Cisco Transport Layer Encryption

Kyle Hollasch

Product Marketing Manager – Optical Systems and Transceivers Group

3 March 2015

Who Do We Trust?

[Chart: Net Trust* in Institutions, average of 22 countries, 2012. Institutions shown, in chart order: Scientists, NGOs, UN, Religious Groups, National Companies, Press / Media, National Government, Global Companies. Source: GlobeScan Radar Report, 2013]

[Chart: Trusted Business Partner, mean ratings of vendors with base sizes. Source: Marketing Impact Study, 2014]

Unmatchable Trust is Foundational to Cisco

• Security is more than just a feature.

• It must be embedded in all aspects of product development and manufacturing.

• John Chambers in the Q2 earnings call: white label is not much of a threat, because of security.

Trust Must Be Earned Every Day

[Diagram: Company Culture → Trustworthy Vendor (Policies, Processes, Technologies) → Genuine Products with Embedded Security → Supply Chain Security → Trustworthy Solutions & Services]

The Challenge - Secure WAN and DCI Transport

• There is a false level of trust in private and leased circuits over a MAN or WAN.

• Contrary to popular belief, fiber is easily tapped.

• Optical systems are analog and continuously adapt to varying link parameters (power, loss), so the small change a tap introduces is hard to distinguish from normal variation and intrusion is difficult to detect.

• Encryption has traditionally required a dedicated device, or licensing per application, client, or protocol.

• It has traditionally also incurred latency, throughput degradation, and CPU consumption.

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Cisco Transport Encryption Architecture

NCS 2000 Transport Encryption Architecture

[Diagram: client signals (Ethernet, Fibre Channel, SONET/SDH, OTN) enter the NCS 2000, where the payload is encrypted and the OTN overhead is left in the clear; the encrypted OTN signal is carried over 3rd party DWDM, Cisco private DWDM, leased OTN services, or dark fiber, and handed back as Ethernet, Fibre Channel, SONET/SDH, or OTN at the far end]

Securing Your Data Before it Leaves the Building

Why OTN Encryption?

OTN is a Layer 1 transparent encapsulation protocol. Encrypting the OTN payload ensures transparency and interoperability: the OTN overhead stays in the clear, so intermediate third-party OTN and DWDM equipment can still monitor and switch the signal, while the client signal inside the payload is protected regardless of its type or rate.

Client signals                    OTN container
OC-192, Fibre Channel, 10 GE      OTU-2
OC-768, 40 GE                     OTU-3
100 GE                            OTU-4


Transport Encryption Hardware

NCS 2000 Transport Encryption Portfolio

10G Transport: 5 x 10G Encrypting Transponder

• Five independently encrypted 10G streams. Multi-protocol support.

• Grey (SR, LR, ER, ZR) or DWDM (fixed or tunable) line side optics.

100G / 200G Transport: Multi-rate Encrypting Muxponder

• 100G CPAK SR/LR client or 10G / 40G multiplexed payload.

• Pairs with a coherent DWDM trunk card for transport over a 100G or 200G wavelength.

[Diagram: Transport Encryption Functionality. 10G encryption: 5 x 10G encrypting transponder with five SFP+ 10G clients. 100G encryption: multi-rate MXP with QSFP (40G or 4x10G) and SFP+ (10G) clients, or a CPAK 100G client, feeding a 100G / 200G DWDM trunk]

Wire Speed Encryption (WSE) 10G Multi-Rate OTN / DWDM Encryption Card

Hardware

• Single slot card

• Integrated transponder

Functionalities

• Secure storage and device identity

• Tamper evident module

Certifications

• FIPS 140-2 Level 2 certified

• Common Criteria certified

Algorithms

• Key exchange over G.709 GCC2 using TLS and ECDH

• AES-256 payload encryption

• Card authentication

• GMAC frame authentication

Because GCC2 is an in-band channel in the OTN overhead, the key exchange crosses the same untrusted span as the payload it protects. An ECDH exchange over such a span is only as strong as the authentication of the peers, so card authentication, backed by the device identity in secure storage, rather than the channel itself is what prevents a man-in-the-middle peer on that span.

Multiple Simultaneous Operating Modes

• Encrypted 10G transponder

• Encrypted 10G muxponder (10G muxponder upstream)

• Encrypted 10G without DWDM

• Unencrypted 10G transponder

• Unencrypted regenerator
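The mechanisms listed for this card (ECDH key agreement between the two cards, AES-256 encryption of the OTN payload, and authentication of the frame with the overhead left in the clear) fit together as in the following Go program. It is an added example written for this page, not Cisco's implementation or code from the NCS 2000: the Frame layout, the labelled-hash key derivation standing in for the TLS key schedule, the counter nonce, and the sample overhead and client bytes are all constructed assumptions. The same program also illustrates the "Why OTN Encryption?" point above, since the overhead remains readable by intermediate nodes but is bound to the ciphertext, so any change to it fails authentication at the far end.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame models an encrypted OTU frame (constructed, not the G.709 layout): overhead in
// the clear for third-party OTN/DWDM nodes, payload = AES-256-GCM ciphertext + 16-byte tag.
type Frame struct {
	Overhead []byte
	Payload  []byte
}

// DeriveSessionKey turns the ECDH agreement between two cards into a 256-bit
// payload key. On the product the exchange runs inside TLS over GCC2; hashing
// the shared secret with a label is an assumed stand-in for the TLS key schedule.
func DeriveSessionKey(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append(shared, "otn-payload-key"...))
	return key[:], nil
}

// Encryptor is one direction of the card-to-card stream: session key plus frame counter.
// The nonce is the counter, unique because each session derives a fresh key; re-key before it wraps.
type Encryptor struct {
	aead cipher.AEAD
	seq  uint64
}

func NewEncryptor(key []byte) (*Encryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Encryptor{aead: aead}, nil
}

func (e *Encryptor) nonce() []byte {
	n := make([]byte, 12) // 4 zero bytes || 64-bit frame counter
	binary.BigEndian.PutUint64(n[4:], e.seq)
	return n
}

// Encrypt leaves the overhead untouched but binds it to the ciphertext as GCM
// associated data, so an altered overhead fails the tag check at the far end.
func (e *Encryptor) Encrypt(overhead, payload []byte) (Frame, error) {
	ct := e.aead.Seal(nil, e.nonce(), payload, overhead)
	e.seq++
	return Frame{Overhead: append([]byte(nil), overhead...), Payload: ct}, nil
}

// Decrypt is the far-end card. The counter advances on every slot, good or bad, since an
// in-order Layer 1 stream delivers one frame per slot; the next good frame still decrypts.
func (e *Encryptor) Decrypt(f Frame) ([]byte, error) {
	pt, err := e.aead.Open(nil, e.nonce(), f.Payload, f.Overhead)
	e.seq++
	if err != nil {
		return nil, fmt.Errorf("frame %d failed GMAC authentication: %w", e.seq-1, err)
	}
	return pt, nil
}

func main() {
	curve := ecdh.P256()
	cardA, _ := curve.GenerateKey(rand.Reader) // near-end card identity (constructed)
	cardB, _ := curve.GenerateKey(rand.Reader) // far-end card identity (constructed)
	keyA, _ := DeriveSessionKey(cardA, cardB.PublicKey())
	keyB, _ := DeriveSessionKey(cardB, cardA.PublicKey())
	fmt.Println("both cards derived the same key:", bytes.Equal(keyA, keyB))
	tx, _ := NewEncryptor(keyA)
	rx, _ := NewEncryptor(keyB)
	overhead := []byte("OTU2-OH-GCC2")    // constructed stand-in for OTN overhead
	client := []byte("10GE client frame") // constructed stand-in for client payload
	f, _ := tx.Encrypt(overhead, client)
	pt, err := rx.Decrypt(f)
	fmt.Printf("overhead %q in clear, far end recovered %q (err=%v)\n", f.Overhead, pt, err)
	f2, _ := tx.Encrypt(overhead, client)
	f2.Overhead[0] ^= 1 // an intermediate node rewriting the overhead
	_, err = rx.Decrypt(f2)
	fmt.Println("tampered overhead:", err)
}
```

Run it with go run: the overhead string is unchanged on the wire while the payload is unreadable, and the far-end card rejects the frame whose overhead was altered in transit, then carries on with the next frame. The GCM tag over ciphertext plus overhead is the frame authentication the slide lists as GMAC; note that it protects the overhead from modification only, not from reading, which is the intended trade-off for interoperability with third-party OTN equipment.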

Multi-Rate Muxponder Line Card

• 10G, 40G, and 100G client card

• 2 x 10G SFP+, 2 x 40G QSFP+, and 1 x 100G CPAK ports

• 10G and 40G clients can be aggregated to the backplane or to the CPAK port

• Clients can be aggregated to a 100G or 200G DWDM trunk

• Aggregated client signal can be encrypted (2H 2015)

[Diagram: Nx10G, Nx40G, and 100G clients enter the Multi-Rate Muxponder and are aggregated onto the 100/200G WDM line card, which transmits a 100G or 200G wavelength]

100G DWDM Encryption Configurations

[Diagram: 100G encrypted transponder client, a CPAK 100G client on the multi-rate MXP feeding the DWDM trunk card; and 100G encrypted muxponder client, QSFP and SFP+ clients aggregated on the multi-rate MXP feeding the DWDM trunk card]

200G DWDM Encryption Configurations

[Diagram: 200G muxponder client with CPAK on the trunk card, QSFP and SFP+ clients on the multi-rate MXP plus a CPAK client on the DWDM trunk card; and 200G muxponder client with no CPAK on the trunk card, two multi-rate MXPs each carrying 40G (or 4x10G) and 10G clients into the DWDM trunk card]

100G Grey Encryption Configurations

[Diagram: Encrypting Muxponder Back-to-Back 100G Encryptor. Two multi-rate MXPs connected back to back over 100G: 40G (or 4x10G) and 10G clients, or a 100GE client, on the client side and encrypted OTU-4 on the line side]

NCS 2000 Unmatched Encryption Form Factor and Density

Chassis     10G encrypted    100G encrypted    200G encrypted
NCS 2002    10 x 10G         1 x 100G          none listed
NCS 2006    30 x 10G         3 x 100G          2 x 200G
NCS 2015    75 x 10G         7 x 100G          5 x 200G

Looking Forward …

• Higher densities and rates

• Further integration: muxponding, transponding, encryption

• Licensable features

[Roadmap figure labels: 100G, 10x10G; 100G, 10x10G; 50/100/200/250G]

Transport Encryption Use Cases

Use Cases – Private Cisco DWDM

Fully integrated DWDM wavelength over Cisco DWDM: 10G, 40G, and 100G clients enter the NCS 2000 encryption card and leave as a 10G / 100G / 200G wavelength through an existing or new Cisco NCS 2000 ROADM.

Use Cases – 3rd Party DWDM

Grey wavelength over 3rd party DWDM (with transponder): 10G, 40G, and 100G clients enter the NCS 2000 encryption card, which hands an encrypted OTU-2 or OTU-4 on a grey interface to the 3rd party DWDM system's transponder.

DWDM (alien) wavelength over 3rd party DWDM: the same encrypted OTU-2 or OTU-4 is launched directly as an alien wavelength into the 3rd party DWDM system.

In both cases only the OTN payload is encrypted; the OTN overhead, including the GCC2 channel that carries the key exchange, crosses the third-party equipment in the clear.

Other Use Cases

Grey wavelength over leased carrier transport: 10G, 40G, and 100G clients enter the NCS 2000 encryption card, which hands an encrypted OTU-2 or OTU-4 to the leased carrier transport.

Grey wavelength over private dark fiber: 10G, 40G, and 100G clients enter the NCS 2000 encryption card, which sends an encrypted OTU-2 or OTU-4 over private dark fiber.

Summary

• Encryption is more than just a software or hardware feature; it is the culmination of a company culture and trusted best practices from design through supply chain and manufacturing.

• L1 encryption overcomes the difficulties of previous generations of encryption: low latency, high throughput, protocol agnostic, and integrated functionality.

• The transport market will eventually shift to the iPhone / Android model of encryption: expected by customers and enabled by default.