Layer 1 Encryption in WDM Transport Systems
Dr. Henning Hinderthür, PLM

Security in Telco

"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."
Edward Snowden, Guardian interview, Moscow, July 2014
Data Center Environment & Security

The layers that are usually secured in a data center (applications and hosts shown in the diagram):
- Physical access to the data center
- Hardware security
- Software security
- ... and what about the fiber connection?
Fiber Optic Networks: Tapping Possibilities

Where to get access?
- Street cabinets
- Splice boxes / cassettes (outdoor or in-house)

How to get access?
- Y-bridge, nominally installed for service activities
- Fiber coupling device
- Protocol analyzer on the tapped signal

There are multiple ways to access fiber.
Encryption: What Is Key?
- Highest level of security
- Speed: low latency
- 100% throughput
- No jitter
- Role-based management (multi-tenant management for carriers)
- Encryption on the lowest possible layer
Encryption Basics: Key Lengths

Order of magnitude                          Approx. power of two
Grains of sand in 1 m³ of beach sand        2^40
Atoms in a human body                       2^92
Atoms in the earth                          2^165
Atoms in the sun                            2^189
Atoms in the Milky Way                      2^226
Atoms in the universe                       2^259
AES-256 key space                           2^256
High Speed Encryption Modes

Layer 1 (WDM transport) encryption:
- Point-to-point
- Protocol and interface agnostic (Ethernet, FC, IB, SONET/SDH)
- Integrated solution with the lowest latency
- Bulk mode: 0 bytes of added overhead

Higher-layer alternatives, where the overhead creates latency and throughput issues:
- MACsec: hop-by-hop only, Ethernet only, +32 bytes per frame
- Cisco TrustSec: hop-by-hop only, Ethernet only, +40 bytes per frame
- IP VPN services / Cisco Nexus Overlay Transport Virtualization (OTV): +82 bytes per frame (huge overhead)

Throughput: Encryption Performance
(chart: comparison of maximum throughput against frame size in bytes for the modes above)
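The throughput penalty behind the overhead table and the chart above, as an added Python example (it is not part of the ADVA deck). It models a 10GbE link using the deck's per-frame overhead figures (0 / 32 / 40 / 82 bytes) and computes the client-visible throughput relative to an unencrypted link for a range of frame sizes, which is what the chart plots. The wire model is plain Ethernet (8-byte preamble/SFD, 12-byte inter-frame gap); ignoring MTU limits and per-hop processing is the example's own simplification.

```python
"""Client-visible throughput of a 10GbE link under per-frame encryption overhead.

Added example, not the deck's own code. Overhead bytes per mode are the deck's.
Assumption: plain Ethernet wire model (preamble/SFD + IFG), no MTU limit,
no per-hop processing delay.
"""

LINE_RATE_BPS = 10_000_000_000
PREAMBLE_SFD = 8   # bytes
IFG = 12           # inter-frame gap, in byte times

# Bytes added to every frame by each encryption mode (figures from the deck).
OVERHEAD = {
    "Layer 1 bulk (AES on the OTU payload)": 0,
    "MACsec": 32,
    "Cisco TrustSec": 40,
    "Cisco OTV / IP VPN": 82,
}


def frames_per_second(frame_bytes: int, overhead: int, rate_bps: int = LINE_RATE_BPS) -> float:
    """Maximum frames per second when every frame grows by `overhead` bytes."""
    on_wire_bytes = PREAMBLE_SFD + frame_bytes + overhead + IFG
    return rate_bps / (on_wire_bytes * 8)


def client_throughput_bps(frame_bytes: int, overhead: int, rate_bps: int = LINE_RATE_BPS) -> float:
    """Bits of original client frames delivered per second."""
    return frames_per_second(frame_bytes, overhead, rate_bps) * frame_bytes * 8


def relative_throughput(frame_bytes: int, overhead: int) -> float:
    """Client throughput relative to the unencrypted link (1.0 = no loss)."""
    return client_throughput_bps(frame_bytes, overhead) / client_throughput_bps(frame_bytes, 0)


def min_frame_for_efficiency(overhead: int, target: float) -> float:
    """Smallest frame size (bytes) at which a mode still reaches `target` relative throughput.

    Solves (F + gap) / (F + overhead + gap) >= target for F, gap = preamble + IFG.
    """
    if overhead == 0:
        return 0.0
    gap = PREAMBLE_SFD + IFG
    return (target * (overhead + gap) - gap) / (1.0 - target)


def comparison_table(frame_sizes=(64, 128, 256, 512, 1024, 1518, 9000)) -> dict:
    """Relative throughput per mode and frame size, the data behind the deck's chart."""
    return {
        name: {size: round(relative_throughput(size, ovh), 3) for size in frame_sizes}
        for name, ovh in OVERHEAD.items()
    }


if __name__ == "__main__":
    sizes = (64, 128, 256, 512, 1024, 1518, 9000)
    print("mode".ljust(40) + "".join(f"{s:>7}" for s in sizes))
    for name, row in comparison_table(sizes).items():
        print(name.ljust(40) + "".join(f"{row[s]:>7.3f}" for s in sizes))
    print(f"\nMACsec needs frames >= {min_frame_for_efficiency(32, 0.95):.0f} B for 95% throughput")
```

At 64-byte frames MACsec delivers about 72% and OTV about 51% of the unencrypted throughput, while the Layer 1 bulk mode stays at 100% for every frame size; MACsec only climbs back above 95% once frames are at least 588 bytes. Small-frame traffic is therefore where the higher-layer overhead hurts most.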
Encryption Using G.709 / OTH

Link protocol: the 5TCE link protocol supports OTU-2, OTU-2e and OTU-2f.

Optical channel (OCh) frame structure (4 rows):
  columns 1-14:       OTU/ODU overhead (the key exchange is carried in the overhead)
  columns 15-16:      OPU overhead
  columns 17-3824:    OPU payload, encrypted
  columns 3825-4080:  FEC area

- Automatic key exchange using Diffie-Hellman (DH)
- AES-256 encrypted OPU2 payload
FSP 3000 Encryption Highlights: Protection Building Blocks
- Authentication via an initial authentication key, protecting the key exchange against man-in-the-middle attacks
- AES-256 encryption for maximum data security
- Diffie-Hellman (DH) key exchange for secure generation of the encryption key
- New encryption key every 1 min / 10 min for additional security; key lifetime configurable
- Lowest latency (100 ns) while providing 100% throughput
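The building blocks above (initial authentication key, Diffie-Hellman exchange, 256-bit session key, periodic rekey with a configurable lifetime) as one message flow, added here as a Python example; it is not ADVA's code and does not claim to be the FSP 3000's protocol. It assumes a pre-shared authentication key provisioned out of band at both sites, and makes two stdlib-only substitutions: the DH group is a deliberately small demo group (a real deployment would use a standard 2048-bit group), and the AES-256 payload cipher is stood in by HMAC-SHA256 in counter mode because the Python standard library has no AES. Names such as Endpoint, offer/accept, siteA/siteB and the epoch numbers are the example's own.

```python
import hashlib
import hmac
import secrets

# Demo Diffie-Hellman group: 2**127 - 1 is prime but far too small for real use;
# a deployment would use a standard 2048-bit group (e.g. RFC 3526 group 14).
DH_P = (1 << 127) - 1
DH_G = 5
KEY_LEN = 32   # 256-bit session key, as for AES-256
PUB_LEN = 16   # bytes needed to encode a 127-bit public value


def derive_key(shared: int, epoch: int, pub_a: int, pub_b: int) -> bytes:
    """HKDF-SHA256 (RFC 5869, one expand block): salt = key epoch, info = both publics."""
    ikm = shared.to_bytes(PUB_LEN, "big")
    lo, hi = sorted((pub_a, pub_b))          # order-independent so both ends agree
    info = b"l1-session-key" + lo.to_bytes(PUB_LEN, "big") + hi.to_bytes(PUB_LEN, "big")
    prk = hmac.new(epoch.to_bytes(8, "big"), ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:KEY_LEN]


def keystream_xor(key: bytes, epoch: int, frame_no: int, data: bytes) -> bytes:
    """Stand-in for AES-256: HMAC-SHA256 in counter mode (symmetric, so it also decrypts).

    The counter binds key epoch and frame number, so no keystream block repeats
    within one key lifetime.
    """
    stream = b"".join(
        hmac.new(key, epoch.to_bytes(8, "big") + frame_no.to_bytes(8, "big") + i.to_bytes(8, "big"),
                 hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class Endpoint:
    """One end of the encrypted link."""

    def __init__(self, name: str, auth_key: bytes, key_lifetime_s: float):
        self.name = name
        self.auth_key = auth_key              # pre-shared initial authentication key
        self.key_lifetime_s = key_lifetime_s  # configurable: 60 s or 600 s in the deck
        self.epoch, self.session_key, self.key_installed_at = 0, None, None
        self._priv = self._pub = None

    def _tag(self, sender: str, epoch: int, pub: int) -> bytes:
        msg = sender.encode() + epoch.to_bytes(8, "big") + pub.to_bytes(PUB_LEN, "big")
        return hmac.new(self.auth_key, msg, hashlib.sha256).digest()

    def offer(self, epoch: int) -> tuple:
        """Fresh ephemeral DH value for this epoch, MACed with the auth key."""
        self._priv = secrets.randbelow(DH_P - 3) + 2
        self._pub = pow(DH_G, self._priv, DH_P)
        return self.name, epoch, self._pub, self._tag(self.name, epoch, self._pub)

    def accept(self, offer: tuple, now: float) -> None:
        """Verify the peer's MAC first, then install the new 256-bit session key.

        Without the auth key an attacker cannot produce a valid tag for a
        substituted DH value, which is what defeats the classic DH man in the middle.
        """
        sender, epoch, peer_pub, tag = offer
        if not hmac.compare_digest(tag, self._tag(sender, epoch, peer_pub)):
            raise ValueError(f"{self.name}: DH value claimed by {sender} fails authentication")
        if not 1 < peer_pub < DH_P - 1:
            raise ValueError("DH public value out of range")
        shared = pow(peer_pub, self._priv, DH_P)
        self.session_key = derive_key(shared, epoch, self._pub, peer_pub)
        self.epoch, self.key_installed_at = epoch, now

    def rekey_due(self, now: float) -> bool:
        return self.key_installed_at is None or now - self.key_installed_at >= self.key_lifetime_s

    def encrypt(self, frame_no: int, payload: bytes) -> bytes:
        return keystream_xor(self.session_key, self.epoch, frame_no, payload)

    decrypt = encrypt


def exchange(a: Endpoint, b: Endpoint, epoch: int, now: float) -> None:
    """Both ends send an authenticated offer, then each accepts the other's."""
    offer_a, offer_b = a.offer(epoch), b.offer(epoch)
    a.accept(offer_b, now)
    b.accept(offer_a, now)


def run_demo() -> dict:
    auth_key = secrets.token_bytes(32)   # constructed: provisioned out of band at both sites
    site_a = Endpoint("siteA", auth_key, key_lifetime_s=60)
    site_b = Endpoint("siteB", auth_key, key_lifetime_s=60)

    exchange(site_a, site_b, epoch=1, now=0.0)
    key1, match1 = site_a.session_key, site_a.session_key == site_b.session_key
    payload = b"constructed OPU2 payload bytes " * 4
    ciphertext = site_a.encrypt(7, payload)
    recovered = site_b.decrypt(7, ciphertext)

    due_early, due_late = site_a.rekey_due(30.0), site_a.rekey_due(60.0)
    exchange(site_a, site_b, epoch=2, now=60.0)   # lifetime expired: rekey
    key2, match2 = site_a.session_key, site_a.session_key == site_b.session_key

    # MITM attempt: Mallory swaps in her own DH value but cannot forge site B's tag.
    mallory = Endpoint("mallory", secrets.token_bytes(32), key_lifetime_s=60)
    sender, epoch, _, real_tag = site_b.offer(3)
    evil_pub = mallory.offer(3)[2]
    site_a.offer(3)
    try:
        site_a.accept((sender, epoch, evil_pub, real_tag), now=120.0)
        mitm_detected = False
    except ValueError:
        mitm_detected = True

    return {"keys_match_epoch1": match1, "keys_match_epoch2": match2, "key_len": len(key1),
            "roundtrip": recovered == payload, "ciphertext_differs": ciphertext != payload,
            "rekeyed": key1 != key2, "due_early": due_early, "due_late": due_late,
            "mitm_detected": mitm_detected}
```

Call `run_demo()` to walk through one key lifetime: both sites derive the same 256-bit key, a frame encrypted at site A decrypts at site B, the key is replaced once the configured lifetime has elapsed (and the new key is unrelated to the old one), and an offer whose DH value was swapped by a third party is rejected before any key is installed. The MAC is checked before the public value is used so that an unauthenticated value never reaches the modular exponentiation.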
10G Muxponder with Encryption: 5TCE-PCN-10GU+AES10G
AES encryption universal enterprise mux-/transponder
- AES-256 encryption
- Dynamic key exchange every 10 minutes
- 5 x any multi-service clients
- Transparent / framed mode
- SDH network variant: 5TCE-PCN-8GU+AES10GS

Client side: 3 x SFP and 2 x SFP/SFP+; client services: 5 x GbE, 5 x 1G/2G FC, 3 x 4G FC, 8G/10G FC, 5G IB/10G IB, STM-16/64, 10GbE
Module functions: TDM, proprietary framing, OTN and Ethernet performance monitoring, GCC0
Network side: pluggable SFP+ (DWDM, CWDM or grey); ODU2 / OTU2 with GFEC, or STM-64 on the SDH variant
100G Metro Muxponder with Encryption: 10TCE-PCN-16GU+AES100G
AES encryption universal enterprise muxponder, 100G
- AES-256 encryption with a 2048-bit key exchange (the 2048 bits refer to the Diffie-Hellman exchange; the AES key itself is 256 bits)
- Dynamic key exchange every 1 minute
- Up to 10 x any multi-service: 10GE, FC8/10/16, 5G InfiniBand
- 40GE/100GE by means of 4 x / 10 x 10GbE via break-out cable (SR4, LR4 and SR10)

Client side: 10 x SFP+ (CWDM or grey); client services: 10 x 10GbE (WAN/LAN), 10 x 8G FC, 8 x 10G FC, 7 x 16G FC, 10 x STM-64/OC-192, 10 x 5G IB
Module functions: GMP mapping into ODUflex, ODU4, configurable EFEC, OTN performance monitoring
Network side: DWDM CFP, OTU4, 4 x 28G DWDM (96 channels in the C-band)
Layer 1 Encryption Solution Suite
(chart: client services mapped to the two encryption products, scale 1G to 100G)
- AES 10G encryption: GbE, FC 1G/2G/4G/8G/10G, STM-16/OC-48, STM-64/OC-192, 10GbE, IB 5G
- AES 100G encryption: 10GbE, STM-64/OC-192, FC 8G/10G/16G, IB 5G, 40GbE, 100GbE
Encryption Management & Operations
Data Center Networks: Encryption Management for Private Networks

Scenario 1: the user of encryption is also the operator of the equipment
- Customer LAN with the FSP element manager (FSP EM) or local craft terminal / CLI (LCT/CLI)
- DCN to the FSP Network Manager (FSP NM) server and FSP NM clients; third-party NEs in the path
- Crypto Manager runs on the FSP NM

Scenario 2: the encryption user does not own the network
- The carrier's FSP NM server and FSP NM clients manage the network over the DCN, which includes third-party NEs
- Customer A reaches a GUI server running the NM client apps over the web
- Crypto Manager runs on the GUI server, on the customer's side
Crypto Management: Management Levels Provided

Operational management
- Deals with all operational aspects (FCAPS)
- User access is handled on the NCU

Security management
- Control of all security-relevant activities
- Separated from operational management
- Access control is handled on the AES muxponder itself, not on the NCU
- Security-relevant activities are performed using the separate security credentials
- ROOT users have no access to security management
Encryption over OTN Networks
Encryption over OTN Networks: 1GbE & 10GbE Services
Site A LAN -- 5TCE-PCN+AES10G -- OTN network (carrier managed service) -- 5TCE-PCN+AES10G -- Site B LAN
- Client side: n x 1GbE or 10GbE
- Line side: STM-64c or OTU-2e into the carrier's OTN network
- Both ends managed by the FSP Network & Crypto Manager

Encryption over OTN Networks: 10GbE, 40GbE, 100GbE Services
Site A LAN -- 10TCE-PCN-16GU+AES100G -- OTN network (carrier managed service) -- 10TCE-PCN-16GU+AES100G -- Site B LAN
- Client side: multi-rate
- Line side: OTU-4 at 111.809 Gb/s (LR10R)
- GCC2 is used for key exchange and other functions; set up via the embedded communication channel (ECC, GCC0) or an external DCN connection
- Both ends managed by the FSP Network & Crypto Manager
Layer 1 Encryption in Operation
Where ADVA Encryption Is in Operation

1,600 x 10G encrypted links in operation. Share of ADVA Layer 1 encryption sales by vertical:
  Finance            ~62%   (50 customers, > 1,000 links)
  Government         ~10%   (13 customers, > 150 links)
  Healthcare         ~10%   (7 customers, > 150 links)
  Large industry     ~10%   (14 customers)
  Cloud SPs           ~4%   (9 customers)
  Other industry      ~4%   (large and other industry together ~16%, > 250 links)
  Utilities           ~2%   (3 customers, > 50 links)

Source cited on the slide: Department of Business Innovation & Skills, 2013 Information Security Breaches Survey, www.gov.uk/bis
Thank You
info@advaoptical.com

IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited. The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation. Copyright for the entire content of this presentation: ADVA Optical Networking.