macsec
play

MACsec Encryption for the wired LAN Networking Services Team, Red - PowerPoint PPT Presentation

Jan 20, 2024 •847 likes •1.33k views

Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) MACsec Encryption for the wired LAN Networking Services Team, Red Hat Sabrina Dubroca sd@queasysnail.net Netdev1.1, Seville, 2016

  1. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) MACsec Encryption for the wired LAN Networking Services Team, Red Hat Sabrina Dubroca sd@queasysnail.net Netdev1.1, Seville, 2016

  2. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Outline Introduction to MACsec (architecture, protocol, related standards) Linux kernel implementation Future work

  3. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) 1 Introduction 1 Introduction Overview Modes Protocol details

  4. Introduction Overview Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) What is MACsec IEEE standard (802.1AE-2006) for encryption over Ethernet Encrypt and authenticate all traffic in a LAN with GCM-AES-128

  5. Introduction Overview Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Why MACsec Security within LANs (layer 2) is pretty bad rogue DHCP/router advertisements ARP/ndisc spoofing IPsec is L3, cannot protect ARP/ndisc on untrusted links Cloud environment: VXLAN Encrypted VXLAN: encryption on the tunnel endpoints, not in the VM ⇒ Tenant has no control over the keys MACsec over VXLAN: encryption in the VM, doesn’t need to be aware of the underlay network

  6. Introduction Overview Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) MACsec concepts, architecture, and definitions Secure channel (SC) unidirectional channel from one node to many sequence of successive, overlapping secure associations Secure association (SA) within a SC every frame transmitted over MACsec belongs to one particular SA packet number and key are per-SA Security Entity (SecY) instance of the MACsec implementation within a node Uncontrolled port network interface providing insecure service MACsec is built on top of this

  7. Introduction Overview Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Configuration and relation with IEEE 802.1X option 1: admin can configure SC/SA/keys manually option 2: use 802.1X with MACsec extensions MKA (MACsec Key Agreement protocol) discovery of other MACsec nodes setup of SC/SA key generation and distribution synchronization of packet numbers

  8. Introduction Modes Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Encryption and integrity mandatory integrity+authenticity, optional encryption default crypto algorithm: GCM-AES authenticated encryption with additional data the entire MACsec packet is always authenticated admin can choose whether to use encryption no encryption, integrity/authenticity only: entire MACsec packet as additional data encryption + integrity/authenticity: ethernet + MACsec header as additional data, original payload is encrypted and authenticated

  9. Introduction Modes Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Strict validation Three possible validation modes for incoming packets: Strict Non-protected, invalid, or impossible to verify (no matching channel configured) frames are dropped Check These frames are counted as “invalid” and accepted, if possible Disabled Incoming frames are simply accepted, if possible Encrypted frames cannot be accepted without a matching channel and key

  10. Introduction Modes Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Replay protection each frame has a 32-bit packet number on RX, the node may validate the PN against the lowest PN it expects to get configurable replay window some amount of reordering is acceptable

  11. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Packet format (unprotected frame) Dest addr Src addr Ethertype User data · · ·

  12. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Packet format (protected frame) Dest addr Src addr MACsec Ethertype SecTAG (User) Ethertype Protected (user) data · · · ICV

  13. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Packet format (encrypted frame) Dest addr Src addr MACsec Ethertype SecTAG · · · Encrypted data · · · ICV

  14. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) SecTAG format 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 � MACsec EtherType TCI AN 0 SL Mandatory Packet Number � Optional SCI TCI tag control information AN association number (SA identifier, 2 bits) SL short length, non-zero for frame lengths under 64B SCI secure channel identifier, 64 bits 48 bits “system identifier” (MAC address) 16 bits “port number”

  15. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) SecTAG format: TCI field 0 1 2 3 4 5 6 7 V=0 ES SC SCB E C AN SC SCI present E Encrypted payload C Changed text

  16. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Interaction with other protocols and layers Eth Hdr VLAN Hdr Data Figure: unprotected VLAN frame Eth Hdr SecTAG VLAN Hdr Data ICV Figure: MACsec-protected VLAN frame VLAN tag is part of the encrypted payload

  17. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Packet handling: Transmit Eth Hdr Data Figure: Packet coming from the stack 1 push SecTAG 2 compute and append ICV 3 pass down to the underlying device Eth Hdr SecTAG Data ICV Figure: Packet passed down to the network

