Encryption in high-speed optical networks

Similar documents
OptiDriver 100 Gbps Application Suite

OTN Technology, Standards and Applica7ons

Netherlands = Finland?

Layer 1 Encryption in WDM Transport Systems. Dr. Henning Hinderthür, PLM

Microsemi Optical Transport Networking (OTN) Processors ECI and Microsemi Partnership

Data Center Applications and MRV Solutions

Top-Down Network Design

INTERNATIONAL LAW ENFORCEMENT CCTV NETWORK SERVICES

WDM Systems and Applications

S Series Switches. MACsec Technology White Paper. Issue 1.0. Date HUAWEI TECHNOLOGIES CO., LTD.

INTERNATIONAL LAW ENFORCEMENT HD CCTV NETWORK

Transport is now key for extended SAN applications. Main factors required in SAN interconnect transport solutions are:

Secure PTP - Protecting PTP with MACsec without losing accuracy. ITSF 2014 Thomas Joergensen Vitesse Semiconductor

INTERNATIONAL LAW ENFORCEMENT CCTV NETWORK SERVICES

1 COPYRIGHT 2013 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Understanding Layer 2 Encryption

Open Cloud Interconnect: Use Cases for the QFX10000 Coherent DWDM Line Card

100G MACsec Solution: 7500R platform

Securing Data-at-Rest

UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

SUCCESSFUL STRATEGIES FOR NETWORK MODERNIZATION AND TRANSFORMATION

Extending InfiniBand Globally

Applicability of OTN for NGFI / CPRI Fronthaul. Scott Wakelin Richard Tse Steve Gorshe - Microsemi

Safe City Transmission Solution

Top-Down Network Design

VPN Overview. VPN Types

Network Encryption. Dr. Michael Ritter. September 18 th, 2015

Designing Modern Optical Transport Networks

MRV Communications Inspiring Optical Networks for over 20 Years

Migration of TDM networks towards unified packet infrastructures. Wolfgang Fischer

AGILE OPTICAL NETWORK (AON) CORE NETWORK USE CASES

CS 428/528 Computer Networks Lecture 01. Yan Wang

Using Optical Transport in the Campus Environment

BRINGING PACKET-OPTICAL NETWORKING TO THE NEXT LEVEL THE TRANSMODE TM-SERIES

Photonic networks for defense

Innovations in Ethernet Encryption (802.1AE - MACsec) for Securing High Speed (1-100GE) WAN Deployments

Configuring the Satellite nv Optical Shelf System

Wireless LANs. ITS 413 Internet Technologies and Applications

Changing the Voice of

Optical Networking Solutions

-ZTE broadband metro network solution Electro-optical cross connection inducing higher value.

Choosing the Right. Ethernet Solution. How to Make the Best Choice for Your Business

Virtual Private Networks

A Practical Approach for Migrating DCI to 100G Transport Cisco Knowledge Network Series

THETARAY ANOMALY DETECTION ALGORITHMS ARE A GAME CHANGER

Wireless Network Policy and Procedures Version 1.5 Dated November 27, 2002

Universal Network Demarcation. Enabling Ethernet and wave services with the Nokia 1830 PSD. Application note. 1 Application note

Securing Your Most Sensitive Data

Simple and Secure Micro-Segmentation for Internet of Things (IoT)

Differentiation in Flexible Data Center Interconnect

Connect & Go with WDM PON Ea 1100 WDM PON

Data center interconnect for the enterprise hybrid cloud

To Infinity and Beyond! : Why 40km+ links matter, and what HSSG might do about it

Real World Deployment Experience With 100G Optical Transport & 100GE Technologies. Sterling Perrin Senior Analyst Heavy Reading

Multiservice Optical Switching System CoreDirector FS. Offering new services and enhancing service velocity

CloudOptiX Transport Network Evolution in All-Cloud Era

THOUGHTS ON TSN SECURITY

Arista 7500E DWDM Solution and Use Cases

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

Hands-On Wide Area Storage & Network Design WAN: Design - Deployment - Performance - Troubleshooting

SD-WAN Deployment Guide (CVD)

Switching Types OTN MPLS-TP: VPWS MPLS-TP: VPLS CE: VLAN XC CE: Bridging SONET/SDH N/A

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

E1-E2 (EB) Chapter 4 MSPP

Networking interview questions

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

SENETAS ENCRYPTION KEY MANAGEMENT STATE-OF-THE-ART KEY MANAGEMENT FOR ROBUST NETWORK SECURITY

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

QUESTION: 1 You have been asked to establish a design that will allow your company to migrate from a WAN service to a Layer 3 VPN service. In your des

Adventures in Multi-Layer, Multi- Vendor Network Control. Wes Doonan Control Plane R&D July 2010

Secure Extension of L3 VPN s over IP-Based Wide Area Networks

Cisco 5921 Embedded Services Router

Contents. About Aliathon Why Aliathon? Markets Products Partners Contact Details.

