Title: VALIANTSURF WikiInfo page

Release Date: 2014-12-28

Description: This undated page from NSA’s internal WikiInfo describes VALIANTSURF “the coverterm for the development of Data Network Cipher (DNC) exploitation capabilities in TURMOIL”: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: VALIANTSURF - Wikiinfo

The accredited security level of this system is: TOP SECRET//SI-GAMMA/TALENT KEYHOLE//ORCON/PROPIN/RELIDO/REL TO USA, FVEY *

TOP SECRET1/SI/10RCON1REL TO USA, FVEY

(U) VALIANTSURF

From Wikiinfo

(TS//SI//REL) VALIANTSURF is the coverterm for the development of Data Network Cipher (DNC)
exploitation capabilities in TURMOIL for integration into the TURBULENCE DNC thread. VALIANTSURF is
the preferred reference for all TURBULENCE DNC exploitation capabilities since the fact that NSA does
work with DNC's is classified "S//REL". The TURBULENCE DNC capability exploits communications
encrypted with DNC Internet Protocols.

Contents

■ 1 (U) Data Network Cipher (DNC) Classification

■ 1.1 (U) Official CES Classification Guide

■ 1.2 (U) Guidelines

■ 2 (U) DNC Protocols

■ 2.1 (U) IPsec

■ 2.2 (U) PPTP

■ 2.3 (U) HOOKED

■ 2.4 (U) CINDER

■ 2.5 (U) DNSC

■ 3 (U) TU DNC Products

■ 3.1 (S//SI//REL) IPSec DNC Products

■ 3.1.1 (U) Spin History

■ 3.1.2 (S//SI//REL) DNC Metadata Flow

■ 3.1.3 (TS//SI//ORCON//REL) DNC Decryption Flow

■ 3.1.4 (TS//S1//REL) DNC Survey Flow

■ 3.1.5 (S//SI//REL) DNC Analyze Flow

■ 4 (U) Requirements, Planning, and Reviews

■ 5 (U) Design Details

■ 5.1 (S//SI//REL) Architectural Taxonomy

■ 5.2 (U//FOUO) Current DNC Design Documents

■ 5.3 (U) Design Reviews and Technical Exchanges

■ 5.4 (U) Technical Documents

■ 5.5 (U) DNC Enterprise Messaging Fabric

■ 5.6 (S//SI//REL) DNC IKE SMG (Replaced Ike Analytic)

■ 5.7 (S//SI//REL) DNC IKE Analytic

■ 6 (U) C1ET Tasking

■ 7 (U) Test

■ 7.1 (S//SI//REL) DNC Metadata

■ 7.2 (TS//SI//REL) DNC Decrypt

■ 7.3 (U//FOUO) LONGHAULTest

■ 7.4 (U//FOUO) One CA Server Toggled among Multiple TURMOILS

■ 7.4.1 For more information. Contact one of these POCs

■ 8 (U) Deployments

■ 8.1 (U//FOUO) VALIANTSURF RFC and DR Needs for TURMOIL Baseline Deliveries 2011

■ 8.2 (U//FOUO) VALIANTSURF RFC and DR Needs for TURMOIL Baseline Deliveries 2010

■ 8.3 (U//FOUO) Live Dataflow

■ 8.4 (U//FOUO) TURMOIL Installations

■ 8.5 (U//FOUO) IPsec/lKE Metadata Routing

■ 8.6 (U//FOUO) IPsec/ESP Metadata Routing FALLOUT to TOYGRIPPE

■ 8.7 (S//SI//REL) VAO STATUS

■ 8.8 (U//FOUO) Deployments and Development systems

■ 8.9 (U//FOUO) C1ET Deployments

■ 8.10 (U//FOUO) Monitoring

■ 9 (U) Governance

■ 9.1 (U) DNC Thread Schedules

■ 9.2 (U) VALIANTSURF Thread Status Weekly Meetings 2012

■ 9.2.1 (U//FOUO) VALIANTSURF Activity Leads Status Review

■ 9.3 (U) Team Members

■ 9.4 (U) Stakeholders

■ 10 (U) VALIANTSURF Historical -

■ 10.1 (U//FOUO) Deployment Documents

■ 10.2 (U) Design Reviews and Technical Exchanges

■ 10.3 (U//FOUO) VALIANTSURF Activity Leads Status Review

■ 10.4 (U) VPN Thread Schedules

■ 11 (U) Pages of Interest

(U) Data Network Cipher (DNC) Classification

1 of 13

VALIANTSURF - Wikiinfo

(U) Official CES Classification Guide

■ (U//FOUO) CES CRYPTANAT YSTS 02-12

■ im/FOUm CLASSIFICATION G1T1DF FOR ECI PICARESQUE (P1Q) 02-10 (I

(U) Guidelines

■ (U//FOUO) The fact that NSA is interested in DNC is U//FOUO.

