Deciphering encryption: Choosing the best protection for your network
StoryOctober 15, 2008
Oren Barkai
ECI Telecom
Over the past few centuries, military means and methods have evolved in line with technology. Communication networks have become a crucial component of the military's day-to-day operation and with that, the growing need for their protection. With encryption as the basis of network protection, Oren compares the two most common methods, namely IPSec and Layer 2 encryption, with Layer 2 as the clear winner.
Modern-day warfare dictates that network-centric communications technology must be as much at the core of a successful military campaign as a strong battle plan and disciplined soldiers.
Accordingly, a network-centric communications infrastructure must have flexibility, agility, scalability, redundancy, and the ability to assimilate information security in key network layers (Figure 1). Integrated management is also required to allow shared situational awareness for all staff levels. But above all, network-centric communications infrastructures must be secured and protected - a formidable challenge when faced with numerous and potentially lethal security threats.
Figure 1
(Click graphic to zoom)
|
|
Through common standards platforms such as FIPS, ITU-T, IEEE, IETF, and others, administrators of military communication systems around the world are able to share and exchange knowledge about the most common threats. These threats include interception, or the gaining of access by an unauthorized party to sensitive assets; interruption, or the rendering useless of an asset of the system; modification, or the tampering of an asset by an unauthorized person; and fabrication, or the insertion of new objects into the system by an unauthorized party.
One of the most frequently used and most effective solutions for combating these network security threats is encryption, which is defined by the Israel Ministry of Defense as: "Scrambling of data, entirely or in part, by modifying the data or how it is transferred, using mathematical equations or algorithms, whether by means of a key or not".[1]
Defense against network threats comes at a price, and installing a proper encryption system can be costly. In certain cases, costs can reach as high as 10 percent of the total link costs. However, the challenge that many military network administrators face is not only managing encryption budgets and expenditures, but also finding an encryption platform that is highly effective and does not hold significant performance implications.
In the next sections, we will look at these performance implications, namely network complexity, jitter, and latency. We will also examine how Layer 2 solutions can overcome most of these drawbacks at a reasonable cost, and why they are a better alternative to the commonly used IPSec.
Encryption drawbacks: The ins and outs of network complexity
Network complexity has become a significant concern amongst network administrators as the use of modern IPSec encryption continues to grow. Reasons to note include:
- If IPSec Tunnel Mode is used, then a new IP header is created to mask the whole packet, meaning that the IP packet becomes larger and takes more time to pass through the route, thus process time increases. It also complicates the network as the operator needs to hold two sets of addresses (for encrypted packets and decrypted packets).
- Encryption usually works in point-to-point or point-to-multipoint connectivity. More links mean more encryption keys are required. This makes operations more complex and can cause human errors, leading to network malfunctions.
As an example, a voice over IP network requires that end-to-end latency is below 250 milliseconds (msec), a requirement that, in most cases, can be satisfied by design. In an example network, the longest span latency reaches a maximum of 200 msec. This is a characteristic latency between two remote nodes in a representative network.
However, if point-to-point encryption is introduced and there are several hops along the way, each hop represents twice the latency introduced by the encryptor. If an encryptor introduces 5 msec latency, it will only take seven hops before there is significant adverse impact on network performance.
Since maximum span reaches 200 msec and the span comprises seven hops, the combined latency becomes 270 msec (200 msec span latency + 5x14 encryptors latency = 270 msec). Being above the minimum required 250 msec latency level translates to rapid degradation of voice quality and ocasionally the rendering of inaudible conversations.
IPSec issues: Latency and jitter
The two other main drawbacks are latency and jitter. When using IPSec encryption as described in our previous example, packet size may change in a non-deterministic way. This change influences the network performance, mainly in terms of latency and jitter.
Figure 2 demonstrates that, apart from processing the information in the encryptor, the overall packet size of the new IPSec encrypted packet may vary. In this instance, not only does latency occur, but variations in packet size can also take place, introducing unnecessary jitter to the system.