  18. Introduction Protocol details Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Packet handling: Receive Eth Hdr SecTAG Data ICV Figure: Packet coming from the network 1 verify packet/SecTAG format 2 check packet number (replay protection, optional) just drop the packet, no feedback to a potential attacker helps defend against DoS attacks: don’t perform heavy computation on obviously wrong packets 3 decrypt/verify ICV 4 re-check packet number (replay protection after decryption) 5 remove ICV, pop SecTAG Eth Hdr Data Figure: Packet passed up the stack

  19. Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) 2 Implementation 2 Implementation First idea: Transparent mode Better idea: Full netdevice Implementation details

  20. Implementation First idea: Transparent mode Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Transparent mode: description configure MACsec directly on the (real) netdevice all packets that go through the device are transparently encrypted and decrypted advantages no extra overhead of adding more netdevices seemed easier from a configuration point of view looked like it would “just work” qdisc layer sees the original packet (no SecTAG, not encrypted)

  21. Implementation First idea: Transparent mode Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Transparent mode: problems needs hooks in the normal packet processing path ( __netif_receive_skb_core , xmit_one ) pretty much a non-starter makes it very hard to reject RX packets that were not encrypted (including DHCP) possible with hacks in various places to check that the packet was actually decrypted (clearly unacceptable) or let the user add filtering rules manually not really “transparent”

  22. Implementation First idea: Transparent mode Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Transparent mode: problems tcpdump becomes messy (both encrypted and unencrypted packets are captured) harder to properly handle VLANs unsolved question: how to use multiple TX channels setup rules that match the (unencrypted) TX packets then configure the MACsec encryption process to use a specific TX channel for these matched packets

  23. Implementation Second idea: Full netdevice Proceedings of NetDev 1.1: The Technical Conference on Linux Networking (February 10th-12th 2016. Seville, Spain) Full netdevice: description create a new netdevice for each TX channel on a specific device similar to VLANs or macvlans “parent” device sees only the raw packets ie, the encrypted/protected packets for all its children MACsec devices and all the non-protected traffic (802.1X, maybe also some normal LAN traffic) good match for the uncontrolled/controlled port model in the IEEE standards uses rx handler and ndo start xmit

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamic Session Key Agreement Brian Weis Overview IEEE 802.1AE-2006 (MACsec) IEEE

Dynamic Session Key Agreement Brian Weis Overview IEEE 802.1AE-2006 (MACsec) IEEE

Overview of IEEE 802.1X-REV Dynamic Session Key Agreement Brian Weis Overview IEEE 802.1AE-2006 (MACsec) IEEE 802.1X-REV MACsec Key Agreement MSEC WG IETF76 2 IEEE 802.1AE-2006 Referred to as MACsec for short (or

428 views • 19 slides
Next Generation Microprocessor Functional Prototype SpaceWire Router Validation Results Jonas

Next Generation Microprocessor Functional Prototype SpaceWire Router Validation Results Jonas

Next Generation Microprocessor Functional Prototype SpaceWire Router Validation Results Jonas Ekergarn, Jan Andersson, Andreas Larsson, Daniel Hellstrm, Magnus Hjorth Aeroflex Gaisler AB Roland Weigand ESA SpaceWire Conference 2013

283 views • 13 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
CDA 4253 FPGA System Design The PicoBlaze Microcontroller Hao Zheng Comp Sci & Eng U of

CDA 4253 FPGA System Design The PicoBlaze Microcontroller Hao Zheng Comp Sci & Eng U of

CDA 4253 FPGA System Design The PicoBlaze Microcontroller Hao Zheng Comp Sci & Eng U of South Florida Overview of PicoBlaze So:-core microcontroller in VHDL: portable to other plaAorms. Small: occupies ~20 CLBs. Respectable

424 views • 30 slides
SYSC3601 Microprocessor Systems Unit 6: Input/Output (I/O) Systems SYSC3601 1 Microprocessor

SYSC3601 Microprocessor Systems Unit 6: Input/Output (I/O) Systems SYSC3601 1 Microprocessor

SYSC3601 Microprocessor Systems Unit 6: Input/Output (I/O) Systems SYSC3601 1 Microprocessor Systems Topics/Reading 1. I/O Ports, design, and address decoding. 2. Programmed I/O structures 3. 82C55 - Programmable peripheral interface chip.

