A protocol for Optical Data Unit service encryption
19 October 2015
When interconnecting data centers, encryption is required since the exchanged data travels over public networks. The layer at which encryption is performed has to be chosen carefully. The obvious place, encrypting the packet stream at the gateway, is not always the best solution in terms of effort and cost. Another possible place to perform the encryption is the ODU layer of the underlying transport network. This is usually the point where the data packets (e.g. 10GbE) are mapped into a transport data stream (e.g. ODU2e). Since this ODU path travels end to end, independently of the OTUs used in between, encrypting the ODU stream at the mapping hardware with a synchronous algorithm is advantageous. The challenge is to securely synchronize the encryption keys between the two nodes involved. The ODU path layer allows secure communication channels to be set up end to end, even across operator boundaries. Currently, the optical transport network standard (G.709) does not provide any overhead bytes for key synchronization. A communication channel between the two network nodes is a precondition for key synchronization (e.g. using the Diffie-Hellman algorithm). Therefore, re-using existing overhead bytes to create an in-band communication channel is preferred. Based on this, a protocol has been defined that supports key synchronization of the ODU encryption engine and performs a frame-accurate (hitless) encryption key exchange.
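The key handover described above, as an added illustration that is not the protocol from the page or any vendor's implementation: a toy Python model in which a hypothetical spare overhead field on each frame carries the control messages in the clear, a Diffie-Hellman exchange derives the next key, the initiator announces the frame number at which to switch, and both nodes change keys exactly at that frame so no frame is lost. The hash-based keystream and per-frame tag are stand-ins for whatever cipher the real engine uses; the toy DH group, the `SWITCH_LEAD` constant, the message names and the pre-shared initial key are all assumptions. The second function shows the failure mode a per-frame tag is meant to catch: one side switching alone.

```python
"""Toy model of a frame-accurate (hitless) ODU encryption key handover.
Added illustration: in-band control messages in a hypothetical overhead
field, DH-derived next key, synchronous switch at an agreed frame number."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

P = 2**127 - 1   # toy Mersenne prime; a standard MODP group belongs here in practice
G = 5
SWITCH_LEAD = 4  # frames between announcing the switch and performing it (assumption)


def keystream(key: bytes, frame_no: int, length: int) -> bytes:
    """Toy synchronous keystream: hash(key, frame number, block counter)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + frame_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return out[:length]


def mac(key: bytes, frame_no: int, ct: bytes) -> bytes:
    """Per-frame tag so a receiver notices a key mismatch instead of emitting garbage."""
    return hmac.new(key, frame_no.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:8]


@dataclass
class Frame:
    number: int
    overhead: Optional[Tuple[str, int]]  # in-band control message, carried in the clear
    ciphertext: bytes
    tag: bytes


class Node:
    def __init__(self, key: bytes):
        self.key, self.key_id = key, 0
        self.pending = self.switch_at = self.priv = self.proposed = None
        self.outbox = None  # control message to piggyback on the next outgoing frame

    def start_rekey(self) -> None:
        self.priv = secrets.randbelow(P - 2) + 2
        self.proposed = -1  # marks this node as the initiator
        self.outbox = ("KEX", pow(G, self.priv, P))

    def handle(self, msg: Tuple[str, int], frame_no: int) -> None:
        kind, value = msg
        if kind == "KEX":
            if self.priv is None:  # responder: answer with its own DH share
                self.priv = secrets.randbelow(P - 2) + 2
                self.outbox = ("KEX", pow(G, self.priv, P))
            shared = pow(value, self.priv, P)
            self.pending = hashlib.sha256(b"odu-rekey" + shared.to_bytes(16, "big")).digest()
            if self.proposed is not None:  # initiator: propose the switch frame
                self.proposed = frame_no + SWITCH_LEAD
                self.outbox = ("SWITCH", self.proposed)
        elif kind == "SWITCH":
            self.switch_at = value
            self.outbox = ("ACK", value)
        elif kind == "ACK" and value == self.proposed:
            self.switch_at = value  # initiator commits only once the peer confirmed

    def _maybe_switch(self, frame_no: int) -> None:
        if self.switch_at is not None and frame_no >= self.switch_at:
            self.key, self.key_id = self.pending, self.key_id + 1
            self.pending = self.switch_at = self.priv = self.proposed = None

    def encrypt(self, frame_no: int, plaintext: bytes) -> Frame:
        self._maybe_switch(frame_no)
        ct = bytes(a ^ b for a, b in zip(plaintext, keystream(self.key, frame_no, len(plaintext))))
        msg, self.outbox = self.outbox, None
        return Frame(frame_no, msg, ct, mac(self.key, frame_no, ct))

    def decrypt(self, frame: Frame) -> bytes:
        self._maybe_switch(frame.number)
        if not hmac.compare_digest(frame.tag, mac(self.key, frame.number, frame.ciphertext)):
            raise ValueError(f"frame {frame.number}: tag mismatch, keys out of sync")
        ks = keystream(self.key, frame.number, len(frame.ciphertext))
        pt = bytes(a ^ b for a, b in zip(frame.ciphertext, ks))
        if frame.overhead:
            self.handle(frame.overhead, frame.number)
        return pt


def run(frames: int = 10) -> list:
    """Rekey between two nodes; returns (frame, A tx key id, B rx key id, ok) per frame."""
    k0 = b"\x11" * 32  # constructed pre-shared initial key
    a, b = Node(k0), Node(k0)
    a.start_rekey()
    log = []
    for n in range(frames):
        payload = f"client frame {n}".encode()  # constructed sample payload
        ok = b.decrypt(a.encrypt(n, payload)) == payload
        log.append((n, a.key_id, b.key_id, ok))
        a.decrypt(b.encrypt(n, b"idle"))  # return direction carries B's control replies
    return log


def missed_switch_is_detected() -> bool:
    """If one side switches alone, the per-frame tag exposes the desynchronisation."""
    a, b = Node(b"\x22" * 32), Node(b"\x22" * 32)
    b.pending, b.switch_at = b"\x33" * 32, 0  # B switches at frame 0; A never heard of it
    try:
        b.decrypt(a.encrypt(0, b"data"))
    except ValueError:
        return True
    return False
```

In `run()` the key change lands on frame 4 on both sides: the initiator proposes the frame after seeing the responder's DH share and commits only on the ACK, so a lost ACK leaves both ends on the old key rather than splitting them. The tag check in `decrypt()` is what turns a silent desynchronisation into a detectable event, which is the alarm a transport operator would want from the encryption engine.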