
APPLICATION NOTE

mTera ODU Payload Encryption
Wire-speed Encryption with the Flexibility of Universal Switching of ODU Payloads

BENEFITS OF INFINERA mTera ODU PAYLOAD ENCRYPTION
■■ Maximize encryption performance with wire-speed AES-256-GCM encryption
■■ Minimize the risk of attack with secure key distribution over TLS, X.509 certificates and configurable key rotation
■■ Differentiate your services with the ability to add encryption to 100G, 10G and sub-rate leased line services with any supported client interface type
■■ Deploy encryption for individual client services, with operator-provided or customer-provided certificates, or as bulk encryption on line interfaces
■■ Transport encrypted traffic transparently over OTN switches and WDM line systems

According to the 2017 Cost of Cyber Crime Study conducted by the Ponemon Institute and jointly developed by Accenture, the average organization in the seven countries evaluated suffered 130 cyber security breaches, up 27 percent from the previous year, with the average cost of these breaches now at $11.7 million USD. And while cyber crime is still behind the majority of attacks, cyber espionage, cyber warfare and hacktivism are also on the rise. Alongside other security technologies, encryption is instrumental in helping to thwart these attacks, with over 50 percent of internet traffic now encrypted according to the same study.

REDUCE THE COST OF ENCRYPTION WHILE MINIMIZING LATENCY AND SCALING THROUGHPUT

While encryption can be performed at different layers, encryption of the Optical Data Unit (ODU) payload, the Optical Payload Unit (OPU), at Layer 1 provides significant advantages over Internet Protocol Security (IPsec) encryption at Layer 3 in terms of high throughput at relatively low cost, minimized latency and the ability to support non-IP traffic. With no overhead, ODU payload encryption also offers better network efficiency relative to IPsec, which significantly increases the size of the packet header. Compared to Media Access Control Security (MACsec) Ethernet encryption at Layer 2, Layer 1 encryption benefits from the ability to support non-Ethernet protocols and offers better network efficiency with zero overhead.
Recognizing the benefits of Layer 1 encryption, Infinera provides the option of wire-speed ODU payload encryption on the Infinera mTera Universal Transport Platform (UTP) with management of this function provided by the Infinera Transcend Chorus for Transport network management system.

                              IPsec           MACsec               ODU Payload
Encryption Layer              Layer 3 (IP)    Layer 2 (Ethernet)   Layer 1 (OTN)
High Throughput at Low Cost   x               ✓                    ✓
Low Latency                   x               ✓                    ✓
Protocol Overhead             High            Low                  Zero
Multi-protocol                x               x                    ✓

Table 1 – Encryption Comparisons: IPsec vs. MACsec vs. ODU Payload

COMBINE THE FLEXIBILITY OF UNIVERSAL SWITCHING WITH WIRE-SPEED ENCRYPTION

Wire-speed ODU payload encryption is provided as an option on the mTera UTP. This feature requires the encryption-capable variants of the 400G/500G OSM hybrid OTN/ modules. As the ODU overhead is not encrypted, the encrypted data can be transported transparently over Optical Transport Network (OTN) switches and wavelength-division multiplexing (WDM) line systems. Combining the mTera UTP’s universal switching of OTN, packet and SONET/SDH with wire-speed encryption, as shown in Figure 1, offers a more flexible and efficient solution relative to transponder/muxponder-based Layer 1 encryption solutions. Furthermore, high levels of service availability can be provided for encrypted services by leveraging the mTera UTP’s redundant common equipment and comprehensive set of network protection mechanisms.

[Figure 1: Universal Switching with ODU Payload Encryption. Diagram: OSM modules on either side of the universal fabrics providing CE Bridging, CE VLAN XC, MPLS-TP/H-VPLS, MPLS-TP/VPWS and OTN Switching, with optional ODU Payload Encryption on the OSM modules; SSM2S modules providing SONET (STS-1 Switching) and SDH (VC-4 Switching).]

DIFFERENTIATE AND GROW REVENUES WITH ENCRYPTED CLIENT SERVICES

The mTera UTP’s encryption capability enables individual client services at the port level or virtual port level to be encrypted from end to end, providing a way for network operators to differentiate their services and grow revenues by charging their customers for this valuable add-on option. This type of encryption service is ideal for scenarios where the mTera UTP is physically in the same secure facility as the customer’s equipment, such as a colocation center, carrier hotel or carrier-neutral provider data center. In these scenarios, the mTera UTP typically provides wholesale connectivity services to other carriers; cloud connect services connecting enterprise servers to cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud Platform; or data center interconnect services connecting an enterprise’s servers in different data centers. Client service encryption is supported with both operator-provided certificates and customer-provided certificates, as shown in Figure 2.

ADDRESS INTERNAL ENCRYPTION REQUIREMENTS WITH BULK ENCRYPTION

Bulk encryption, as shown in Figure 2, is also supported with encryption of the ODU2 payload for a 10G wavelength, the ODU4 payload for a 100G wavelength and the encryption of the two individual ODU4 payloads in a 200G wavelength. This provides the option to transport the encrypted ODU2 or ODU4 wavelengths from end to end. Another option is to bulk encrypt the line interfaces for transmission between switches hop by hop, with the switching of unencrypted lower-order ODUs at the intermediate nodes. Bulk encryption can provide a simplified and scalable option for securing internal traffic when traversing vulnerable environments, including outside plant and third-party networks.

[Figure 2: mTera UTP Encryption Options. Diagram with four panels, each carrying Services 1 to 5 end to end: Service Encryption with Operator Certificates (one encryption point per service); Service Encryption with Customer Certificates (one encryption point per service); End-to-End Bulk Encryption (one encryption point for all services); Hop-by-Hop Bulk Encryption (three encryption points, one per hop).]

MAXIMIZE SECURITY WITH WIRE-SPEED AES-256-GCM ENCRYPTION

The mTera UTP’s data plane encryption is symmetric, meaning both ends, the encrypting end and the decrypting end, use the same key. The alternative to symmetric encryption is asymmetric encryption, which uses one key, typically private, to encrypt and another key, typically public, to decrypt. While this avoids the need to distribute private keys and provides a way to authenticate when the public key comes in a certificate signed by a trusted certificate authority (CA), asymmetric encryption is much more computationally intensive and therefore slower, with higher latency and higher power consumption. The less computationally intensive symmetric encryption is a much better choice for real-time high-bandwidth encryption.

More specifically, the symmetric encryption the mTera UTP uses to encrypt the ODU payload is AES-256-GCM. This is the Advanced Encryption Standard (AES) with a 256-bit key and the Galois/Counter Mode (GCM) of operation. A 256-bit key, giving 2^256 (a 78-digit decimal number) possible keys, is difficult to circumvent and would require trying different combinations of bits to find the key. Unlike other modes of operation, GCM also provides integrity and non-repudiation without any additional overhead.

HELP AVOID ATTACKS WITH KEY DISTRIBUTION SECURED BY TLS AND X.509 CERTIFICATES

The downside of symmetric encryption is the need to distribute the shared key. Keeping this key secret is critical, and the mTera UTP enables secure key distribution as follows. The mTera UTP uses X.509 certificates signed by a trusted third-party CA, such as Comodo, Symantec, GoDaddy, GlobalSign or DigiCert. These signed certificates contain the public key for the receiving party along with a hash of the certificate encrypted with the private key of the CA, enabling each end of the encrypted connection to be authenticated and then authorized. These certificates can be provided either by the network operator or, for added security, by the end customer, and are uploaded to the appropriate mTera UTP by the network management system over the data communications network (DCN). If the network operator provides the certificates, one certificate is required per mTera UTP. In cases in which end customers provide their own certificates, one certificate would be provided per customer per mTera UTP, so an mTera UTP providing encrypted services for N customers would have N certificates.

[Figure 3: mTera UTP Encryption Overview. Diagram in three layers. X.509 Certificate Creation: a Certificate Authority (CA) issues certificates to the operator or customer, which are uploaded to each end via the NMS over the DCN. Key Distribution & Key Rotation (10 minutes - 24 hours): a TRNG at the Transmit/Encrypt End produces the random number, both ends authenticate with their X.509 certificates over TLS 1.2, and the Shared Key (AES-256) is carried over the GCC (or DCN) to the Receive/Decrypt End. Data Plane Encryption: Client ODU -> AES-256 Encryption -> Encrypted ODU -> AES-256 Decryption -> ODU -> Client.]

Assuming the two mTera UTPs have already been authenticated by the network management system and have the appropriate X.509 certificates, the first step to enable an encrypted connection is to establish a Transport Layer Security (TLS) session using Diffie-Hellman and the X.509 certificates to create a shared key for the TLS session’s symmetric encryption and to authenticate and authorize the two ends of the encryption. Elliptic curve Diffie-Hellman (ECDH), which requires a much smaller key to provide the same level of security as non-elliptic curve Diffie-Hellman, is used with a 384-bit key. With the TLS session in place, the shared key for the AES-256 data plane encryption is provided by a true random number generator (TRNG) in the transmit module. The random number is then transmitted over the secure TLS session, which runs over the OTN in-band management general communication channel (GCC) (or the DCN). The key is changed at regular intervals, configurable from 10 minutes to 24 hours in one-minute increments, with no impact to data plane traffic during the key changeovers. Changing the key regularly helps to prevent attacks from sources attempting to analyze encrypted data because each key change minimizes the amount of data available for analysis. This key change also provides forward secrecy – if the key is compromised it cannot be used to decrypt previously recorded transmissions. In addition, as different keys are used for each direction, if any key were compromised it would only result in the ability to decrypt a single direction.
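The AES-256-GCM data plane and the per-direction, periodically rotated keys described above, as an added illustration that is not Infinera's code: each direction (A->Z, Z->A) and each rotation epoch gets its own 256-bit key, the rotation timer is checked against the 10-minute to 24-hour, one-minute-step range, and a payload sealed under one key fails authentication under the other direction's key, under the next epoch's key, or after any change in transit. crypto/rand stands in for the transmit module's TRNG, and the frame-counter nonce is an assumption of this example, not a documented mTera detail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// ValidateRotationInterval enforces the note's timer range: 10 min..24 h in 1-minute steps.
func ValidateRotationInterval(d time.Duration) error {
	if d < 10*time.Minute || d > 24*time.Hour || d%time.Minute != 0 {
		return fmt.Errorf("interval %v is not 10 min..24 h in whole minutes", d)
	}
	return nil
}

// NewDirectionKey draws a fresh AES-256 key for one direction (A->Z or Z->A) and
// one rotation epoch; crypto/rand stands in for the transmit module's TRNG here.
func NewDirectionKey() (cipher.AEAD, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// frameNonce builds the 96-bit GCM nonce from an ODU frame counter so none repeats per key.
func frameNonce(frame uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], frame)
	return n
}

// SealPayload returns ciphertext||16-byte GCM tag for one ODU payload.
func SealPayload(k cipher.AEAD, frame uint64, payload []byte) []byte {
	return k.Seal(nil, frameNonce(frame), payload, nil)
}

// OpenPayload verifies the tag and decrypts; a ciphertext sealed under another key
// (other direction, or an earlier epoch) or altered in transit is rejected.
func OpenPayload(k cipher.AEAD, frame uint64, ct []byte) ([]byte, error) {
	return k.Open(nil, frameNonce(frame), ct, nil)
}
```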

DESIGNED TO MEET THE REQUIREMENTS OF FIPS 140-2 LEVEL 2

The Federal Information Processing Standards (FIPS) Publication 140-2 is a U.S. government standard used to approve cryptographic devices. Level 1 provides basic security, with at least one approved algorithm or function but no physical security mechanisms. Level 2 adds physical security by requiring features that show evidence of tampering, such as tamper-evident coatings or seals that must be broken to attain physical access to the device, and by requiring the device to be impenetrable by light within the visible spectrum. The mTera UTP’s ODU payload encryption solution has been designed to meet Level 2 requirements, and certification testing is planned.

SUMMARY

Combining the mTera UTP’s universal switching with ODU payload encryption based on AES-256-GCM and secure key distribution over TLS with X.509 certificates and configurable key rotation provides network operators with a flexible solution ideal for offering encrypted client services between secure colocation facilities or for protecting internal traffic with bulk encryption on the mTera UTP’s line interfaces.

TECHNICAL SPECIFICATIONS

Deployment Options
• End-to-end client services with operator-provided certificates
• End-to-end client services with customer-provided certificates
• End-to-end bulk encryption
• Hop-by-hop bulk encryption
• Management with Infinera Transcend Chorus for Transport

ODU Payload (Data Plane) Encryption
• AES-256-GCM (256-bit key, Galois/Counter Mode)
• Encryption of ODU4 Payload (OPU4) and ODU2 Payload (OPU2)

ODU Payload (Data Plane) Key Management
• TLS 1.2
• Elliptic curve Diffie-Hellman (ECDH) with 384-bit key
• X.509v3 certificates for authentication
• Operator-provided certificates (one per mTera UTP) or customer-provided certificates (one per customer per mTera UTP)
• SHA384 hashing for message integrity and non-repudiation
• Transmission of shared key over TLS 1.2, over GCC (or DCN)
• Separate keys for A->Z and Z->A directions
• Shared key generated by transmit module’s TRNG
• Configurable key rotation interval: 10 minutes to 24 hours in one-minute increments

Planned FIPS Certifications*
• FIPS 140-2 Level 2
• FIPS-certified encryption algorithm (AES-256-GCM)
*Subject to successful certification testing

© 2019 Infinera Corporation. All Rights Reserved. Infinera and logos that contain Infinera are trademarks or registered trademarks of Infinera Corporation in the United States and other countries. All other trademarks are the property of their respective owners. Statements herein may contain projections regarding future products, features, or technology and resulting commercial or technical benefits, which are subject to risk and may or may not occur. This publication is subject to change without notice and does not constitute legal obligation to deliver any material, code, or functionality and is not intended to modify or supplement any product specifications or warranties. 0008-AN-RevA-0419