■ (S//REL) Just the fact that NSA does work with DNC is classified.

■ (S//REL) If the only information given is that you are a DNC expert or you work on DNCs, then the classification is
S//REL

■ (TS//S1//ORCON/REL) If the information given is that you decrypt DNCs, the classification is, at a minimum TS//SI
//ORCON//REL

■ (TS//S1//ORCON/REL) If the fact of DNC exploitation is mentioned or inferred (with or without mention of a specific
target or person), the classification is TS//SI//ORCON//REL

■ (TS//S1//ORCON/REL) The decryption results are classified, at a minimum, TS//SI//REL

(TS//SI//ORCON/REL) The classifications above are the minimum classifications. A higher classification may be required
depending on the rest of the content. For example, mentioning you work on DNCs is SECRET//REL but if you mention you work
on DNCs and are in CES, the classification should be TS//SI//ORCON//REL since CES deals with exploitation.

(U) DNC Protocols

(U) IPsec

(U) The IPsec DNC protocol suite comprises the following protocols:

■ (U) ISAKMP - Internet Security Association and Key Management Protocol (RFC 2407, RFC 2408)
provides an authentication and key exchange framework.

■ (U) IKE - Internet Key Exchange vl(RFC 2409) and v2(RFC 4306) provide an authentication and
key exchange mechanism.

■ (U) ESP - Encapsulating Security Payload (RFC 2406) provides traffic confidentiality (via encryption)
provides authentication and integrity protection.

■ (U) AH - Authentication Header (RFC 2402) provides integrity and authentication protection the includes immutable IP
header fields. This differs from ESP integrity protection that does not include the IP header.

(U) PPTP

(U) The Point-to-Point Tunneling Protocol (PPTP) was developed in 1996 by the PPTP Forum, comprised of Ascend
Communications, U.S. Robotics, 3Com, Copper Mountain Networks, ECI Telematics, and lead by Microsoft.

(U) The Microsoft implementation of PPTP (RFC 2637) permits the data link layer protocol, Point-to-Point Protocol (PPP) (see
STD-0051), to be tunneled through an IP network, encapsulated within an enhanced/modified Generic Routing Encapsulation
(GRE) transport protocol (IP Next Protocol 4 7). The contents of the PPP data is normally IP network protocol packets for a
private network, but can also carry any other Local Area Network (LAN) protocol, like Microsoft NetBEUI or Novell IPX/SPX.

(U) Microsoft PPTP (MS-PPTP) permits the encapsulated PPP data to be authenticated using either version 1 (RFC 2433) or
version 2 (RFC 2759) of the Microsoft extensions to the PPP Challenge Handshake Authentication Protocol (CHAP) (RFC 1994),
and to be encrypted using RC4 with key lengths of 40, 56, or 128 bits (RFC 3078, RFC 3079). The mode of the encryption is
negotiated and key lengths are exchanged using the PPP Compression Control Protocol (CCP) (RFC 1962).

(U) HOOKED

(TS//SI//REL) HOOKED HAND is a DNC protocol used in a commercial DNC product.

(U) CINDER

(TS//SI//REL) CINDERASH/TRACK are ESP-like protocols that use non-RFC defined fields.

(U) DNSC

(TS//SI//REL) DNSC is ...

SCARLETFEVER SSL Brief

(U) TU DNC Products

(S//SI//REL) IPSec DNC Products

(S//SI//REL) The TU DNC products are the outputs of four processing data flows:

■ (S//SI//REL) The TU DNC Metadata flow collects metadata about IPsec (IKE/ISAKMP and ESP) events then forwards the
metadata to follow-on SIGINT Development (SIGDEV) systems.

■ (TS//SI//REL) The TU DNC Decryption flow detects IPsec communications, selects by IP-Address, decrypts the traffic
selected for decryption, and re-injects the encapsulated (cleartext) content into TUFIMOIL for processing.

File: DNC IPSEC
Operation.jpg
(U) IPsec DNC
Operation

and optionally

2 of 13

VAL IANT S URF - Wikiinfo

■ (TS//SI//REL) The TU DNC Survey flow forwards to
XKEYSCORE all encapsulated (cleartext) sessions that are
selected by IP-Address for decryption by the TU DNC
Decryption flow that are also marked for SIGDEV.

■ (S//SI//REL) The DNC Analyze flow selects by IP-Address
IKE/1SAKMP and ESP packets that are then sessionized
and forwarded to PRESSUREWAVE for analysis.

