Security Strategies

Optical Encryption's Value Shouldn't Be a Secret

Someone once said networking is not just speeds and feeds: OK, a lot of people have said that. This phrase has been deployed in many different contexts, but it is often meant to convey that great value -- perhaps difference-making value -- can be found among the details, the product features that at first glance don't always influence buying decisions. Maybe they should.

Heading into 2016, the optical transport sector will be talking a lot about some of the following topics: evolution beyond 100G, metro aggregation schemes, data center interconnection and programmability. But encryption, specifically the capability of a given platform to support encryption of traffic at optical Layer 1, is another topic that should receive increasing attention.

Even as network security in general has become a hot topic in the past few years, we haven't heard so much about encryption in optical networks, although it is one of the most useful tools in the security toolbox. (Recent terrorist attacks have shed a controversial light on encryption technology in general, and elevated its profile, but more about that in a moment.)

Encryption is a well-established technology at upper layers of the OSI model (IPsec at Layer 3, for example). However, to date, it has not been commonly used at Layer 1, specifically in transport networks. But, as I found when researching the new Heavy Reading report, "The Lower the Better: Encrypting the Optical Layer," there is a growing market need for it, and clear practical benefits that can be realized by encrypting traffic at Layer 1. Yet the market has barely begun to take advantage of these benefits.

This should change dramatically in 2016, thanks to the early work done by a very short list of vendors that, amid all the talk of speeds and feeds, have aggressively marketed the encryption capabilities in their transport platforms. They have also done much of the heavy lifting in educating the market about the benefits, with most of that work coming in the past 18 months. For other vendors, Layer 1 encryption support remains a work in progress, one that many of them are not quite ready to discuss (a few vendors I sought input from for the report declined to participate). But in the coming year that should also change, as the short list of suppliers now supporting Layer 1 encryption grows quickly into a much longer one.

Getting back to the controversy: If there is anything that could prove to be a drag on this burgeoning market, it's the possibility that after recent terror attacks the industry is forced to seriously consider the reactionary call for encryption back doors -- capabilities that would allow governments or others to access otherwise encrypted communications. Regardless of how you feel about that, a lingering debate about it could confuse the market.

— Dan O'Shea, Analyst, Heavy Reading

Duh! 12/23/2015 | 10:50:56 AM
Re: What problem does it solve? My working assumption on NSA (and certain foreign counterparts) has always been that if they think they need it badly enough, they're going to get it.  The only thing in question is how hard they have to work for it. Whether they try to get it, and what they use it for, is a question in the legal and political domain, not the technology domain.

The problem with hop-by-hop encryption is that it only protects secrets across one link. Even if every link along the path is encrypted, the plaintext is vulnerable inside the switches and routers -- which are more easily attacked than fiber optic cable.

If you want to keep a secret, encrypt it end-to-end; hop-by-hop encryption is mostly redundant. If you don't do that, you obviously don't care very much about it staying secret; hop-by-hop encryption solves a non-problem.

lanbrown 12/23/2015 | 1:28:23 AM
Re: What problem does it solve? It is not like you are going to go down to the electronics and get a 100G NIC to capture traffic with...at least not yet.

It has been reported that the NSA has been tapping some connections. Adding in encryption makes those taps rather useless. This wouldn't prevent the NSA from getting the data from the carrier. Some carriers want encryption, others don't.

The likes of Google, Microsoft, Amazon, etc. had to encrypt their data after it was discovered that the NSA was snooping on some backbone traffic. So while some carriers won't look at encryption, some companies want it. Having it on the equipment prevents having to use external equipment to provide the encryption.

Take free cloud storage. Don't you think that they do deduplication? So when it is stored on disk, it could be unencrypted. If it gets replicated, it too could be unencrypted. This is just one example.

Sterling Perrin 12/22/2015 | 3:51:05 PM
Re: What problem does it solve? A couple of thoughts: if a service provider uses layer 1 encryption for traffic traversing its network, then it gives them the assurance that they won't be the source of breaches from their fiber network. Users may still want to encrypt their applications at higher layers, but there does seem to be a value in eliminating vulnerability in the fibers.

Vendors seem to be pitching layer 1 encryption as a piece of an overall strategy for service providers - not an either/or scenario, but to also add layer 1 encryption.

On cost/complexity: I agree that this could make other options more viable. But vendors aren't shooting for big mark-ups in pricing, and the trajectory could be that this ends up a standard feature ultimately (my speculation).

Mitch Wagner 12/22/2015 | 12:49:31 PM
Chilling effect Uncertainty over whether government will mandate encryption backdoors is likely to slow down investment in encryption technology.

This is separate from the issue of whether backdoors are a good idea. They're not; they're terrible.

Duh! 12/21/2015 | 1:19:20 PM
What problem does it solve? Quote from RFC 3819:

"A consensus has emerged for what might be called a "security placement principle": a security mechanism is most effective when it is placed as close as possible to, and under the direct control of the owner of the asset that it protects.

A corollary of this principle is that end-to-end security (e.g., confidentiality, authentication, integrity, and access control) cannot be ensured with subnetwork security mechanisms. Not only are end-to-end security mechanisms much more closely associated with the end-user assets they protect, they are also much more comprehensive. For example, end-to-end security mechanisms cover gaps that can appear when otherwise good subnetwork mechanisms are concatenated. This is an important application of the end-to-end principle."

Followed by a debate over whether lower layer security mechanisms should be discouraged because they encourage complacency or encouraged because weak protection is better than none. Anybody who really cares about privacy and data integrity is going to use SSL/TLS.

So what is it about the optical PHY layer that is supposed to be protected by encryption? The "something is better than nothing" argument makes some sense with shared media (PON), but surely tapping a metro or core fiber requires quite a bit more sophistication than putting an ONT into promiscuous mode.

The other case for encryption in GPON is an identified vulnerability to DoS attack by spoofing the scrambler to break 1's density. Not a problem with OTN, is it?

Encryption at 100G seems to be a lot of work for little added security, doesn't it?
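The two "Duh!" comments make the same structural argument in two forms: hop-by-hop (Layer 1) encryption only protects the fiber, so every node that terminates a link still holds plaintext, and RFC 3819's warning that "gaps can appear when otherwise good subnetwork mechanisms are concatenated". The following Python model, added here as an illustration and not code from the article or from any of the commenters, makes that visible. It walks a constructed five-node path (customer endpoint, provider edge, core, provider edge, customer endpoint) and records where a message is observable in the clear under link-only encryption versus end-to-end encryption. The node names, keys, and the HMAC-based toy stream cipher are all assumptions for the demo; a real transponder or TLS stack would use AES-GCM or a similar standard AEAD.

```python
import hashlib
import hmac


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher: an HMAC-SHA256 keystream XORed with the
    data. XOR is its own inverse, so the same call encrypts and decrypts.
    Illustration only: real link or transport encryption uses a standard
    AEAD such as AES-GCM, and a nonce must never be reused under one key."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        keystream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def forward(path, link_keys, payload):
    """Carry `payload` from path[0] to path[-1]. link_keys[i] is the key for
    the link path[i] -> path[i+1], or None for an unencrypted link. Each link
    is terminated at the next node, which decrypts before forwarding, just as
    a Layer 1 encryptor on a transponder does. Returns what every node held
    in memory and what every link carried on the fiber."""
    node_view = {path[0]: payload}
    wire_view = {}
    for i in range(len(path) - 1):
        key = link_keys[i]
        nonce = i.to_bytes(12, "big")  # constructed per-link nonce for the demo
        on_wire = payload if key is None else stream_xor(key, nonce, payload)
        wire_view[(path[i], path[i + 1])] = on_wire
        payload = on_wire if key is None else stream_xor(key, nonce, on_wire)
        node_view[path[i + 1]] = payload
    return node_view, wire_view


def hop_by_hop(path, link_keys, message):
    """Link (Layer 1 style) encryption only: the message enters the path in
    the clear and is re-encrypted per link."""
    return forward(path, link_keys, message)


def end_to_end(path, link_keys, e2e_key, message):
    """End-to-end (TLS style) encryption, layered over whatever link
    encryption exists: only the two endpoints ever hold the plaintext."""
    nonce = b"\x00" * 12  # constructed; a real protocol negotiates a fresh one
    ciphertext = stream_xor(e2e_key, nonce, message)
    node_view, wire_view = forward(path, link_keys, ciphertext)
    node_view[path[0]] = message  # the sender naturally had the plaintext
    node_view[path[-1]] = stream_xor(e2e_key, nonce, node_view[path[-1]])
    return node_view, wire_view


def exposed(view, message):
    """Keys (node names or link tuples) at which the plaintext is observable."""
    return sorted(k for k, v in view.items() if v == message)


def demo():
    """Constructed path; the core link is deliberately left unencrypted to
    show the concatenation gap that RFC 3819 describes."""
    path = ["customer-A", "PE-1", "P-core", "PE-2", "customer-B"]
    link_keys = [b"link-key-0", b"link-key-1", None, b"link-key-3"]
    message = b"constructed sample payload: invoice 4711"

    nodes_hbh, wire_hbh = hop_by_hop(path, link_keys, message)
    nodes_e2e, wire_e2e = end_to_end(path, link_keys, b"e2e-key", message)
    return {
        "hop_by_hop_nodes": exposed(nodes_hbh, message),
        "hop_by_hop_links": exposed(wire_hbh, message),
        "end_to_end_nodes": exposed(nodes_e2e, message),
        "end_to_end_links": exposed(wire_e2e, message),
    }


if __name__ == "__main__":
    for label, where in demo().items():
        print(f"{label:18s} plaintext visible at: {where}")
```

Running it shows the two halves of the argument side by side: with link encryption alone, all five nodes hold the plaintext and the one unencrypted core link carries it on the fiber, whereas with end-to-end encryption only the two customer endpoints ever see it, regardless of which links are encrypted. Sterling Perrin's point survives as well: if every link key is present, the fiber itself carries no plaintext, which is the breach surface the provider controls.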