687 views • 35 slides
The new FCNB portal Bringing pension regulatory processes online Jake van der Laan, CIO At the

The new FCNB portal Bringing pension regulatory processes online Jake van der Laan, CIO At the

The new FCNB portal Bringing pension regulatory processes online Jake van der Laan, CIO At the end of this webinar, you should: have a good sense of how our new portal works understand the new functionality to be added soon relating to

769 views • 19 slides
From Furlough to Funding The portal is read y... but are YOU ? A MUST WATCH GUIDE FOR BUSINESSES

From Furlough to Funding The portal is read y... but are YOU ? A MUST WATCH GUIDE FOR BUSINESSES

From Furlough to Funding The portal is read y... but are YOU ? A MUST WATCH GUIDE FOR BUSINESSES ACCESSING THE HMRC CORONAVIRUS JOB RETENTION SCHEME PORTAL Providing 150+ SME s with co - sourcing solutions for their Numbers , People & S y

380 views • 36 slides
VOParis Data Centre Pierre Le Sidaner Observatoire de Paris COSADI Heidelberg, June 2013 1

VOParis Data Centre Pierre Le Sidaner Observatoire de Paris COSADI Heidelberg, June 2013 1

VOParis Data Centre Pierre Le Sidaner Observatoire de Paris COSADI Heidelberg, June 2013 1 VOParis Organisation Started 10 years ago to develop Virtual Observatory knowledge for data distribution at Observatoire de Paris Now a

407 views • 17 slides
New School Onboarding (2020-21 School Year) Information for School Administrators 1 NCSEAA

New School Onboarding (2020-21 School Year) Information for School Administrators 1 NCSEAA

New School Onboarding (2020-21 School Year) Information for School Administrators 1 NCSEAA Website Information for Nonpublic Schools: Forms and Processes Webinars and MyPortal Instructions Nonpublic School Portal MyPortal

353 views • 8 slides
Trinity uses nmap in the film The Matrix Reloaded to hack the city power grid Benjamin

Trinity uses nmap in the film The Matrix Reloaded to hack the city power grid Benjamin

Trinity uses nmap in the film The Matrix Reloaded to hack the city power grid Benjamin uses nmap in Who Am I - No System is Safe to compromise the local power company, causing a brief blackout Lisbeth uses nmap in the film The

710 views • 26 slides
Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th

Nmap/Zenmap/Metasploit/Armitage website: http://nmap.org/ http://www.metasploit.com April 20 th 2015 Only perform scans and exploitations after receiving permission from the owner of the machine/device. Nmap Purpose Scan a

671 views • 30 slides
CSE 484 / CSE M 584 Computer Security: iOS, Wireless Security & Wireshark TA: Adrian Sham

CSE 484 / CSE M 584 Computer Security: iOS, Wireless Security & Wireshark TA: Adrian Sham

CSE 484 / CSE M 584 Computer Security: iOS, Wireless Security & Wireshark TA: Adrian Sham adrsham@cs With material from Franzi and Bens slides Logistics / Reminders Tomorrow Ian will introduce more tools you will need for Lab #3

318 views • 11 slides
R can be easily obtained by a WiFi-integrated mobile device, ECENT advances in smartphones have

R can be easily obtained by a WiFi-integrated mobile device, ECENT advances in smartphones have

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 11, NO. 12, DECEMBER 2012 1983 Received-Signal-Strength-Based Indoor Positioning Using Compressive Sensing Chen Feng, Student Member , IEEE , Wain Sy Anthea Au, Shahrokh Valaee, Senior Member , IEEE

425 views • 11 slides
(Indoor) Localization of Sensors Motivation Astonishing growth of wireless systems in last

(Indoor) Localization of Sensors Motivation Astonishing growth of wireless systems in last

(Indoor) Localization of Sensors Motivation Astonishing growth of wireless systems in last years Wireless system used in large number of applications Wireless information access has become ubiquitous Gave rise to location-based

432 views • 42 slides
T HE ability to locate people and assets, to navigate beyond exhaustive search over subsets of

T HE ability to locate people and assets, to navigate beyond exhaustive search over subsets of

1 A Machine Learning Approach to Ranging Error Mitigation for UWB Localization Henk Wymeersch, Member, IEEE , Stefano Maran, Student Member, IEEE , Wesley M. Gifford, Student Member, IEEE , Moe Z. Win, Fellow, IEEE Abstract Location-awareness

