Nordunet 24Sep14 HH

Date post: 18-Nov-2015
Layer 1 Encryption in WDM Transport Systems Dr. Henning Hinderthür, PLM
Transcript
  • Layer 1 Encryption in WDM Transport Systems

    Dr. Henning Hinderthür, PLM

  • 2014 ADVA Optical Networking. All rights reserved. Confidential. 2

    Security in Telco

    "What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default."

    Edward Snowden - Guardian Interview, Moscow July 2014

    http://www.theguardian.com/technology/internet

  • Data Center Environment & Security

  • Data Center Environment & Security: Physical Access to the Data Center

  • Data Center Environment & Security: Hardware Security

  • Data Center Environment & Security: Software Security

  • Data Center Environment & Security: ... and what about the Fiber Connection?

  • Fiber Optic Networks: Tapping Possibilities

    Y-Bridge for service activities

    Fiber Coupling device

    There are multiple ways to access fiber

    Street cabinet

    How to get access?

    Where to get access?

    Splice boxes / cassettes (Outdoor / Inhouse)

    Protocol Analyzer

  • Encryption: What is Key?

    Highest level of security

    Speed - Low Latency

    100% Throughput

    No Jitter

    Role Based Management (Multi Tenant Management for Carriers)

    Encryption on the lowest possible layer

  • Encryption Basics: Key Lengths Magnitude

    Number of grains in 1 m³ sand from the beach: 2^40

    Number of atoms in a human body: 2^92

    Number of atoms in the earth: 2^165

    Number of atoms in the sun: 2^189

    Number of atoms in the Milky Way: 2^226

    Number of atoms in the universe: 2^259

    AES 256

  • High Speed Encryption Modes

    Cisco Overlay Transport Virtualization (OTV) +82 Bytes

    MacSec +32 Bytes

    Cisco TrustSec +40 Bytes

    Bulk Mode (0 Bytes)

    Hop-by-Hop only

    Ethernet only

    Overhead creates latency and throughput issues

    Point-to-Point

    Protocol/ I/F agnostic (Ethernet, FC, IB, Sonet/SDH)

    Integrated Solution with lowest latency

    Huge overhead

    IP VPN Services

    Cisco Nexus

  • Encryption Performance: Comparison of Maximum Throughput

    [Figure: throughput versus frame size in bytes]

  • Encryption using G.709 / OTH Link Protocol

    [Figure: optical channel frame structure (OCh overhead, OCh payload, FEC data), rows 1 to 4 by columns 1 to 4080. Columns 1-14: OTU/ODU overhead; columns 15-16: OPU overhead; columns 17-3824: encrypted payload; columns 3825-4080: FEC area. Further labels: Encryption, Key Exchange.]

    5TCE link protocol

    Supports OTU-2, OTU-2e, OTU-2f

    AES 256 encrypted OPU2 payload

    Automatic key exchange using DH

  • FSP 3000 Encryption Highlights

    Protection Building Blocks

    Authentication via initial authentication key to protect from man-in-the-middle attacks

    AES256 encryption to offer maximum data security

    Diffie-Hellman (DH) key exchange for secure encryption key generation

    New encryption key every 1 min / 10 min for additional security

    Key lifetime configurable

    Lowest latency (100 ns) while providing 100% throughput

  • Universal Enterprise Mux-/Transponder

    10G Muxponder with Encryption 5TCE-PCN-10GU+AES10G

    AES256 encryption

    Dynamic key exchange every 10 minutes

    5x Any Multi-service clients

    Transparent / Framed mode

    SDH Network variant 5TCE-PCN-8GU+AES10GS

    [Block diagram labels: Client Module with 3x Client SFP and 2x Client SFP/SFP+ (CWDM, Grey); client signals 5x GbE, 5x 1G/2G FC, 3x 4G FC, 8G/10G FC, 5G IB/10G IB, STM-16/64, 10GbE; TDM; Prop. framing; OTN-, Eth-PM; GCC0; ODU2; AES Encryption; OTU2; GFEC; STM-64; Pluggable SFP+ Network Interface (DWDM, CWDM, Grey)]

  • Universal Enterprise Muxponder 100G

    100G Metro Muxponder with Encryption 10TCE-PCN-16GU+AES100G

    AES256 encryption with 2048-bit key

    Dynamic key exchange every 1 minute

    Up to 10 x any multi-service

    10GE, FC8/10/16, 5G Infiniband

    40GE/100GE by means of 4x/10x 10GbE via break out cable (SR4, LR4 and SR10)

    [Block diagram labels: Client Module with 10x Client SFP+ (CWDM, Grey); client signals 10x 10GbE (WAN/LAN), 10x 8G FC, 8x 10G FC, 7x 16G FC, 10x STM-64/OC-192, 10x 5G IB; GMP; ODUFlex; ODU4; AES Encryption; OTU4; config. EFEC; OTN PM; Network DWDM CFP, 4x 28G DWDM (96ch C-band)]

  • Layer 1 Encryption Solution Suite

    [Figure: client services covered by AES 10G Encryption and AES 100G Encryption, on a data-rate axis from 1G to 100G: GbE, FC 1G, FC 2G, STM-16/OC-48, FC 4G, IB 5G, FC 8G, STM-64/OC-192, 10GbE, FC 10G, FC 16G, 40GbE, 100GbE]

  • Encryption Management & Operations

  • Data Center Networks: Encryption Management for Private Networks

    Scenario 1 - User of encryption is the operator of equipment

    Crypto Manager running on FSP NM

    [Diagram labels: 3rd Party NE (x3), FSP NM Server, FSP EM or LCT/CLI, FSP NM Clients, LAN, DCN]

  • Data Center Networks: Encryption Management for Private Networks

    Scenario 2 - Encryption user does not own the network

    Crypto Manager running on GUI Server

    [Diagram labels: 3rd Party NE (x3), FSP NM Server, FSP NM Clients, LAN, DCN, GUI Server running NM client apps, Customer A, WWW]

  • Crypto Management: Management Levels Provided

    Operational management

        Deals with all operational aspects (FCAPS)

        User access is handled on the NCU

    Security management

        Control of all security-relevant activities

        Separated from operational management

        Access control handling on the AES Muxponder, not on the NCU

        Security-relevant activities are performed using the security-relevant credentials

        ROOT users have no access to security management

  • Encryption over OTN Networks

  • Encryption over OTN Networks: 1GbE & 10GbE Services

    [Diagram labels: Site A LAN and Site B LAN, each with n*1GbE, 10GbE clients on a 5TCE-PCN+AES10G; STM-64c / OTU-2e links; OTN Network Carrier Managed Service; FSP Network & Crypto Manager]

  • Encryption over OTN Networks: 10GbE, 40GbE, 100GbE Services

    GCC2 used for key exchange & other functions

    Setup via ECC (GCC0) or an external DCN connection

    [Diagram labels: Site A LAN and Site B LAN, each with Multi rate clients on a 10TCE-PCN-16GU+AES100G; LR10R OTU-4 111,809 Gb/s links; OTN Network Carrier Managed Service; FSP Network & Crypto Manager]

  • Layer 1 Encryption In Operation

  • Where ADVA-Encryption is in Operation

    Department of Business Innovation & Skills: 2013 Information Security Breaches Survey www.gov.uk/bis

    ADVA sells ~10% of layer 1 encryption into Government

    > 150 links

    ADVA sells ~62% of layer 1 encryption into Finance

    > 1.000 links

    ADVA sells ~10% of layer 1 encryption into HealthCare

    > 150 links

    ADVA sells ~16% of layer 1 encryption into Other large industry

    > 250 links

    1.600 x 10G encrypted links in operation

    62% Finance (50 customers) 10% Government (13 customers) 10% Healthcare (7 customers) 10% Large Industry (14 customers) 4% Cloud SPs (9 customers) 4% other industry 2% Utilities (3 customers)

    ADVA sells ~2% of layer 1 encryption into Utilities

    > 50 links

  • Thank You

    IMPORTANT NOTICE The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

    The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

    Copyright for the entire content of this presentation: ADVA Optical Networking.
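
The "Protection Building Blocks" slide lists authentication via an initial authentication key, a Diffie-Hellman exchange, and a new encryption key per configured lifetime. The sketch below is an added example, not ADVA's protocol or code from the presentation, showing how those three pieces fit together generically. Assumptions: HMAC-SHA-256 tags over the DH public values, a toy 255-bit group, SHA-256 key derivation, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy group, for illustration only (assumption): 2**255 - 19 is prime, but a
# real link would use a standardized group of at least 2048 bits.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Fresh ephemeral DH key pair, generated anew for every rekey."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def tag(auth_key, role, pub):
    """MAC a DH public value with the pre-provisioned authentication key."""
    return hmac.new(auth_key, role + pub.to_bytes(32, "big"), hashlib.sha256).digest()


def session_key(auth_key, priv, peer_role, peer_pub, peer_tag, epoch):
    """Check the peer's tag, then derive a 256-bit key for this rekey epoch."""
    if not hmac.compare_digest(tag(auth_key, peer_role, peer_pub), peer_tag):
        raise ValueError("peer public value failed authentication")
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, priv, P).to_bytes(32, "big")
    return hashlib.sha256(b"rekey" + epoch.to_bytes(8, "big") + shared).digest()


def run_exchange(key_a, key_b, epoch, substituted=False):
    """Simulate one rekey between ends A and B; returns both derived keys."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_tag, b_tag = tag(key_a, b"A", a_pub), tag(key_b, b"B", b_pub)
    if substituted:  # value swapped in transit by a party without the auth key
        b_pub = dh_keypair()[1]
    k_a = session_key(key_a, a_priv, b"B", b_pub, b_tag, epoch)
    k_b = session_key(key_b, b_priv, b"A", a_pub, a_tag, epoch)
    return k_a, k_b


if __name__ == "__main__":
    auth = secrets.token_bytes(32)  # constructed sample authentication key
    for epoch in (1, 2):            # one epoch per configured key lifetime
        k_a, k_b = run_exchange(auth, auth, epoch)
        print(epoch, k_a == k_b, k_a.hex()[:16])
```

Without the tag check, either end would accept any public value placed on the link, which is the man-in-the-middle case the slide's authentication key addresses.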


