Mission possible with network group encryption
Network group encryption (NGE) has just emerged as a powerful new MPLS-based encryption solution. Designed to ease and simplify end-to-end network encryption, NGE represents a compelling alternative to IPSec.
And the timing for NGE is right. With escalating threat levels worldwide, utilities, oil and gas, transportation and government agencies are rethinking their security implementations. Not surprisingly, encryption is an integral part of their plans. With smart applications, as well as legacy ones being deployed in mission-critical network infrastructures, operators also need security implementations capable of facilitating fully meshed, any-to-any or group connectivity models that carry a variety of TDM, Layer 2, and Layer 3 traffic.
Ideal characteristics of an MPLS-based encryption model
With this in mind, let’s look more closely at the ideal characteristics of an MPLS-based encryption model. Call it a wish list.
Seamless MPLS encryption
For starters, an ideal model should handle traffic at every layer, including TDM circuits, Ethernet streams and IP, and it should do so without first converting non-IP traffic to IP through encapsulation, as IPSec requires.
Additionally, an ideal MPLS-based encryption model would not undermine the inherent advantages of an IP/MPLS network, such as QoS, high availability, and MPLS tunneling functions. To maintain these advantages, performing the encryption directly on the MPLS packet payload fields is ideal.
Another requirement is that the MPLS-based encryption model be designed for any-to-any connectivity, so that it can support a fully meshed, distributed network where needed. IPSec is the protocol of choice for mobile workers on a many-to-one, hub-and-spoke network, but it does not scale easily to a fully meshed model in which the deployed devices need to connect to each other.
To be sure, an any-to-any model can be built on IPSec, but it requires manually creating the mesh from point-to-point tunnels: each pair of sites needs its own security association, so n sites need on the order of n(n-1)/2 tunnels, and every site added later has to be paired with every existing one. That is a labor-intensive and time-consuming activity.
Robust key management
Still another important requirement for an MPLS-based encryption model is a service-aware key manager that manages both the MPLS-based services and key distribution. A manager with these combined roles can easily figure out which nodes require which keys in a security domain.
To cater to security differences within an organization, or to partition the network into separate security domains, key management can take a hierarchical, service-aware approach through key groups. Each MPLS service is configured to use a specific key group, according to the security policy that applies to that group.
Figure 1. NGE key groups enable organizational grouping and security partitioning
Furthermore, to avoid traffic loss when transitioning old keys to new ones, the ideal MPLS-based model needs to employ a hitless rekeying procedure ― one that could accommodate large-scale rekeying without any bottlenecking.
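As an added illustration (not part of the original article, and not a description of Nokia's actual NGE rekeying procedure), the Go simulation below models the way group rekeying is usually made hitless: each node first receives the new key as an additional inbound key, then nodes switch their outbound key one at a time, and only then is the old key retired. Because every receiver accepts both keys during the transition, no packet is ever encrypted with a key its receiver does not hold. A naive one-step swap is run alongside it to show where traffic is lost. The node names, key IDs and the three-phase ordering are assumptions of the example.

```go
package main

import "fmt"

// Node is one member of a key group. Inbound holds every key ID the node
// will still accept on receive (an ESP SPI would play this role on the wire);
// Outbound is the single key ID it currently transmits with.
type Node struct {
	Name     string
	Inbound  map[uint32]bool
	Outbound uint32
}

// NewGroup builds a key group whose members all hold and transmit with keyID.
func NewGroup(names []string, keyID uint32) []*Node {
	nodes := make([]*Node, 0, len(names))
	for _, name := range names {
		nodes = append(nodes, &Node{Name: name, Inbound: map[uint32]bool{keyID: true}, Outbound: keyID})
	}
	return nodes
}

// exchange has every node send one packet to every other node and returns how
// many packets were dropped because the receiver no longer (or not yet) held
// the key the sender used.
func exchange(nodes []*Node) int {
	dropped := 0
	for _, tx := range nodes {
		for _, rx := range nodes {
			if tx != rx && !rx.Inbound[tx.Outbound] {
				dropped++
			}
		}
	}
	return dropped
}

// HitlessRekey moves the group from oldID to newID in three phases, checking
// traffic after every single-node change, and returns the total packets lost.
func HitlessRekey(nodes []*Node, oldID, newID uint32) int {
	lost := 0
	// Phase 1: distribute newID as an extra inbound key; everyone still sends with oldID.
	for _, n := range nodes {
		n.Inbound[newID] = true
		lost += exchange(nodes)
	}
	// Phase 2: switch transmit keys one node at a time; all peers accept both keys.
	for _, n := range nodes {
		n.Outbound = newID
		lost += exchange(nodes)
	}
	// Phase 3: retire oldID only after no one transmits with it any more.
	for _, n := range nodes {
		delete(n.Inbound, oldID)
		lost += exchange(nodes)
	}
	return lost
}

// NaiveRekey replaces the key on each node in a single step, so nodes that have
// already rolled over cannot talk to those that have not, in either direction.
func NaiveRekey(nodes []*Node, oldID, newID uint32) int {
	lost := 0
	for _, n := range nodes {
		delete(n.Inbound, oldID)
		n.Inbound[newID] = true
		n.Outbound = newID
		lost += exchange(nodes)
	}
	return lost
}

func main() {
	// Constructed group: four sites of a utility WAN; the key IDs are arbitrary.
	names := []string{"substation-a", "substation-b", "control-center", "backup-dc"}
	fmt.Println("hitless rekey, packets lost:", HitlessRekey(NewGroup(names, 1), 1, 2))
	fmt.Println("naive rekey, packets lost:  ", NaiveRekey(NewGroup(names, 1), 1, 2))
}
```

Running it reports 0 lost packets for the hitless sequence and 20 for the naive one on four nodes. In general the one-step swap loses 2k(n-k) packets after the k-th node has rolled over, because the nodes that have switched and those that have not can no longer decrypt each other's traffic in either direction; the three-phase sequence never creates such a split, which is what lets it be driven across a large group without regard to the order in which nodes are reached.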
High network efficiency
Finally, an ideal hardware encryption implementation should enable and promote high network efficiency. Here, the extra per-packet overhead of traditional encryption solutions can be reduced by not adding the outer IP header and tunnel overhead that IP encapsulation requires.
By encrypting all services inside the MPLS packets without further modification, an ideal encryption model allows core routers to switch and route NGE MPLS packets seamlessly, because the packets remain transparent to these devices: they forward on the label stack exactly as they would for any other MPLS packet.
The uniqueness of network group encryption
The good news is that NGE delivers on all of these requirements and more because:
- IP and non-IP traffic are encrypted and decrypted only once natively as they traverse the network, which reduces overhead. This avoids traditional approaches where non-IP traffic must be converted to or encapsulated in IP and then encrypted using IPSec. By using a 4-byte encryption label rather than additional IPSec tunnel and GRE headers, network group encryption also saves bandwidth, particularly for mission-critical, constant bit rate services such as CCTV and SCADA traffic.
- Operators overcome the weaknesses of MACsec, an emerging alternative for encrypting multi-service traffic over an Ethernet link. MACsec is hop-by-hop: traffic is decrypted and re-encrypted at every Ethernet hop, so plaintext is exposed on each intermediate device. Network group encryption keeps traffic encrypted end to end across those hops, which removes that exposure, lowers latency, boosts core network efficiency, and avoids additional capital expenditure on encryption and decryption hardware.
- Operators don’t have to worry about the bottlenecks sometimes associated with the Internet Key Exchange (IKE) protocol, which can occur when a router has to negotiate security associations with a large number of endpoints in its security domain. Network group encryption instead distributes keys to the routers over an SSH-based mechanism from the key manager. Routers are under minimal strain because the key manager carries out key synchronization and updates on their behalf, which further reduces the control plane overhead and maintenance required for network-wide encryption.
- Finally, NGE is performed by dedicated hardware acceleration to attain optimum router performance with negligible latency ― in the ballpark of low 10s of microseconds per encryption operation.
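The bullets above describe encrypting the MPLS payload in place behind a 4-byte encryption label, with the label stack left in the clear so that transit routers forward the packet like any other. The Go example below, added here and not taken from the article or from any vendor's implementation, frames the payload in the ESP format of RFC 4303 (the format the article's footnote mentions) using AES-256-GCM: the ESP SPI selects a key from the key group, the SPI and sequence number are authenticated as ESP additional data, and the label stack is neither encrypted nor authenticated. The encryption label value, the key-group layout, the RFC 4106-style salt-plus-IV nonce and the fixed demo key are assumptions for illustration; an anti-replay window is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const encLabel uint32 = 1000 // assumed placeholder for the bottom-of-stack encryption label

// KeyGroup is one security partition. Each SPI selects 36 bytes of key material:
// a 32-byte AES-256 key and a 4-byte salt that prefixes the 8-byte per-packet IV (RFC 4106 nonce).
type KeyGroup struct {
	OutSPI uint32            // key used on transmit
	Keys   map[uint32][]byte // SPIs accepted on receive
	seq    uint32            // ESP sequence number (no anti-replay window here)
}

func NewKeyGroup(spi uint32, keymat []byte) *KeyGroup {
	return &KeyGroup{OutSPI: spi, Keys: map[uint32][]byte{spi: keymat}}
}

func newGCM(keymat []byte) (cipher.AEAD, error) {
	if len(keymat) != 36 {
		return nil, fmt.Errorf("key material must be 36 bytes, got %d", len(keymat))
	}
	block, err := aes.NewCipher(keymat[:32])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt emits labels | encLabel | SPI | seq | IV | ESP ciphertext | ICV. Only SPI||seq is
// authenticated (ESP AAD); the label stack is neither encrypted nor authenticated, so transit
// routers can swap labels and decrement TTL without touching the protected part.
func (kg *KeyGroup) Encrypt(labels []uint32, payload []byte) ([]byte, error) {
	keymat := kg.Keys[kg.OutSPI]
	gcm, err := newGCM(keymat)
	if err != nil {
		return nil, err
	}
	var pkt []byte
	for _, l := range labels { // stack entry: 20-bit label, TC 0, S 0, TTL 64
		pkt = binary.BigEndian.AppendUint32(pkt, l<<12|64)
	}
	pkt = binary.BigEndian.AppendUint32(pkt, encLabel<<12|1<<8|64) // S=1 marks bottom of stack
	kg.seq++
	hdr := binary.BigEndian.AppendUint32(binary.BigEndian.AppendUint32(nil, kg.OutSPI), kg.seq) // SPI || seq
	iv := make([]byte, 8)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, keymat[32:]...), iv...)
	padLen := (4 - (len(payload)+2)%4) % 4 // ESP trailer: padding, pad length, next header (0)
	plain := append(append(append([]byte{}, payload...), make([]byte, padLen)...), byte(padLen), 0)
	return append(append(append(pkt, hdr...), iv...), gcm.Seal(nil, nonce, plain, hdr)...), nil
}

// Decrypt walks the label stack to the encryption label, selects the key by SPI, verifies the
// ICV and strips the ESP trailer. Malformed input is rejected before any key is used.
func (kg *KeyGroup) Decrypt(pkt []byte) (labels []uint32, payload []byte, err error) {
	off, bottom := 0, false
	for !bottom && off+4 <= len(pkt) {
		v := binary.BigEndian.Uint32(pkt[off:])
		bottom, labels, off = (v>>8)&1 == 1, append(labels, v>>12), off+4
	}
	if !bottom || off+16 > len(pkt) || labels[len(labels)-1] != encLabel {
		return nil, nil, fmt.Errorf("malformed packet: bad label stack or truncated ESP header")
	}
	hdr, iv, ct := pkt[off:off+8], pkt[off+8:off+16], pkt[off+16:]
	keymat, ok := kg.Keys[binary.BigEndian.Uint32(hdr)]
	if !ok {
		return nil, nil, fmt.Errorf("SPI %#x not in this key group", binary.BigEndian.Uint32(hdr))
	}
	gcm, err := newGCM(keymat)
	if err != nil {
		return nil, nil, err
	}
	plain, err := gcm.Open(nil, append(append([]byte{}, keymat[32:]...), iv...), ct, hdr)
	if err != nil {
		return nil, nil, fmt.Errorf("ICV check failed: %w", err)
	}
	if len(plain) < 2 || int(plain[len(plain)-2]) > len(plain)-2 {
		return nil, nil, fmt.Errorf("bad ESP trailer")
	}
	return labels[:len(labels)-1], plain[:len(plain)-2-int(plain[len(plain)-2])], nil
}

func main() {
	keymat := []byte("0123456789abcdef0123456789abcdef" + "salt") // constructed demo key material
	tx, rx := NewKeyGroup(0x1001, keymat), NewKeyGroup(0x1001, keymat)
	pkt, err := tx.Encrypt([]uint32{100, 200}, []byte("SCADA-READ-0042"))
	if err != nil {
		panic(err)
	}
	binary.BigEndian.PutUint32(pkt, 300<<12|63) // transit LSR: swap outer label, TTL 64 -> 63
	labels, payload, err := rx.Decrypt(pkt)
	fmt.Println(labels, string(payload), err, len(pkt), "bytes on the wire")
}
```

Running it encrypts a 15-byte constructed SCADA-style payload behind transport label 100 and service label 200, rewrites the outer label to 300 and decrements its TTL as a transit LSR would, and decrypts it successfully on the peer. The 64 bytes on the wire break down as 12 bytes of label stack, 8 bytes of ESP header, an 8-byte IV, 20 bytes of ciphertext (payload plus the ESP trailer padded to a 4-byte boundary) and a 16-byte ICV; no outer IP or GRE header is added. A node whose key group does not hold the SPI, a truncated packet, or a flipped ciphertext byte each return an error rather than data.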
So be on the lookout for NGE. Network group encryption overcomes some of the challenges of traditional encryption solutions for mission-critical networks. It helps operators meet government security requirements such as the Critical Infrastructure Protection (CIP) standards from the North American Electric Reliability Corporation (NERC), and it keeps operations simple and easy to deploy.
Footnote on encrypting the MPLS payload directly, as proposed above: this can be done by using the Encapsulating Security Payload (ESP) format defined in IETF RFC 4303 to encrypt and authenticate MPLS payloads.
To contact the author or request additional information, please send an email to firstname.lastname@example.org.