429 views • 9 slides
Layouts Dynamic layout Swing and Layout Managers Layout strategies 1 CS 349 - Layouts 2 CS

Layouts Dynamic layout Swing and Layout Managers Layout strategies 1 CS 349 - Layouts 2 CS

Layouts Dynamic layout Swing and Layout Managers Layout strategies 1 CS 349 - Layouts 2 CS 349 - Layouts Two Interface Layout Tasks 1. Designing a spatial layout of widgets in a container 2. Adjusting that spatial layout when container

921 views • 27 slides
Third d Gener eration n Position oning ng System em for U Undergroun und d Mine E

Third d Gener eration n Position oning ng System em for U Undergroun und d Mine E

Third d Gener eration n Position oning ng System em for U Undergroun und d Mine E Environm nments: An An upda update on pr on prog ogress Bingh inghao ao Li Li 1 , K Kai ai Zhao hao 2 , , Ser erkan an Say aydam am 2 , Chr

289 views • 17 slides
The Belief Roadmap: Efficient Planning in Belief Space by Factoring the Covariance Samuel

The Belief Roadmap: Efficient Planning in Belief Space by Factoring the Covariance Samuel

1 The Belief Roadmap: Efficient Planning in Belief Space by Factoring the Covariance Samuel Prentice and Nicholas Roy Abstract When a mobile agent does not known its position Decision Process (MDP). MDP-based planning through a perfectly,

496 views • 15 slides
Statistical model checking of hazards in an autonomous tramway positioning system Davide Basile 1

Statistical model checking of hazards in an autonomous tramway positioning system Davide Basile 1

Statistical model checking of hazards in an autonomous tramway positioning system Davide Basile 1 Alessandro Fantechi 1 Luigi Rucher 2 o 2 Gianluca Mand` 1 University of Florence 2

465 views • 20 slides
Computer Graphics (CS 543) Lecture 4 (Part 3): Viewing & Camera Control Prof Emmanuel Agu

Computer Graphics (CS 543) Lecture 4 (Part 3): Viewing & Camera Control Prof Emmanuel Agu

Computer Graphics (CS 543) Lecture 4 (Part 3): Viewing & Camera Control Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) 3D Viewing? Objects inside view volume show up on screen Objects outside view volume

557 views • 27 slides
Indoor Positioning: A Comparison of WiFi and Bluetooth Low Energy for Region Monitoring Alexander

Indoor Positioning: A Comparison of WiFi and Bluetooth Low Energy for Region Monitoring Alexander

Indoor Positioning: A Comparison of WiFi and Bluetooth Low Energy for Region Monitoring Alexander Lindemann, Bettina Schnor , Jan Sohre, Petra Vogel Potsdam University Institute of Computer Science Operating Systems and Distributed Systems

430 views • 29 slides
Relational Data Hierarchies CSC544 Why hierarchies?

Relational Data Hierarchies CSC544 Why hierarchies?

Relational Data Hierarchies CSC544 Why hierarchies? http://www.sci.utah.edu/~miriah/cs6630/lectures/L13-trees-graphs.pdf Scatterplots; dot plots; line charts, etc. Until now, our data points were independent of one another In

1.15k views • 61 slides
Distributed Systems Principles and Paradigms Chapter 06 (version October 3, 2007 ) Maarten van

Distributed Systems Principles and Paradigms Chapter 06 (version October 3, 2007 ) Maarten van

Distributed Systems Principles and Paradigms Chapter 06 (version October 3, 2007 ) Maarten van Steen Vrije Universiteit Amsterdam, Faculty of Science Dept. Mathematics and Computer Science Room R4.20. Tel: (020) 598 7784 E-mail:steen@cs.vu.nl,

741 views • 30 slides
2. Key elements for a 3D dose calculation engine: - voxel model of the patient - beam model -

2. Key elements for a 3D dose calculation engine: - voxel model of the patient - beam model -

ICTP S Chool On M Edical P Hysics For R Adiation T Herapy : D Osimetry And T Reatment P Lanning For B Asic And A Dvanced A Pplications 13 - 24 April 2015 Miramare, Trieste, Italy Treatment Planning Systems G. Hartmann EFOMP & German Cancer

837 views • 45 slides

More recommend