Tait P25 equipment released
Moderator: Queue Moderator
-
ASTROMODAT
- Posts: 1825
- Joined: Tue Nov 05, 2002 12:32 am
-
ASTROMODAT
- Posts: 1825
- Joined: Tue Nov 05, 2002 12:32 am
-
ASTROMODAT
- Posts: 1825
- Joined: Tue Nov 05, 2002 12:32 am
Thanks! I'd be very interested to know any of the details regarding how they handle encryption.
Also, would you please ask your friend how they load keys (e.g., via a PC versus a dedicated KVL thingy, etc.)?
BTW, hauling clear analog audio over microwave (or any sort of a private line) is usually highly frowned upon by the 3 and 4 letter agencies, even for low level stuff like DES or AES. It could very easily be intercepted and compromised in the clear between the mountain top repeater location and the dispatch point. For instance, a pair of cheapie bolt cutters (or a big screw driver for that matter) has you through the repeater shack door at the remote mountain top site. At that point, you hang your 600 ohm earphones on the back of the repeater, and away you go. You've got tons of time to work, even if they have a remote alarm.
With the external codec approach (e.g., DIU3000), this would only give the bad guy an encrypted path to try (and fail) to crack at the mountain top site.
My sense is that the Big Boys will not consider such an internal codec/encryption approach as acceptable for any use where they intend to have DES-OFB/AES. Clear audio at remote sites, and/or clear audio hauled to/from dispatch points to the repeater remote site, has traditionally been categorically unacceptable to the 3 and/or 4 letter Fed Agencies, and even for local PD's employing any sort of "serious" encryption. Up until now (and I have no reason to believe it has changed recently) Motorola has always remoted their encryption/decryption via the DIU3000 for just such security reasons. Motorola was not just doing it this way because they "wanted to," but due to hard requirements from their customers. This might turn out to be a prety big stumbling block for Tait, if indeed it is correct that they have placed their codec, and/or the encryption/decryption processes, inside of their repeater box.
I can't see where this saves anything from Tait's viewpoint. For most commercial P25 systems the customer has a remote link, such as a Telco 3002 4-wire PL circuit, between their repeater(s) and their dispatch point(s). The codec, and/or any encryption hardware, even a tiny UCM module, has to be bought and paid for whether it is physicaly located in the repeater box, or at a remote box (such as a DIU3000). The price should come out the same in the wash, although I know that Motorola's new repeater is planning to put such processing on less costly remote DSP. Still, it will be an external box with an IMBE/AMBE vocoder and UCM. This way, you've got true end-to-end encryption, and the cost should be a push whether you process internally (with the resultant security nightmare) or externally. And there's no way around the requirement for either a dedicated PL, or an Internet connection at both ends (in which case you would want the encryption/decryption to occure at each of the final end points). The only difference is where the codec and encryption process is physically handled.
Perhaps Tait is encrypting in software at a PC on each end of things, and then sending it encrypted over the Internet, or via a dedicated Intranet. That would be slick!! However, I do know that DVSI will NOT make available their IMBE/AMBE code to run on a PC, unless you buy their $20,000 eval board that is intended for developmental purposes only. This would be the rub that makes such a PC end-to-end approach infeasible. So, I guess I'm still confused as to how/why Tait would place the vocoder inside their repeater.
Also, would you please ask your friend how they load keys (e.g., via a PC versus a dedicated KVL thingy, etc.)?
BTW, hauling clear analog audio over microwave (or any sort of a private line) is usually highly frowned upon by the 3 and 4 letter agencies, even for low level stuff like DES or AES. It could very easily be intercepted and compromised in the clear between the mountain top repeater location and the dispatch point. For instance, a pair of cheapie bolt cutters (or a big screw driver for that matter) has you through the repeater shack door at the remote mountain top site. At that point, you hang your 600 ohm earphones on the back of the repeater, and away you go. You've got tons of time to work, even if they have a remote alarm.
With the external codec approach (e.g., DIU3000), this would only give the bad guy an encrypted path to try (and fail) to crack at the mountain top site.
