EDGE-to-EDGE Encryption

What is EDGE-to-EDGE Encryption?

EDGE-to-EDGE encryption is a security feature for Anapaya EDGE devices designed to enhance the protection of your network traffic as it traverses the SCION Internet. It ensures the confidentiality and integrity of your sensitive data by encrypting it before it leaves your network edge and decrypting it only when it reaches the destination network edge.

This feature seamlessly integrates with other Anapaya EDGE capabilities and leverages the inherent security of the SCION architecture, specifically its Control Plane Public Key Infrastructure (CP-PKI), along with the industry-standard IPsec Encapsulating Security Payload (ESP) protocol.

EDGE-to-EDGE encryption is available for Anapaya EDGE Pro customers.

How does it work?

  1. Encryption/Decryption at the Edge: Anapaya EDGE devices at the source network encrypt outgoing data packets. These packets remain encrypted throughout their journey across the SCION Internet. Upon arrival, the Anapaya EDGE device at the destination network decrypts the packets.

  2. Authentication & Key Management (SCION CP-PKI): The system uses SCION’s Control Plane PKI to establish authenticated connections between participating Anapaya EDGE devices. This PKI handles the administration of cryptographic keys and certificates, automatically deriving the necessary symmetric keys for encryption without requiring manual key exchange or complex certificate management.

  3. Secure Tunneling (IPsec ESP): The actual encryption of the data packets is performed using the IPsec Encapsulating Security Payload (ESP) protocol, a widely used standard that provides confidentiality, integrity, authenticity, and replay protection for network traffic.

Key Benefits

  • Enhanced Security: Protects your data from eavesdropping and tampering while in transit over the SCION Internet.

  • Strong Authentication: Ensures that network traffic is only accepted from authorized Anapaya EDGE devices, safeguarding against impersonation and potential reflection attacks.

  • Simplified Key Management: Leverages the built-in SCION CP-PKI, eliminating the need for manual key distribution and complex certificate management between sites.

  • Flexible Configuration: Easily enable encryption for your entire network or selectively apply it to specific traffic domains based on your security requirements, configurable via the Anapaya Console or configuration files.

  • Seamless Integration: Works alongside other Anapaya EDGE features like path control, fast failover, and network engineering without disruption.

Use Case: Site-to-Site VPN

Anapaya EDGE with EDGE-to-EDGE encryption provides a secure, reliable, and simplified alternative to traditional site-to-site VPN setups for connecting main offices, branch offices, and cloud services.

Consider the following example:

Setup

  1. Enable the EDGE-to-EDGE encryption feature globally:

    {
        "scion_tunneling": {
            "endpoint": {
                "encryption": {
                    "enabled": true
                }
            }
        }
    }
    
  2. Configure an IP-in-SCION tunneling domain that encompasses the main office, branch office, and cloud service:

    {
        "scion_tunneling": {
            "domains": [
                {
                    "name": "corporate_network",
                    "prefixes": {
                        "accept_filter": [
                            {
                                "sequence_id": 1,
                                "prefixes": [
                                    "192.168.10.0/24",
                                    "192.168.20.0/24",
                                    "192.168.30.0/24"
                                ],
                                "action": "ACCEPT"
                            }
                        ],
                        "announce_filter": [
                            {
                                "sequence_id": 1,
                                "prefixes": [
                                    "192.168.10.0/24",
                                    "192.168.20.0/24",
                                    "192.168.30.0/24"
                                ],
                                "action": "ACCEPT"
                            }
                        ]
                    },
                    "remote_isd_ases": [
                        // configure the remote ISD-ASes that correspond to the corporate sites
                    ],
                    "traffic_policies": [
                        // configure the desired policies
                    ],
                    "encryption": "ENABLED" // Enforce encryption for this domain
                }
            ]
        }
    }

  3. Apply the domain configuration to the EDGE appliances at the main office, branch office, and cloud service. You may need to adjust the configuration depending on the specific network setup and requirements.

  4. Verify the encryption status and connectivity between the sites using the Anapaya Console or CLI. You can check the status of the tunnels and the encryption status for each domain:

    $ appliance-cli info tunneling
    Endpoint:
    Status: ✅
    
    Domains:
    - Name: corporate_network
        Status: passing     Encryption: enabled
        Prefixes Received: 2
        Prefixes Announced: 1
        ...
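A pre-flight check over the two configuration fragments above, as an added example that is not part of Anapaya's product: it reads the `scion_tunneling` keys shown in steps 1 and 2 and flags domains whose `encryption` setting cannot take effect or is still opportunistic. The sample configuration is constructed; the rule that a domain-level ENABLED or OPTIONAL requires the global `enabled: true` is inferred from the setup steps, not stated by the page, and the product's actual validation and defaults may differ.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the encryption-related keys are modelled; the key names follow the
// configuration excerpts on this page.
type Config struct {
	ScionTunneling struct {
		Endpoint struct {
			Encryption struct {
				Enabled bool `json:"enabled"`
			} `json:"encryption"`
		} `json:"endpoint"`
		Domains []struct {
			Name       string `json:"name"`
			Encryption string `json:"encryption"`
		} `json:"domains"`
	} `json:"scion_tunneling"`
}

// CheckEncryption reports domains whose encryption setting deserves attention before
// the configuration is applied. Assumed (not stated on this page): a domain set to
// ENABLED or OPTIONAL needs the global endpoint switch to be true to take effect.
func CheckEncryption(raw []byte) ([]string, error) {
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("invalid configuration: %w", err)
	}
	global := cfg.ScionTunneling.Endpoint.Encryption.Enabled
	var findings []string
	for _, d := range cfg.ScionTunneling.Domains {
		switch d.Encryption {
		case "ENABLED", "OPTIONAL":
			if !global {
				findings = append(findings, fmt.Sprintf(
					"domain %q: encryption %s but scion_tunneling.endpoint.encryption.enabled is false",
					d.Name, d.Encryption))
			} else if d.Encryption == "OPTIONAL" {
				findings = append(findings, fmt.Sprintf(
					"domain %q: still OPTIONAL (opportunistic); set ENABLED once every remote reports encryption enabled",
					d.Name))
			}
		default:
			findings = append(findings, fmt.Sprintf(
				"domain %q: encryption setting %q is neither ENABLED nor OPTIONAL; confirm this domain may carry unencrypted traffic",
				d.Name, d.Encryption))
		}
	}
	return findings, nil
}

// Constructed configuration: global switch off, one enforced domain, one
// opportunistic domain and one domain with no encryption key at all.
const sampleConfig = `{
  "scion_tunneling": {
    "endpoint": {"encryption": {"enabled": false}},
    "domains": [
      {"name": "corporate_network", "encryption": "ENABLED"},
      {"name": "partner_network", "encryption": "OPTIONAL"},
      {"name": "lab_network"}
    ]
  }
}`

func main() {
	findings, err := CheckEncryption([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

Run it against a candidate configuration before pushing it to the appliances; an empty findings list means every domain is either enforced with the global switch on or deliberately left out.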
    

Frequently Asked Questions (FAQ)

How do I upgrade an existing tunnel to EDGE-to-EDGE encryption without interruption?

To upgrade an existing tunnel to EDGE-to-EDGE encryption, you can follow these steps:

  1. Globally enable the encryption option in the scion_tunneling.endpoint.encryption section (if not already done).

  2. Set the encryption option to OPTIONAL in the corresponding domain configuration. This opportunistically encrypts traffic for the domain if and only if the remote tunnel endpoint also supports encryption, and falls back to unencrypted traffic if it does not.

  3. Monitor the tunnel status either in the Console or via the CLI:

    $ appliance-cli info tunneling

    Once the output shows Encryption: enabled, you can be sure that the remote side supports encryption and has it enabled.

  4. Finally, set the encryption option to ENABLED in the domain configuration. This enforces encryption for the domain: all traffic is encrypted, and unencrypted traffic is dropped.
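The status check in steps 3 and 4 above (and in step 4 of the Setup section), as an added example rather than Anapaya tooling: a Go program that parses `appliance-cli info tunneling` output and lists the domains that do not yet report `Encryption: enabled`, so that no domain is switched to ENABLED before its remote side encrypts. The sample output is constructed from the excerpt on this page; the layout beyond that excerpt and the `disabled` value shown for the second domain are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample of `appliance-cli info tunneling` output. The layout follows
// the excerpt on this page; the "disabled" value for the second domain is assumed.
const sampleOutput = `Endpoint:
Status: ✅

Domains:
- Name: corporate_network
    Status: passing     Encryption: enabled
    Prefixes Received: 2
    Prefixes Announced: 1
- Name: partner_network
    Status: passing     Encryption: disabled
    Prefixes Received: 1
    Prefixes Announced: 1
`

// DomainStatus holds the per-domain fields relevant to the migration decision.
type DomainStatus struct {
	Name, Status, Encryption string
}

// ParseTunnelingInfo extracts each domain's Status and Encryption value. Lines before
// "Domains:" (the endpoint section, which has its own Status line) are skipped.
func ParseTunnelingInfo(out string) []DomainStatus {
	var domains []DomainStatus
	inDomains := false
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "Domains:":
			inDomains = true
		case !inDomains:
			continue
		case strings.HasPrefix(line, "- Name:"):
			name := strings.TrimSpace(strings.TrimPrefix(line, "- Name:"))
			domains = append(domains, DomainStatus{Name: name})
		case strings.HasPrefix(line, "Status:") && len(domains) > 0:
			d := &domains[len(domains)-1]
			// "Status: passing     Encryption: enabled" splits into key/value pairs
			fields := strings.Fields(line)
			for i := 0; i+1 < len(fields); i += 2 {
				switch fields[i] {
				case "Status:":
					d.Status = fields[i+1]
				case "Encryption:":
					d.Encryption = fields[i+1]
				}
			}
		}
	}
	return domains
}

// NotYetEncrypted lists domains that must stay on OPTIONAL: switching them to
// ENABLED now would drop their traffic until the remote side also encrypts.
func NotYetEncrypted(domains []DomainStatus) []string {
	var names []string
	for _, d := range domains {
		if d.Encryption != "enabled" {
			names = append(names, d.Name)
		}
	}
	return names
}

func main() {
	domains := ParseTunnelingInfo(sampleOutput)
	for _, d := range domains {
		fmt.Printf("%-20s status=%-8s encryption=%s\n", d.Name, d.Status, d.Encryption)
	}
	if pending := NotYetEncrypted(domains); len(pending) > 0 {
		fmt.Println("keep OPTIONAL for:", strings.Join(pending, ", "))
	} else {
		fmt.Println("all domains report encryption enabled; safe to set ENABLED")
	}
}
```

In practice you would feed the live CLI output into ParseTunnelingInfo instead of the constant and only proceed to step 4 for domains that are absent from the NotYetEncrypted list.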

What encryption algorithm and protocol are used?

EDGE-to-EDGE encryption uses the IPsec Encapsulating Security Payload (ESP) protocol with AES-GCM-256 as the encryption algorithm. AES-GCM provides both confidentiality and data authenticity.
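The ESP mechanics described here and in step 3 of "How does it work?" (AES-GCM for confidentiality and authenticity, sequence numbers for replay protection), as an added Go example that is not Anapaya's code: a simplified ESP-style security association built on AES-256-GCM from the Go standard library. The packet layout, the SPI value, the 64-entry window and the random demo key are assumptions made here; the key derivation over the CP-PKI-authenticated connection is not modelled, the key is simply supplied by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative ESP-style packet: SPI (4) | sequence number (8) | ciphertext | GCM tag (16).
// SPI and sequence number travel in the clear but are authenticated by the tag.
const headerLen = 12
const windowLen = 64 // anti-replay window size, as in RFC 4303

type SA struct {
	spi    uint32
	aead   cipher.AEAD
	salt   [4]byte // salt || sequence number forms the 12-byte GCM nonce, never repeated under one key
	seq    uint64  // sender: last sequence number used
	high   uint64  // receiver: highest authenticated sequence number
	bitmap uint64  // receiver: bit i set means high-i was already accepted
}

// NewSA takes a caller-supplied 256-bit key; the CP-PKI-based key derivation is not modelled.
func NewSA(spi uint32, key [32]byte, salt [4]byte) *SA {
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always valid (AES-256)
	aead, _ := cipher.NewGCM(block)   // 12-byte nonce, 16-byte tag
	return &SA{spi: spi, aead: aead, salt: salt}
}

func (s *SA) nonce(seq uint64) []byte {
	return binary.BigEndian.AppendUint64(append([]byte{}, s.salt[:]...), seq)
}

// Protect encrypts and authenticates one payload. A real implementation rekeys
// long before seq wraps, since a repeated nonce breaks GCM.
func (s *SA) Protect(payload []byte) []byte {
	s.seq++
	hdr := binary.BigEndian.AppendUint32(nil, s.spi)
	hdr = binary.BigEndian.AppendUint64(hdr, s.seq)
	return s.aead.Seal(append([]byte(nil), hdr...), s.nonce(s.seq), payload, hdr)
}

// Unprotect checks SPI and replay window, verifies the tag, then decrypts.
func (s *SA) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < headerLen+s.aead.Overhead() {
		return nil, errors.New("packet too short")
	}
	hdr := pkt[:headerLen]
	if binary.BigEndian.Uint32(hdr) != s.spi {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint64(hdr[4:])
	if err := s.checkReplay(seq); err != nil {
		return nil, err
	}
	plain, err := s.aead.Open(nil, s.nonce(seq), pkt[headerLen:], hdr)
	if err != nil {
		return nil, errors.New("authentication failed: packet dropped")
	}
	s.markSeen(seq) // advance the window only after the tag verified
	return plain, nil
}

func (s *SA) checkReplay(seq uint64) error {
	switch {
	case seq > s.high:
		return nil
	case s.high-seq >= windowLen:
		return errors.New("sequence number too old: outside replay window")
	case s.bitmap&(1<<(s.high-seq)) != 0:
		return errors.New("replayed packet: sequence number already accepted")
	}
	return nil
}

func (s *SA) markSeen(seq uint64) {
	if seq > s.high {
		s.bitmap <<= seq - s.high // a shift of 64 or more clears the window
		s.high = seq
	}
	s.bitmap |= 1 << (s.high - seq)
}

func main() {
	var key [32]byte // constructed demo key; the product derives keys via the CP-PKI
	rand.Read(key[:])
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}
	tx, rx := NewSA(0x1001, key, salt), NewSA(0x1001, key, salt)
	pkt := tx.Protect([]byte("branch office -> main office"))
	plain, err := rx.Unprotect(pkt)
	fmt.Printf("delivered %q (err=%v)\n", plain, err)
	_, err = rx.Unprotect(pkt)
	fmt.Println("replayed copy:", err)
}
```

Two details matter for the guarantees listed on this page: the header is passed as additional data, so a modified SPI or sequence number fails the tag check rather than being acted on, and the replay window is updated only after a successful Open, so a forged packet with a large sequence number cannot push genuine in-flight packets out of the window.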

How does the key exchange work? How are keys managed?

Key exchange and management are handled automatically by leveraging SCION’s Control Plane PKI (CP-PKI). The Anapaya EDGE devices use the CP-PKI to establish mutually authenticated QUIC connections between the tunnel endpoints (other EDGE devices). The symmetric encryption keys needed for the IPsec ESP tunnels are securely derived through these authenticated connections. This eliminates the need for manual pre-shared keys or complex certificate distribution between peers.

What is the default lifetime for the encryption keys?

The default lifetime for the encryption keys is 1 hour. After this period, the keys are automatically renegotiated to ensure continued security.

Can I use EDGE-to-EDGE encryption across organizations, e.g., partners?

Yes, it’s designed for securing communication with partners as well. Since it uses the SCION CP-PKI for authentication, you don’t need to manually exchange keys or certificates. Minimal coordination is required with partners to define the traffic domains and enable encryption.

Do I need special hardware?

EDGE-to-EDGE encryption is a software feature running on Anapaya EDGE devices. Ensure your Anapaya EDGE devices meet the performance requirements for your expected encrypted traffic load.

Is this feature available for all Anapaya EDGE versions?

EDGE-to-EDGE encryption is available for Anapaya EDGE Pro customers.

If you are an Anapaya EDGE Pro customer, you can start using EDGE-to-EDGE encryption today. Contact Anapaya support or your account representative for further details on enabling and configuring this feature.