ANYsec implementation design

ANYsec supports the following implementation design:

  • At the MKA signaling layer, ANYsec supports assigning the PSKs and the CAs to a group of segment routing (SR) tunnels. This assignment is known as encryption groups (EG) in ANYsec. Encryption groups support easy management of PSKs for ANYsec tunnels, because multiple tunnels can use the same PSK.
  • MKA is established per pair of peers, thereby allowing encryption of each tunnel with its own dedicated SAK. The use of a dedicated SAK per tunnel ensures a high level of security. For ease of management, ANYsec supports using PSKs per group of tunnels. However, for maximum security, the SAK is only supported per pair of peers.
  • ANYsec supports tunnel slicing using multi-instance IGP. Each slice is uniquely identified and a SAK is assigned per slice (per set of peers). ANYsec can also uniquely identify each LSP on each slice, and assign an EG to the LSPs through user configuration.
  • ANYsec uses the MKA Layer 2 protocol for signaling, which uses IEEE 802.1x for encapsulation. To transport MKA over IP in a Layer 3 network, ANYsec encapsulates MKA over IP/UDP. The UDP port uniquely identifies the MKA packets to the ANYsec peers. The IP header transports the MKA packet from one ANYsec PE to another ANYsec PE.

The following figure shows the ANYsec design implementation and related requirements.

Figure 1. ANYsec encryption implementation design and requirements