(U) Spin History

(TS//SI//REL) Spin 9 efforts transitioned fielded DNC software
from the Red TURMOIL (TML) architecture to the Blue and
implemented a redesign of the decryption flow that reallocates
some functionality between TURMOIL and the DNC Attack
Orchestrator (VAO).

(TS//SI//REL) Spin 10 efforts started development of a
decryption capability that can be deployed to SMK, improved
DNC detection and processing capabilities, and developed the
DNC Analyze flow.

(S//SI//REL) DNC Metadata Flow

■ (TS//SI//ORCON//REL) The DNC Metadata Flow collects metadata about IKE/ISAKMP and AH/ESP events and forwards the
metadata to follow-on SIGINT Development (SIGDEV) systems.

■ (TS//SI//ORCON//REL) All IKE/ISAKMP packets seen in the incoming data are collected, bundled and then sessionized
within TURMOIL. Then the metadata is extracted, converted to ASDF and then sent to the ASDFReporter component within
TURMOIL. The ASDFReporter gathers all ASDF generated within TURMOIL and sends the bundles to FALLOUT via TUBE.
FALLOUT delivers the metadata records to the appropriate destinations. The IPSec IKE metadata all goes to TOYGRIPPE via
MAILORDER. TOYGRIPPE is a DNC analytic database in CES used by the cryptanalysts in conjunction with a vulnerability
database to determine exploitability.

■ (TS//SI//ORCON//REL) Sampled AH/ESP packets seen in the incoming data are collected, metadata is extracted per session,
and the metadata is converted to ASDF and sent to the ASDFReporter within TURMOIL. The ASDF records follow the same
paths as the IKE Metadata above.

S'

SECRET//COMINT//REL TO USA, FVEY
Internet Key Exchange (IKE)/ Internet Security Association Key Management Protocol (ISAKMP)

VSIKE-M02

T. MAILORDER |

C IPsec/lkE Metadata .
F ASDF 1

_____t

_____ TUBE

VSHKE-M01

T Socket Connection
C iPsecflKE Records
F SOTF

^ T - Transport |

— C = Content

TURMOIL F = Format |

FALLOUT

V*4KE-MP3

T MAILORDER
C: ip seen KE Metadata
F ASDF

(TS//SI//ORCON//REL) VPN IKE Metadata Dataflow

Q

SECRET//COMINT//REL TO USA, FVEY
^AuthenticatiorUteade^AH^^ncapsulat^

VS-ESP-MP1

T Socket Connection
C IPsec (ESP Metadata Bundles
F ASDF in SOTF

VS-E9P-MD2

T MAILORDER
C IPsec'ESP Metadata
' ASOF

___TUBE

I
I

FALLOUT

VS-Æ5P.MJS

T: MAILORDER
C. IPsecÆSP Metadata
F: ASDF

(TS//SI//ORCON//REL) VPN ESP Metadata Dataflow

(TS//SI//ORCON//REL) DNC Decryption Flow

■ (TS//SI//ORCON//REL) The DNC Decryption Flow detects and decrypts selected communications that are encrypted using
IPsec then reinjects the unencrypted packets back into TURMOIL Stage 1. TURMOIL Stage 1 applications process the
packets into sessions and when appropriate forwards the unencrypted content to follow-on processing systems. The DNC
eventing (PPF) components in TURMOIL detect all IKE/ISAKMP and ESP packets and queries KEYCARD for each unique
IKE exchange session and each unique ESP session to determine if the link should be selected for processing. Selection is
based on IP address. Decryption is attempted if either the source or the destination IP address is targeted for decryption in
KEYCARD (the KEYCARD tasking action is labeled "TRANSFORM" so as not to use the term "decrypt"). If KEYCARD returns
a hit for an IKE packet, then the IKE packet is sent to LONGHAUL where is is used to recover keys. If KEYCARD returns a
hit for an ESP packet, a key request is sent to LONGHAUL. The IPsec Security Parameter index (SP1) correlates IKE

3 of 13

VALIANTSURF - Wikiinfo

sessions with ESP sessions. A LONGHAUL response message will either return the key or indicate that a key could not be
recovered. If a key is recovered, the ESP packets are decrypted and re-injected into TURMOIL for further processing.

■ (TS//SI//ORCON//REL) All DNC Decryption functions and communications with LONGHAUL, specifically POISONNUT, the
Attack Orchestrator (and a DNC Metrics service via POISONNUT) are hosted on a specially configured and dedicated
TURMOIL processing host called a CA Server. All CA Service blade software is loaded and administered by CES approved
and CA Services authorized administrators. The CA server is firewalled and effectively functions as an extension of the CES
enclave. In the future all communications between the CA Server and the CES services (LONGHAUL, DNC Metrics) will be
a secure JMS messaging service based on the ISLANDTRANSPORT / 1SLANDHIDEAWAY infrastructure.

