Layer 1 Encryption in WDM Transport Systems

Dr. Henning Hinderthür, PLM

© 2014 ADVA Optical Networking. All rights reserved. Confidential.2

Security in Telco

"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default“

Edward Snowden - Guardian Interview, Moscow July 2014

© 2014 ADVA Optical Networking. All rights reserved. Confidential.3

Data Center Environment & Security

APPS APPS

© 2014 ADVA Optical Networking. All rights reserved. Confidential.4

Data Center Environment & SecurityPhysical Access to the Data Center

APPS APPS

© 2014 ADVA Optical Networking. All rights reserved. Confidential.5

Data Center Environment & SecurityHardware Security

APPS APPS

© 2014 ADVA Optical Networking. All rights reserved. Confidential.6

Data Center Environment & SecuritySoftware Security

APPS APPS

© 2014 ADVA Optical Networking. All rights reserved. Confidential.7

Data Center Environment & Security…and What About the Fiber Connection?

APPS APPS

© 2014 ADVA Optical Networking. All rights reserved. Confidential.8

Fiber Optic NetworksTapping Possibilities

Y-Bridge for service activities

Fiber Coupling device

Street cabinet

How to get access?

Whereto get access?

Splice boxes / cassettes (Outdoor / Inhouse)

There are multiple ways to access fiber

Protocol Analyzer

© 2014 ADVA Optical Networking. All rights reserved. Confidential.9

EncryptionWhat is Key?

• Highest level of security

• Speed - Low Latency

• 100% Throughput

• No Jitter

• Role Based Management (Multi Tenant Management for Carriers)

Encryption on the lowest possible layer

© 2014 ADVA Optical Networking. All rights reserved. Confidential.10

Encryption BasicsKey Lengths – Magnitude

Number of grains in 1 m3 sand from the beach 240

Number of atoms in a human body 292

Number of atoms in the earth 2165

Number of atoms in the sun 2189

Number of atoms in the Milky Way 2226

Number of atoms in the universe 2259

AES256

© 2014 ADVA Optical Networking. All rights reserved. Confidential.11

High Speed Encryption Modes

Cisco Overlay Transport Virtualization (OTV) +82 Bytes

MacSec +32 Bytes

Cisco TrustSec +40 Bytes

Bulk Mode (0 Bytes)

• Hop-by-Hop only

• Ethernet only

• Overhead creates latency and throughput issues

• Point-to-Point

• Protocol/ I/F agnostic (Ethernet, FC, IB, Sonet/SDH)

• Integrated Solution with lowest latency

• Huge overhead

• IP VPN Services

• Cisco Nexus

© 2014 ADVA Optical Networking. All rights reserved. Confidential.12

Encryption PerformanceComparison of Maximum Throughput

Framesize / Bytes

Thro

ughp

ut

© 2014 ADVA Optical Networking. All rights reserved. Confidential.13

Encryption Using G.709 / OTH Link Protocol

1 …….…. 14 15 ….… 16 17 ………………………………. 3824 3825 .… 4080

1

2

3

4

Column number

OTU/ ODUoverheadR

OW OPU

overheadEncryption

FECareaEncrypted Payload

OCH Overhead Och payload FEC data

Optical channel frame structure

5TCE link protocol

• Supports • OTU-2• OTU-2e • OTU-2f

AES 256 encryptedOPU2 payload

Automatickey exchangeusing DH

Key Exchange

© 2014 ADVA Optical Networking. All rights reserved. Confidential.14

FSP 3000 Encryption Highlights

Protection Building Blocks

• Authentication via initial authentication key to protect from “man in the middle” attacks

• AES256 encryption to offer maximum data security

• Diffie Hellman (DH) key exchange for secure encryption key generation

• New encryption key every 1min/10mins for additional security

• Key lifetime configurable

• Lowest latency (100ns) while providing 100% throughput

© 2014 ADVA Optical Networking. All rights reserved. Confidential.15

• Universal Enterprise Mux-/Transponder

• AES256 encryption

• Dynamic key exchange every 10 minutes

• 5x Any Multi-service clients

• Transparent / Framed mode

• SDH Network variant 5TCE-PCN-8GU+AES10GS

10G Muxponder with Encryption5TCE-PCN-10GU+AES10G

Network Interface

3x Client SFP

2x Client SFP/SFP+

Module

DWDM CWDMGrey

SFPSFPSFP

SFP (+)SFP (+)

TD

M

Prop. framingOTN-, Eth-PM

GCC0

5x GbE5x 1G/2G FC3 x 4G FC8G/10G FC5G IB/10G IBSTM-16/6410GbE

Client Module

ODU2 Pluggable SFP+

Network

OTU2

GFEC

STM-64

AES

Encr

yp

tion

CWDMGrey

Prop. framing

© 2014 ADVA Optical Networking. All rights reserved. Confidential.16

• Universal Enterprise Muxponder 100G

• AES256 encryption with 2048bit key

• Dynamic key exchange every 1 minute

• Up to 10 x any multi-service

• 10GE, FC8/10/16, 5G Infiniband

• 40GE/100GE by means of 4x/10x 10GbE via break out cable (SR4, LR4 and SR10)

