Comment by theideaofcoffee

1 year ago

This is a great writeup! Especially for those that may want to DIY it, the how and the why and all of that, and not have to shell out for carrier-quality Layer 1 encryption devices. Nice to see that even off-the-shelf components can do it with relative ease at those rates. Also nice to see sane sysctl tunes as well. Anything to make an adversary's day a bit harder. I low-key love the explanation of old 10BASE5 taps, something that is so well and truly dead, but the legacy carries on into everything new today.

This is actually a well-trodden area of datacenter interconnect (DCI) devices that do line-rate encryption (to crazy levels like 400G+) to protect those links that may have easily accessible fibers strung along poles, for instance, to prevent just the vampirism described in the post. Packetlight, Ciena, Infinera and others.