Q

TOP SECRET//COMINT//REL TO USA, FVEY

_Jnterne{J
TUBE

VPNS

T socket conn«»on
C Selected Application Sessions*
. F SOTF

note

' Selected Application Sessions
are oenufied and selected from
tlte decry pied packets extracted
from the VPN tunnel and inserted
into the TU RMOtL input stream

T MAILORDER

C Selected Application Sessons*

T F SOTF

EXOPUMP

VPM11______

T ITx (JMS)

C Selected Appt Sessions*
F XMUSOTF

PRESSURE-
__WAVE____.

î

Authenticatlor^eadenAH^^ncagsulatin^Securrt^a^lDac^ESP^

TURMOIL

VPN1

T Socket Connection
C Selector H1 QueryfResponse

^ r Binary...................

~ VPNI8

T Secure socket (SSL)

C PIO Blade Management

KEYCARD

---------------►! DQC /CES


Q
PIQ VPtW T ITS (JMS) 2 ça
Services C ike Messages
F IH(SOAP)
W
T ITx (JMS) UJ
C ESP Key Req/Res
F IH(SOAP) o

(TS//SI//ORCON//REL) VPN Decryption Dataflow

(TS//SI//ORCON//REL) Simple VALIANTSURF Dataflow

4 of 13

VALIANTSURF - Wikiinfo

DEPRECATED

TOP SECRETtfCOMINTOREL TO USA, FVEV

(TS//SI//ORCON//REL) VPN Decryption Sequence

5 of 13

VALIANTSURF - Wikiinfo

TOP SECRET/iCOMtNT'fREL TO FVEV
A«**" .« ono ci F» Mom» M*» FF W ' «IGSIG I«-- F I OFCE I KEVCARO F 'H 1 an- V HU 1 tfUL I T «0 » VAN
■ mean' FaMr*W

« ^
-F.a.tn. KACHA* TfUMSFOAM L * IMluf
n kc coMmnm i

s» rt Aceon- 7eiHIFC*til;- ...
*l| (IF C» ( F ^ ■ IF
KtfFHMU
* o* f ip k*i **#*••* i —JL»; „ it r
» SWKtDxiVirr, V

bOOCV t/~" e'ïîïïf--
—CetnpedFKim "DFID »J TUiMCWi PM HI CTOMJrfi) «*{«>• n(rt<5Crtromiw 1
' • » IMS
FI ***» OF© Cortrertc- I-'.'"

(TS//SI//ORCON//REL) Detailed Turmoil DNC Decryption Sequence Diagram

(TS//SI//REL) DNC Survey Flow

■ (TS//SI//REL) The DNC Survey Flow detects, decrypts selected communications that are encrypted using IPsec; then
sessionizes the unencrypted packets and sends the sessions to XKEYSCORE. The DNC eventing (PPF) components in
TURMOIL detects all IKE/ISAKMP and ESP packets and queries KEYCARD for each unique IKE exchange session and each
unique ESP session to determine if the link should be selected for processing. Tasking is based on IP address. Decryption is
attempted if either the source or the destination IP address is tasked for decryption in KEYCARD (the KEYCARD tasking
action is labelled "TRANSFORM" so as not to use the term "decrypt"). If KEYCARD returns a hit for an IKE packet, then the
IKE packet is sent to the POISONNUT(DNC Attack Orchestration) Service. If KEYCARD returns a hit for an ESP packet, a
key request is sent to POISONNUT. A POISONNUT response message will either return the key or indicate that a key could
not be recovered. If a key is recovered, the ESP packets are decrypted and re-injected into TURMOIL for sessionization. If
KEYCARD also associated a "SURVEY" action with the DNC Tunnel IP-Address the encapsulated sessions are sent to
XKEYSCORE. The DNC Survey flow requires that both "TRANSFORM" and "SURVEY" actions are assigned to a targeted
IP-Address.

■ (TS//SI//REL) All DNC Decryption functions and communications with POISONNUTfand a DNC Metrics service) are hosted
on a specially configured TURMOIL processor called a CA Server. All CA Server software is loaded and administered by CES
approved and CA Server authorized administrators. The CA Server is firewalled and effectively functions as an extension of
the CES enclave. In the future all communications between the CA Server and the CES services (POISONNUT DNC
Metrics) will use a secure JMS messaging service based on the ISLANDTRANSPORT/ ISLANDH1DEAWAY infrastructure.

