Encryption and the application of Newton’s third law
Sir Isaac Newton once observed that for every action there is an equal but opposite reaction. Set something in motion but be prepared for the pushback this action will create. This is sage advice for service providers preparing their IP networks for 5G, IoT and Industry 4.0 — take advantage of the increased flexibility and openness these new architectures deliver but be prepared for the elevated network security risks that come along with these benefits.
Take mobile networks as an example. In early 2G and 3G deployments, private lines dominated connections from regional RANs to a centralized core, making security to some extent a feature of the network architecture. In the 3G/4G era, security vulnerabilities increasingly became a concern as service providers began to densify the RAN and in some cases leverage third-party networks for mobile transport. This exposed the data flowing through them to a greater risk of theft or manipulation.
Nokia’s IPsec gateway to the rescue
The solution was to encrypt all traffic connecting regional RANs with the centralized mobile core using IPsec. Nokia took early leadership in this space, building the industry’s first carrier-class IPsec gateway in its Nokia 7750 Service Router (SR). The 7750 SR met the unique scale, performance and availability requirements demanded by service providers, and is now securing the connectivity between the RAN and mobile core in the networks of some of the largest mobile operators around the world. The dominance of IPsec at the access side of mobile networks ensures it will remain an important tool in the encryption toolbox for mobile backhaul for years to come.
But as service providers look to reap the benefits of 5G, enabling a new generation of low-latency services and the network slicing architectures that support them, there will be a push for encryption to be performed at the flow/slice level, with significantly lower latency than what is possible with IPsec.
Achieving this will be especially challenging on the fixed side, where network encryption is not the universal fixture it is in mobile networks. Attacks against, and breaches of, fixed networks and the services they support have soared to new heights during the pandemic. Our growing dependence on our fixed connections for working and learning from home made them highly attractive targets. And the low latency revolution is just as strong in fixed as it is in mobile.
Enter MACsec encryption
One way to solve the latency problem is to use MACsec. Offering much lower latency and cost than IPsec, with similarly strong and standards-based encryption, it is designed to scale into the 400G era and beyond. MACsec encrypts at the MAC layer, so end-to-end encryption is possible only as long as the path stays at layer 2. In the IP, MPLS and segment routing world in which service providers operate, MACsec frames must be decrypted and re-encrypted at every router so that routing and switching decisions can be made on the IP or MPLS headers. For end-to-end encryption, this adds complexity because every router in the path must be MACsec capable.
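The hop-by-hop termination just described can be seen in a small model, added here as an illustration and not Nokia's code: MACsec protects the Ethernet payload, so the IP header a router needs for forwarding sits inside the ciphertext and must be recovered at every layer 3 hop, whereas a tunnel whose forwarding header stays in the clear (as IPsec tunnel mode does) is decrypted only at the far end. The SHA-256 keystream XOR is a constructed stand-in for the real cipher, and the packet, addresses and keys are constructed sample values; the model says nothing about how ANYsec itself is implemented.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (constructed, not AES-GCM): XOR with a SHA-256 keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

@dataclass
class Frame:
    clear_ip_dst: Optional[str]  # forwarding header routers can read, or None
    payload: bytes               # ciphertext carrying the inner headers and data

def traverse(frame: Frame, link_keys: List[bytes], e2e_key: Optional[bytes]):
    """Forward across len(link_keys) links; return (plaintext at receiver,
    crypto operations on the path, routers that held the plaintext)."""
    ops, exposed = 1, 0                         # sender encrypts once
    for hop in range(len(link_keys) - 1):       # one intermediate router per iteration
        if frame.clear_ip_dst is None:          # MACsec: IP header is inside the ciphertext
            plain = keystream_xor(link_keys[hop], frame.payload)   # decrypt to route
            exposed += 1
            frame = Frame(None, keystream_xor(link_keys[hop + 1], plain))  # re-encrypt
            ops += 2
        # otherwise the router forwards on the clear header and touches no crypto
    last_key = e2e_key if e2e_key is not None else link_keys[-1]
    return keystream_xor(last_key, frame.payload), ops + 1, exposed   # receiver decrypts

IP_PKT = b"IPv4 dst=198.51.100.9 | data=constructed sample"  # constructed packet
LINK_KEYS = [f"link-key-{i}".encode() for i in range(4)]     # 4 links, 3 routers
E2E_KEY = b"end-to-end-key"                                   # constructed

def macsec_path():
    # MACsec ingress: the whole IP packet lies in the protected region.
    return traverse(Frame(None, keystream_xor(LINK_KEYS[0], IP_PKT)), LINK_KEYS, None)

def clear_header_tunnel_path():
    # Outer forwarding header in the clear, inner packet encrypted end to end.
    return traverse(Frame("203.0.113.1", keystream_xor(E2E_KEY, IP_PKT)),
                    LINK_KEYS, E2E_KEY)
```

Across three routers the MACsec path performs eight cipher operations and holds plaintext in every router, while the clear-header tunnel performs two and exposes plaintext in none; the crypto cost and the set of devices that must hold keys both grow with the hop count.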
ANYsec – extending encryption to all network layers and services
This is where ANYsec comes in. Like MACsec, ANYsec encryption is silicon based and implemented within the new FP5 network processor at the heart of our 7750 SR portfolio. We’ve gone one step further with ANYsec by extending this encryption capability to include IP, MPLS and segment routing networks, tightly integrating encryption and transport in the data path for any network layer and any service type. ANYsec works at the same scale and with the same any-to-any flexibility that has made IP and MPLS the dominant underlying technologies for building networks. This allows service providers to perform end-to-end encryption of all, or identified, network flows/slices at line rate, with MACsec-like latency, and without impacting the performance of anything else running on the same FP5 chipset.
So, what does this all mean for service providers? ANYsec transforms encryption from a capital-intensive project requiring significant advanced planning, to a network-resident capability that can be turned on at any time, for any flow, on any service, using any transport. It takes the “what if” worry around network encryption out of the equation by enabling service providers to deliver it wherever, whenever and however the inevitability of Newton’s third law pushes them to do so. We believe this is a significant milestone in the ongoing evolution of mission-critical IP networks.
Interested in learning more about ANYsec? Check out the ANYsec universal line-rate encryption application note.