
Content Security on Optical Networks
iGrid 2005 San Diego
Optical Network Security
1. Reliable Connections
• 99%... 99.999% availability as required
• Failures, floods, avalanches, backhoes, ...
2. Accurate Management
• Authorized, user-friendly, ...
3. Encrypted Traffic
Why Encryption?
> Prevent interception of valuable IP or secret information.
• Movie production, government, healthcare, finance, corporate
> Preclude alteration or insertion of false data
> Secure Lightpaths.
• Banking, government
Where Encryption?
> Photonic layer 0
• Photonic methods are expensive and not very secure
> Layer 0 Lightpath from Tx to Rx
• Good for photonic networking between secure sites
• Unable to traverse a layer 1 network
> SONET path layer 1 Lightpath
• Able to transit metro and global networks
• Able to be switched at layer 1
• Must support arbitrary VCAT paths.
> Optical Ethernet Lightpath
• This demo does Packet by Packet encryption, including addresses.
> Layer 2 lightpath
• Need visibility of some fields of packet, or encapsulate
> Layer 3 SSL, IPsec
• Need visibility of encapsulating IP fields
> Application
• End user encryption is useful
• Latency and administration issues
Performance of iGrid Encryption Hardware
> Full OC-192/STM-64 10G throughput.
> One to twelve lightpaths with separate keys.
• 12 x GigE used to heavily load the OC-192 as 12xSTS-1-16V
> 400 ns added latency for AES-256 encryption
• Another 400 ns for decryption
> Integrated into the Nortel OME-6500 transport shelf.
> Packet by packet encryption
• No encryption of idle frames
• No overhead added to each packet
AES-256
> AES with a 256 bit key is the strongest encryption standard published by the US government.
• When appropriately implemented, AES-256 is approved for encryption of information classified US Top Secret.
> Encryption Method:
• Using a secret 256 bit key, a 128 bit counter value is encrypted to form a new 128 bit word.
• This word is XORed with one word of the data stream.
• The counter is incremented, and the next word processed.
> Decryption Method:
• The Rx counter is synchronized to the Tx
• Using the matching key, invert the encryption.
http://en.wikipedia.org/wiki/AES,
http://www.nsa.gov/ia/industry/crypto_suite_b.cfm?MenuID=10.2.7
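The counter-mode method described on this slide, as an added example that is not part of the deck and not Nortel's hardware implementation: AES-256 from Go's standard library encrypts a 128-bit counter, the result is XORed with one 128-bit word, and the counter is incremented with carry; Rx runs the identical steps from the same starting counter. The key, starting counter and data words are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrWord is the per-word step from the slide: AES-256 encrypts the 128-bit
// counter under the secret key and the result is XORed with one 128-bit word
// of the data stream. Tx and Rx run the same step, since XOR is self-inverse.
func ctrWord(block cipher.Block, counter, word [16]byte) [16]byte {
	var ks, out [16]byte
	block.Encrypt(ks[:], counter[:])
	for i := range word {
		out[i] = word[i] ^ ks[i]
	}
	return out
}

// ctrStream processes consecutive 128-bit words starting from counter c0,
// incrementing the counter (big-endian, with carry) after every word. Rx must
// use the same key and the same c0 as Tx; a counter off by one word yields an
// unrelated keystream and garbage output instead of the data.
func ctrStream(key [32]byte, c0 [16]byte, words [][16]byte) ([][16]byte, error) {
	block, err := aes.NewCipher(key[:]) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([][16]byte, len(words))
	ctr := c0
	for i, w := range words {
		out[i] = ctrWord(block, ctr, w)
		for j := 15; j >= 0; j-- { // counter++ with carry
			if ctr[j]++; ctr[j] != 0 {
				break
			}
		}
	}
	return out, nil
}

func main() {
	key := [32]byte{1, 2, 3} // constructed demo key, not a real secret
	c0 := [16]byte{15: 1}    // constructed starting counter shared by Tx and Rx
	words := [][16]byte{{'h', 'i'}, {'b', 'y', 'e'}}
	ct, _ := ctrStream(key, c0, words) // Tx
	pt, _ := ctrStream(key, c0, ct)    // Rx with synchronized counter
	fmt.Printf("ct[0]=%x recovered=%v\n", ct[0], pt[0] == words[0] && pt[1] == words[1])
}
```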
Demo US106 Topology
[Topology diagram: four Nortel OME nodes connecting Amsterdam (Netherlight, SARA), San Diego (UCSD – CALIT2), the University of Illinois Chicago (Starlight Network; Electronic Visualization Lab @ UIC with tile display visualization) and the Nortel Ottawa Lab. Links are labelled 12xGigE (Visualization Cluster) and 4xGigE (Source Data Linux clusters).]