Wholesale Optical Product handbook. March 2018 Version 7

Coriant Metro Transport Solutions

ASPERA HIGH-SPEED TRANSFER. Moving the world s data at maximum speed

Trusted Platform Module explained

Expanding your network horizons

OpenWay by Itron Security Overview

Reflections on Security Options for the Real-time Transport Protocol Framework. Colin Perkins

Arista AgilePorts INTRODUCTION

AN ENGINEER S GUIDE TO TMoIP

ET4254 Communications and Networking 1

Time Synchronization Security using IPsec and MACsec

Wireless technology Principles of Security

Evolving Enterprise Networks with SPB-M

INNOVATIVE PACKET-OPTICAL NETWORKS FROM ACCESS TO CORE THE TRANSMODE TM-SERIES

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Alcatel-Lucent 1850 TSS Product Family. Seamlessly migrate from SDH/SONET to packet

Teradata and Protegrity High-Value Protection for High-Value Data

Decoding MPLS-TP and the deployment possibilities

Name of Course : E1-E2 CFA. Chapter 14. Topic : NG SDH & MSPP

Sharing Direct Fiber Channels Between Protection and Enterprise Applications Using Wavelength Division Multiplexing

T-301-I Positioning Your Network for 4G/LTE with Fiber and Wi-Fi Offload

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Virtual Private Networks (VPN)

BreezeACCESS VL Security

We are securing the past in a fast moving future. FOX605 multiservice platform.

THETARAY ANOMALY DETECTION

Transcription:

Encryption in high-speed optical networks

MRV at a Glance Designing and providing metro packet-optical solutions that power the world s largest networks Over $2B of field-proven installed base 1000+ GLOBAL CUSTOMERS Serving Metro networks: high-capacity cloud & data center connectivity, mobile backhaul and virtualized & programmable networks GLOBAL PRESENCE Founded in 1988 (NASDAQ: MRVC) R&D centers in USA and Israel HQ in Chatsworth, CA, USA 2

High profile data breaches in recent years 40 million credit and debit card accounts, as well as data on 70 million customers hacked 145 million customer accounts, including personal information stolen 200 million personal records breached 56 million credit card accounts and 53 million email addresses breached 80 million patient and employee records hacked 33 million user accounts exposed Tax records for 330,000 taxpayers stolen The payroll, tax and benefits information of nearly 640,000 companies exposed 500 million accounts stolen 2013 2014 2015 2016

Data breach statistics Data breach statistics Data breach cost statistics Almost 800 U.S. data breaches reported in 2015 U.S. government has spent $100 billion on cybersecurity over the past decade, and has $14 billion budgeted for cybersecurity in 2016 In 93% of breaches, attackers take minutes or less to compromise systems Only 38% of global organizations feel prepared for a sophisticated cyberattack 80% of analyzed breaches had a financial motive Impact from trade secret theft ranges from 1% to as much as 3% of a nation s GDP 68% of funds lost as a result of a cyber attack were declared unrecoverable Damaged reputation/brand Lost opportunities Average organizational breach cost $3.79M Security breach notification laws Who must comply with the law Definitions of personal information (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.) What constitutes a breach (e.g., unauthorized acquisition of data) Requirements for notice (e.g., timing or method of notice, who must be notified) Exemptions (e.g., for encrypted information) Almost 800 U.S. Data Breaches Reported in 2015

Data encryption at different network layers Application level encryption the end to end data encryption process is completed by the application that is used to generate or modify the data that is to be encrypted IP level encryption: Internet Protocol Security (IPsec) is a protocol suite that provides network (IP) layer security by authenticating and encrypting each IP packet of a communication session Ethernet level encryption: 802.1AE is the IEEE MAC Security standard (MACsec) that provides link layer security. Key management and the establishment of secure associations is specified by 802.1X-2010 Transport level encryption: when implemented within OTN frame is payload agnostic. Main advantages of L1 encryption include Directly integrated into the NE Low latency Wire speed data throughput 5