6 of 13

VALIANTSURF - Wikiinfo

TOP S EC R ETOCO MIN TOREL TO USA, FVEY

V

(TS//SI//REL) VPN Survey Sequence

(S//SI//REL) DNC Analyze Flow

■ (TS//SI//REL) The DNC Analyze Flow selectively collects IKE/1SAKMP packets and raw, encryted ESP packets that are
sessionized and forwarded to PRESSUREWAVE for analysis. The DNC eventing (PPF) components in TURMOIL detect all
IKE/1SAKMP and ESP packets and queries KEYCARD for each unique IKE exchange and each unique ESP session to
determine if the link should be selected for analysis. Tasking is based on IP address. If KEYCARD returns an "ANALYZE"
action for any IPsec packet hit, then the IPsec packet is sessionized and sent to PRESSUREWAVE.

7 of 13

VALIANTSURF - Wikiinfo

SECRET//COMINT//REL TO USA, FVEY

Stage 0 TURMOIL KEYCARD TUBE

EH

IKE _
Packet”

01KE Select^
Query

IF[ ANALYZE ) *

IF[ ANALYZE ;

Eh

ESP _
Packet™

Like SelectÀ
** * Response^J

I

I

9—

Sessionize IKE

IF[ ANALYZE )

IF[ ANALYZE )

IKE Session«

¿^SP Select j
W Query “
jTESP Select^
" i Responsevr

-IKE Session«

EXOPUMP

PWv

0 Socket
(J) MAILORDER
Q ISLANDTRANSPORT (JMS)
(R) Secure Socket Layer (HTTPS)

-----ESP Sessio

r T

SECRET//COMINT//REL TO USA, FVEY

*ESP Session—

(TS//SI//REL) VPN Analyze Sequence

(U) Requirements, Planning, and Reviews
(U) Design Details

(S//SI//REL) Architectural Taxonomy

■ DNCA (Digital Network Crypt Applications) - branch

■ ROMULANALE - Name of project within DNCA that develops capabilities for the CAServer

■ GALLANTWAVE - DNSC project *and* thread on fielded systems, including TURMOIL and XKS (DeepDive)

■ GW Mission App - legacy capability on CAServer for DNSC decryption

■ ROMULANGAWK - ROMULANALE provided capability on CAServer for DNSC decryption in software

■ ROMULANGOWL - ROMULANALE provided capability on CAServer for DNSC decryption in hardware (pending)

■ VALIANTSURF - DNC project *and* thread on fielded systems, currently including only TURMOIL

■ MALIBU - DNC processing architecture for VALIANTSURF on TURMOIL using session based processing

■ PIQServices - capability on CAServer for DNC decryption under MALIBU

■ WAIMEA - DNC processing architecture for VALIANTSURF on TURMOIL using packet stream based processing. This
covers all configurations of the architecture (software and hardware)

■ WA1MEAVISAGE - DNC WAIMEA processing architecture with decryption performed in software

- ROMULANV1SAGE - ROMULANALE provided capability on CAServer for WA1MEAV1SAGE

■ WA1MEAVISE - DNC WAIMEA processing architecture with decryption performed in hardware

■ ROMULANV1SE - ROMULANALE provided capability on CAServer for DNC WAIMEAVISE

(U//FOUO) Current DNC Design Documents

■ MALIBU Architecture

■ WAIMEA Architecture

(U) Design Reviews and Technical Exchanges
(U) Technical Documents

■ (S//SI//REL) IPsec Sessionization

■ (S//SI//REL) HOOKED Sessionization

■ (S//SI//REL) CINDER Sessionization

■ (S//SI//REL) PPTP Sessionization

■ (S//SI//REL) New Protocol (IPsecESP,PPTP,HOOKED,CINDER) Specification

■ (TS//SI//REL) Turmoil Analysis for Increment 3

■ (TS//SI//REL) VPN IKE ASDF data flow ^

■ (TS//SI//REL) VPN IKE ASDF Sequence Diagram m

■ (TS//SI//REL) APEXWPN Data Flow —

■ (TS//SI//REL) APEXWPN Sequence Diagram —

8 of 13

VALIANTSURF - Wikiinfo

■ (TS//SI//REL) Turmoil VPN Decrypt Sequence Diagram



■ (TS//SI//REL) SPIN 15 VPN Story 1 •

■ (TS//SI//REL) Spin 15 TURMOIL Model ■

■ (TS//SI//REL) S31322 Branch VPN Brief*.

■ (TS//SI//REL) VS Monitoring

(U) DNC Enterprise Messaging Fabric

■ (S//SI//REL) VPN AMF(lTx)Fabric Diagram

(S//SI//REL) DNC IKE SMG (Replaced Ike Analytic)

■ (S) Description - The IKE SMG (Sesionized Metadata Generator) inherited the internal business logic of the IKE Analytic,
but was re-hosted as an iBridge service. There is no longer any connection to PRESSUREWAVE or METROTUBE. The
IKESMG runs as a CCM graph IPSECJKE MDATA with input from IPSEC EVENT TO BME via IOPort.