My sense is that the Big Boys will not consider such an internal codec/encryption approach as acceptable for any use where they intend to have DES-OFB/AES. Clear audio at remote sites, and/or clear audio hauled to/from dispatch points to the repeater remote site, has traditionally been categorically unacceptable to the 3 and/or 4 letter Fed Agencies, and even for local PD's employing any sort of "serious" encryption. Up until now (and I have no reason to believe it has changed recently) Motorola has always remoted their encryption/decryption via the DIU3000 for just such security reasons. Motorola was not just doing it this way because they "wanted to," but due to hard requirements from their customers. This might turn out to be a prety big stumbling block for Tait, if indeed it is correct that they have placed their codec, and/or the encryption/decryption processes, inside of their repeater box.
I can't see where this saves anything from Tait's viewpoint. For most commercial P25 systems the customer has a remote link, such as a Telco 3002 4-wire PL circuit, between their repeater(s) and their dispatch point(s). The codec, and/or any encryption hardware, even a tiny UCM module, has to be bought and paid for whether it is physicaly located in the repeater box, or at a remote box (such as a DIU3000). The price should come out the same in the wash, although I know that Motorola's new repeater is planning to put such processing on less costly remote DSP. Still, it will be an external box with an IMBE/AMBE vocoder and UCM. This way, you've got true end-to-end encryption, and the cost should be a push whether you process internally (with the resultant security nightmare) or externally. And there's no way around the requirement for either a dedicated PL, or an Internet connection at both ends (in which case you would want the encryption/decryption to occure at each of the final end points). The only difference is where the codec and encryption process is physically handled.
Perhaps Tait is encrypting in software at a PC on each end of things, and then sending it encrypted over the Internet, or via a dedicated Intranet. That would be slick!! However, I do know that DVSI will NOT make available their IMBE/AMBE code to run on a PC, unless you buy their $20,000 eval board that is intended for developmental purposes only. This would be the rub that makes such a PC end-to-end approach infeasible. So, I guess I'm still confused as to how/why Tait would place the vocoder inside their repeater.
If you've paid DVSI 100 grand for an IMBE license, you would have all of the information required to implement IMBE on any platform you choose, whether it be on a little microprocessor inside a radio, or on a PC.
I assume for a situation like you describe, I assume that's exactly it - you'd have a machine in a secure area, connected to the radio side of things via ethernet, handling the cryptography. Seeing as the radio traffic gets passed over the ethernet interface in digital form, that would be the way to do it.
I assume for a situation like you describe, I assume that's exactly it - you'd have a machine in a secure area, connected to the radio side of things via ethernet, handling the cryptography. Seeing as the radio traffic gets passed over the ethernet interface in digital form, that would be the way to do it.
-
ASTROMODAT
- Posts: 1825
- Joined: Tue Nov 05, 2002 12:32 am
I don't see where this is fundamentally different than using a DIU3000. DVSI will NOT allow a customer who pays a license fee for IMBE or AMBE to supply software to one (or more) of their customers so they can run IMBE/AMBE on their PC's. DVSI requires that such a customer either: 1) buy the expensive PC card, or 2) burn the IMBE/AMBE code onto a dedicated DSP. So, either way, a stock PC can NOT run IMBE/AMBE unless it is either equipped with the 1) DVSI card, or 2) it has an internal dedicated DSP, with supporting circuitry, that is burned with the DVSI code. Keep in mind that Motorola's subscriber sets (and DIU) "get" their IMBE from dedicated DSPs internal to the subscriber sets, which can have the firmware loaded under license, with every single load controlled under license, ala the FLASHport (or some such similar) process. This isn't Motorola just trying to make a buck on each P25 radio loaded with IMBE. This is a result of Motorola having to pay DVSI for EVERY SINGLE FLASHport involving the proprietary IMBE code, even with the up-front fee.
BTW, even with the significant up-front fee (and $100,000 is merely one of many popular rumors about what this up-front fee might be), this merely pays for the "priviledge" to be able to burn the DVSI code onto DSP. Motorola still pays a signifcant price to DVSI for every single FLASHport loaded. The up-front fee merely allows them to have the priviledge to burn the IMBE code to DSP, albeit Motorola still pays a per FlASHport fee to DVSI for every single FLASHport load they sell, be it a field uplift to IMBE, or an IMBE equipped radio configured with IMBE when it comes to life in the factory. Nobody knows the amount of these fees, as this is obviously proprietary and sensitive to the companies involved, as well it should be.
Notice that either way, any off-the-shelf PC would need specific custom hardware equipment to reflect these license fees for each individual PC, or alternatively a dedicated DIU-like box would be required. The only difference is that the custom equipped PC would likely be able to theoretically do other things, albeit how many dispatchers use their PCs for anything but dispatching? They become a dedicated box in the final analysis anyway! This would involve a custom circuit pack (PCI board), or a PC that is manufactured with internal hardware containing such a custom (and licensed) DSP with DVSI's proprietary IMBE/AMBE code.
Now, how is this fundamentally different than a DIU3000? It isn't, as it still absolutely involves dedicated hardware, in terms of a board or a module inside the PC. Let's remember that the DIU3000 was designed 21 years ago (back in 1984), and the new Motorola repeater (which ships next quarter) has the DIU3000 implemented on DSP. But it still involves the IMBE code on DSP, which is a piece of hardware that either resides in a new box (albeit it's physically smaller than the 1984 DIU), or it resides in a custom DSP on a special dedicated board plugged into the PC.
The point is: A consumer will not be allowed by DVSI to load software into their PC and then be able to encode/decode IMBE/AMBE. Their vendor will need to either sell that customer a dedicated (licensed) board to plug into their PC, or the vendor will burn the IMBE/AMBE onto a custom DSP, which then will be placed inside of a custom equipped PC at their factory.
I think there is a misimpression that "new" P25 gear will somehow magically allow folks to use any Windows PC, and simply load a CD-ROM program with IMBE on it, and have a remote capability. Looks to me like nothing fundamentally changes here, in that you will still need an external box, and Motorola (and I assume others) will place it on DSP in a custom PC. Otherwise, the DVSI proprietary CODEC would wind up on the Internet in about 2 days, and they'd lose all control.
Anyways, given all of this, I can't imagine that the DVSI IMBE codec is inside of Tait's machine, as it must be remote from the repeater in order to have adequate encryption. Given this, they, too, must have an external box (as will Motorola next month), whether it takes the form of a "special" PC, or a small dedicated box, using a custom blown DSP.
Just my specualtion, as I can't discern from Tait's published specs and brochures where the codec is located, and/or how they are handling their encryption.
Perhaps mr. syntrx's contact can get ahold of a PDF, or the like, that would cover these aspects?
BTW, even with the significant up-front fee (and $100,000 is merely one of many popular rumors about what this up-front fee might be), this merely pays for the "priviledge" to be able to burn the DVSI code onto DSP. Motorola still pays a signifcant price to DVSI for every single FLASHport loaded. The up-front fee merely allows them to have the priviledge to burn the IMBE code to DSP, albeit Motorola still pays a per FlASHport fee to DVSI for every single FLASHport load they sell, be it a field uplift to IMBE, or an IMBE equipped radio configured with IMBE when it comes to life in the factory. Nobody knows the amount of these fees, as this is obviously proprietary and sensitive to the companies involved, as well it should be.
Notice that either way, any off-the-shelf PC would need specific custom hardware equipment to reflect these license fees for each individual PC, or alternatively a dedicated DIU-like box would be required. The only difference is that the custom equipped PC would likely be able to theoretically do other things, albeit how many dispatchers use their PCs for anything but dispatching? They become a dedicated box in the final analysis anyway! This would involve a custom circuit pack (PCI board), or a PC that is manufactured with internal hardware containing such a custom (and licensed) DSP with DVSI's proprietary IMBE/AMBE code.
Now, how is this fundamentally different than a DIU3000? It isn't, as it still absolutely involves dedicated hardware, in terms of a board or a module inside the PC. Let's remember that the DIU3000 was designed 21 years ago (back in 1984), and the new Motorola repeater (which ships next quarter) has the DIU3000 implemented on DSP. But it still involves the IMBE code on DSP, which is a piece of hardware that either resides in a new box (albeit it's physically smaller than the 1984 DIU), or it resides in a custom DSP on a special dedicated board plugged into the PC.
The point is: A consumer will not be allowed by DVSI to load software into their PC and then be able to encode/decode IMBE/AMBE. Their vendor will need to either sell that customer a dedicated (licensed) board to plug into their PC, or the vendor will burn the IMBE/AMBE onto a custom DSP, which then will be placed inside of a custom equipped PC at their factory.
I think there is a misimpression that "new" P25 gear will somehow magically allow folks to use any Windows PC, and simply load a CD-ROM program with IMBE on it, and have a remote capability. Looks to me like nothing fundamentally changes here, in that you will still need an external box, and Motorola (and I assume others) will place it on DSP in a custom PC. Otherwise, the DVSI proprietary CODEC would wind up on the Internet in about 2 days, and they'd lose all control.
Anyways, given all of this, I can't imagine that the DVSI IMBE codec is inside of Tait's machine, as it must be remote from the repeater in order to have adequate encryption. Given this, they, too, must have an external box (as will Motorola next month), whether it takes the form of a "special" PC, or a small dedicated box, using a custom blown DSP.
Just my specualtion, as I can't discern from Tait's published specs and brochures where the codec is located, and/or how they are handling their encryption.
Perhaps mr. syntrx's contact can get ahold of a PDF, or the like, that would cover these aspects?
I went to a Tait demo at their Australian HQ and it was my interpretation that there is no CODEC in the base station. The unit was functionally the same as a Quantar.
If a DIU3000 could talk directly to the Tait couldn't be answered at the time. The unit did have VOIP, 600ohmn interfaces and an RS232 port for linking.
As a standalone repeater the Tait looks like an extremely viable option with a smaller size, lower cost and many supply voltage options. As a base running in a network some questions have to answered by Tait yet.
I liked their configuration software which has many alarms, stats and other features. It also is windows based and you don't need RS232 on your laptop to talk to the thing.
If a DIU3000 could talk directly to the Tait couldn't be answered at the time. The unit did have VOIP, 600ohmn interfaces and an RS232 port for linking.
As a standalone repeater the Tait looks like an extremely viable option with a smaller size, lower cost and many supply voltage options. As a base running in a network some questions have to answered by Tait yet.
I liked their configuration software which has many alarms, stats and other features. It also is windows based and you don't need RS232 on your laptop to talk to the thing.
-
ASTROMODAT
- Posts: 1825
- Joined: Tue Nov 05, 2002 12:32 am
Even as a stand alone repeater, we need to understand where the codec is. It is critical that the codec be remote from the repeater, if one needs to meet serious encryption needs/requirements of the Feds and large metro PDs. I agree that this might not be a problem for an agency that needs P25 and has no intentions of ever encrypting. However, I think many P25 systems will find they need encryption, at least at some future point. Who knows how soon it will be before the DHS requires PDs with big P25 systems to implement DES-OFB and/or AES so they can have interoperability?
I don't think the DIU3000 will be compatible as the associated ASTRO signaling is proprietary to Motorola.
Boylo, is there any way you could contact Tait and ask them about these issues?
I don't think the DIU3000 will be compatible as the associated ASTRO signaling is proprietary to Motorola.
Boylo, is there any way you could contact Tait and ask them about these issues?
All Police and Federal Govt agencies in Australia that use P25 are running encryption to various levels. (Most Federal use 100%).
As a customer we are looking at the Tait as a Quantar replacement mainly because of cost, age and reliability issues with our elderly Quantars and Quantros. The Tait repeater does not have a CODEC and like you we wanted to understand how we could interconnect it to our existing network.
As you state the DIU3000 is a non option so Tait either have to ignore that or come up with their own CODEC and interface.
I will let you know when Tait tell us the answer.
As a customer we are looking at the Tait as a Quantar replacement mainly because of cost, age and reliability issues with our elderly Quantars and Quantros. The Tait repeater does not have a CODEC and like you we wanted to understand how we could interconnect it to our existing network.
As you state the DIU3000 is a non option so Tait either have to ignore that or come up with their own CODEC and interface.
I will let you know when Tait tell us the answer.