contact button

Wavelength Encryption Could Save You Millions. Here’s How.

headshot of Paul Momtahan

September 28, 2023
By Paul Momtahan
Director, Solutions Marketing

Organizations are under constant threat from cybersecurity attacks and data breaches. And while cybercrime is still behind the majority of attacks, other security threats include cyberespionage, cyberwarfare, and hacktivism. The cost of security breaches can be very high, and they can even threaten national security. According to IBM’s Cost of a Data Breach Report 2023, the global average cost of a data breach in 2023 was $4.45M. Furthermore, this average has increased significantly, up from $3.62M in 2017. In the United States, the average cost of a data breach is now close to $10M.

Another financial consideration related to security is the potential for large fines. Under the EU’s General Data Protection Regulation (GDPR) laws, fines for violations can be up to 20 million euros or up to 4% of a company’s total global turnover in the preceding fiscal year, whichever is higher. Under the California Consumer Privacy Act (CCPA), companies that become victims of data theft or other data security breaches can be ordered to pay between $100 and $750 per California resident – and there are almost 40 million residents in California!

Why Wavelength Encryption?

Encryption comparison: Layer 3 vs. Layer 2 vs. Layer 1Table 1: Encryption comparison: Layer 3 vs. Layer 2 vs. Layer 1

Encryption can play an important role in helping to thwart these attacks and breaches as part of a comprehensive security approach. Layer 1 wavelength encryption offers several advantages over encryption at other layers, including IPSec at the IP layer and MACsec at the Ethernet layer. These advantages include high throughput at low cost, low latency, greater efficiency with zero protocol overhead, and multi-protocol support, as shown in Table 1. These advantages make Layer 1 wavelength encryption ideal for multiple applications including secure data center interconnect (DCI), shown in Figure 1, and for offering encrypted wavelength services to enterprise, wholesale, and government customers.

Secure data center interconnect applicationFigure 1: Secure data center interconnect application

Infinera’s CHM6 Encryption Solution

CHM6 bulk Layer 1 encryptionFigure 2: CHM6 bulk Layer 1 encryption

Recognizing the benefits of Layer 1 encryption, Infinera provides the option of wire-speed bulk encryption on ICE6-enabled CHM6 Xponder sleds for the GX G42 Compact Modular Platform. As shown in Figure 2, encryption is available for all wavelengths and the associated client traffic. Encryption is supported at speeds up to 800 Gb/s per wavelength, with almost no impact to latency.

How Does It Work?

IKEv2-compliant CHM6 encryption process with X.509 certificatesFigure 3: IKEv2-compliant CHM6 encryption process with X.509 certificates

As shown in Figure 3, in order to provide a truly secure solution, CHM6 encryption consists of the following three steps:

Step 1: Authentication and Authorization

The first step in enabling an encrypted wavelength between CHM6s is for each end to authenticate and authorize the other. Compliant with Internet Key Exchange version 2 (IKEv2), this can be done in one of two ways: X.509 certificates or a pre-shared key (PSK). With the X.509 certificate option, before authentication and authorization can begin, the X.509 certificates must have been uploaded to the relevant GX G42 by the network operator, having been obtained from an appropriate certificate authority. The certificate is first checked to ensure that the encrypted communication has been authorized. Authentication is then made with a challenge and response. If authentication and authorization are successful, the next step, secure key exchange, can begin.

Step 2: Secure Key Exchange

While required for high-throughput, low-latency encryption applications, the challenge with symmetric encryption is the need to keep the shared data encryption key secret. To meet this challenge, the CHM6 encryption leverages elliptic curve Diffie-Hellman ephemeral (ECDHE) to create an identical shared key without the need to transmit any secret data. Furthermore, the data encryption key can be rotated from one minute to 60 minutes in one-minute increments, with no impact to data plane traffic during the key changeovers.

Step 3: Data Plane Encryption

With the shared data plane encryption key now obtained from the ECDHE key exchange, the wire-speed symmetric encryption can begin. The algorithm that the CHM6s use to encrypt the ODUC payload is AES-256-GCM. This is Advanced Encryption Standard (AES) with a 256-bit key and the Galois/Counter Mode (GCM) of operation, which provides data path integrity check and non-repudiation without any additional overhead.


With security threats and data breaches getting more sophisticated and costing millions of dollars for impacted organizations, having a comprehensive security toolkit for optical traffic has never been more important. By utilizing wavelength-level encryption, network operators can cost-effectively secure traffic with minimal impact on latency. Infinera’s encryption can play a pivotal role in helping to prevent future losses for you and your customers.

For more information on this important topic, download the new Infinera CHM6 Encryption application note.