The need for high-speed encryption
Importance of network infrastructure security
Most of the emphasis on protecting networks today is focused on securing data within data centers. However, the infrastructure of networks that connect these data centers is equally vulnerable to calculated attacks.
Vulnerability of fiber-optic networks and the necessity of data encryption
As more sensitive information is transmitted across fiber-optic networks, cyber criminals are increasingly focused on intercepting data during its transit across these networks. With the rise in network or fiber-optic hacks, data protection is paramount. Encrypting any data that leaves data centers is becoming a crucial requirement for cloud operators.
Optical encryption
Optical encryption secures all data on the communications link in and out of a facility, rendering it undecipherable to hackers tapping into the fiber strand. Protecting data at high speeds or line rates is essential for data centers today.
Cisco NCS 1014 and OTNSec encryption
Cisco NCS 1014 introduces AES256-based OTNSec encryption for 100GE and 400GE clients. Encryption is supported on the 2.4Tcard .
Role of IKEv2 protocol
OTNSec encryption uses the Internet Key Exchange Version 2 (IKEv2) protocol to negotiate and establish IKEv2 and OTNSec Security Associations (SA). IKEv2 is used for device authentication in an encryption session and provides pre-shared keys (PSK) or RSA certificate-based authentication.
General communication channel
General Communication Channel (GCC) is control channel used within the OTN. NCS 1014 supports GCC0 link.
The IKEv2 datagrams are carried as payloads using the point-to-point protocol (PPP) over the GCC channel.
Implementation of IKE sessions
To implement this, an IKE session is established between two endpoints, Site A and Site B, for overhead control plane communication between the two data centers. Data is encrypted at Site A using OTNSec encryption and decrypted at Site B.
The recommended deployment is to have a single IKEv2 session running over a GCC0 channel per trunk port which creates the child Security Associations (SA) for each of the OTNSec controllers that are configured on the trunk port.

Feedback