100G Metro Muxponder with Encryption10TCE-PCN-16GU+AES100G

NetworkDWDM CFP

10x Client SFP+

Module

GM

PO

DU

Fle

x

Client Module

ODU4 DWDMCFP

Network

OTU4

config. EFECOTN PM

AES

Encr

yp

tion

CWDMGrey

SFP+SFP+SFP+SFP+SFP+SFP+SFP+SFP+SFP+SFP+

10x 10GbE (WAN/LAN)10x 8G FC8x 10G FC7x 16G FC10x STM-64/OC-19210x 5G IB

4x 28GDWDM (96ch C-band)

© 2014 ADVA Optical Networking. All rights reserved. Confidential.17

Layer 1 Encryption Solution Suite

AES 10G Encryption

AES 100G Encryption

40GbE

100GbE

FC 16G

FC 10G

10GbE

STM-64/OC-192

FC 8G

IB 5G

FC 4G

STM-16/OC-48

FC 2G

FC 1G

GbE

1G

– 5

G5

G –

15

G4

0G

10

0G

© 2014 ADVA Optical Networking. All rights reserved. Confidential.18

Encryption Management & Operations

© 2014 ADVA Optical Networking. All rights reserved. Confidential.19

Data Center NetworksEncryption Management for Private Networks

3rd

PartyNE

3rd

PartyNE

3rd

PartyNE

FSP NMServer

FSP EMor

LCT/CLI

FSP NMClients

LAN

Scenario 1 - User of encryption is the operator of equipment

DCN

Crypto Managerrunning on FSP NM

© 2014 ADVA Optical Networking. All rights reserved. Confidential.20

Data Center NetworksEncryption Management for Private Networks

3rd

PartyNE

3rd

PartyNE

3rd

PartyNE

Scenario 2 - Encryption user does not own the network

FSP NMServer

FSP NMClients

LAN

DCNGUI Serverrunning NM client apps

Customer A

WWW.

Crypto Managerrunning on GUI Server

© 2014 ADVA Optical Networking. All rights reserved. Confidential.21

Crypto ManagementManagement Levels Provided

• Operational management• Deals with all operational aspects (FCAPS)• User access is handled on the NCU

• Security management• Control of all security relevant activities• Separated from operational management• Access control handling on the AES Muxponder not on the NCU• Security relevant activities are performed using the security

relevant credentials• ROOT users have no access to security management

© 2014 ADVA Optical Networking. All rights reserved. Confidential.22

Encryption over OTN Networks

© 2014 ADVA Optical Networking. All rights reserved. Confidential.23

5TCE-PCN+AES10G5TCE-PCN+AES10G

Site B

LAN

Site A

LAN

n*1GbE,10GbE

STM-64c OTU-2e

STM-64c OTU-2e

OTN NetworkCarrier Managed Service

Encryption over OTN Networks 1GbE & 10GbE Services

n*1GbE,10GbE

FSP Network &Crypto Manager

© 2014 ADVA Optical Networking. All rights reserved. Confidential.24

10TCE-PCN-16GU+AES100G10TCE-PCN-16GU+AES100G

Site B

LAN

Site A

LAN

Multi rate Multi rate

GCC2 used for key exchange & other functionsSetup via  ECC (GCC0) or an external DCN connection

Encryption over OTN Networks 10GbE, 40GbE, 100GbE Services

LR10R OTU-4 111,809 Gb/s

LR10R OTU-4 111,809 Gb/s

FSP Network &Crypto Manager

OTN NetworkCarrier Managed Service

© 2014 ADVA Optical Networking. All rights reserved. Confidential.25

Layer 1 Encryption in Operation

© 2014 ADVA Optical Networking. All rights reserved. Confidential.26

Where ADVA-Encryption is in Operation

Department of Business Innovation & Skills: 2013 Information Security Breaches Survey www.gov.uk/bis

ADVA sells ~10% of layer 1 encryption into Government> 150 links

ADVA sells ~62% of layer 1 encryption into Finance> 1.000 links

ADVA sells ~10% of layer 1 encryption into HealthCare> 150 links ADVA sells ~16% of layer 1

encryption into Other large industry> 250 links

1.600 x 10G encrypted links in operation

• 62% Finance (50 customers)• 10% Government (13 customers)• 10% Healthcare (7 customers)• 10% Large Industry (14 customers) • 4% Cloud SPs (9 customers) • 4% other industry • 2% Utilities (3 customers)

ADVA sells ~2% of layer 1 encryption into Utilities> 50 links

hhinderthuer@advaoptical.com

Thank You

IMPORTANT NOTICE

The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.