Encryption over gigabit carrier ethernet

encryption vlan cisco-catalyst macsec

My conclusion to this was to pipe VLAN trunks through EoIP tunnels and encapsulate those in hardware assisted IPSec. Two pairs of fairly inexpensive Mikrotik RB1100AHx2 routers proved capable of saturating a 1 Gbps connection while adding less than 1 ms latency.

I would like to encrypt traffic between two data centres. Communication between the sites is provided as a standard provider bridge (s-vlan/802.1ad), so that our local vlan tags (c-vlan/802.1q) are preserved on the trunk. The communication traverse several layer 2 hops in the provider network.

Border switches on both sides are Catalyst 3750-X with the MACSec service module, but I assume MACSec is out of the question, as I don't see any way to ensure L2 equality between the switches over a trunk, although it may be possible over a provider bridge. MPLS (using EoMPLS) would certainly allow this option, but is not available in this case.

Either way, equipment can always be replaced to accommodate technology and topology choices.

How do I go about finding viable technology options that can provide layer 2 point-to-point encryption over ethernet carrier networks?

edit:

To sum up some of my findings:

  • A number of hardware L2 solutions are available, starting at USD 60,000 (low latency, low overhead, high cost)

  • MACSec may in many cases be tunneled through Q-in-Q or EoIP. Hardware starting at USD 5,000 (low-medium latency, low-medium overhead, low cost)

  • A number of hardware assisted L3 solutions are available, starting at USD 5,000 (High latency, high overhead, low cost)


Solution 1:

I just did a quick search for "CESG layer 2 encryption" (CESG are a british government agency who specialise in assurance for computer systems), on Google, and found a few options on their list, there's at least one that'll do 1Gbit, and a few that'll do up to 10Gbit.

It'd probably (almost definitely) be overkill, but you'll find that there's quite a lot of milspec products that are capable of Layer 2 encryption, at quite high throughputs.

The first one I found is VLAN and MPLS agnostic, unsurprisingly, but I suspect they're bloody expensive.

Related

Free alternatives to M/Monit interface for the Monit systems management system [closed]
How to install GD library in php?
What is the purpose and uniqueness SHTML?
Pull remote branch into local repo with different name?
What's the point of input type in GraphQL?
"using namespace" in c++ headers [duplicate]
On showing dialog I get "Can not perform this action after onSaveInstanceState"
Automatically import modules when entering the python or ipython interpreter
How do you track record relations in NoSQL?
Difference between Variable and get_variable in TensorFlow
RegEx backreferences in IntelliJ
How to create major and minor gridlines with different linestyles in Python