Transport networks are under continual demand to carry more information at higher speeds and lower costs, and optical networks are playing a critical role in addressing this demand. Optical transport networks provide an optical-based physical layer for transmitting information across the network. One of the main characteristics of optical transport networks is the use of frame-structured digital bit streams to transport data across the network. The frames typically have a payload area and an overhead area, which contains control information. The frame overhead is analogous to the header of an Internet Protocol packet. The path through an optical transport network generally extends between two edge devices, which are generally referred to as path termination equipment (PTE). Along the path through the optical transport network reside any number of switches, regenerators, multiplexers, and the like. Frames traveling along the path from one PTE to another will pass through these intermediate devices.
There is a need to protect the confidentiality of the data carried by the frames as the frames travel through the optical network. In many instances, incoming data to be carried by the frames over the path is encrypted at an origination PTE before being transported over the path. The encrypted data is allocated to one or more frames and transported over the path. The intermediate nodes are not configured to decrypt or otherwise gain access to the encrypted data. Upon arriving at the termination PTE at the other end of the path, the encrypted data is extracted from the frames, decrypted, and converted to an appropriate format for further delivery.
Given the speed and complexity of optical transport networks, the use of symmetric encryption, where the same key is used for encryption and decryption, is preferred. With symmetric encryption, the same key must be provided to both the encrypting and the decrypting PTE. To ensure that the key used for encryption and decryption is not compromised, the key is periodically changed at the encrypting PTE and the decrypting PTE. Such changing requires the encrypting and decrypting PTEs to coordinate with one another to select a new key and determine when and how to change the key. The changing of the key poses logistical and operational issues, as special mechanisms must be provided to ensure that unauthorized entities do not gain access to the key. Such access could allow third parties to improperly retrieve and decrypt the data being carried over the optical transport network.
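The following is an added illustration, not code from the patent or from any OTN implementation. It models the arrangement described above: an originating PTE encrypts the payload with a symmetric key, intermediate nodes read only the overhead, and the terminating PTE decrypts. It also shows the coordination problem of a key change, namely that a frame encrypted under a key the far end has not yet been given cannot be recovered until that key is provisioned. The frame layout (a 2-byte key epoch, 4-byte sequence number and 16-byte authentication tag as overhead, followed by the payload), the HMAC-SHA256-based keystream and the key table per PTE are all assumptions of this example; a real PTE would use a vetted AEAD cipher rather than the PRF construction used here for stdlib-only portability.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed frame layout (assumption, not an OTN standard): overhead =
# 2-byte key epoch + 4-byte frame sequence number + 16-byte tag, then payload.
OVERHEAD_FMT = ">HI16s"
OVERHEAD_LEN = struct.calcsize(OVERHEAD_FMT)  # 22 bytes
TAG_LEN = 16


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as an illustrative PRF keystream.
    The per-frame sequence number keeps the keystream unique under one key."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _tag(key: bytes, epoch: int, seq: int, ciphertext: bytes) -> bytes:
    """Truncated HMAC over the overhead fields and ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, struct.pack(">HI", epoch, seq) + ciphertext, hashlib.sha256).digest()[:TAG_LEN]


@dataclass
class PTE:
    """Path termination equipment holding a table of epoch -> symmetric key.
    Both ends of the path must hold the same entries for traffic to flow."""
    name: str
    keys: dict
    current_epoch: int
    next_seq: int = 0

    def encrypt_frame(self, data: bytes) -> bytes:
        key = self.keys[self.current_epoch]
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, seq, len(data))))
        return struct.pack(OVERHEAD_FMT, self.current_epoch, seq, _tag(key, self.current_epoch, seq, ct)) + ct

    def decrypt_frame(self, frame: bytes) -> bytes:
        epoch, seq, tag = struct.unpack(OVERHEAD_FMT, frame[:OVERHEAD_LEN])
        ct = frame[OVERHEAD_LEN:]
        if epoch not in self.keys:
            # The far end changed keys before this PTE received the new key:
            # the coordination failure the text describes.
            raise KeyError(f"{self.name}: no key for epoch {epoch}")
        key = self.keys[epoch]
        if not hmac.compare_digest(tag, _tag(key, epoch, seq, ct)):
            raise ValueError(f"{self.name}: authentication failed for seq {seq}")
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, seq, len(ct))))


def intermediate_node_view(frame: bytes) -> tuple:
    """A switch or regenerator along the path reads the overhead only;
    the payload is opaque to it."""
    epoch, seq, _ = struct.unpack(OVERHEAD_FMT, frame[:OVERHEAD_LEN])
    return epoch, seq, len(frame) - OVERHEAD_LEN


def demo() -> dict:
    """End-to-end walk-through with constructed keys and payload."""
    k0, k1 = b"\x11" * 32, b"\x22" * 32
    origin = PTE("origin-PTE", {0: k0}, current_epoch=0)
    term = PTE("termination-PTE", {0: k0}, current_epoch=0)
    plaintext = b"client payload 0123456789"

    frame = origin.encrypt_frame(plaintext)
    result = {
        "payload_opaque": plaintext not in frame,
        "roundtrip": term.decrypt_frame(frame) == plaintext,
    }

    # Key change at the origin only; the terminating PTE has not been told.
    origin.keys[1] = k1
    origin.current_epoch = 1
    frame2 = origin.encrypt_frame(plaintext)
    try:
        term.decrypt_frame(frame2)
        result["uncoordinated_ok"] = True
    except KeyError:
        result["uncoordinated_ok"] = False

    # The new key is provisioned at the terminating PTE (out of band, as in the text).
    term.keys[1] = k1
    result["roundtrip_after_provision"] = term.decrypt_frame(frame2) == plaintext
    result["node_view"] = intermediate_node_view(frame2)

    # A modified ciphertext byte is rejected by the authentication tag.
    tampered = bytearray(frame2)
    tampered[-1] ^= 0x01
    try:
        term.decrypt_frame(bytes(tampered))
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The epoch field is what lets the terminating PTE select the right key once it has been provisioned; without a coordinated way to deliver that key and signal the change, the frames sent after the switch are unreadable at the far end until provisioning catches up.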
Existing techniques to provide and control the changing of keys being used at the PTEs have proven to be inefficient, complex, and costly. These techniques range from manually providing keys to the various PTEs to employing separate Operations, Administration and Maintenance (OAM) networks to provide keys to the PTEs and control the changing of keys at the PTEs. With manual provisioning, workers must physically travel to the PTEs to load keys and instructions for changing the keys. When a separate OAM network is used, the OAM network must be established and maintained apart from the optical transport network. Once the OAM network is provided, the PTEs may communicate with each other via the OAM network to share keys and control the changing of keys outside of the optical transport network. Alternatively, an OAM server that resides on the OAM network may be tasked with interacting with the PTEs to provide keys to the PTEs and control the changing of the keys.
In each of these manual or automated techniques, the keys are not shared or controlled within the confines of the optical transport network. Since key provision and control is provided outside of resources used by the optical transport network to transport data, these techniques are generally referred to as out-of-band techniques. Given the inefficiency, complexity, and cost associated with out-of-band techniques for key provisioning and control, there is a need for an alternative technique that overcomes the deficiencies of current out-of-band techniques for key provisioning and control.