IPsec (Layer 3) Encryption IPsec enables the encryption of individual packets that make up traffic flows in the IP domain. Authentication headers are added on a per packet basis and are used to validate access to the encrypted data IPsec offers a true standards-based end-to-end encryption solution that is agnostic to the underlying physical network equipment in place routers, optical transport equipment, etc. IPsec has several potential limitations IPsec by definition does not support non-ip traffic flows, including datacenter storage protocols such as Fiber-Channel and Infiniband There is also a performance vs. cost and power trade off related to incremental processing (CPU) and associated memory resources The additional overhead necessary to secure each packet results in packet size expansion which in turn results in increases in network latency and wasted bandwidth on optical fiber networks

MACsec (L2) Encryption MACsec security architecture comprises two components: A control plane that provides an authenticated key agreement protocol as defined in 802.1X A data plane for secure transport of payloads (802.1AE compliant) in order to protect the upper protocol data Hop-by-hop security architecture (this puts some constraints on its applicability) Excludes native support for non-ethernet client types Connectionless data integrity Data origin authenticity Confidentiality

OTN Terminology If it is a signal being transmitted between two points on a wavelength, it s an OTU If it s the payload within the OTU that s being switched, multiplexed, or otherwise moved around, it s an ODU You will probably never hear the term OPU 8

OTN (L1) encryption OTN encryption refers to encrypting the OPUk payload OTN encryption does not change the ODUk frame format Optimized network efficiency & latency OTN encryption offers 100% throughput regardless of the underlying client type or frame-size of packet-based traffic Multi-service capability Maximum network deployment flexibility and scalability

Throughput versus Encryption Methods OTN encryption offers 100% throughput regardless of the underlying client type or framesize of packet-based traffic L2/L3 solutions on the other hand increase latency considerably which has negative impact on user experience IPsec (L3) encryption offers a granular, per device or per user policy. Enterprises can leverage more traditional Layer 3 IPsec encryption utilizing high-speed switching technology and fast pipes MACsec (L2) encryption is a high-performance security option that offers some advantages over Layer 3 in some scenarios, particularly in network environments that require low-latency, high-volume data transmission of voice, video and other latency sensitive traffic OTN (L1) encryption offers 100% throughput regardless of the underlying client type or frame-size of packet-based traffic.

Line side OTN encryption IPsec (L3) encryption offers a granular, per device or per user policy. Enterprises can leverage more traditional Layer 3 IPsec encryption utilizing high-speed switching technology and fast pipes MACsec (L2) encryption is a high-performance security option that offers some advantages over Layer 3 in some scenarios, particularly in network environments that require low-latency, highvolume data transmission of voice, video and other latency sensitive traffic OTN (L1) encryption offers 100% throughput regardless of the underlying client type or frame-size of packet-based traffic.

Line-side versus Client-side (service) OTN encryption OTN Trunk encryption encryption at the wavelength level, such as 10G, 100G or 200G wavelengths Typically deployed in point-to-point WDM network configurations and single end-customer deployment scenarios Example: leased wavelength encrypted transport service or an encrypted Datacenter Interconnect (DCI) service SUB-Wave OTN encryption encrypting lower-rate clients prior to multiplexing into higher-rate unencrypted wavelengths traffic flows are encapsulated into encrypted OTN containers and traverse the network independently, addressing the requirement for end-to-end security of individual data traffic sources individual sub-wavelength traverse the networks independently, without the need to decrypt higherrate wavelengths and therefore compromise the security of sub-wavelength traffic

MRV Encryption enabled transport OD-TXP-QC2D OptiDriver 100G transponder 100GE & OTU-4 transponder Access: QSFDP28 Line: CFP2 OD-3MXP200-QC2D Triple 200G muxponder 3 200G muxponders on a single module Access: QSFP28 Line: CFP2 Encryption features OD-1MXP200-QC2D 200G muxponder - 2x100G over 200G Single height/dual wide module Line: CFP2 Digital Optical Line Interface Access: 2 x 100G QSFP28 Encryption latency Block Cipher mode supported Authentication mode Encryption facilities Payload Encryption supported Key Exchange Facilitation Key Life Time AES256 @ 180ns Counter mode (CTR), Galois/Counter mode (GCM) Galois (GMAC) Sub-wave Encryption / Trunk Encryption OPUflex/0/1/2/3/4 Support for Current and Next key per engine User configurable (by # of frames)

NASDAQ: MRVC Thank you www.mrv.com benelux@mrv.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback