Software Defined Network &
Named Data Network – Security
Implications
By:
Anuj Tyagi
http://packetflows.com
Organization:
1. What is Software Defined Networking ?
2. SDN Architecture
3. SDN advantages
4. Attacks and Mitigations on SDN
5. What is NDN ?
6. TCP/IP vs NDN
7. NDN packet types
8. TCP/IP vs NDN – security perspective
9. NDN lookup testbeds
10. Conclusion and future work
Software Defined Network
• SDN decouples the data and control planes; network intelligence and state
are logically centralized, and the underlying network infrastructure is
abstracted from the applications.
- ONF
SDN Architecture
OpenFlow Channel
• Used to exchange OpenFlow messages between the switch and the
controller
• A switch can establish a single connection or multiple connections to the
same or different controllers
• A controller configures and manages the switch, receives
events from the switch, and sends packets out of the switch via this
interface
• The OpenFlow channel is a TLS/TCP connection. Switch and
controller mutually authenticate by exchanging certificates
signed by a site-specific private key
Why SDN ?
• Complexity in the network
- Protocols are defined in isolation
- Migration challenges
• Inconsistent policies
- Difficult to apply a consistent set of access, security, QoS and other
policies
• Inability to scale
- Scaling challenges caused by unpredictable traffic patterns
• Vendor dependence
- Lack of standards and open interfaces
Advantages of SDN
• Centralized network provisioning
• Holistic enterprise management
• More granular security
• Lower operating cost
• Hardware savings and reduced capital expenditures
• Easier Interoperability
Security Advantages of SDN
SDN allows for creative new approaches to security
1. Traffic Filtering and shaping
2. Network slicing/multi-tenancy, isolation, network segmentation
3. DDoS mitigation
4. Network Access Control
5. Security traffic Monitoring
6. Moving Target Defense (MTD)
SDN Attack Surface
• The controller uses a protocol such as OpenFlow to control the switches,
which are now only responsible for handling the data plane
• When a packet doesn't match any forwarding rule, the switch passes
the packet to the controller
Attack: The SDN controller's ability to control an entire
network makes it a high-value target. An attack on a vulnerable
controller can have a disastrous effect on the whole network
SDN Attack Surface
(figure: in a traditional network, control-plane and data-plane attacks
target each device; in SDN, control-plane attacks target the SDN controller,
data-plane attacks target the data-plane devices, and a packet that doesn't
match rules is sent up to the controller)
SDN Attack Surface
• DoS attack by spoofing northbound API messages and southbound
flows
• An attacker can create their own controller and get a network element to
receive flows from that controller, spoofing flows from the
legitimate controller
• Attacking the DCI protocols (NVGRE, STT, VXLAN). These protocols lack
authentication and encryption; this is either part of the protocol
design or the way the vendor has implemented the protocol
SDN Vulnerabilities
• The NETCONF/RESTCONF API processes user-supplied XML
• Example vulnerable code:
https://lists.opendaylight.org/pipermail/bugs/2014-December/009794.html
Mitigation:
Topology Spoofing via host tracking
• Most SDN controllers include host tracking, allowing hosts to migrate
between different physical locations in the network
• Host tracking is based on monitoring Packet-In messages and
requires no validation, authentication or authorization
• An attacker can impersonate a host and make the SDN controller
believe it has migrated to a physical network location controlled by
the attacker
• For this, the attacker must know the MAC address of the target host and
must send the malicious message through a switch controlled
by the SDN controller.
• Ref: http://www.internetsociety.org/sites/default/files/10_4_2.pdf
Mitigation of Topology Spoofing
• The same research team developed a patch to mitigate it
• A legitimate host migration involves a Port-Down event before the migration
finishes. It also means the host is unreachable at its
old physical location after the migration completes
• Currently patched in the Floodlight controller
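The two checks from the mitigation slide, applied to the host-tracking weakness described on the previous slide, can be written as a small validation step in front of the host tracker. The following is an added example, not Floodlight's code: the Port-Down condition comes from Port-Status events, and the reachability probe at the old location is simulated with a `reachable_at` table (a stand-in for an actual probe packet). All names and the scenario values are constructed.

```python
"""Host-migration validation for an SDN host tracker (added example, not Floodlight code)."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Location = Tuple[str, int]          # (switch datapath id, port number)


@dataclass
class HostTracker:
    locations: Dict[str, Location] = field(default_factory=dict)   # mac -> where the host was last seen
    downed_ports: Set[Location] = field(default_factory=set)       # ports with an outstanding Port-Down event
    reachable_at: Dict[str, Set[Location]] = field(default_factory=dict)  # constructed probe results

    def port_status(self, loc: Location, up: bool) -> None:
        """Record a Port-Status event reported by a switch."""
        if up:
            self.downed_ports.discard(loc)
        else:
            self.downed_ports.add(loc)

    def naive_packet_in(self, mac: str, loc: Location) -> bool:
        """Unvalidated host tracking: every Packet-In moves the host."""
        self.locations[mac] = loc
        return True

    def validated_packet_in(self, mac: str, loc: Location) -> bool:
        """Host tracking with the two migration checks; returns True if the move is accepted."""
        old = self.locations.get(mac)
        if old is None or old == loc:
            self.locations[mac] = loc          # first sighting or no move: nothing to validate
            return True
        # Pre-condition: a real migration is preceded by Port-Down at the old location.
        if old not in self.downed_ports:
            return False
        # Post-condition: after a real migration the host no longer answers at the old location.
        if old in self.reachable_at.get(mac, set()):
            return False
        self.locations[mac] = loc
        return True


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: a victim host on s1/1 and a Packet-In carrying its MAC from s2/7."""
    victim = "00:00:00:00:00:01"
    home, other_port = ("s1", 1), ("s2", 7)

    naive = HostTracker()
    naive.naive_packet_in(victim, home)
    naive_moved = naive.naive_packet_in(victim, other_port)       # spoofed Packet-In is accepted

    strict = HostTracker()
    strict.validated_packet_in(victim, home)
    strict.reachable_at[victim] = {home}                           # victim still answers at s1/1
    spoof_rejected = not strict.validated_packet_in(victim, other_port)

    # Legitimate move: port goes down, host stops answering at s1/1, then shows up on s3/2.
    strict.port_status(home, up=False)
    strict.reachable_at[victim] = set()
    legit_accepted = strict.validated_packet_in(victim, ("s3", 2))

    return {
        "naive_accepts_spoof": naive_moved,
        "naive_location": naive.locations[victim],
        "validated_rejects_spoof": spoof_rejected,
        "validated_accepts_legit": legit_accepted,
        "validated_location": strict.locations[victim],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The naive tracker moves the host on the first spoofed Packet-In; the validated tracker keeps the old location until it has seen Port-Down and the old location has stopped answering, which is the behaviour the patched controller enforces.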
DoS attack on the ONOS packet deserializer
• When an OpenFlow switch encounters a packet that does not
match any forwarding rule, it passes the packet to the
controller for advice
• Packet deserialization in ONOS threw exceptions when
handling malformed, truncated or maliciously crafted
packets
• The exceptions were not caught and handled, which would
result in the relevant switch being disconnected because the
exception occurred in the I/O thread
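To make the failure mode concrete, here is an added example (not ONOS code) of a minimal Ethernet deserializer running in a simulated controller I/O loop. The unsafe loop lets a parse exception escape, so the framework's catch-all closes the channel and the switch is lost; the defensive loop catches the parse error per packet, logs and counts it, and keeps serving the switch. The `SwitchConnection` class and the sample frames are constructed here.

```python
"""Packet deserialization on a controller I/O thread: unsafe vs. defensive (added example, not ONOS code)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List


class PacketParseError(ValueError):
    """Raised for malformed, truncated or otherwise unparsable frames."""


def parse_ethernet(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet II header; raises PacketParseError on short or odd input."""
    if len(frame) < 14:
        raise PacketParseError(f"truncated Ethernet header ({len(frame)} bytes)")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype < 0x0600:           # 802.3 length field rather than an EtherType
        raise PacketParseError(f"unsupported frame type 0x{ethertype:04x}")
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload_len": len(frame) - 14}


@dataclass
class SwitchConnection:
    dpid: str
    connected: bool = True
    parsed: int = 0
    dropped: int = 0
    log: List[str] = field(default_factory=list)

    def io_loop_unsafe(self, frames: List[bytes]) -> None:
        """Original behaviour: an exception escapes the I/O loop and the channel is torn down."""
        try:
            for frame in frames:
                parse_ethernet(frame)
                self.parsed += 1
        except Exception as exc:     # the I/O framework's catch-all: close the channel
            self.log.append(f"{self.dpid}: channel closed after {exc!r}")
            self.connected = False

    def io_loop_safe(self, frames: List[bytes]) -> None:
        """Defensive behaviour: a bad packet is logged and dropped, the loop continues."""
        for frame in frames:
            try:
                parse_ethernet(frame)
                self.parsed += 1
            except PacketParseError as exc:
                self.dropped += 1
                self.log.append(f"{self.dpid}: dropped Packet-In: {exc}")


# Constructed Packet-In payloads: a valid IPv4 frame, a truncated frame, the valid frame again.
VALID_FRAME = bytes.fromhex("ffffffffffff" "0000000000aa" "0800") + b"\x45" + b"\x00" * 19
TRUNCATED_FRAME = bytes.fromhex("ffffffffffff" "0000")          # only 8 bytes
SAMPLE_FRAMES = [VALID_FRAME, TRUNCATED_FRAME, VALID_FRAME]


def compare(frames: List[bytes] = SAMPLE_FRAMES) -> Dict[str, Dict[str, object]]:
    """Run the same frames through both loops and report what happened to the switch."""
    unsafe, safe = SwitchConnection("of:1"), SwitchConnection("of:1")
    unsafe.io_loop_unsafe(frames)
    safe.io_loop_safe(frames)
    return {
        "unsafe": {"connected": unsafe.connected, "parsed": unsafe.parsed},
        "safe": {"connected": safe.connected, "parsed": safe.parsed, "dropped": safe.dropped},
    }


if __name__ == "__main__":
    print(compare())
```

The point of the design is where the `try` sits: around each packet rather than around the whole loop, so one bad frame costs one Packet-In instead of the switch's control channel, and the drop counter gives the monitoring side something to alert on.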
Security Mode Mitigation
• A vulnerability in an ONOS application cannot be exploited to perform
actions that are not permitted by Security-Mode ONOS. This is similar
to the protection SELinux provides for applications running on a Linux
system
Other hardening approaches
• Use an out-of-band (OOB) network for control traffic, and secure
protocols for controller management and northbound communications
• Closely monitor the controller for suspicious activity
• Use Data Center Interconnect (DCI) protocols that can
authenticate tunnel endpoints and secure tunneled traffic
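Two of the hardening points above (an OOB management network, and watching the controller for suspicious activity) can be turned into log-based detection rules. The following is an added example that is not from any controller project: it scans constructed controller log lines for control-channel connections that did not arrive from the OOB network, and for a burst of Packet-In messages from one switch port, which is the kind of traffic that precedes a Packet-In flood or a host-tracking abuse. The log format, the `10.255.0.0/24` management subnet, the threshold and the window are all assumptions.

```python
"""Detection rules over SDN controller logs (added example; log format, subnet and thresholds are assumed)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

OOB_NETWORKS = [ipaddress.ip_network("10.255.0.0/24")]   # assumed out-of-band management network
PACKET_IN_LIMIT = 3                                      # max Packet-Ins per switch port per window
WINDOW = timedelta(seconds=2)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+(?P<component>\w+):\s+(?P<msg>.*)$")
CONNECT_RE = re.compile(r"connection from (?P<ip>[\d.]+)")
PACKET_IN_RE = re.compile(r"Packet-In dpid=(?P<dpid>\S+) in_port=(?P<port>\d+)")

# Constructed sample log, not captured from a real controller.
SAMPLE_LOG = """\
2015-03-01T10:00:00Z INFO southbound: connection from 10.255.0.11 dpid=of:1
2015-03-01T10:00:01Z INFO northbound: REST connection from 10.255.0.20 user=admin
2015-03-01T10:00:02Z INFO southbound: connection from 172.16.9.9 dpid=of:1
2015-03-01T10:00:03Z DEBUG southbound: Packet-In dpid=of:1 in_port=3 src=00:00:00:00:00:01
2015-03-01T10:00:03Z DEBUG southbound: Packet-In dpid=of:1 in_port=3 src=00:00:00:00:00:02
2015-03-01T10:00:04Z DEBUG southbound: Packet-In dpid=of:1 in_port=3 src=00:00:00:00:00:03
2015-03-01T10:00:04Z DEBUG southbound: Packet-In dpid=of:1 in_port=3 src=00:00:00:00:00:04
2015-03-01T10:00:09Z DEBUG southbound: Packet-In dpid=of:1 in_port=5 src=00:00:00:00:00:05
"""


def analyze(log_text: str) -> Dict[str, List[str]]:
    """Return alerts keyed by rule name for the given log text."""
    alerts: Dict[str, List[str]] = {"non_oob_connection": [], "packet_in_burst": []}
    recent: Dict[tuple, List[datetime]] = defaultdict(list)   # (dpid, port) -> timestamps in window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # unparsable line: skip, do not crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        msg = m["msg"]

        # Rule 1: every control-channel connection must originate on the OOB network.
        c = CONNECT_RE.search(msg)
        if c:
            ip = ipaddress.ip_address(c["ip"])
            if not any(ip in net for net in OOB_NETWORKS):
                alerts["non_oob_connection"].append(f"{m['component']} connection from {ip}")

        # Rule 2: too many Packet-Ins from one port inside the sliding window.
        p = PACKET_IN_RE.search(msg)
        if p:
            key = (p["dpid"], int(p["port"]))
            times = [t for t in recent[key] if ts - t <= WINDOW] + [ts]
            recent[key] = times
            if len(times) > PACKET_IN_LIMIT:
                alerts["packet_in_burst"].append(
                    f"{key[0]} port {key[1]}: {len(times)} Packet-Ins within {WINDOW.seconds}s")
    return alerts


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

The connection rule is deliberately strict (any source outside the management subnets is reported, for both southbound and northbound channels), because with an OOB design there should be no legitimate exception; the Packet-In rule is a per-port sliding window so a single misbehaving port does not hide behind the aggregate rate.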
Thank You !
Queries ?
Named Data Network – What is it ?
• Uses a "name" rather than an IP address to
identify chunks of content
• Originated in 2006 as Content Centric
Networking
• Funded by NSF (National Science
Foundation) with 12 universities involved;
part of ICN (Information Centric Networking)
• First NDN community meeting took place in
Sep 2014
Institutes involved ?
NDN Packet Structure
• Content name is the object
identifier and the most important part
• Selector is an optional field
indicating packet order, scope,
preference etc.
• Nonce is a random number
tracked by the Pending Interest Table (PIT)
NDN Packet Structure…
• Content name contains the object
identifier
• The producer's signature is available
to check for inconsistencies
• The publisher key is required by the
responding node
• The data portion contains the
information requested
Naming convention
Hierarchical Structure IP vs NDN approach
NDN Forwarding Process
What NDN has produced so far ?
• NDN Testbeds: http://ndnmap.arl.wustl.edu/
Example:
Attacks of TCP and Countermeasures by NDN
• Sequence Number Attack
- Attempt to predict the sequence
number used to identify packets
in a TCP connection
(figure: TCP three-way handshake between hosts A and B: SYN, SYN-ACK, ACK)
NDN solution to TCP attack
• No IP address information required
• Object identifier takes its place
• No information gleaned from identifier can be used to
attack system
DNS Servers
• Cache containing hostname-to-IP information, source operating system,
configuration information etc.
• DNS spoofing occurs when the IP addresses associated with trusted sites
are replaced with those of third-party sources
• Once used, the third party can be granted access to the system
NDN Solution…
- The signature key returned contains
information about the source
- This information can be checked by the
recipient to verify validity
- If the information is invalid, it can be
rejected without harming the system
Routing Loops
(figure, four animation steps: a routing loop between nodes A, B and C)
NDN Solution…
- Each interest packet contains a random nonce
- When the packet passes through a PIT, the nonce
is cross-referenced against the original interest
packet
- If an interest packet arrives with a nonce
matching one already in the PIT, it is
discarded
- No routing loop is possible
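The nonce check described above, written out as an added example (not NFD or any other NDN project's code). A minimal Pending Interest Table records, per content name, the nonces and incoming faces it has seen. An Interest arriving with a nonce already recorded for that name has looped and is dropped; an Interest for a pending name but with a fresh nonce is another consumer's request and is aggregated rather than forwarded again. The three-node ring and the name and nonce values are constructed.

```python
"""Interest loop detection with the PIT nonce check (added example, not NDN project code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class PitEntry:
    nonces: Set[int] = field(default_factory=set)      # nonces seen for this name
    in_faces: Set[str] = field(default_factory=set)    # faces waiting for the Data


class PendingInterestTable:
    def __init__(self) -> None:
        self.entries: Dict[str, PitEntry] = {}

    def on_interest(self, name: str, nonce: int, in_face: str) -> str:
        """Return the forwarding decision for an incoming Interest."""
        entry = self.entries.get(name)
        if entry is None:
            self.entries[name] = PitEntry({nonce}, {in_face})
            return "forward"                 # first request for this name: send it upstream
        if nonce in entry.nonces:
            return "drop-loop"               # the same Interest came back: a loop
        entry.nonces.add(nonce)
        entry.in_faces.add(in_face)
        return "aggregate"                   # another consumer wants the same name; wait for the Data

    def on_data(self, name: str) -> Set[str]:
        """Data satisfies the entry: return the faces to send it on and remove the entry."""
        entry = self.entries.pop(name, None)
        return entry.in_faces if entry else set()


def simulate_loop(name: str = "/example/video/seg1", nonce: int = 0xC0FFEE) -> List[Tuple[str, str]]:
    """Constructed ring A -> B -> C -> A with no producer: every node forwards to the next."""
    pits = {node: PendingInterestTable() for node in "ABC"}
    next_hop = {"A": "B", "B": "C", "C": "A"}
    trace: List[Tuple[str, str]] = []
    node, in_face = "A", "consumer"
    for _ in range(6):                       # bounded only as a safety net; the PIT stops it earlier
        decision = pits[node].on_interest(name, nonce, in_face)
        trace.append((node, decision))
        if decision != "forward":
            break
        in_face, node = f"from-{node}", next_hop[node]
    return trace


def aggregation_example(name: str = "/example/video/seg1") -> Tuple[str, str, Set[str]]:
    """Two consumers ask for the same name with different nonces; one Data answers both."""
    pit = PendingInterestTable()
    first = pit.on_interest(name, 11, "face1")
    second = pit.on_interest(name, 22, "face2")
    return first, second, pit.on_data(name)


if __name__ == "__main__":
    print(simulate_loop())
    print(aggregation_example())
```

The Interest makes exactly one trip around the ring and is dropped the moment node A sees its own nonce again, with no hop count or TTL involved; the aggregation case shows why the check is on the nonce rather than the name alone.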
Conclusion: A new way to think about security
• Secure the Content, Not the Channel !
- SSL, VPN, SSH tunnels, Tor etc. all provide a secure channel
- Users don't really care whether the channel is secure or not. They care about
data security
• Require Authentication on all content
- Security is not optional but part of architecture
• Encrypt the content if you don’t trust the channel
- Encryption is optional and applied where required