EDGE-to-EDGE encryption

EDGE-to-EDGE encryption is a security feature for Anapaya EDGE appliances designed to enhance the protection of your network traffic as it traverses the SCION Internet. It ensures the confidentiality and integrity of your sensitive data by encrypting it before it leaves your network edge and decrypting it only when it reaches the destination network edge.

This feature seamlessly integrates with other Anapaya EDGE capabilities and leverages the inherent security of the SCION architecture, specifically its Control Plane Public Key Infrastructure (CP-PKI), along with the industry-standard IPsec Encapsulating Security Payload (ESP) protocol.

Key features of EDGE-to-EDGE encryption

  • Enhanced Security: Protects your data from eavesdropping and tampering while in transit over the SCION Internet.
  • Strong Authentication: Ensures that network traffic is only accepted from authorized Anapaya EDGE devices, safeguarding against impersonation and potential reflection attacks.
  • Simplified Key Management: Leverages the built-in SCION CP-PKI, eliminating the need for manual key distribution and complex certificate management between sites.
  • Flexible Configuration: Easily enable encryption for your entire network or selectively apply it to specific traffic domains based on your security requirements, configurable via the Anapaya Console or configuration files.
  • Seamless Integration: Works alongside other Anapaya EDGE features like path control, fast failover, and network engineering without disruption.

How it works

  1. Encryption/Decryption at the Edge: Anapaya EDGE devices at the source network encrypt outgoing data packets. These packets remain encrypted throughout their journey across the SCION Internet. Upon arrival, the Anapaya EDGE device at the destination network decrypts the packets.

  2. Authentication & Key Management (SCION CP-PKI): The system uses SCION's Control Plane PKI to establish mutually authenticated connections between participating Anapaya EDGE devices. The CP-PKI provides the certificates used for this authentication; the symmetric keys needed for encryption are then derived automatically over these authenticated connections, without manual key exchange or complex certificate management between sites.

  3. Secure Tunneling (IPsec ESP): The actual encryption of the data packets is performed using the IPsec Encapsulating Security Payload (ESP) protocol, a widely used standard that provides confidentiality, integrity, authenticity, and replay protection for network traffic.

Frequently Asked Questions (FAQ)

What encryption algorithm and protocol are used?

EDGE-to-EDGE encryption uses the IPsec Encapsulating Security Payload (ESP) protocol with AES-GCM-256 as the encryption algorithm. AES-GCM provides both confidentiality and data authenticity.
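As an added illustration of the ESP properties named above (confidentiality, integrity, authenticity and replay protection with AES-GCM-256), not Anapaya's own code: the Go snippet below implements a minimal ESP-style security association. It assumes a constructed 32-byte key and 4-byte salt where the real system would use keys derived over the CP-PKI-authenticated connection, and it omits the ESP padding/next-header trailer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// espSA is a minimal one-direction ESP security association keyed with AES-256-GCM
// (RFC 4106 layout: 4-byte salt || 8-byte per-packet IV forms the 12-byte GCM nonce).
type espSA struct {
	aead        cipher.AEAD
	salt        [4]byte
	seq, maxSeq uint32 // sender: last seq emitted; receiver: highest seq accepted
	window      uint64 // receiver: bit k set means maxSeq-k was already accepted
}

func newESPSA(key [32]byte, salt [4]byte) *espSA { // key and salt are constructed inputs
	block, _ := aes.NewCipher(key[:]) // a 32-byte key cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block size is GCM-compatible
	return &espSA{aead: aead, salt: salt}
}

// protect emits SPI||seq (authenticated, unencrypted header) || IV || ciphertext||tag.
func (s *espSA) protect(spi uint32, payload []byte) []byte {
	s.seq++ // a fresh seq per packet also guarantees a fresh GCM nonce under this key
	hdr, iv := make([]byte, 8), make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], spi)
	binary.BigEndian.PutUint32(hdr[4:], s.seq)
	binary.BigEndian.PutUint64(iv, uint64(s.seq))
	return s.aead.Seal(append(hdr, iv...), append(s.salt[:], iv...), payload, hdr)
}

// unprotect rejects tampered packets (tag failure) and replayed packets (64-packet
// sliding window); the window is only advanced after the tag verifies (RFC 4303).
func (s *espSA) unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < 16+s.aead.Overhead() { return nil, errors.New("packet too short") }
	hdr, iv, ct := pkt[:8], pkt[8:16], pkt[16:]
	pt, err := s.aead.Open(nil, append(s.salt[:], iv...), ct, hdr)
	if err != nil { return nil, errors.New("integrity check failed") }
	seq := binary.BigEndian.Uint32(hdr[4:])
	switch diff := s.maxSeq - seq; {
	case seq > s.maxSeq: // newest packet so far: slide the window forward
		if seq-s.maxSeq >= 64 { s.window = 0 } else { s.window <<= seq - s.maxSeq }
		s.window, s.maxSeq = s.window|1, seq
	case diff >= 64:
		return nil, errors.New("replay: sequence number older than the window")
	case s.window&(1<<diff) != 0:
		return nil, errors.New("replay: duplicate sequence number")
	default:
		s.window |= 1 << diff
	}
	return pt, nil
}
```

A peer holding the same key and salt creates its own espSA for the receive direction; a modified byte anywhere in the header or ciphertext fails the tag, and a captured packet presented twice is dropped by the window.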

How does the key exchange work? How are keys managed?

Key exchange and management are handled automatically by leveraging SCION's Control Plane PKI (CP-PKI). The Anapaya EDGE devices use the CP-PKI to establish mutually authenticated QUIC connections between the tunnel endpoints (other EDGE devices). The symmetric encryption keys needed for the IPsec ESP tunnels are securely derived through these authenticated connections. This eliminates the need for manual pre-shared keys or complex certificate distribution between peers.

What is the default lifetime for the encryption keys?

The default lifetime for the encryption keys is 1 hour. After this period, the keys are automatically renegotiated to ensure continued security.

Can I use EDGE-to-EDGE encryption across organizations, e.g., partners?

Yes, it's designed for securing communication with partners as well. Since it uses the SCION CP-PKI for authentication, you don't need to manually exchange keys or certificates. Minimal coordination is required with partners to define the traffic domains and enable encryption.

Do I need special hardware?

EDGE-to-EDGE encryption is a software feature running on Anapaya EDGE devices. Ensure your Anapaya EDGE devices meet the performance requirements for your expected encrypted traffic load.

Is this feature available for all Anapaya EDGE versions?

EDGE-to-EDGE encryption is available for Anapaya EDGE Pro customers.