Brocade is announcing two innovative interface modules for the MLXe routing platform that provides in-line IPsec and MACsec encryption services @ line-rate! These new encryption modules are the industry’s first in terms of providing L2 and L3 encryption services in a router chassis with no performance impact. As you may recall, I blogged about the need and challenges of encryption last year.
The IPsec interface module delivers 4x10GbE and 4x1GbE ports that can encrypt data using either IPsec (256-bit AES Suite B) or MACsec (128-bit) algorithms at wire speed. And the 8 ports can be link aggregated to create a simple, single, large 44Gbps pipe. Simple, pervasive securing of data in-fight.
The other announcement is a 20x10/1GbE interface module that provides 128-bit MACsec encryption at wire speed on all 20 ports; for an aggregated 200Gbps capability per line module. Any of the ports can support either 10GbE or 1GbE. What’s also cool about this module is that it retains the large LAG trunking capability of our other 10GbE modules; where we can support 64 10GbE ports in a single LAG, even with MACsec enabled. (Side note: I would very be curious to hear from customers on how many 10GbE ports they have in their LAG bundles. Please share your experiences in the comments section of this blog.)
Back to the question I asked in the blog title: What does this mean for SPs? There are a few answers to that simple question.
One - With the increasing requirement for data privacy and encryption services coming from your enterprise customers, now you can provide these services to them without any impact on network performance. Network level encryption, for the first time, now becomes a low risk proposition. This is a critical differentiator from encryption offerings from other vendors, as all of them come with an inherent performance hit. We chose a different angle than our competitors; in that, we are doing this encryption in hardware and its in-line, so there is no need to burn a line card slot for a “service module” nor is there a sacrifice in performance. The service module approach from our competitors provides limited performance and we have heard from customers where they have had to insert multiple service modules, each consuming an important line card slot, to get closer to the performance they need. With our offering, you can provide encryption services without a performance or chassis real estate compromise. Offering these encryption services to your enterprise customers could indeed be a differentiated “value add” for your business.
Two - You can encrypt your own internal traffic as well. It is now common practice for all Inter-DC links to be encrypted due to all the privacy concerns we are now experiencing. This is becoming table stakes in networks that have multiple data centers. It just makes sense. This is a very good use case for MACsec, as these links are typically Ethernet point-2-point links and it’s easy to turn on MACsec for these Inter-DC links and gain immediate 128-bit L2 encryption.
Three – Integrating programmatic capabilities with SDN is the next logical step. SDN would further reduce the OPEX associated with deploying encryption, as the SDN controller can be responsible for provisioning the router to determine which flows will be encrypted by IPsec. This would provide a very automated and dynamic encryption solution.
If you’re a Brocade MLXe customer today and want to ‘test drive’ the new IPsec or MACsec modules, please contact your Brocade Account Executive or drop an email to our Product Marketing guru, Ed O’Connell at: mailto:email@example.com.
If you’re not a Brocade customer today but want to have simple, scalable data privacy for data in-flight, give Brocade a call and ask for a test-drive.
If you happen to be at the NANOG 63 event in San Antonio, TX then please stop by the Brocade booth during the Beer n Gear event where we will be displaying these new modules. Both Ed and I will be there!