Configuration Guide for Cisco NCS 1014, IOS XR Releases 26.x.x

The need for high-speed encryption

This section explains why high-speed encryption is critical for protecting data transmitted across network infrastructures.


Importance of network infrastructure security

Most of the emphasis on protecting networks today is focused on securing data within data centers. However, the infrastructure of networks that connect these data centers is equally vulnerable to calculated attacks.

Vulnerability of fiber-optic networks and the necessity of data encryption

As more sensitive information is transmitted across fiber-optic networks, cyber criminals are increasingly focused on intercepting data during its transit across these networks. With the rise in network or fiber-optic hacks, data protection is paramount. Encrypting any data that leaves data centers is becoming a crucial requirement for cloud operators.

Optical encryption

Optical encryption secures all data on the communications link in and out of a facility, rendering it undecipherable to hackers tapping into the fiber strand. Protecting data at high speeds or line rates is essential for data centers today.


Cisco NCS 1014 and OTNSec encryption

Cisco NCS 1014 introduces AES256-based OTNSec encryption for 100GE and 400GE clients. Encryption is supported on the 2.4T and 2.4TA cards.

Role of IKEv2 protocol

OTNSec encryption uses the Internet Key Exchange Version 2 (IKEv2) protocol to negotiate and establish the IKEv2 and OTNSec Security Associations (SAs). IKEv2 authenticates the two devices in an encryption session and supports either pre-shared key (PSK) or RSA certificate-based authentication.

General communication channel

The General Communication Channel (GCC) is a control channel carried within the OTN overhead. NCS 1014 supports the GCC0 link.

The IKEv2 datagrams are carried as payloads using the point-to-point protocol (PPP) over the GCC channel.

Implementation of IKE sessions

To implement this, an IKE session is established between two endpoints, Site A and Site B, for overhead control plane communication between the two data centers. Data is encrypted at Site A using OTNSec encryption and decrypted at Site B.

The recommended deployment is a single IKEv2 session running over the GCC0 channel of each trunk port. That session creates the child Security Associations (SAs) for each OTNSec controller configured on the trunk port.

Figure 1. OTNSec site-to-site example and components