■ (S) Spin 17 - No Release. Initial version developed but not delivered to TURMOIL

■ (S) Spin 18 - Initial Release. Patched Version had verbose logging.

■ (S) Core 3.1- Part of ValiantSurf Shark feather. APEX processing removed. Sessionization by Exchange introduced.

■ (S) Core 4.x - Future release compliant with Schema version 8.

(S//SI//REL) DNC IKE Analytic

■ (S) Spin 15 - No Release. Verified Spin 14 V1AS runs successfully on Metrotube 2.3.1 (Metrotube Spin 15 version).

■ (U) OtherWikiLinks:

■ (U^^^^^^^Pj31321(CON) Analytic Developer

■ (S) VALIANTSURF Wiki

■ (S) VPN Metadata Flow diagram

■ (S) VpnlpsecVpnLargeDataCharacterization

■ (S) Spin 14 - Upgraded Spagic workflow to follow the robust PWV Retriever Pattern.

■ (S) Pattern Comprises separate service assemblies for Listener, Metadata Retriever, DataRetriever, Throttler, and DNC
wrapper.

■ (S) Error handling and VIAS logging capabilities added.

■ (S) APEX (DEMO) - Modified SOTF Parser and TGIF Record Factory to process Apex metadata.

■ (S) Spin 13 - Upgraded Spagic workflow to match Metrotube 2.1.

■ (S) Numerous bug fixes relating to Toygrippe content including Exchanges Types, Message Types, Phase2-Only,
missing transforms(see MadForge DNC-analytic project for details).

■ (S) Added capability to process Toygrippe file classification determined by DNC Metadata.

■ (S) Spin 12 - The VPN Analytic has been re-named as the VIAS (VPN IKE Analytic Service). In this spin, there were 2 major
changes.

■ (S) First, the analytic was converted to run in the Metrotube 2 framework, as a JSorcerer Service on the Metrotube
Service Bus.

■ (S) Second, the VIAS is now released by the ValiantSurf (DNC) team directly to Turbulence, where Spin 11 and earlier
versions were packaged by the DNC team, delivered informally to Metrotube Services who performed the software
release to Turbulence.

■ (S) Spin 11 and prior - VPN Analytic runs as a Metrotube 1 service.

■ (S) An improvement to the IkeSessionizer algorithm correctly matched up the initiator and responder by waiting for the
responder to return a non-ZRC (Zero Responder Cookie).

(U) CIET Tasking

■ (S//SI//REL) Tasking for TEC/MHS/CROSSCUT

(U) Test

VALlANTSURF/TestData

■ (S//SI//REL) RFCs Reguired forTML 18.1 and earlier releases «

■ (S//SI//REL) VALIANTSURF RFCs

(S//SI//REL) DNC Metadata

■ (S//SI//REL) Spinl4 VPN IKE Metadata Test Document •

■ (S//SI//REL) Spinl3 VPN IKE Metadata Test Document ■

■ (S//SI//REL) Spinl2 VPN IKE Metadata Test Document ■

9 of 13

VALIANTSURF - Wikiinfo

(TS//SI//REL) DNC Decrypt

■ (TS//SI//REL) Spin 12 VPN Decrypt Test Document ■

(U//FOUO) LONGHAUL Test

LONGHAUL Test Documentation Page

(U//FOUO) One CA Server Toggled among Multiple TURMOILS

(U//FOUO) This section describes a network design to have one CA server serve multiple TURMOILS. Note that a CA Server can
only communicate to one TURMOIL at a time.

Motivation:

1. Power/space/cooling limitations

2. Long lead time to gain approval to add CA Services servers

3. Hardware cost

4. Limits on public IP address space at some sites
Click for details on the CA Server Bank.

For more information. Contact one of these POCs

rML Network Engineer
CA Services Developer
TML Integration and Test
TURMOIL Lab Manager
T1 VS Thread Lead

(U) Deployments

VALIANTSURF Deployment Roles & Responsibilities

(U) CIET Deployment Overview

(U) VALIANTSURF Levels of Success

(U//FOUO) VALIANTSURF RFC and DR Needs for TURMOIL Baseline Deliveries 2011
(U//FOUO) VALIANTSURF RFC and DR Needs for TURMOIL Baseline Deliveries 2010

