802.1AE plan aims to safeguard LANs

Because networks are vulnerable to configuration errors, miswiring and malicious attacks that can disrupt enterprise and service provider operations, it is essential for companies to apply multiple security mechanisms to protect their data, applications and network functions. The forthcoming IEEE 802.1AE standard helps prevent disruptions to Ethernet networks by protecting LAN devices from unauthorized communication.

The IEEE 802.1 Security Task Group is developing a suite of protocols to secure LANs. The principal one is IEEE 802.1AE Media Access Control Security (MACSec), which integrates security protection into wired Ethernet to secure LANs from attacks such as passive wiretapping, masquerading, man-in-the-middle and some denial-of-service attacks. MACSec is in the final stage of standardization and is expected to be published in early 2006.

MACSec helps assure ongoing network operations by identifying unauthorized stations on a LAN and preventing communication from them. It protects the control protocols that manage bridged networks, and other data, through cryptographic techniques that authenticate data origin, protect message integrity, and provide replay protection and confidentiality. By assuring that a frame comes from the station that claims to have sent it, MACSec can mitigate attacks on Layer 2 protocols.

The proposed standard safeguards communication between trusted components of the network infrastructure by providing hop-by-hop security. This distinguishes it from IPSec, which protects applications on an end-to-end basis. Network administrators make use of MACSec by configuring a set of network devices to use the protocol.

When a frame arrives at a MACSec station, the MACSec Security Entity (SecY) decrypts the frame if necessary, computes an integrity check value (ICV) over the frame and compares it with the ICV carried in the frame. If they match, the station processes the frame as normal. If they do not match, the port handles the frame according to a preset policy, such as discarding it.

Because protection is applied hop by hop, data is in the clear as it passes through each LAN station, so packet inspection remains possible and Web caching and network traffic management continue to work. On egress, the SecY computes and appends a new ICV to the frame and encrypts it, if desired, before sending it out.

802.1AE provides encapsulation and the cryptography framework for Ethernet protection. It requires supporting protocols for key management, authentication and authorization. To meet this need, the IEEE is defining an additional standard, 802.1af MAC Key Security, an extension of 802.1X that manages short-lived session keys used to encode and decode messages. An initial key, or master key, is typically obtained by an external method such as 802.1X and IETF's Extensible Authentication Protocol. A third related protocol under development is 802.1AR, Secure Device Identity, which ensures the identity of the trusted network component.

The MACSec standard uses an authenticated encryption cipher, AES-128 in Galois/Counter Mode (GCM), a mode of operation approved by the National Institute of Standards and Technology. GCM can be used for message integrity plus encryption or for message integrity alone. GCM-enabled encryption easily scales up to multigigabit line rates in economical hardware.
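The ingress and egress processing described above, as an added Go example that is not code from the article or from any 802.1AE implementation: a toy SecY built on Go's standard-library GCM-AES-128, with the frame header and packet number authenticated as associated data, optional payload encryption, the ICV comparison that discards mismatching frames, and a packet-number replay check. The frame layout, the SCI||PN nonce construction and the replay rule are my simplifications of the real MACSec SecTAG, and the type and field names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// SecY is a simplified MACSec security entity (constructed example): GCM-AES-128 on one
// secure channel plus a packet-number (PN) replay check. Assumed frame layout:
// dstMAC(6) || srcMAC(6) || PN(4) || payload (clear or encrypted) || ICV(16).
type SecY struct {
	aead   cipher.AEAD
	sci    [8]byte // secure channel identifier (src MAC + port id), the nonce prefix
	lastPN uint32  // highest PN accepted so far; PN 0 is therefore never valid
}

func NewSecY(key [16]byte, sci [8]byte) *SecY {
	block, _ := aes.NewCipher(key[:]) // 16-byte key selects AES-128; length fixed by the type
	aead, _ := cipher.NewGCM(block)   // 96-bit nonce, 128-bit tag carried as the ICV
	return &SecY{aead: aead, sci: sci}
}

// nonce = SCI || PN, so it never repeats under one key while PN keeps increasing.
func (s *SecY) nonce(pn uint32) []byte { return binary.BigEndian.AppendUint32(s.sci[:], pn) }

// Protect (egress): header and PN are always authenticated as AAD; the payload is
// encrypted when requested, otherwise sent in the clear but still covered by the ICV.
func (s *SecY) Protect(header, payload []byte, pn uint32, encrypt bool) []byte {
	out := binary.BigEndian.AppendUint32(append([]byte{}, header...), pn)
	if !encrypt {
		out, payload = append(out, payload...), nil // GCM with no plaintext yields the ICV only
	}
	return s.aead.Seal(out, s.nonce(pn), payload, out)
}

// Validate (ingress): drop malformed or replayed frames, recompute and compare the ICV,
// and hand the payload up only on a match; a mismatch discards the frame.
func (s *SecY) Validate(frame []byte, encrypted bool) ([]byte, error) {
	if len(frame) < 32 || binary.BigEndian.Uint32(frame[12:16]) <= s.lastPN {
		return nil, errors.New("malformed frame or replayed PN: discarded")
	}
	pn := binary.BigEndian.Uint32(frame[12:16])
	aadEnd := 16 // AAD is header+PN, or the whole clear frame minus the ICV
	if !encrypted {
		aadEnd = len(frame) - 16
	}
	dec, err := s.aead.Open(nil, s.nonce(pn), frame[aadEnd:], frame[:aadEnd])
	if err != nil {
		return nil, errors.New("ICV mismatch: frame discarded")
	}
	s.lastPN = pn
	return append(frame[16:aadEnd:aadEnd], dec...), nil // clear part, then decrypted part
}
```

A tampered byte anywhere in the header, packet number or payload changes the recomputed ICV and the frame is dropped; a second delivery of an already accepted frame fails the packet-number check before any cryptography runs.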

MACSec does not take the place of 802.11i, the security protocol for wireless LANs. Nor does it supplant the need to protect applications with end-to-end security protocols. MACSec's focus is on securing network operation.

[Figure: How it works: 802.1AE]

Romanow is a technical leader for Cisco. She can be reached at allyn@cisco.com.


Copyright © 2005 IDG Communications, Inc.