Your browser failed to load CSS style sheets. Your browser or web proxy might not support elliptic-curve TLS

Building network automation solutions

6 week online course

Start now!
back to overview

We Do Magic Crypto with No Impact and No Performance Loss

Not surprisingly, every now and then I get a comment from a pushy $vendor rep who fails to mention that he works for a vendor, or that he happens to be their VP of Marketing. Here’s a gem I got late last year (no, I did not allow that comment to be published):

There are solutions out there that can use a single management platform for deploying fully transparent Layer 2, Layer 3 and Layer 4 encryption over ANY network for any-to-any communications requiring zero changes on the underlying infrastructure (routing, MTU adjustments etc.). Same HW devices can work over both L2 and L3 networks, no need to bring this crypto chaos in place, fragmented tools for various networks.

Think about this for a minute:

  • They claim to be doing encryption, so they need extra headers. There’s absolutely no way around it apart from the abominable idea of intercepting individual sessions, which creates as much state as NAPT does at the private/public network edge.
  • They claim they’re fully transparent, which cannot be true. You cannot use the same approach for layer-2 encryption, where the destination MAC should not change and for layer-3+ encryption, where the destination MAC has local significance.
  • They claim they don’t need MTU adjustments, which just means that they have to fragment and reassemble. Yeah, we know how well that works at high speeds and at scale.

I particularly like the No need to bring this crypto chaos bit – the guy was effectively trying to tell us (if I were stupid enough to leave his comment in place) to replace (potentially interoperable) explicit complexity with (totally proprietary) hidden complexity. There are situations where that might be desirable, but make sure you know what you’re doing – waiting for the vendor to bring your network back will be fun.

The second part of his comment was even better:

We at $vendor provide an option for the endusers to deploy encryption solutions over any multi-carrier multi-vendor network and FULLY and TOTALLY control the security policies and keys with zero impact on the existing applications performances or throughput.

Needless to say, they want to sell you boxes, and each box has specific performance limitations. So much for zero impact on performance.

However, one has to love the zero impact on throughput. How stupid do vendors think we are?


  1. "They claim to be doing encryption, so they need extra headers", would this be the case if they are using a stream cipher with OTP ;-)

    "However, one has to love the zero impact on throughput. How stupid do vendors think we are?"

    This gets touted a LOT.. MACsec is the most common 'VPN' technology that claims zero overhead..

    1. I haven't seen MacSec claimed to be a zero overhead VPN encryption technology. MacSec was developed to be cheap, fast and use existing LAN infrastructure. For a WAN VPN it is not a good idea to use MACSec, unless you are into a low-assurance solution. In terms of Ethernet encryption IEEE is roughly 10 years behind state-of-the-art.

  2. From the description it looks as this was a vendor who uses the term "zero trust" in its marketing.


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.