiated Services’) which allows voice and video traffic to take priority over, say, background file transfers.
  • Performance Slices decompose the network for performance measurement purposes; the more general decomposition concept is that of a ‘slice’.

The PSN architecture

Carrier networks today do not simply forward IP packets. For greater control they use MPLS (Multi-Protocol Label Switching) as their forwarding mechanism, and the PSN does likewise.

MPLS allows multiple VPNs to be layered onto an IP network, and the document goes into some detail describing the PSN VPN structure: fewer than 70 transit VPNs are allowed, for manageability reasons: 5 predefined [service, performance measurement, service test, plus two spare] plus 65 for special requests.

The PSN also permits two forms of MPLS VPN interconnect between GCNSPs at NNIs (option A: revert to IP; option B: link at the MPLS VPN level).

2. QoS

The PSN permits six service classes as shown in the diagram below. Note that Service Providers can use their own Diffserv marking scheme within their own networks: the PSN defines an interface standard.

PSN Service Classes

Basically we have Real Time (EF), Application classes 1-4 (AF) and Default = Best Effort (DF). The document continues by specifying performance management metrics and procedures in considerable detail – have to keep the SP contractors up to scratch!
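As an added illustration (not code from the post or the Technical Domain Description), here is a classifier that reads the DSCP from an IPv4 header and maps it onto the six PSN classes. It assumes the standard code points from RFC 2474 (DF), RFC 2597 (AF) and RFC 3246 (EF), and assumes that a mark the interface standard does not recognise is treated as Best Effort; the post states neither binding.

```python
from collections import Counter

# Standard code points (RFC 2474/2597/3246); the PSN interface binding is assumed, not taken from the post.
EF_DSCP = 46   # Expedited Forwarding: the PSN Real Time class
DF_DSCP = 0    # Default Forwarding: the PSN Best Effort class


def dscp_from_tos(tos_byte: int) -> int:
    """DSCP occupies the top six bits of the TOS byte; the low two bits are ECN, not class."""
    return (tos_byte >> 2) & 0x3F


def psn_service_class(dscp: int) -> str:
    """Map a DSCP value onto one of the six PSN classes, or report it as unrecognised."""
    if dscp == EF_DSCP:
        return "Real Time (EF)"
    if dscp == DF_DSCP:
        return "Best Effort (DF)"
    # AF code points are laid out as  class (3 bits) | drop precedence (2 bits) | 0
    af_class, drop, tail = dscp >> 3, (dscp >> 1) & 0x3, dscp & 0x1
    if 1 <= af_class <= 4 and 1 <= drop <= 3 and tail == 0:
        return f"Application class {af_class} (AF{af_class}{drop})"
    return "unrecognised"


def classify_ipv4_header(header: bytes) -> str:
    """Classify by the TOS byte (offset 1). An unrecognised mark arriving at the PSN interface
    is treated as Best Effort (assumed policy: the SP's internal marking scheme does not carry over)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    cls = psn_service_class(dscp_from_tos(header[1]))
    return "Best Effort (DF)" if cls == "unrecognised" else cls


def class_histogram(headers) -> Counter:
    """Packets per PSN class: the raw material for the per-class performance metrics the document specifies."""
    return Counter(classify_ipv4_header(h) for h in headers)


def make_header(dscp: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying the given DSCP with ECN bits zero (sample input)."""
    return bytes([0x45, dscp << 2]) + b"\x00" * 18
```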

3. IP Address Management

The PSN is an IPv4 network and uses public address space. The PSN borrows from the Department of Work and Pensions (DWP) which has the following IPv4 address space available for use:

Class A, Network, Mask

The DWP allocates /16 subnets from this range to government service providers (i.e. 256 networks [8 bits], each containing 65,536 hosts [16 bits]).

The intention is to allocate IL2 addresses from the bottom of this range going up, and IL3 (enhanced security) addresses from the top going down.

Note that the public-range IP addresses deployed in the PSN are not advertised to the Internet and are not routable from the public Internet. This is achieved, as in the corporate environment, by a security perimeter using firewalls.
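An added example (not from the post or the PSN documents) of the allocation scheme just described: /16 blocks handed out from a /8, IL2 from the bottom upward and IL3 from the top downward, refusing to let the two meet. The post does not name the DWP block, so a constructed placeholder /8 stands in for it.

```python
import ipaddress

# Constructed placeholder: the post names no prefix, so this /8 stands in for the DWP block.
PSN_SUPERNET = ipaddress.ip_network("10.0.0.0/8")
BLOCK_PREFIX = 16  # /16 blocks: 256 of them in a /8, 65,536 addresses each


class Il16Allocator:
    """Hands out /16 blocks: IL2 from the bottom of the range upward, IL3 from the top downward."""

    def __init__(self, supernet=PSN_SUPERNET, prefix=BLOCK_PREFIX):
        self.blocks = list(supernet.subnets(new_prefix=prefix))
        self.low = 0                      # index of the next free IL2 block
        self.high = len(self.blocks) - 1  # index of the next free IL3 block
        self.assigned = {}                # block -> (level, provider)

    def allocate(self, level, provider):
        """Return the next block for the given impact level, or fail once the two ends meet."""
        if self.low > self.high:
            raise RuntimeError("address space exhausted: IL2 and IL3 allocations have met")
        if level == "IL2":
            block = self.blocks[self.low]
            self.low += 1
        elif level == "IL3":
            block = self.blocks[self.high]
            self.high -= 1
        else:
            raise ValueError("level must be IL2 or IL3")
        self.assigned[block] = (level, provider)
        return block

    def lookup(self, address):
        """(level, provider) owning a host address, or None if unallocated or outside the range."""
        ip = ipaddress.ip_address(address)
        for block, info in self.assigned.items():
            if ip in block:
                return info
        return None

    def free_blocks(self):
        return self.high - self.low + 1
```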

4. Domain Name Service (DNS)

As with all networks, the PSN provides DNS. Given security concerns, the DNS deployment is protected with the DNS security extensions DNSSEC.

5. Telephony

The PSN mandates a basic IP telephony service based on SIP/SDP/RTP as shown in this diagram.

PSN Telephony

The features to be provided in Basic Call include: make a call, receive a call, hold and transfer; CLI is also required.

The G.711 and G.729 codecs must be supported.

Media and signalling border control functions must be established between Service Providers.

6. Security (IL2 and IL3)

The PSN operates at IL2 (2-2-4 with protective marking of PROTECT). The document discusses at great length how to create an IL3 overlay onto the PSN: in short, this is achieved mostly with IPsec tunnels, the same way a VPN would be set up on the public Internet.

The key architectural idea is that of an Encryption Domain (ED), a network under the control of a single Service Provider which maintains an encryption service. To connect multiple EDs together the PSN supports an Inter-Provider Encryption Domain (IPED). This is the familiar tier-1/tier-2, core and aggregation layer philosophy. Initially the IPED is expected to connect at least 12 EDs.

To minimise delay and complexity, the PSN requires a maximum of three encryption hops end-to-end thus: user-ED-IPED-ED-user. This rather cluttered diagram may make things clearer.

PSN architecture with Encryption Domains and IPED

IL3 accreditation is also permitted for applications using TLS (Transport Layer Security, previously SSL, Secure Sockets Layer). This is the protocol used for secure websites (https) and for secure voice signalling (SIP over TLS). The preference, however, is to set up secure and stable IPsec VPNs.

The IL3 overlay network needs access to time synchronisation for security certificate validation – note that the operation of the IL3 overlay requires the full apparatus of a PKI.

There is a separate IL3 DNS system which can also see the IL2 DNS (but not conversely).

UK Government Security Impact Levels (for reference)

  • Impact Level 1 - Unclassified
  • Impact Level 2 - Protect
  • Impact Level 3 - Restricted
  • Impact Level 4 - Confidential
  • Impact Level 5 - Secret
  • Impact Level 6 - Top Secret

PSN Service Provider Obligations

The document concludes with the complete list of Service Provider obligations to be conformant with the PSN standards. Covering all the sections above, the total number of obligations is 156.