■ (TS//SI//ORCON/REL) RFC DR Needs TURMOILBaselines •

(U//FOUO) Live Dataflow

TU FLE VPN Metadata Beacons

(U//FOUO) TURMOIL Installations



(U//FOUO) IPsec/IKE Metadata Routing

Site SIGAD TUBE MAILORDER PDDG TUBE MAILORDER Trigraph TUBE MAILORDER System Digraph System Route METROTUBE MAILORDER PDDG ME' ma: Trig
MHS LATTICE USJ-759 AH HXN 51 MHS-L1VE-T16 via NSAW 00 TYG
KY EXM 52 MHS-DEV-T16 via NSAW oo TYG
N/A N/A N/A MHS-DEV-T16 via Site Store KY TYG
MHS-STARQUAKE USJ-759A AH HXN 51 MHS-L1VE-T16 via NSAW 00 TYG

10 of 13

VAL IANT S URF - Wikiinfo

KY EXM 52 MHS-DEV-T16 via NSAW oo TYG
KY TYG QX MHS-DEV-T16 via Site Store N/A N/A
US-3150 RU EXN 51 G1-T16 via NSAW 00 TYG
DVN 52 G2-DEV-T16 via NSAW oo TYG
LPN 53 G3-LPT via NSAW 00 TYG
LPN 54 G4-LPT via NSAW 00 TYG
LPN 55 G5-LPT via NSAW oo TYG
DVN 56 G6-DEV-LPT via NSAW oo TYG
TEC USD-1001TEC BL EXM 51 TEC-T16 via NSAW oo TYG
YRS USF-787 MH EXM 51 YRS3-LPT via NSAW 00 TYG

(U//FOUO) IPsec/ESP Metadata Routing FALLOUT to TOYGRIPPE

FALLOUT Processing & Dataflow
FALLOUT Dataflow Statistics

Site SIGAD FALLOUT MAILORDER PDDG FALLOUT MAILORDER Trigraph TOYGRIPPE MAILORDER Trigraph FALLOUT MAILORDER System Digraph TUBE Upstream Source System Digraph (Source System Atom) Upstream Source System
MHS-LATTICE USJ-759 AH KLG TYF D0,D9 51 MHS-L1VE-T16
TYF D0,D9 52 MHS-DEV-T16
MHS-STARQUAKE USJ-759A KY KLG TYF D0,D9 51 MHS-L1VE-T16
TYF D0,D9 51 MHS-DEV-T16
US-3150 RU KLG TYF D0,D9 51 G1-T16
TYF D0,D9 52 G2-T16
TYF D0,D9 53 G3-LPT
TYF D0,D9 54 G4-LPT
TYF D0,D9 55 G5-LPT
TYF D0,D9 56 G6-LPT
TEC USDY001TEC BL KLG TYF D0,D9 51 TEC-T16
CROSSCUT US-3301 U6 KLG TYF
SARATOGA US-3167 IL KLG TYF
MUSCULAR DS-200B C4 KLG TYF
YRS USF-787 MH KLG TYF D0,D9 51 YRS 1-LPT
TYF D0,D9 52 YRS2-LPT
TYF D0,D9 53 YRS3-LPT

(S//SI//REL) VAO STATUS

POISONNUT Wiki

■ Last Updated Wed Mar 5 20:36:00 GMT 2008

■ RUNNING

11 of 13

VALIANTSURF - Wikiinfo

(U//FOUO) Deployments and Development systems

(U//FOUO) VALIANTSURF TURMOIL components are deployed directly to the TURMOIL systems.

(U//FOUO) The VALIANTSURF mission-application is deployed on the CAServer platform. See CAServer#Deployments for site
specific configuration.

(U//FOUO) CIET Deployments

Site Type Current TURMOIL Next TURMOIL Hardware CA Server Comment
JCE Dev Unknown Core 3.0.10 1-BCH none none
MHS ESO Dev Unknown TBD TBD none none
SMKG2 Dev 18.1.5 Core 3.0.10 TBD TBD none
SARATOGA Live 17.1 Core 3.0.10 TBD TBD none
MUSCULAR Live 18.1.1 18.1.5 TBD TBD none
SMK Live 17.1 Core 3.0.10 TBD TBD none
CROSSCUT Live 15.6.1 Core 3.0.10 TBD TBD none
MHS Live 15.6.1 Core 3.0.10 TBD TBD none
TEC Live 15.6.1 15.6.1 TBD TBD none

(U//FOUO) Monitoring

■ (U//FOUO) CA servers are monitored by the T3332 Data Operations Center (DOC)as part of their TU monitoring_

ÎS^ÇKKEYU)0^^1açkKe^iomeDag^^ççes^h^bDVie^^^R^J)O^^^^^^^^^^^^^^^^^J

■ (U//FOUO) The VALIANTSURF SOP used by the DOC VALIANT SURF Tab Special Instructions

