Test Your Knowledge – Do you know the differences between Layer 2 Ethernet and Layer 3 IP encryption, and when you can use them together?

Not quite.
HAIPE stands for High Assurance Internet Protocol Encryptor. It is standardized by NSA and ensures government compliance with the latest security and interoperability requirements.

Correct!
HAIPE stands for High Assurance Internet Protocol Encryptor. It is standardized by NSA and ensures government compliance with the latest security and interoperability requirements.

Not quite.
HAIPE stands for High Assurance Internet Protocol Encryptor. It is standardized by NSA and ensures government compliance with the latest security and interoperability requirements.

Not exactly. The correct answer is EDE-CIS.
The current Layer 2 Ethernet interoperability standard for government use is Ethernet Data Encryption Cryptographic Interoperability Standard (EDE-CIS). This standard is enforced by NSA and ensures end users are adhering to the latest in security parameters and are interoperable regardless of manufacturer (similar to HAIPE for Layer 3). ESS (Ethernet Security Specification) is a legacy Ethernet encryption security standard that doesn’t support interoperability and is being replaced by EDE. MACsec is the commercial equivalent of EDE.

Correct!
The current Layer 2 Ethernet interoperability standard for government use is Ethernet Data Encryption Cryptographic Interoperability Standard (EDE-CIS). This standard is enforced by NSA and ensures end users are adhering to the latest in security parameters and are interoperable regardless of manufacturer (similar to HAIPE for Layer 3). ESS (Ethernet Security Specification) is a legacy Ethernet encryption security standard that doesn’t support interoperability and is being replaced by EDE. MACsec is the commercial equivalent of EDE.

Not exactly. The correct answer is EDE-CIS.
The current Layer 2 Ethernet interoperability standard for government use is Ethernet Data Encryption Cryptographic Interoperability Standard (EDE-CIS). This standard is enforced by NSA and ensures end users are adhering to the latest in security parameters and are interoperable regardless of manufacturer (similar to HAIPE for Layer 3). ESS (Ethernet Security Specification) is a legacy Ethernet encryption security standard that doesn’t support interoperability and is being replaced by EDE. MACsec is the commercial equivalent of EDE.

Correct!
Layer 3 IP protects voice and data across the network from encryptor to decryptor at the final destination. Layer 2 Ethernet protects voice and data from link-to-link. That means the data is encrypted, decrypted and then re-encrypted at each link (hop) until it reaches the final destination.

Not quite.
Layer 3 IP protects voice and data across the network from encryptor to decryptor at the final destination. Layer 2 Ethernet protects voice and data from link-to-link. That means the data is encrypted, decrypted and then re-encrypted at each link (hop) until it reaches the final destination.

Nice try.
One of the key benefits of Layer 3 technology is that it supports fine-grain configurability for routing and scalability, yet this occurs by adding non-user data or network info to the packet which introduces overhead. As throughput increases, overhead starts to impact performance. Layer 2 headers are smaller and have fewer configurable options; reducing processing time and latency. For high-speed performance, Layer 2 encryption is typically the preferred option as it better utilizes network bandwidth.

Correct!
One of the key benefits of Layer 3 technology is that it supports fine-grain configurability for routing and scalability, yet this occurs by adding non-user data or network info to the packet which introduces overhead. As throughput increases, overhead starts to impact performance. Layer 2 headers are smaller and have fewer configurable options; reducing processing time and latency. For high-speed performance, Layer 2 encryption is typically the preferred option as it better utilizes network bandwidth.

Not exactly.
In most large corporate and government WAN designs, a combination of Layer 2 and Layer 3 encryption technologies will be necessary, especially considering that available transport mediums will likely consist of public and private hardware. In these cases, routers and switches can be employed to process traffic between networks. VLAN tagging solutions, like TACLANE Agile VLAN, enables frame encapsulation, which allows the encryptor to support Layer 3 HAIPE and VLAN Tagged Layer 2 (Non-IP) traffic simultaneously.

Correct!
In most large corporate and government WAN designs, a combination of Layer 2 and Layer 3 encryption technologies will be necessary, especially considering that available transport mediums will likely consist of public and private hardware. In these cases, routers and switches can be employed to process traffic between networks. VLAN tagging solutions, like TACLANE Agile VLAN, enables frame encapsulation, which allows the encryptor to support Layer 3 HAIPE and VLAN Tagged Layer 2 (Non-IP) traffic simultaneously.

Not quite.
The answer is Layer 2 EDE. Securing connections between fixed sites or cloud infrastructures with large bandwidth needs often require fewer or dedicated links but greater bandwidth capability. Layer 2 Ethernet technology is typically the technology of choice on dedicated links because of its configuration simplicity and link speed performance.

Exactly!
Securing connections between fixed sites or cloud infrastructures with large bandwidth needs often require fewer or dedicated links but greater bandwidth capability. Layer 2 Ethernet technology is typically the technology of choice on dedicated links because of its configuration simplicity and link speed performance.

You got it.
This situation typically includes many end users/nodes that could be mobile and using any available IP network link to communicate or access information. Layer 3 IP technology is typically the technology of choice here because it provides better scalability to support hundreds to thousands of users, routing to reach mobile end points and its ability to use any available IP network transport medium.

Nice try.
The answer is Layer 3 HAIPE. This situation typically includes many end users/nodes that could be mobile and using any available IP network link to communicate or access information. Layer 3 IP technology is typically the technology of choice here because it provides better scalability to support hundreds to thousands of users, routing to reach mobile end points and its ability to use any available IP network transport medium.

Correct!
One of the key benefits that Layer 3 encryption offers is that it allows users to securely exchange data end-to-end over any network that can route IP packets (like the public Internet) and allows multiple Communities of Interests (COIs) to be carried by the same network. This flexibility is ideal for environments requiring scalability and mobility using various network paths for worldwide reachability.

Not quite.
The correct answer is Layer 3 HAIPE. One of the key benefits that Layer 3 encryption offers is that it allows users to securely exchange data end-to-end over any network that can route IP packets (like the public Internet) and allows multiple Communities of Interests (COIs) to be carried by the same network. This flexibility is ideal for environments requiring scalability and mobility using various network paths for worldwide reachability.

Close.
The answer is Layer 2 EDE. Layer 2 offers high-speed secure connections between an enterprise backbone and remote sites. While backhauling over IPsec is plausible, it has throughput limitations due to Layer 3 header encryption overhead and routing information processing.

Exactly right!
Layer 2 offers high-speed secure connections between an enterprise backbone and remote sites. While backhauling over IPsec is plausible, it has throughput limitations due to Layer 3 header encryption overhead and routing information processing.