Ethernet - Traffic Flow Security. Don Fedyk, LabN Consulting LLC. PowerPoint presentation.



SLIDE 1

Ethernet -Traffic Flow Security

Don Fedyk LabN Consulting LLC.

5/22/2019 1

SLIDE 2

Rationale

  • Privacy is increasingly important as networks grow and dependency on data networks increases.
  • Implement methods to improve privacy for IEEE 802.1 MACsec and for Ethernet Data Encryption devices.
  • Form or join a project to standardize a service format that addresses privacy and enables fixed-size frames as well as variable-size frames.


SLIDE 3

What we want to do:

  • Improve privacy in MACsec by moving identifiable information into the secure (encrypted) part of the frame.
  • Anonymize the frame behavior by:
      • creating a tunnel MAC SA/DA for a set of flows;
      • hiding the MAC SA/DA using 802.1AE MACsec secure data;
      • constructing tunnel frames with a uniform size.
  • Bandwidth efficiency:
      • aggregate frames in a single tunnel frame;
      • fragment user frames within a tunnel frame.
  • Send frames at regular intervals even if there is no data.
  • Build on MACsec EDEs.

(Annotation alongside the list: increasing complexity, varying efficiency.)


SLIDE 4

Existing MACsec Frame (IEEE 802.1AE)

[Figure: DA | SA | SecTag | Secure Data (VLAN TAG | User Data) | ICV. Annotations: the priority is copied from the inner tag to the outer tag; DA, SA and the priority tag are identifiable information outside the secure data.]


SLIDE 5

Functional ETT MACsec Frame

[Figure: ETT DA | ETT SA | SecTag | Secure Data | ICV, where the Secure Data is an MTDU carrying the user data: MTDU-TAG | DA | SA | VLAN TAG (priority) | User Data 1 | User Data 2.
New Ethernet Transport Tunnel fields: ETT DA/SA (Ethernet Transport Tunnel destination/source address) and ETT EtherType.
Moved fields: the red-network DA/SA and the VLAN tag with its priority now sit inside the MACsec secure data.]


SLIDE 6

Summary of Ethernet Headers

[Figure: header sequences, outermost field first; each TAG carries its own EtherType]

802.1:            DA | SA | EtherType | User Data
802.1Q:           DA | SA | C-TAG | EtherType | User Data
802.1ad:          DA | SA | S-TAG | C-TAG | EtherType | User Data
802.1ah:          B-DA | B-SA | B-TAG | I-TAG | DA | SA | S-TAG | C-TAG | EtherType | User Data
802.1AE:          DA/B-DA | SA/B-SA | S/B-TAG | Sec-TAG | C/S-TAG | EtherType | User Data (fields after the Sec-TAG are MACsec encrypted)
E-TFS (proposal): DA | SA | Sec-TAG | MTDU-TAG | one or more data PDUs, each Length | DA | SA | S-TAG | C-TAG | EtherType | User Data (fields after the Sec-TAG are MACsec encrypted)

SLIDE 7

Ethernet Transport Tunnels on Ethernet Data Encryption devices

[Figure: three Red Networks, each attached through an EDE to a common Black Network; unidirectional Ethernet Transport Tunnels (ETTs) run between the EDEs across the Black Network.]


SLIDE 8

EDE-CC Today

[Figure: red-side bridged network of bridges B1, B2 and B3 (flows B1,B2 and B1,B3) connected through three EDE-CCs to the black side. Red-side ports: Customer Edge Port, Provider Edge Port; black-side ports: Customer Network Port, Provider Network Port.
Red-side frame:   DA | SA | C-Tag | Etype | data
Black-side frame: DA | SA | C-Tag | SecTag | Etype | data, with DA, SA and C-Tag outside the SecTag]

SLIDE 9

EDE-CC with E-TFS

[Figure: the same red-side bridged network (B1, B2, B3; flows B1,B2 and B1,B3), EDE-CCs and port names as on slide 8.
Red-side frame:   DA | SA | C-Tag | Etype | data
Black-side frame: DA | SA | SecTag | (DA | SA | C-Tag | Etype | data or MTDU), where the original DA, SA and C-Tag are carried inside the secure data behind the ETT DA/SA and SecTag]

SLIDE 10

High Level Requirements

  • The solution must not limit EDE/802.1AE functionality, notably mapping of VLANs and priorities and possible support for multiple SecYs.
  • Red-side host and control addresses must not be exposed on the black-side/insecure port.
  • The solution must not significantly impact network bandwidth availability or have an unbounded impact on network latency.
  • The solution should allow for different implementation/deployment choices, e.g., a deployment-specific fixed frame size or transmission data rate.
  • The solution should minimize required configuration, e.g., minimize the receiver configuration.


SLIDE 11

Existing MAC Security Tag (SecTag)

[Figure: SecTag field layout]
  MACsec EtherType  2 octets   (bits 1000 1000 1110 0101, i.e. 0x88E5)
  TCI / AN          1 octet    (V=0, ES, SC, SCB, E, C, AN)
  SL                1 octet    (0 0 SL: two reserved zero bits, then the Short Length)
  PN                4 octets
  SCI               8 octets   (optional)
followed by the Secure Data.
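As an added example (not code from the deck), the following Python parses the SecTag layout on this slide and returns the clear-text view a black-side observer has of a MACsec frame: the outer DA/SA, every SecTag field and the Secure Data length. Field sizes follow the slide; the TCI bit order (V, ES, SC, SCB, E, C, AN) follows IEEE Std 802.1AE-2018 [1]. The 16-octet ICV length, the MAC addresses, the SCI and the frame contents are assumptions or constructed sample values.

```python
"""Clear-text view of an IEEE 802.1AE MACsec frame (added example, not from the deck).
Field sizes follow slide 11: EtherType 2, TCI/AN 1, SL 1, PN 4, SCI 8 (optional).
TCI bit positions are those of IEEE Std 802.1AE-2018 [1]."""
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5  # the 1000 1000 1110 0101 bit pattern on the slide
ICV_LEN = 16               # assumption: default GCM-AES cipher suites, 16-octet ICV


@dataclass
class SecTag:
    es: bool      # End Station: SCI is derived from the SA
    sc: bool      # explicit SCI present
    scb: bool     # Single Copy Broadcast
    e: bool       # Encryption
    c: bool       # Changed text
    an: int       # Association Number (0..3)
    sl: int       # Short Length: 0 unless the Secure Data is shorter than 48 octets
    pn: int       # Packet Number
    sci: Optional[bytes]
    length: int   # octets from the EtherType to the first octet of Secure Data


def parse_sectag(buf: bytes) -> SecTag:
    """Parse a SecTag starting at buf[0] (DA and SA already removed)."""
    if len(buf) < 8:
        raise ValueError("truncated SecTag")
    ethertype, tci_an, sl_byte, pn = struct.unpack("!HBBI", buf[:8])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not MACsec: EtherType 0x{ethertype:04x}")
    if tci_an & 0x80:
        raise ValueError("SecTag version must be 0")    # V=0 on the slide
    if sl_byte & 0xC0:
        raise ValueError("reserved SL bits must be 0")   # the "0 0 SL" octet on the slide
    sc = bool(tci_an & 0x20)
    sci, length = None, 8
    if sc:
        if len(buf) < 16:
            raise ValueError("SC set but SCI missing")
        sci, length = bytes(buf[8:16]), 16
    return SecTag(es=bool(tci_an & 0x40), sc=sc, scb=bool(tci_an & 0x10),
                  e=bool(tci_an & 0x08), c=bool(tci_an & 0x04), an=tci_an & 0x03,
                  sl=sl_byte & 0x3F, pn=pn, sci=sci, length=length)


def build_sectag(an: int, pn: int, sci: Optional[bytes] = None,
                 sl: int = 0, encrypt: bool = True) -> bytes:
    """Encode a SecTag; used here only to construct sample frames."""
    tci = (0x20 if sci is not None else 0) | (0x0C if encrypt else 0) | (an & 0x03)
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl & 0x3F, pn) + (sci or b"")


@dataclass
class ClearTextView:
    da: bytes
    sa: bytes
    tag: SecTag
    secure_data_len: int


def clear_text_view(frame: bytes) -> ClearTextView:
    """Everything a black-side observer reads without the key: outer DA/SA, SecTag, sizes.
    These are the identifiable fields the E-TFS proposal wants moved inside the Secure Data."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short")
    da, sa = frame[:6], frame[6:12]
    tag = parse_sectag(frame[12:])
    body_len = len(frame) - 12 - tag.length          # Secure Data + ICV (+ any padding)
    secure_len = tag.sl if tag.sl else body_len - ICV_LEN
    if secure_len < 0 or secure_len > body_len - ICV_LEN:
        raise ValueError("inconsistent lengths")
    return ClearTextView(da, sa, tag, secure_len)


# Constructed sample frame: locally administered MAC addresses, dummy Secure Data and ICV.
SAMPLE_DA = bytes.fromhex("020000000001")
SAMPLE_SA = bytes.fromhex("020000000002")
SAMPLE_SCI = SAMPLE_SA + b"\x00\x01"      # SCI = system MAC address + port 1
SAMPLE_FRAME = (SAMPLE_DA + SAMPLE_SA
                + build_sectag(an=1, pn=42, sci=SAMPLE_SCI)
                + bytes(60)                # 60 octets standing in for encrypted Secure Data
                + bytes(ICV_LEN))          # dummy ICV

if __name__ == "__main__":
    view = clear_text_view(SAMPLE_FRAME)
    print(view.da.hex(":"), view.sa.hex(":"), view.tag, view.secure_data_len)
```

Running the block prints the outer addresses, the decoded SecTag and the Secure Data length, which together are exactly the traffic-analysis surface that slide 4 marks as identifiable information.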


SLIDE 12

MAC Security Tag with MTDU (only the data MTU changes)

[Figure: the same SecTag layout as on slide 11: MACsec EtherType 2 octets (bits 1000 1000 1110 0101), TCI/AN 1 octet (V=0, ES, SC, SCB, E, C, AN), SL 1 octet (0 0 SL), PN 4 octets, SCI 8 octets (optional), followed by the Secure Data. New/modified field: the Secure Data is now an MTDU. The MTDU (MAC Tunnel Data Unit) is the generic new format for secure data.]


SLIDE 13

New MAC Tunnel Data Units (MTDU)

[Figure: MTDU (the MACsec Secure Data Unit): ETT EtherType | Offset | Data Block | optional more Data Blocks. Each Data Block: Length | MSDU (TAGs and original user data). The original MAC frame is DA | SA | MSDU. New/modified fields are highlighted in the original figure.]
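Slide 3 asks for tunnel frames of uniform size that aggregate several user frames, fragment user frames that do not fit, and go out at regular intervals even when there is no data; this slide names the MTDU fields (Offset, Data Block Length, MSDU). The Python model below, added here and not the deck's own code, packs MSDUs into fixed-size MTDUs on the sending side and unpacks them on the receiving side, so both aggregation and fragmentation can be seen working. Its encodings are assumptions, since the deck only names the fields: Offset and Length are 2-octet big-endian values, an Offset equal to the data-area size means that no Data Block starts in this MTDU (the whole MTDU is a fragment), a Length of 0 marks padding to the end of the MTDU, and the ETT EtherType is left out because the deck assigns no value for it. The sample frames are constructed.

```python
"""Fixed-size MAC Tunnel Data Unit (MTDU) packing model: added example, not the deck's code.
Assumed encodings: Offset and Length are 2-octet big-endian; Offset == data-area size means
no Data Block starts in this MTDU; Length 0 marks padding to the end of the MTDU. The ETT
EtherType that precedes the MTDU on slide 13 is omitted (no value is assigned in the deck)."""
import struct
from typing import List

OFFSET_LEN = 2   # assumed size of the Offset field
LENGTH_LEN = 2   # assumed size of a Data Block's Length field


class MtduSender:
    """Packs MSDUs (original frames: DA, SA, tags, user data) into MTDUs of one fixed size."""

    def __init__(self, mtdu_size: int):
        self.data_size = mtdu_size - OFFSET_LEN
        self.queue: List[bytes] = []
        self.carry = b""          # rest of a Data Block already started in an earlier MTDU

    def enqueue(self, msdu: bytes) -> None:
        if not 0 < len(msdu) <= 0xFFFF:
            raise ValueError("MSDU length not encodable in the Length field")
        self.queue.append(msdu)

    def idle(self) -> bool:
        return not self.queue and not self.carry

    def emit(self) -> bytes:
        """Build one MTDU; called on every timer tick whether or not data is waiting."""
        data = bytearray()
        if self.carry:                                  # continue the fragmented frame first
            take = min(len(self.carry), self.data_size)
            data += self.carry[:take]
            self.carry = self.carry[take:]
        offset = len(data)        # first block boundary, or data_size if a fragment fills it all
        while self.queue and self.data_size - len(data) >= LENGTH_LEN:
            msdu = self.queue.pop(0)                    # aggregate the next frame
            data += struct.pack("!H", len(msdu))
            room = self.data_size - len(data)
            data += msdu[:room]
            self.carry = msdu[room:]                    # non-empty only when fragmented
        if self.data_size - len(data) >= LENGTH_LEN:
            data += struct.pack("!H", 0)                # pad block: nothing more this interval
        data += bytes(self.data_size - len(data))       # zero fill to the fixed size
        return struct.pack("!H", offset) + bytes(data)


class MtduReceiver:
    """Unpacks MTDUs, reassembling frames that were fragmented across MTDUs."""

    def __init__(self, mtdu_size: int):
        self.data_size = mtdu_size - OFFSET_LEN
        self.partial = bytearray()
        self.need = 0             # octets still outstanding for the frame in self.partial

    def receive(self, mtdu: bytes) -> List[bytes]:
        if len(mtdu) != self.data_size + OFFSET_LEN:
            raise ValueError("MTDU size mismatch")
        (offset,) = struct.unpack("!H", mtdu[:OFFSET_LEN])
        data = mtdu[OFFSET_LEN:]
        if offset > self.data_size or (offset and not self.need):
            raise ValueError("bad Offset")
        out: List[bytes] = []
        if self.need:                                   # continuation of a fragmented frame
            cont = data[:offset]
            if len(cont) != min(self.need, self.data_size):
                raise ValueError("continuation does not match outstanding fragment (loss?)")
            self.partial += cont
            self.need -= len(cont)
            if self.need == 0:
                out.append(bytes(self.partial))
                self.partial = bytearray()
        pos = offset
        while self.data_size - pos >= LENGTH_LEN:
            (length,) = struct.unpack("!H", data[pos:pos + LENGTH_LEN])
            pos += LENGTH_LEN
            if length == 0:                             # padding: nothing more in this MTDU
                break
            chunk = data[pos:pos + length]
            pos += len(chunk)
            if len(chunk) < length:                     # frame continues in the next MTDU
                self.partial, self.need = bytearray(chunk), length - len(chunk)
                break
            out.append(bytes(chunk))
        return out


def tunnel(frames: List[bytes], mtdu_size: int) -> List[bytes]:
    """Send all frames, returning the fixed-size MTDUs that carry them."""
    sender = MtduSender(mtdu_size)
    for frame in frames:
        sender.enqueue(frame)
    mtdus = []
    while not sender.idle():
        mtdus.append(sender.emit())
    return mtdus


def efficiency(frames: List[bytes], mtdu_size: int) -> float:
    """User octets per tunnel octet at the MTDU level (SecTag and ICV not counted)."""
    mtdus = tunnel(frames, mtdu_size)
    return sum(map(len, frames)) / (len(mtdus) * mtdu_size) if mtdus else 0.0


# Constructed sample frames (locally administered MAC addresses, zero-filled payloads).
SAMPLE_FRAMES = [
    bytes.fromhex("020000000001020000000002") + bytes(28),   # 40-octet frame
    bytes.fromhex("020000000003020000000002") + bytes(88),   # 100-octet frame, gets fragmented
    bytes.fromhex("020000000001020000000003") + bytes(2),    # 14-octet frame (DA, SA, EtherType)
]

if __name__ == "__main__":
    rx = MtduReceiver(64)
    for m in tunnel(SAMPLE_FRAMES, 64):
        print(len(m), "octets, Offset", struct.unpack("!H", m[:2])[0], "->", rx.receive(m))
```

With a 64-octet MTDU the three sample frames travel in three MTDUs: the first aggregates the 40-octet frame with the start of the 100-octet frame, the second is entirely a fragment (Offset 62), and the third finishes the fragment, carries the 14-octet frame and pads the rest. Calling `emit()` on an idle sender yields an all-padding MTDU, which is the "send frames at regular intervals even if there is no data" behaviour from slide 3; `efficiency()` shows the bandwidth cost of the fixed size on a given traffic mix.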


SLIDE 14

References

[1] IEEE Std 802.1AE-2018, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.
[2] Mick Seaman, Privacy considerations in bridged networks, White Paper, http://www.ieee802.org/1/files/public/docs2018/e-seaman-privacy-in-bridged-networks-1018-v01.pdf
[3] Chris Hopps, "IP Traffic Flow Security", draft-chopps-ipsecme-iptfs-00, Feb 2019.


SLIDE 15

Glossary

DA - Destination Address
E - E-bit, encryption set bit
EDE - Ethernet Data Encryption device
EDE-CC - Ethernet Data Encryption device with red-side recognition of C-TAGs and black-side addition and removal of C-TAGs
EDE-CS - Ethernet Data Encryption device with red-side recognition of C-TAGs and black-side addition and removal of S-TAGs
EDE-M - VLAN-unaware Ethernet Data Encryption device operating as a Customer Bridge
EDE-SS - Ethernet Data Encryption device with red-side recognition of S-TAGs and black-side addition and removal of S-TAGs
EISS - Enhanced Internal Sublayer Service
ES - End Station bit
E-TFS - Ethernet Traffic Flow Security
ETT - Ethernet Transport Tunnel
FCS - Frame Check Sequence
ICV - Integrity Check Value
IPsec - Internet Protocol Security
MAC - Media Access Control
MACsec - Media Access Control Security
MTDU - MAC Tunnel Data Unit
MTDU-TAG - MAC Tunnel Data Unit tag (new tag, for discussion)
MSDU - MACsec Service Data Unit
MSTP - Multiple Spanning Tree Protocol
PCP - Priority Code Point (IEEE Std 802.1Q)
PN - Packet Number
SA - Secure Association or Source Address, as applicable
SAI - Secure Association Identifier
SC - Secure Channel
SCB - Single Copy Broadcast
SCI - Secure Channel Identifier
SecTAG - MAC Security TAG
SecY - MAC Security Entity
SL - Short Length
