Operators consider the optical transport network secure since there is no direct access to the data-plane. However, Wikileaks and Snowden disclosures have proven this assumption wrong. Customers demand data encryption e.g. when interconnecting data centers. One possible solution is to take security measures at the gateway adding costs. Another solution is to encrypt data on OTU/ODU layer, which could raise interworking issues since such solutions might use reserved overhead bytes. However, the ODU path layer allows to setup secure communication channels end-to-end even across operator’s boundaries. While the optical transport network is standardized neither methods for key exchange, nor overhead for key transport have been defined. In this paper a standards compliant solution will be presented to overcome these issues.
A protocol running between the edge nodes of the optical transport network has been defined, capable to support various key distribution mechanisms (e.g. Diffie-Hellman, PKI) in order to exchange a session key used to encrypt and authenticate the communication between the involved edge nodes. This is a precondition to exchange the keys needed by the ODU encryption engine to encrypt the data stream on the ODU layer. The protocol also supports re-keying, periodically or on request. Essential characteristic of the protocol is the support for a hitless key exchange mechanism of the ODU encryption engine. Traffic interruption caused by protection switching or service preemption is considered by the protocol and adequate measures are implemented.