■ (U//FOUO) During business hours, the DOC uses the following contact list: DOC business hours POC list#VAL!ANTSURF

■ (U//FOUO) DOC After Hours Call-in Procedures

■ (U//FOUO) VALIANTSURF CA Server Troubleshooting Guide

(U) Governance

(U) DNC Thread Schedules

(U) VALIANTSURF Thread Status Weekly Meetings 2012

(U//FOUO) VALIANTSURF Activity Leads Status Review

(S//SI//REL) The VALIANTSURF Leads Meeting reviews are held weekly on Mondays. The purpose of this review is to discuss the
major goals and status of activities taking place. Any roadblocks that would cause a failure in meeting the established goals
should be discussed at this time.

(U) Team Members

■ (U)^^^^^HS31322 Thread Lead

■ (U)^^^^^B/Rl,IDA/CCS(CON) Architecture Lead

■ (U)^^^^^^^^»S31322(Integree) Architecture Team

■ (U)^^^^^^^/S31322 Architecture Team

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

■ (U)

|S31322(CON) Systems Engineer
331322 Systems Engineer
I/S31322 Systems Engineer
I/S31322 SW Developer
31322 SW Developer
(S31322 SW Developer
|S31322 SW Developer
[/S31322(CON) SW Developer
IS313221CON1 SW Developer
31322 SW Developer
l/S31322(CON) CAS Deployment
|i/S31322(CON) Integration & Test Lead
IS31322(CON) Integration & Test Engineer
f/S31322(CON) Integration & Test Engineer
|/S31322(CON) Integration &Test Engineer

12 of 13

VALIANTSURF - Wikiinfo

S31322(CON) Integration & Test Engineer

Team Alias: DL Valiantsurf (mailto:

(U) Stakeholders

weekly

(U) VALIANTSURF Historical -

(U//FOUO) Deployment Documents

■ (S//SI//REL) Spin 11/12 Metadata Flow management ■

■ (U) Spin 9 VPN PIQ Blade Version Description Document (VDD) for MHS, YRS, TEC ■

■ (U) Spin 9 MHS PIQ Blade Baseline Change Request

■ (U) Spin 8 VPN TML Test Checklist 20070416 ■

■ (U) Spin 8 VPN MHS Checklist 20070416 ■

(U) Design Reviews and Technical Exchanges

■ (S//SI//REL) VPN TU IT meeting minutes 1 May 2009 -

■ (S//SI//REL) VPN/TUMMS requirements meeting minutes 23 April 2009 ■

■ (S//SI//REL) VPN TUBE Metadata Bundle Classification meeting minutes 3 April 2009 •

■ (S//SI//REL) Brief to YRS during TDY 17-21 Nov 2008

■ (S//SI//REL) Spin 12 TURBULENCE VPN Technical Review

■ (S//SI//REL) Spin 10 TURBULENCE VPN Technical Review Minutes •

■ (S//SI//REL) Spin 10 TURBULENCE VPN Technical Review

■ (S//SI//REL) Spin 10 VPN / ISLANDTRANSPORT / ISLANDH1DEAWAY Technical Exchange 20080124

■ (S//SI//REL) Spin 10 VPN / ISLANDTRANSPORT / ISLANDH1DEAWAY Technical Exchange 20080124

■ (S//SI//REL) Spin 9 TURBULENCE VPN Design Review

■ (S//SI//REL) Spin 9 TURMOIL VPN Design Review Minutes

■ (S//SI//REL) Spin 9 TURBULENCE VPN Design Review Minutes ' .

Meeting Minutes |
Meeting Agenda

(U//FOUO) VALIANTSURF Activity Leads Status Review

(S//SI//REL) The VALIANTSURF Activity Leads Status reviews are held bi-weekly on Mondays throughout the Spin. The purpose
of this review is to discuss the major goals and status of activities taking place. Any roadblocks that would cause a failure in
meeting the established goals should be discussed at this time.

(U) VPN Thread Schedules

■ (U//FOUO) Spin 11 VPN Sprint Schedule ■

■ (U//FOUO) Spin 10 VPN Sprint Schedule •

(U) Pages of Interest

■ (U//FOUO)

■ (U//FOUO)

Retrieved from
Category: VPN

TURMOIL VALIANTSURF
TURMOIL GALLANTWAVE

Derived From: SI Classification Guide, 02-01, Dated: 20060711
and NSA/CSSM l-52: Dated: 20070108
__________________________________________Declassify Qn: 2032Q1Q8

TOP SECRET//SI/JORCON/REL TO USA, FVEY

13 of 13

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh