Layer 1 Encryption in WDM Transport Systems
•
4 likes•6,718 views
This document discusses encryption in data center and fiber optic networks. It notes that Edward Snowden revealed that unencrypted communications are no longer safe. It then discusses how data centers secure physical access, hardware, software and fiber connections. It explains that encryption on the lowest network layer provides the highest security. The document presents ADVA's encryption solutions for 10G and 100G networks, including key lengths and management systems. It notes over 1,600 encrypted links are currently in operation across finance, government, healthcare and other industries.
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Layer 1 Encryption in WDM Transport Systems
Similar to Layer 1 Encryption in WDM Transport Systems (20)
More from ADVA
More from ADVA (20)
Recently uploaded
Recently uploaded (20)
Layer 1 Encryption in WDM Transport Systems
- 1. Layer 1 Encryption in WDM Transport Systems Dr. Henning Hinderthür, PLM
- 2. © 2014 ADVA Optical Networking. All rights reserved. Confidential.2 Security in Telco "What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default“ Edward Snowden - Guardian Interview, Moscow July 2014
- 3. © 2014 ADVA Optical Networking. All rights reserved. Confidential.3 Data Center Environment & Security APPS APPS
- 4. © 2014 ADVA Optical Networking. All rights reserved. Confidential.4 Data Center Environment & Security Physical Access to the Data Center APPS APPS
- 5. © 2014 ADVA Optical Networking. All rights reserved. Confidential.5 Data Center Environment & Security Hardware Security APPS APPS
- 6. © 2014 ADVA Optical Networking. All rights reserved. Confidential.6 Data Center Environment & Security Software Security APPS APPS
- 7. © 2014 ADVA Optical Networking. All rights reserved. Confidential.7 Data Center Environment & Security …and What About the Fiber Connection? APPS APPS
- 8. © 2014 ADVA Optical Networking. All rights reserved. Confidential.8 Fiber Optic Networks Tapping Possibilities Y-Bridge for service activities Fiber Coupling device Street cabinet How to get access? Where to get access? Splice boxes / cassettes (Outdoor / Inhouse) There are multiple ways to access fiber Protocol Analyzer
- 9. © 2014 ADVA Optical Networking. All rights reserved. Confidential.9 Encryption What is Key? • Highest level of security • Speed - Low Latency • 100% Throughput • No Jitter • Role Based Management (Multi Tenant Management for Carriers) Encryption on the lowest possible layer
- 10. © 2014 ADVA Optical Networking. All rights reserved. Confidential.10 Encryption Basics Key Lengths – Magnitude Number of grains in 1 m3 sand from the beach 240 Number of atoms in a human body 292 Number of atoms in the earth 2165 Number of atoms in the sun 2189 Number of atoms in the Milky Way 2226 Number of atoms in the universe 2259 AES 256
- 11. © 2014 ADVA Optical Networking. All rights reserved. Confidential.11 High Speed Encryption Modes Cisco Overlay Transport Virtualization (OTV) +82 Bytes MacSec +32 Bytes Cisco TrustSec +40 Bytes Bulk Mode (0 Bytes) • Hop-by-Hop only • Ethernet only • Overhead creates latency and throughput issues • Point-to-Point • Protocol/ I/F agnostic (Ethernet, FC, IB, Sonet/SDH) • Integrated Solution with lowest latency • Huge overhead • IP VPN Services • Cisco Nexus
- 12. © 2014 ADVA Optical Networking. All rights reserved. Confidential.12 Encryption Performance Comparison of Maximum Throughput Framesize / Bytes Throughput
- 13. © 2014 ADVA Optical Networking. All rights reserved. Confidential.13 Encryption Using G.709 / OTH Link Protocol 1 …….…. 14 15 ….… 16 17 ………………………………. 3824 3825 .… 4080 1 2 3 4 Column number OTU/ODU overhead ROW OPU overhead Encryption FEC areaEncrypted Payload OCH Overhead Och payload FEC data Optical channel frame structure 5TCE link protocol • Supports • OTU-2 • OTU-2e • OTU-2f AES 256 encrypted OPU2 payload Automatic key exchange using DH Key Exchange
- 14. © 2014 ADVA Optical Networking. All rights reserved. Confidential.14 FSP 3000 Encryption Highlights Protection Building Blocks • Authentication via initial authentication key to protect from “man in the middle” attacks • AES256 encryption to offer maximum data security • Diffie Hellman (DH) key exchange for secure encryption key generation • New encryption key every 1min/10mins for additional security • Key lifetime configurable • Lowest latency (100ns) while providing 100% throughput
- 15. © 2014 ADVA Optical Networking. All rights reserved. Confidential.15 • Universal Enterprise Mux-/Transponder • AES256 encryption • Dynamic key exchange every 10 minutes • 5x Any Multi-service clients • Transparent / Framed mode • SDH Network variant 5TCE-PCN-8GU+AES10GS 10G Muxponder with Encryption 5TCE-PCN-10GU+AES10G Network Interface 3x Client SFP 2x Client SFP/SFP+ Module DWDM CWDM Grey SFP SFP SFP SFP (+) SFP (+) TDM Prop. framing OTN-, Eth-PM GCC0 5x GbE 5x 1G/2G FC 3 x 4G FC 8G/10G FC 5G IB/10G IB STM-16/64 10GbE Client Module ODU2 Pluggable SFP+ Network OTU2 GFEC STM-64 AESEncryption CWDM Grey Prop. framing
- 16. © 2014 ADVA Optical Networking. All rights reserved. Confidential.16 • Universal Enterprise Muxponder 100G • AES256 encryption with 2048bit key • Dynamic key exchange every 1 minute • Up to 10 x any multi-service • 10GE, FC8/10/16, 5G Infiniband • 40GE/100GE by means of 4x/10x 10GbE via break out cable (SR4, LR4 and SR10) 100G Metro Muxponder with Encryption 10TCE-PCN-16GU+AES100G Network DWDM CFP 10x Client SFP+ Module GMP ODUFlex Client Module ODU4 DWDM CFP Network OTU4 config. EFEC OTN PM AESEncryption CWDM Grey SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ SFP+ 10x 10GbE (WAN/LAN) 10x 8G FC 8x 10G FC 7x 16G FC 10x STM-64/OC-192 10x 5G IB 4x 28G DWDM (96ch C-band)
- 17. © 2014 ADVA Optical Networking. All rights reserved. Confidential.17 Layer 1 Encryption Solution Suite AES 10G Encryption AES 100G Encryption 40GbE 100GbE FC 16G FC 10G 10GbE STM-64/OC-192 FC 8G IB 5G FC 4G STM-16/OC-48 FC 2G FC 1G GbE 1G–5G5G–15G40G100G
- 18. © 2014 ADVA Optical Networking. All rights reserved. Confidential.18 Encryption Management & Operations
- 19. © 2014 ADVA Optical Networking. All rights reserved. Confidential.19 Data Center Networks Encryption Management for Private Networks 3rd Party NE 3rd Party NE 3rd Party NE FSP NM Server FSP EM or LCT/CLI FSP NM Clients LAN Scenario 1 - User of encryption is the operator of equipment DCN Crypto Manager running on FSP NM
- 20. © 2014 ADVA Optical Networking. All rights reserved. Confidential.20 Data Center Networks Encryption Management for Private Networks 3rd Party NE 3rd Party NE 3rd Party NE Scenario 2 - Encryption user does not own the network FSP NM Server FSP NM Clients LAN DCN GUI Server running NM client apps Customer A WWW. Crypto Manager running on GUI Server
- 21. © 2014 ADVA Optical Networking. All rights reserved. Confidential.21 Crypto Management Management Levels Provided • Operational management • Deals with all operational aspects (FCAPS) • User access is handled on the NCU • Security management • Control of all security relevant activities • Separated from operational management • Access control handling on the AES Muxponder not on the NCU • Security relevant activities are performed using the security relevant credentials • ROOT users have no access to security management
- 22. © 2014 ADVA Optical Networking. All rights reserved. Confidential.22 Encryption over OTN Networks
- 23. © 2014 ADVA Optical Networking. All rights reserved. Confidential.23 5TCE-PCN+AES10G5TCE-PCN+AES10G Site B LAN Site A LAN n*1GbE, 10GbE STM-64c OTU-2e STM-64c OTU-2e OTN Network Carrier Managed Service Encryption over OTN Networks 1GbE & 10GbE Services n*1GbE, 10GbE FSP Network & Crypto Manager
- 24. © 2014 ADVA Optical Networking. All rights reserved. Confidential.24 10TCE-PCN-16GU+AES100G10TCE-PCN-16GU+AES100G Site B LAN Site A LAN Multi rate Multi rate GCC2 used for key exchange & other functions Setup via ECC (GCC0) or an external DCN connection Encryption over OTN Networks 10GbE, 40GbE, 100GbE Services LR10R OTU-4 111,809 Gb/s LR10R OTU-4 111,809 Gb/s FSP Network & Crypto Manager OTN Network Carrier Managed Service
- 25. © 2014 ADVA Optical Networking. All rights reserved. Confidential.25 Layer 1 Encryption in Operation
- 26. © 2014 ADVA Optical Networking. All rights reserved. Confidential.26 Where ADVA-Encryption is in Operation Department of Business Innovation & Skills: 2013 Information Security Breaches Survey www.gov.uk/bis ADVA sells ~10% of layer 1 encryption into Government > 150 links ADVA sells ~62% of layer 1 encryption into Finance > 1.000 links ADVA sells ~10% of layer 1 encryption into HealthCare > 150 linksADVA sells ~16% of layer 1 encryption into Other large industry > 250 links 1.600 x 10G encrypted links in operation • 62% Finance (50 customers) • 10% Government (13 customers) • 10% Healthcare (7 customers) • 10% Large Industry (14 customers) • 4% Cloud SPs (9 customers) • 4% other industry • 2% Utilities (3 customers) ADVA sells ~2% of layer 1 encryption into Utilities > 50 links
- 27. hhinderthuer@advaoptical.com Thank You IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright © for the entire content of this presentation: ADVA Optical Networking.
Editor's Notes
- – not for every optical network encryption brings a benefit. In general security is interesting whenever there is a consolidation of services which are considered mission critical for the operator. Typically this is the case for data centers. In the end of my talk I will give a little overview that shows were we are effectively deploying optical encryption and you will see that industry - or you could say - Enterprise customers are a sweet spot. So lets have a look into a typical Enterprise / Data Center network:
- Most of the data center we talk about have a secure physical access, this means building are in one or the other way shielded against attacks from the outside world and there are security gates that make sure not everybody can enter the buildings.
- Due to those measures Data Center Hardware,…..Servers, Storage, Mainframes,…is protected. So due to teh fact that you have a physical security gateway a potential enemy can‘t just go there, steal HW or do HW reconfigurations.
- Talking about SW that is actually running on the HW. Also here Data Centers have security concepts….secure shells, separated IP domains, central authentification servers controlling who gets SW access to which device or part of the network by when and also providing passwords in a centralized way acc. to certain rules rather than individual operators providing access for everybody who knows the birthday of their wife.
- So that‘s all fine and well understood. But the point where those concepts don‘t have control is the point were the optical fiber leaves the data center building or the campus and in 99% of all cases crosses public ground where it is really difficult for the data center operator to make sure that only teh right poeple get access to this infrastructure.
- were can potential attackers get access to a fiber network? – because fiber operators have to continiously maintain their infrastructure they have street cabinets. Everybody know the grey boxes and can imagine how easy it is to open a street cabinet and get access to such a splice box that contains a group of fibers which are in-service. From there an attacker can either deploy such a little Y-bridge which tabs light permanently or he can use such a coupling device which makes use of the fact that whenever you start bending fibers light will leak out of the fiber core and can be collected and detected. OK- so that‘s how you get the light but how do you get to that data? I think we all know that. Wavelengths can get identified and filtered using standard ITU filters, transport protocols like G.709 are fully standardized and protocol analyzers will perfectly do the job of stripping them away and providing a payload signal. The cost for the equipment that you need to realize such a scenario is below 10k dollar.
- OK. So I am a network operator and in order to protect against such a scenario I want to run encryption on my network. So what are the key criteria I have to look for? … …and as a result of a market analysis I will come to the conclusion that encryption should always be done on teh lowest possible layer. Not every operator has access to teh L1 therefore sometimes L2 or L3 solutions show better economics.
- Lets now talk a bit more about the concept of L1 encryption. As you might know there are lots of different encryption schemes and algorithms available. And it would be beyond teh scope of this session to introduce you to the way how all the different schemes really operate on the level of algorithms. But just one quick comparison here….Security levels scale with the complexity of the key. In the digital domain the key is always a number and key complexity is due to the size of this number. AES256 is a quasi-standard in encryption today. Researchers today believe that it can only be attacked by trial and error. The number of trials you need in order to have reasonable chance beeing successful is almost at the level of the number of atoms in the universe.
- Whats the difference between encryption on L3 – typically know as Ipsec – or encryption on L2 or encryption on L1? First of all the most obvious difference is …L1 encryption is protocol agnostic. So it can be applied to any prototcol in the data center and there are lots of different protocols present in today data center networks - not everything is Ethernet. But there is also a big difference in the way encryption inluences the transport. At this point you have to know that most encryption schemes are dynamic. That means keys are not static, they change automatically. In order to make sure that the remote location can follow this dynamic key exchange both location have to continiously exchange some data. …data that is generated by the encryption scheme itself. For a encrpytion scheme that is based on a protocol like L2 or L3 this means that you have to add an overhead. For example in IP – every IP packet has to carry an additional overhead that carries the pure encrpytion information. You see the orange areas in the pictures – those are teh encrpytion header that are added to the different protocols. Adding larger header to IP packet or MAC frames means that you limit teh effective throughput and also add latency. In contrast to that a L1 encryption that uses an available tranport protocol can just go to the header of that transport protocol and insert the relevant information. So you turn some bits of an idle pattern in an OTU2 frame into something meaningful. The impact to teh payload with regards to throughput is zero.
- What you see here is prototcol throught put an encrpyted system as a function of frame size. First – what is called ADVA encryption here is a L1 scheme…and you can – for everything that is L2 or L3 protocol based throuput scales with teh inverse frame size. Average framesize in today‘s internet traffic is about 300 to 400 bytes, source „NetworkWorld“. So we see typically 20% effects. But it can be even more for very small packets.
- The following OTU/ODU overhead bytes are used for the dynamic key exchange in our ADVA AES256 encryption solution: 10TCE-PCN-16GU+AES100G: GCC2 5TCE-PC(T)N-10G+AES10G: GCC1/2
- Lets have a look at teh networking aspects of such an encrpytion scheme. First of all – we do a so-called inflight encryption. This means – data in encryption on teh network side btu unencrypted at all clients ports. – completely symmetrical. In order to make sure that only those systems that are supposed to talk to eahc other are running the same encryption scheme the first thing that needed to establish such a scheme is authentification. This means that a so-called atuh. Key need to be provided to both systems and then they are allowed to talk to each other. This is done via some secure shells – can be in-band, can be out of band. Then the AES 256 scheme starts running between two individual cards. Every minute all keys will automatically change. In order to enable the remote location o follow this fast key exchange there is so called Deffie-Hellman that just enables the remote location to always generate the news key on ist own rather than transmitting key between the two sites. Payload transport is not at all affected or disrupted….
- Main focus of encryption over long distance OTN networks is on GbE and 10GbE LAN services. The following bytes are used with the STM-64c line interface: F2/3 bytes used for key exchange, latency & other functions Setup via ECC (DCCR) or an external DCN connection The following bytes are used with the OTU-2e line interface: GCC1/2 used for key exchange, latency & other functions Setup via ECC (GCC0) or an external DCN connection
- Main focus of encryption over long distance OTN networks is on Ethernet LAN services.
- Bar chart shows the sector spending on security in the UK.