Ethernet Traffic Flow Security
Don Fedyk, LabN Consulting LLC. 5/22/2019
Rationale
• Privacy is increasingly important as networks grow and dependency on data networks increases.
• Implement methods that improve privacy for IEEE 802.1 MACsec and for Ethernet Data Encryption devices (EDEs).
• Form or join a project to standardize a service format that addresses privacy and enables fixed-size frames as well as variable-size frames.
What we want to do:
• Improve privacy in MACsec by moving identifiable information into the secure (encrypted) part of the frame.
• Anonymize the frame behavior by:
  • Creating a tunnel MAC SA/DA for a set of flows
  • Hiding the original MAC SA/DA inside the 802.1AE MACsec secure data
  • Constructing tunnel frames with a uniform size
  • Bandwidth efficiency:
    • Aggregating frames in a single tunnel frame
    • Fragmenting user frames within a tunnel frame
  • Sending frames at regular intervals even if there is no data
• Build on MACsec EDEs
(The slide annotates this list as increasing in complexity from top to bottom, with varying bandwidth efficiency.)
Existing MACsec Frame (IEEE 802.1AE)
Figure: the original frame DA | SA | Priority VLAN TAG | User Data is carried as DA | SA | Priority TAG | SecTag | Secure Data (VLAN TAG, User Data) | ICV. The priority is copied from the inner tag to the outer tag. DA, SA and the outer priority tag remain identifiable information sent in the clear.
Functional ETT MACsec Frame
Figure: the tunnel frame is ETT DA | ETT SA | VLAN Tag | SecTag | Secure Data | ICV. The Secure Data carries an MTDU (Ethernet Tunnel): ETT EtherType | TAG | original frame 1 (DA, SA, VLAN TAG, User Data 1) | original frame 2 (DA, SA, VLAN TAG, User Data 2) | ...
Moved fields: the red-network destination/source addresses now sit inside the Secure Data. New Ethernet Transport Tunnel fields: ETT DA and ETT SA.
Summary of Ethernet Headers (outer to inner; reconstructed from the slide's column layout)
| Format | Header stack |
|---|---|
| 802.1 | DA \| SA \| Length/EtherType \| User Data |
| 802.1Q | DA \| SA \| EtherType \| C-TAG \| EtherType \| User Data |
| 802.1ad | DA \| SA \| EtherType \| S-TAG \| EtherType \| C-TAG \| EtherType \| User Data |
| 802.1ah | B-DA \| B-SA \| EtherType \| B-TAG \| EtherType \| I-TAG \| DA \| SA \| EtherType \| C-TAG \| EtherType \| User Data |
| 802.1AE | DA \| SA \| EtherType \| C/S-TAG \| Sec-TAG \| MACsec-encrypted (EtherType \| C-TAG \| User Data) |
| E-TFS (proposal) | DA/B-DA \| SA/B-SA \| EtherType \| S/B-TAG \| Sec-TAG \| MTDU-TAG \| one or more data PDUs, each Length \| DA \| SA \| EtherType \| C-TAG \| EtherType \| User Data |
Ethernet Transport Tunnels on Ethernet Data Encryption devices
Figure: three Red networks, each behind an EDE, interconnected across a Black network by unidirectional Ethernet Transport Tunnels (ETTs).
EDE-CC Today
Figure: Customer Network - Customer Edge Port - EDE-CC (Red side / Black side) - Provider Network Port - Provider Bridged Network (bridges B1, B2, B3) - EDE-CC - Customer Network.
Red-side frame: DA | SA | C-Tag | data
Black-side frame: DA | SA | C-Tag | Etype | SecTag | data (the original DA/SA stay in the clear)
EDE-CC with E-TFS
Figure: same topology as above (Customer Network - Customer Edge Port - EDE-CC - Provider Network Port - Provider Bridged Network B1, B2, B3 - EDE-CC - Customer Network).
Red-side frame: DA | SA | C-Tag | data
Black-side frame: DA | SA | C-Tag | Etype | SecTag | (DA | SA | C-Tag | data or MTDU), i.e. the red-side DA/SA and C-Tag are now carried inside the secure data behind the tunnel DA/SA.
High Level Requirements
• The solution must not limit EDE/802.1AE functionality, notably the mapping of VLANs and priorities and possible support for multiple SecYs.
• Red-side host and control addresses must not be exposed on the black-side (insecure) port.
• The solution must not significantly reduce network bandwidth availability or have an unbounded impact on network latency.
• The solution should allow different implementation/deployment choices, e.g. a deployment-specific fixed frame size or transmission data rate.
• The solution should minimize required configuration, e.g. minimize receiver configuration.
Existing MAC Security Tag (SecTag)
MACsec EtherType (2 octets) | TCI/AN (1 octet) | SL (1 octet) | PN (4 octets) | SCI (8 octets, optional) | Secure Data
MACsec EtherType = 0x88E5 (binary 1000 1000 1110 0101).
TCI/AN octet: V=0 | ES | SC | SCB | E | C | AN (2 bits). SL octet: 0 | 0 | SL (6 bits).
MAC Security Tag with MTDU (only the data MTU changes)
MACsec EtherType (2 octets) | TCI/AN (1 octet) | SL (1 octet) | PN (4 octets) | SCI (8 octets, optional) | MTDU
The tag is unchanged (EtherType 0x88E5; TCI/AN = V=0 | ES | SC | SCB | E | C | AN; SL octet = 0 | 0 | SL). The MAC Tunnel Data Unit (MTDU) is the generic new format carried as the Secure Data (new/modified field).
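Added example (not from the slides or from any 802.1AE implementation): a small SecTAG encoder/decoder in Python that follows the field layout above, including the SL rule (SL is set only when the Secure Data is shorter than 48 octets, which is what lets a receiver find the ICV in a frame padded to the Ethernet minimum), the PN-must-not-be-zero rule, and SCI derivation from the SA when ES is set. The DA/SA/SCI values and the 16-octet ICV length are constructed test inputs.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # SecTAG EtherType (binary 1000 1000 1110 0101, as on the slide)
ICV_LEN = 16                # ICV length for the default GCM-AES cipher suites

# Bits of the TCI/AN octet, most significant bit first (IEEE 802.1AE-2018, clause 9.5)
TCI_V = 0x80    # version, must be 0
TCI_ES = 0x40   # End Station: SCI not encoded, its System Identifier is the frame's SA
TCI_SC = 0x20   # SCI explicitly present in the SecTAG
TCI_SCB = 0x10  # Single Copy Broadcast: SCI not encoded, Port Identifier 00-00
TCI_E = 0x08    # Encryption: Secure Data is encrypted
TCI_C = 0x04    # Changed text: Secure Data differs from the User Data
AN_MASK = 0x03  # Association Number (low two bits)


def build_sectag(an, pn, sci=None, encrypt=True, es=False, scb=False, secure_data_len=0):
    """Encode a SecTAG. SL is non-zero only when the Secure Data is shorter than 48 octets."""
    if not 0 <= an <= 3:
        raise ValueError("AN is a two-bit field")
    if not 1 <= pn <= 0xFFFFFFFF:
        raise ValueError("PN is 1..2^32-1; PN 0 is never transmitted")
    if sci is not None and (es or scb):
        raise ValueError("ES/SCB mean the SCI is not encoded")
    if sci is not None and len(sci) != 8:
        raise ValueError("SCI is 8 octets (System Identifier + Port Identifier)")
    tci = an
    tci |= TCI_ES if es else 0
    tci |= TCI_SC if sci is not None else 0
    tci |= TCI_SCB if scb else 0
    tci |= (TCI_E | TCI_C) if encrypt else 0   # E=1 with C=0 is reserved
    sl = secure_data_len if secure_data_len < 48 else 0
    tag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn)
    return tag + sci if sci is not None else tag


def parse_sectag(frame, offset=12):
    """Decode the SecTAG at frame[offset:] (12 = right after DA and SA).
    Returns (fields, index of the first Secure Data octet)."""
    ethertype, tci, sl, pn = struct.unpack_from("!HBBI", frame, offset)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci & TCI_V:
        raise ValueError("unsupported SecTAG version")
    if sl & 0xC0:
        raise ValueError("reserved SL bits must be zero")
    if pn == 0:
        raise ValueError("PN 0 is invalid")
    es, sc, scb = bool(tci & TCI_ES), bool(tci & TCI_SC), bool(tci & TCI_SCB)
    e, c = bool(tci & TCI_E), bool(tci & TCI_C)
    if sc and (es or scb):
        raise ValueError("SC cannot be combined with ES or SCB")
    if e and not c:
        raise ValueError("E=1 with C=0 is reserved")
    pos = offset + 8
    if sc:
        sci = bytes(frame[pos:pos + 8])
        pos += 8
    elif es:
        # SCI not encoded: System Identifier is the SA (frame[6:12]), Port Identifier 00-01,
        # or 00-00 when SCB is also set
        sci = bytes(frame[6:12]) + (b"\x00\x00" if scb else b"\x00\x01")
    else:
        sci = None   # implicit: the receiving SecY identifies the SC from the SA and its configuration
    fields = {"es": es, "sc": sc, "scb": scb, "e": e, "c": c,
              "an": tci & AN_MASK, "sl": sl, "pn": pn, "sci": sci}
    return fields, pos


def split_macsec_frame(frame, icv_len=ICV_LEN):
    """Split DA | SA | SecTAG | Secure Data | ICV. SL locates the end of the Secure Data when the
    frame was padded to the Ethernet minimum; otherwise the ICV is the last icv_len octets."""
    if len(frame) < 12 + 8 + icv_len:
        raise ValueError("frame too short for a SecTAG and ICV")
    fields, pos = parse_sectag(frame, 12)
    n = fields["sl"] if fields["sl"] else len(frame) - pos - icv_len
    if n < 0 or pos + n + icv_len > len(frame):
        raise ValueError("Secure Data length inconsistent with frame length")
    fields.update(da=bytes(frame[:6]), sa=bytes(frame[6:12]),
                  secure_data=bytes(frame[pos:pos + n]),
                  icv=bytes(frame[pos + n:pos + n + icv_len]))
    return fields
```

The decoder deliberately rejects PN 0, a set V bit, non-zero reserved SL bits and the reserved E=1/C=0 combination rather than passing them through; a receiving SecY drops such frames, and a parser used for monitoring should flag them the same way.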
New MAC Tunnel Data Units (MTDU)
MTDU (the MACsec Secure Data Unit): ETT EtherType | Offset | Data Block | optional further Data Blocks
Data Block (an original MAC frame): Length | DA | SA | MSDU (TAGs and original User Data)
New/modified fields: ETT EtherType, Offset, Length.
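Added example (not from the slides and not a proposed encoding): a Python packer and receiver for the MTDU layout above that exercises the "what we want to do" bullets, namely aggregation of several frames into one fixed-size MTDU, fragmentation of a frame across consecutive MTDUs, and an all-padding MTDU when there is nothing to send so the tunnel still transmits at a regular interval. The field widths (2-octet ETT EtherType, Offset and Length), the placeholder EtherType value, the meaning of Offset (octets at the start of the data area that continue the previous MTDU's last frame) and the padding convention (Length 0) are assumptions made for the example; the slides name the fields but do not size or define them. The sample frames are constructed stand-ins for DA | SA | MSDU.

```python
import struct

# Field widths are assumptions for illustration: the slide names the fields but not their sizes.
ETT_ETHERTYPE = 0xFFFF   # placeholder value; no EtherType has been assigned to ETT
MTDU_HDR = 4             # ETT EtherType (2 octets) + Offset (2 octets)
BLOCK_HDR = 2            # Length (2 octets) in front of each original frame (DA | SA | MSDU)


def pack_mtdus(frames, mtdu_size):
    """Aggregate/fragment original frames into MTDUs of exactly mtdu_size octets.
    Offset = octets at the start of the data area that continue a frame begun in the previous
    MTDU. A Length of 0 (or fewer than BLOCK_HDR trailing octets) is padding. With no frames
    at all one all-padding MTDU is produced, so the sender still transmits at its interval."""
    data_area = mtdu_size - MTDU_HDR
    if data_area < BLOCK_HDR + 1:
        raise ValueError("MTDU too small to carry a block header and one octet")
    mtdus, cur, offset = [], bytearray(), 0

    def flush():
        nonlocal cur, offset
        cur.extend(b"\x00" * (data_area - len(cur)))          # zero padding to the fixed size
        mtdus.append(struct.pack("!HH", ETT_ETHERTYPE, offset) + bytes(cur))
        cur, offset = bytearray(), 0

    for frame in frames:
        if len(frame) > 0xFFFF:
            raise ValueError("frame too long for the 2-octet Length")
        block = struct.pack("!H", len(frame)) + frame
        if data_area - len(cur) < BLOCK_HDR + 1:              # keep the Length header whole
            flush()
        while block:
            room = data_area - len(cur)
            cur.extend(block[:room])
            block = block[room:]
            if block:                                         # frame continues in the next MTDU
                flush()
                offset = min(len(block), data_area)
    if cur or not mtdus:
        flush()
    return mtdus


class MtduReceiver:
    """Reassembles original frames from a sequence of MTDUs. The MACsec PN of the carrying
    frame is passed in so that a lost MTDU (PN gap) discards the in-progress fragment; the
    Offset alone cannot reveal a loss when consecutive MTDUs carry equal-sized continuations."""

    def __init__(self):
        self.pending = None   # (total length, octets collected so far) of a fragmented frame
        self.last_pn = None

    def receive(self, mtdu, pn):
        out = []
        if self.last_pn is not None and pn != self.last_pn + 1:
            self.pending = None                               # loss: partial frame is unrecoverable
        self.last_pn = pn
        ethertype, offset = struct.unpack_from("!HH", mtdu, 0)
        data = mtdu[MTDU_HDR:]
        if ethertype != ETT_ETHERTYPE or offset > len(data):
            raise ValueError("malformed MTDU")
        if self.pending is not None:
            need, buf = self.pending
            if offset != min(need - len(buf), len(data)):
                self.pending = None                           # inconsistent: drop the fragment
            else:
                buf.extend(data[:offset])
                if len(buf) == need:
                    out.append(bytes(buf))
                    self.pending = None
        # continuation octets with nothing pending (e.g. after a loss) are skipped
        pos = offset
        while pos + BLOCK_HDR <= len(data):
            (length,) = struct.unpack_from("!H", data, pos)
            pos += BLOCK_HDR
            if length == 0:
                break                                         # padding to the end of the MTDU
            chunk = data[pos:pos + length]
            pos += len(chunk)
            if len(chunk) == length:
                out.append(bytes(chunk))
            else:
                self.pending = (length, bytearray(chunk))     # fragment, continues in next MTDU
        return out
```

Because every MTDU is the same size and one is emitted even when idle, an observer on the black side sees a constant frame size and, if the sender also paces them, a constant rate; the frame count and timing no longer track the red-side traffic. The price is the bandwidth spent on padding and the reassembly state at the receiver, which is exactly the complexity/efficiency trade-off the earlier slide points at.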
References
[1] IEEE Std 802.1AE-2018, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.
[2] Mick Seaman, "Privacy considerations in bridged networks", White Paper, http://www.ieee802.org/1/files/public/docs2018/e-seaman-privacy-in-bridged-networks-1018-v01.pdf
[3] Chris Hopps, "IP Traffic Flow Security", draft-chopps-ipsecme-iptfs-00, Feb 2019.
Glossary
DA - Destination Address
E - E bit (encryption set bit)
EDE - Ethernet Data Encryption device
EDE-CC - Ethernet Data Encryption device with red-side recognition of C-TAGs and black-side addition and removal of C-TAGs
EDE-CS - Ethernet Data Encryption device with red-side recognition of C-TAGs and black-side addition and removal of S-TAGs
EDE-M - VLAN-unaware Ethernet Data Encryption device operating as a Customer Bridge
EDE-SS - Ethernet Data Encryption device with red-side recognition of S-TAGs and black-side addition and removal of S-TAGs
EISS - Enhanced Internal Sublayer Service
ES - End Station bit
E-TFS - Ethernet Traffic Flow Security
ETT - Ethernet Transport Tunnel
FCS - Frame Check Sequence
ICV - Integrity Check Value
IPsec - Internet Protocol Security
MAC - Media Access Control
MACsec - Media Access Control Security
MSDU - MAC Service Data Unit
MSTP - Multiple Spanning Tree Protocol
MTDU - MAC Tunnel Data Unit
MTDU-TAG - MAC Tunnel Data Unit tag (new tag, for discussion)
PCP - Priority Code Point (IEEE Std 802.1Q)
PN - Packet Number
SA - Secure Association or Source Address, as applicable
SAI - Secure Association Identifier
SC - Secure Channel
SCB - Single Copy Broadcast
SCI - Secure Channel Identifier
SecTAG - MAC Security TAG
SecY - MAC Security Entity
SL - Short Length