private fiber security, large IPsec deployments [was: PRISM too much trouble? Get MUSCULAR]

coderman coderman@gmail.com
Wed Oct 30 19:55:50 PDT 2013


On Wed, Oct 30, 2013 at 11:35 AM, Gregory Foster
<gfoster@entersection.org> wrote:
> ... According to a top secret accounting dated Jan. 9, 2013,
> NSA’s acquisitions directorate sends millions of records
> every day from Yahoo and Google internal networks ...
> The NSA’s principal tool to exploit the data links is a
> project called MUSCULAR, operated jointly with the
> agency’s British counterpart, GCHQ. From undisclosed
> interception points, the NSA and GCHQ are copying
> entire data flows across fiber-optic cables that carry
> information between the data centers...


encryption between sites would eliminate the risk above on private
fiber.  you can easily accomplish this today via various means. (some
businesses already VPN over private dedicated fiber)

if you wanted to protect every host in every data center end-to-end
would you go with IPsec or OpenVPN or other?

what is the largest IPsec deployment on record? (transport, not tunnel mode)

how would you handle key management / key exchange for such a system?



