private fiber security, large IPsec deployments [was: PRISM too much trouble? Get MUSCULAR]

grarpamp grarpamp at gmail.com
Sun Nov 3 16:07:22 PST 2013


On Wed, Oct 30, 2013 at 10:55 PM, coderman <coderman at gmail.com> wrote:
> On Wed, Oct 30, 2013 at 11:35 AM, Gregory Foster
> <gfoster at entersection.org> wrote:
>> ... According to a top secret accounting dated Jan. 9, 2013,
>> NSA’s acquisitions directorate sends millions of records
>> every day from Yahoo and Google internal networks ...
>> The NSA’s principal tool to exploit the data links is a
>> project called MUSCULAR, operated jointly with the
>> agency’s British counterpart, GCHQ. From undisclosed
>> interception points, the NSA and GCHQ are copying
>> entire data flows across fiber-optic cables that carry
>> information between the data centers...
>
>
> encryption between sites would eliminate the risk above on private
> fiber.  you can easily accomplish this today via various means. (some
> businesses already VPN over private dedicated fiber)
>
> if you wanted to protect every host in every data center end-to-end
> would you go with IPsec or OpenVPN or other?
>
> what is the largest IPsec deployment on record? (transport, not tunnel mode)
>
> how would you handle key management / key exchange for such a system?

Post the above to nanog.

Anyone can put 10G NICs in router PCs and easily pass more than 1G.
But big fiber links are 10/40/100G per wave. You'd need some
very fast ASIC link encryptors for that, or offload it to your hosts
doing IPsec between your cages/DCs. Yahoo, Google, etc. may
peer but they almost certainly don't own the fiber they do it over;
the tier-n's they buy from do, or the raw fiber providers do. Though
they can often attach leased fiber direct to their shelves. These
questions are a bit mixed into different areas. You're either talking
bandwidth consumers trying to encrypt, or the bandwidth providers
getting together to encrypt their backbones. Very different things.



