
Right. Encryption in transit within a building at line rate (and more importantly low latency) is hard. To my knowledge, none of the providers do this currently, otherwise they'd be talking about it. This is us saying it's time to talk about it :).

Disclosure: I work on Google Cloud.

Military stuff uses "XOR the data with a secret keystream", which is zero latency (okay - more like 10 nanoseconds of latency), and can run arbitrarily fast.

The only disadvantage is one has to use a stream cipher, and those have fallen out of favor lately...

Is generating a cryptographically secure secret stream that fast?

You can do it fully in parallel. Imagine 1000 crypto units each producing 100 Mbps of key-stream. All on one ASIC.

Then all you need is to interleave the stream and XOR with the data to encrypt your 100Gbps stream.
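The parallel-lanes construction the comment describes, as an added example in Python that is not part of the thread or of any vendor's product. It assumes 8 lanes of 32-byte blocks (the comment imagines 1000 units) and uses SHA-256 in counter mode as a stand-in PRF for each lane; a real design would put a proper stream cipher in each lane. The names `lane_block`, `keystream`, `xor_stream` and `nonce_reuse_leak` are this example's own.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

# Constructed parameters for this example: 8 independent keystream lanes,
# each emitting 32-byte blocks.
LANES = 8
BLOCK = 32


def lane_block(key: bytes, nonce: bytes, lane: int, counter: int) -> bytes:
    """One 'crypto unit' producing its counter-th 32-byte keystream block.

    Stand-in PRF (an assumption of this example): SHA-256 over
    key || nonce || lane || counter. A real design would run a proper
    stream cipher in each lane (e.g. ChaCha20 with a lane-specific nonce);
    what matters here is that a block depends only on its own
    (lane, counter), so lanes never wait for each other.
    """
    return hashlib.sha256(
        key + nonce + lane.to_bytes(4, "big") + counter.to_bytes(8, "big")
    ).digest()


def lane_stream(key, nonce, lane, nblocks):
    """Everything one lane emits, in order. Independent of every other lane."""
    return [lane_block(key, nonce, lane, c) for c in range(nblocks)]


def keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """Run all lanes concurrently, then interleave their output.

    Combined block i comes from lane i % LANES and is that lane's
    (i // LANES)-th block: the fixed interleaving a hardware mux applies.
    """
    nblocks = -(-nbytes // BLOCK)        # ceil division
    per_lane = -(-nblocks // LANES)      # blocks each lane must emit
    with ThreadPoolExecutor(max_workers=LANES) as ex:
        lanes = list(ex.map(lambda l: lane_stream(key, nonce, l, per_lane),
                            range(LANES)))
    return b"".join(lanes[i % LANES][i // LANES] for i in range(nblocks))[:nbytes]


def keystream_serial(key, nonce, nbytes):
    """Reference: the same stream produced block by block on one unit."""
    nblocks = -(-nbytes // BLOCK)
    return b"".join(lane_block(key, nonce, i % LANES, i // LANES)
                    for i in range(nblocks))[:nbytes]


def xor_stream(key, nonce, data):
    """Encrypt or decrypt (same operation): data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def nonce_reuse_leak(key, nonce, p1, p2):
    """The classic stream-cipher failure: two messages under the same
    (key, nonce) let an observer XOR the ciphertexts and recover p1 XOR p2
    without the key. Returned so a test can confirm it."""
    c1 = xor_stream(key, nonce, p1)
    c2 = xor_stream(key, nonce, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The interleaving is fixed, so the receiver reproduces the same stream without any coordination beyond the shared key and nonce. The caveats the thread alludes to are visible in the last function: a stream cipher gives no integrity (flipping a ciphertext bit flips the same plaintext bit), and a repeated nonce under one key leaks the XOR of the plaintexts, so per-link counters that can never wrap or repeat are a hard requirement.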

If you want to, sure.

The latency isn't from the cipher; it's from touching the data an additional time. A NIC with inline encryption adds negligible latency but Google probably doesn't have those.

The problem is that Google (and all other large cloud providers) use an SDN, and so you can't just encrypt traffic at the NIC level -- you need to just encrypt the encapsulated overlay traffic, while leaving the underlay unencrypted (so that intermediate nodes can route the overlay network traffic).

There are a number of technologies that support this kind of thing at the kernel level, but 1) layering these onto an existing SDN is not trivial, and 2) the extra encoding/decoding will absolutely have a performance impact if you're trying to do it at line rate on a 10Gb NIC, e.g. see https://www.weave.works/blog/weave-net-performance-fast-data....
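The layering described in the two comments above, as an added example in Python that is not part of the thread, of Andromeda, or of any product: the overlay frame is encrypted, the underlay header it is encapsulated in stays in the clear so intermediate nodes can route on it, and the authentication tag binds the two so a relabelled packet is rejected by the receiving host. The packet layout, the 12-byte nonce, HMAC-SHA256 in counter mode as a stand-in cipher and the names `encapsulate`, `underlay_header`, `decapsulate` and `accepts` are all assumptions of this example.

```python
import hashlib
import hmac
import struct

# Wire layout, constructed for this example:
#   outer (underlay) header : src IPv4 | dst IPv4 | VNI   -- plaintext
#   nonce                   : 12 bytes                    -- plaintext
#   inner (overlay) frame   : encrypted                   -- opaque to underlay
#   tag                     : 16 bytes over header||nonce||ciphertext
OUTER_FMT = "!4s4sI"
OUTER_LEN = struct.calcsize(OUTER_FMT)   # 12
NONCE_LEN = 12
TAG_LEN = 16


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption);
    # a real data plane would use AES-GCM or ChaCha20-Poly1305 here.
    blocks = (hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(enc_key, mac_key, outer, inner, nonce):
    """Wrap an overlay frame. Only the inner frame is encrypted; the outer
    header stays readable. The tag covers the outer header as well, so a
    packet whose underlay addressing or VNI was altered in flight fails
    verification at the receiving host."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes and unique per packet" % NONCE_LEN)
    hdr = struct.pack(OUTER_FMT, *outer)
    ct = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    tag = hmac.new(mac_key, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + nonce + ct + tag


def underlay_header(packet):
    """What an intermediate node sees: it routes on the outer header with
    no key at all, which is the point of leaving the underlay unencrypted."""
    return struct.unpack(OUTER_FMT, packet[:OUTER_LEN])


def decapsulate(enc_key, mac_key, packet):
    """Verify, then decrypt. Verification comes first so a forged or
    modified packet never reaches the tenant's stack."""
    if len(packet) < OUTER_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("truncated packet")
    hdr = packet[:OUTER_LEN]
    nonce = packet[OUTER_LEN:OUTER_LEN + NONCE_LEN]
    ct = packet[OUTER_LEN + NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expect = hmac.new(mac_key, hdr + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    inner = _xor(ct, _keystream(enc_key, nonce, len(ct)))
    return struct.unpack(OUTER_FMT, hdr), inner


def accepts(enc_key, mac_key, packet):
    """True if the packet authenticates and decrypts (handy for tests)."""
    try:
        decapsulate(enc_key, mac_key, packet)
        return True
    except ValueError:
        return False
```

Note that the per-packet work (one keystream pass plus one MAC pass over the whole frame) is exactly the "extra encoding/decoding" the comment warns about: it is a second full touch of every payload byte, which is where the line-rate cost comes from rather than from the cipher's own latency.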

If anyone were to have those, it would be google.

Since they design their own NIC, Google certainly has the capability to include whatever features they want. Yet Andromeda appears to be implemented in software.
