
ENCRYPTION OVER ODU4

IP.com Disclosure Number: IPCOM000214462D
Publication Date: 2012-Jan-30
Document File: 8 page(s) / 223K

Publishing Venue

The IP.com Prior Art Database

Related People

Gilberto Loprieno: AUTHOR [+3]

Abstract

A method for Encryption and Authentication within a single ODU4 frame is provided. The resulting frame is fully compatible with the G.709 standard because payload bytes are used instead of ODUk overhead bytes.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.


AUTHORS:

Gilberto Loprieno

Davide Codella

Federico Scandroglio


DETAILED DESCRIPTION

    Optical transport enables connectivity over very long distances (100 km and beyond). Since the fiber link is deployed outside of a building, the fiber is potentially exposed to tampering. A mechanism is provided to encrypt and authenticate within a frame formatted according to the Optical Data Unit version 4 (ODU4) of the Optical Transport Network (OTN) standard.

    Encryption and Authentication are specified for packet-based protocols such as IPsec or Fibre Channel. There is no template for OTN or other Time Division Multiplex (TDM) based protocols.

    IPsec defines the Encapsulating Security Payload (ESP) Header for Encryption and the ESP Trailer Integrity Check Value (ICV) for Authentication. Accordingly, the Inter-Frame Gap (idle ordered_sets) is removed to make room for additional fields (tagging) to support Encryption and Authentication. In the case of ODU4, the stuffing bytes (32 bytes) are filled with the ESP Header and ESP Trailer bytes. 16 bytes of ESP header are transported over the stuffing bytes of the first two rows. 16 bytes of ICV are transported over the remaining stuffing bytes (rows 3 and 4). In this way all overhead that mimics IPsec fits inside a single ODU4 frame.

Copyright 2012 Cisco Systems, Inc.

    FIG. 1 illustrates the reference model for security. A standard packet is modified by adding Security Tags, which contain the ESP Header (usually 16 bytes) required for encryption/decryption and the ESP Trailer (16 bytes) used for the ICV.

    FIG. 2 shows an example OPU4 frame mapping. The OPU4 payload for this mapping consists of 4 × 3800 bytes for client data and 4 × 8 bytes with fixed stuff. Groups of six hundred and forty (640) successive bits of the client signal are mapped into a group of 80 successive bytes of the OPU4 payload area under control of the GMP data/stuff mechanism. The groups of 80 bytes in the payload area are numbered from 1 to 190. In row 1 of the OPU4 frame the first 80 bytes are labelled 1, the next 80 bytes are labelled 2, and so on. Each group of 80 bytes in the OPU4 payload area may either carry 640 client bits or carry 640 stuff bits. The stuff bits are set to zero.
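
A minimal model of the layout described above, added here as an illustration and not code from the disclosure: it places a 16-byte header in the stuff bytes of rows 1 and 2 and a 16-byte ICV in those of rows 3 and 4, then verifies the ICV on receipt. Assumptions: the stuff bytes are the last 8 bytes of each row, the header is SPI, sequence number and an 8-byte IV, the ICV is HMAC-SHA-256 truncated to 16 bytes, and the client bytes are treated as ciphertext already produced by a cipher the disclosure does not name; all function names are hypothetical.

```python
import hashlib
import hmac
import struct

ROWS, CLIENT, STUFF = 4, 3800, 8   # per-row byte counts given in the text
ROW_LEN = CLIENT + STUFF           # 3808 payload bytes per row
TAG_LEN = 16                       # ESP header and ICV are 16 bytes each

def stuff_slice(row):
    """Slice of the flat payload area holding one row's stuff bytes.
    Assumption: the 8 stuff bytes are the last 8 bytes of the row."""
    start = row * ROW_LEN + CLIENT
    return slice(start, start + STUFF)

def compute_icv(key, header, client):
    # Stand-in ICV (assumption): HMAC-SHA-256 truncated to 16 bytes.
    return hmac.new(key, header + client, hashlib.sha256).digest()[:TAG_LEN]

def seal(key, client, spi, seq, iv):
    """Build the 4 x 3808 payload area with both tags in the stuff bytes."""
    if len(client) != ROWS * CLIENT or len(iv) != 8:
        raise ValueError("need 15200 client bytes and an 8-byte IV")
    header = struct.pack(">II", spi, seq) + iv   # assumed header layout
    tags = header + compute_icv(key, header, client)
    payload = bytearray(ROWS * ROW_LEN)
    for r in range(ROWS):
        base = r * ROW_LEN
        payload[base:base + CLIENT] = client[r * CLIENT:(r + 1) * CLIENT]
        # rows 1-2 receive the header halves, rows 3-4 the ICV halves
        payload[stuff_slice(r)] = tags[r * STUFF:(r + 1) * STUFF]
    return bytes(payload)

def open_frame(key, payload):
    """Return (spi, seq, client) if the ICV verifies, else raise ValueError."""
    if len(payload) != ROWS * ROW_LEN:
        raise ValueError("payload area must be 15232 bytes")
    payload = bytes(payload)
    tags = b"".join(payload[stuff_slice(r)] for r in range(ROWS))
    header, icv = tags[:TAG_LEN], tags[TAG_LEN:]
    client = b"".join(payload[r * ROW_LEN:r * ROW_LEN + CLIENT]
                      for r in range(ROWS))
    if not hmac.compare_digest(icv, compute_icv(key, header, client)):
        raise ValueError("ICV mismatch: frame altered in transit")
    spi, seq = struct.unpack(">II", header[:8])
    return spi, seq, client
```

Because the ICV covers the header as well as the client bytes, a change to the sequence number or IV in rows 1 and 2 is rejected in the same way as a change to the client data.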

    FIG. 3 illustrates the basic concepts of the techniques to perform encryption over ODU4 by arranging the frame to support the IPsec type of security developed for packet traffic. This figure illustrates that the mapping is completely transparent, and in particular exhibits clock transparency, OTN backward compatibility and transparency to installed regenerator blocks.

    FIG. 4 shows a single OTU4 frame processed to support encryption. Stuffing bytes of OPU4 are used to transport the 16-byte ESP Header and the 16-byte ESP Trailer. Each...