Figure 2
(Click graphic to zoom by 2.3x)
|
|
Apart from jitter, let us assume that the network has 20 nodes (a small network), with each node connected to 3 other nodes. In this case, the routing tables comprise a maximum of 19 IP addresses at each node. Introduction of IPSec in tunnel mode means that an additional 19 or more (if we are using several keys between nodes) IP addresses will be required as we can also work in unprotected mode (for lower classified applications).
We therefore find ourselves faced with a serious and complex dilemma. If we use encryption, costs increase, performance suffers, and the network is saddled with numerous complexities, making it very difficult to manage. If we do not use encryption, costs are lower; however, the network is extremely vulnerable.
Analyzing possible solutions
It is commonly understood that military networks will not "function" without encryption as classified applications demand more and more network resources. Therefore, the solution is to find the best-performing and most cost-effective encryptor (Table 1). This system should include the following attributes:
Table 1
(Click graphic to zoom by 2.3x)
|
|
- High performance - minimum latency, maximum throughput possible
- Low in cost
- Minimal network implication - no change in IP address
- Maximum protection to the network - as low as possible on the Open Systems Interconnection Basic Reference Model (OSI Model) seven layers model of International Organization for Standardization (ISO). See again Figure 1.
Let us examine several options to see how they fit these requirements.
Since not employing an encryption system is not a realistic option for today's defense networks, and considering the poor performance of application-based encryption, let us turn our attention to transmission versus IP encryptors.
IPSec technology is a Layer 3 technology, which protects all layers from Network to Application. IPSec is today's common civil solution for Internet traffic securing and business-sensitive traffic solutions. Transmission encryption, on the other hand, is a Layer 2 technology, which protects all layers from the Data Link layer all the way to the Application layer.
For the sake of establishing the preferred method, ECI Telecom has conducted several trials with both transmission and IP encryptors in order to review both options and compare performances. The trial setup was based on a point-to-point link with traffic generator at both sides and load testing using changeable packet/frame size. This method was used to compare how Layer 2 and Layer 3 encryptors behave. Figure 3 shows an illustration of the trial setup.
Figure 3
(Click graphic to zoom by 2.3x)
|
|
The traffic generator created traffic marked as "Cleartext" with variable packet/frame size. Both encryptors were tested at different times, and the reports of the traffic generator were noted.
As already stated, it is acceptable for an encryptor to reduce the amount of traffic passing through it (limiting throughput). However, it is advised that the throughput would be as close to the actual Cleartext traffic as possible to minimize the performance issues. The trials were repeated several times, and the average test results are shown in Figure 4.
Figure 4
(Click graphic to zoom by 2.3x)
|
|
In parallel, ECI Telecom has also tested latency performance. For those tests, using the same test setup but measuring the latency of the link (passing through a Layer 2 encryptor and medium simulator), the medium simulator was set to 10 microseconds to eliminate influence on total link latency. The results of these trials are summarized in Table 2.
Table 2
(Click graphic to zoom by 1.9x)
|
|
It is evident from the test results that even though IPSec encryption results in acceptable latency and jitter performance, Layer 2 encryption has superior influence on network performance. Layer 2 encryption has better network protection and results in simplified network operation.
Layer 2 is "number 1"
Extensive testing by ECI Telecom showed that Layer 3 encryptors perform with an average latency of almost 2 msec coupled with variation (jitter) of 13 percent, while Layer 2 encryption has an improved latency performance 30 times over, with twice the stability in variation.
These results indicate that Layer 2 is a superior, more effective approach for the majority of today's military networks, which operate large multi-hop complex communication infrastructures. This provides them with an ultimate solution to balance both cost and performance, while securing their networks in greater depth.
Oren Barkai is senior system architect, Government & Defense Solutions, at ECI Telecom. He holds an MBA from the Technion - Israel Institute of Technology and a B.Sc. in Electrical Enginerring from Tel Aviv University. He is a former Major in the Israeli Defense Forces Signals Corps, and brings with him a decade of experience in military networks and security. Oren can be reached at Oren.barkai@ecitele.com.
ECI Telecom
+972 3 9266555
www.ecitele.com
References:
1. www.mod.gov.il/pages/encryption/governing.asp
