Posted on 26-Sep-2020
Ethernet Traffic Flow Security
Don Fedyk LabN Consulting LLC.
5/22/2019 1
Rationale
• Privacy is increasingly important as networks grow and dependency on data networks increases.
• Implement methods that improve privacy for IEEE 802.1 MACsec and for Ethernet Data Encryption devices (EDEs).
• Form or join a project to standardize a service format that addresses privacy and supports fixed-size as well as variable-size frames.
What we want to do:
• Improve Privacy in MACsec by Moving Identifiable Information into the Secure Encrypted part of the frame.
• Anonymize the frame behavior by:
  • Creating a tunnel MAC SA/DA for a set of flows
  • Hiding the MAC SA/DA inside the 802.1AE MACsec secure data
  • Constructing tunnel frames of a uniform size
  • Bandwidth efficiency:
    • Aggregate frames in a single tunnel frame
    • Fragment user frames within a tunnel frame
  • Sending frames at regular intervals even if there is no data
• Build on MACsec EDEs
(Slide annotation alongside the list: increasing complexity, varying efficiency.)
Existing MACsec Frame (IEEE 802.1AE)
[Figure: DA | SA | (outer TAG) | SecTag | Secure Data | ICV, where the Secure Data carries VLAN TAG | User Data. Annotations: the priority is copied from the inner tag to the outer tag; the DA, SA and the outer priority are identifiable information visible on the black side.]
Functional ETT MACsec Frame
[Figure: ETT DA | ETT SA | ETT EtherType / MTDU-TAG | SecTag | Secure Data | ICV, where the Secure Data is an MTDU (User Data) carrying one or more original frames: DA | SA | VLAN TAG | User Data 1, DA | SA | VLAN TAG | User Data 2, ... New Ethernet Transport Tunnel fields: ETT DA / ETT SA (Ethernet Transport Tunnel destination/source address), ETT EtherType, MTDU-TAG. Moved fields: the red-network DA/SA and the VLAN tag with its priority now sit inside the secure data.]
Summary of Ethernet Headers
[Figure: header sequence per standard, left to right]
802.1:            DA | SA | EtherType/Length | User Data
802.1Q:           DA | SA | EtherType (C-TAG) | C-TAG | EtherType | User Data
802.1ad:          DA | SA | EtherType (S-TAG) | S-TAG | EtherType (C-TAG) | C-TAG | EtherType | User Data
802.1ah:          B-DA | B-SA | EtherType (B-TAG) | B-TAG | EtherType (I-TAG) | I-TAG | DA | SA | EtherType (S-TAG) | S-TAG | EtherType (C-TAG) | C-TAG | EtherType | User Data
802.1AE:          DA/B-DA | SA/B-SA | EtherType (S/B-TAG) | S/B-TAG | EtherType (Sec-TAG) | Sec-TAG | EtherType (C/S-TAG) | C/S-TAG | EtherType | User Data, with everything after the Sec-TAG MACsec encrypted
E-TFS (proposal): DA | SA | EtherType (S-TAG) | S-TAG | EtherType (C-TAG) | C-TAG | EtherType (Sec-TAG) | Sec-TAG | EtherType (MTDU-TAG) | MTDU-TAG | Length | One or more Data PDUs (each DA | SA | ... | User Data), with everything after the Sec-TAG MACsec encrypted
Ethernet Transport Tunnels on Ethernet Data Encryption devices
[Figure: three Red Networks, each attached through an EDE to a common Black Network; unidirectional Ethernet Transport Tunnels (ETTs) run between the EDEs across the black network.]
EDE-CC Today
[Figure: three EDE-CC devices, B1, B2 and B3, each with a red side and a black side, joined on the black side by a bridged network. Red-side frame: DA | SA | C-Tag | Etype | data. Black-side frame: DA | SA | C-Tag | SecTag | data, i.e. the red DA/SA stay visible on the black side and the C-Tag is added outside the SecTag. Secure channel labels: B1,B2 and B1,B3. Port labels: Customer Edge Port, Provider Edge Port, Customer Network Port, Provider Network Port.]

EDE-CC with E-TFS
[Figure: the same topology. Black-side frame: DA | SA | (C-Tag) | SecTag | (DA | SA | C-Tag | Etype | data, or an MTDU), i.e. the outer DA/SA are the tunnel addresses and the red-side DA/SA, C-Tag, Etype and data travel inside the MACsec secure data. Secure channel labels: B1,B2 and B1,B3. Port labels as above.]
High Level Requirements
• The solution must not limit EDE/802.1AE functionality, notably the mapping of VLANs and priorities and possible support for multiple SecYs.
• Red-side host and control addresses must not be exposed on the black-side (insecure) port.
• The solution must not significantly reduce available network bandwidth, nor have an unbounded impact on network latency.
• The solution should allow different implementation/deployment choices specific to a deployment, such as a fixed frame size or a transmission data rate.
• The solution should minimize required configuration, e.g., minimize receiver configuration.
Existing MAC Security Tag (SecTag)
MACsec EtherType (2 octets) | TCI/AN (1 octet) | SL (1 octet) | PN (4 octets) | SCI (8 octets, optional) | Secure Data
MACsec EtherType = 1000 1000 1110 0101 (0x88E5)
TCI/AN octet, msb first: V=0 | ES | SC | SCB | E | C | AN (2 bits)
SL octet: 0 0 | SL (6 bits)
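An encoder and parser for the SecTAG layout above, added here as a worked example; it is not code from the proposal or from any IEEE reference implementation. The field widths, the 0x88E5 EtherType and the TCI bit positions follow IEEE Std 802.1AE-2018; the function names, the 16-octet ICV assumed when locating the secure data (the GCM-AES cipher suites), the derived-SCI case being left unmodelled, and the sample frame are this example's own assumptions and constructed input:

```python
import struct

MACSEC_ETHERTYPE = 0x88E5          # 1000 1000 1110 0101, the binary row on the slide
# TCI octet, msb first: V | ES | SC | SCB | E | C | AN (2 bits)   (IEEE 802.1AE-2018, 9.5)
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
SL_LIMIT = 48                      # SL carries the secure-data length only below this
_FIXED = struct.Struct("!HBBI")    # EtherType, TCI/AN, SL, PN (4-octet PN as on the slide)


def build_sectag(an, pn, secure_data_len, *, sci=None, es=False, scb=False, confidentiality=True):
    """Return the SecTAG octets. sci=None sets SC=0; the receiver then derives the SCI
    from the SA, which this example does not model."""
    if not 0 <= an <= 3:
        raise ValueError("AN is a 2-bit field")
    if not 0 <= pn <= 0xFFFFFFFF:
        raise ValueError("PN is a 32-bit field here (XPN not modelled)")
    if sci is not None and (es or scb):
        raise ValueError("an explicit SCI (SC=1) is not combined with ES or SCB")
    tci = an
    tci |= TCI_ES if es else 0
    tci |= TCI_SCB if scb else 0
    tci |= TCI_SC if sci is not None else 0
    if confidentiality:
        tci |= TCI_E | TCI_C           # E=C=0 means integrity protection only
    sl = secure_data_len if secure_data_len < SL_LIMIT else 0
    tag = _FIXED.pack(MACSEC_ETHERTYPE, tci, sl, pn)
    if sci is not None:
        if len(sci) != 8:
            raise ValueError("SCI is 8 octets: System Identifier (6) + Port Identifier (2)")
        tag += sci
    return tag


def parse_sectag(frame, at=12):
    """Parse the SecTAG at offset `at` (after DA/SA and any outer VLAN tag)."""
    etype, tci, sl, pn = _FIXED.unpack_from(frame, at)
    if etype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci & TCI_V:
        raise ValueError("unknown SecTAG version")      # receivers discard V != 0
    if sl & 0xC0:
        raise ValueError("reserved SL bits set")
    if (tci & TCI_SC) and (tci & (TCI_ES | TCI_SCB)):
        raise ValueError("SC set together with ES or SCB")
    size, sci = _FIXED.size, None
    if tci & TCI_SC:                                     # SCI present only when SC=1
        sci = bytes(frame[at + size:at + size + 8])
        if len(sci) != 8:
            raise ValueError("truncated SCI")
        size += 8
    return {"an": tci & 0x03, "pn": pn, "sci": sci,
            "es": bool(tci & TCI_ES), "scb": bool(tci & TCI_SCB),
            "encrypted": bool(tci & TCI_E), "changed": bool(tci & TCI_C),
            "short_len": sl, "sectag_len": size}


def split_secure_frame(frame, at=12, icv_len=16):
    """Split a MACsec frame into (SecTAG fields, secure data, ICV).
    With SL set, MAC padding to the minimum frame size sits after the ICV, so the
    secure data ends at SL octets rather than at len(frame) - icv_len."""
    tag = parse_sectag(frame, at)
    start = at + tag["sectag_len"]
    end = start + tag["short_len"] if tag["short_len"] else len(frame) - icv_len
    if end < start or end + icv_len > len(frame):
        raise ValueError("truncated frame")
    return tag, bytes(frame[start:end]), bytes(frame[end:end + icv_len])


# Constructed sample (not captured traffic): 20 octets of secure data, a 16-octet ICV,
# then 8 octets of padding so the frame reaches the minimum size without FCS.
DA, SA = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("001122334455")
SAMPLE_SECURE, SAMPLE_ICV = b"\x5a" * 20, b"\xa5" * 16
SAMPLE_FRAME = (DA + SA + build_sectag(1, 0x100, len(SAMPLE_SECURE), es=True)
                + SAMPLE_SECURE + SAMPLE_ICV + bytes(8))

if __name__ == "__main__":
    tag, secure, icv = split_secure_frame(SAMPLE_FRAME)
    print(tag, secure.hex(), icv.hex())
```

The short-length case is the one that trips up hand-rolled parsers: a frame padded after the ICV looks as if it carries more secure data than it does, and only SL tells the receiver where the ICV really starts.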
MAC Security Tag with MTDU (only the data MTU changes)
MACsec EtherType (2 octets) | TCI/AN (1 octet) | SL (1 octet) | PN (4 octets) | SCI (8 octets, optional) | MTDU
MACsec EtherType = 1000 1000 1110 0101 (0x88E5)
TCI/AN octet, msb first: V=0 | ES | SC | SCB | E | C | AN (2 bits)
SL octet: 0 0 | SL (6 bits)
MTDU (new/modified field): the MAC Tunnel Data Unit is the generic new format for the secure data
New MAC Tunnel Data Units (MTDU)
MTDU (the MACsec Secure Data Unit): ETT EtherType | Offset | Data Block | optional further Data Blocks
Data Block: Length | DA | SA | MSDU (TAGs and original user data), i.e. the original MAC frame
New/modified fields: ETT EtherType, Offset, Length
References
[1] IEEE Std 802.1AE-2018, IEEE Standard for Local and Metropolitan Area Networks: Media Access Control (MAC) Security.
[2] Mick Seaman, Privacy considerations in bridged networks, white paper, http://www.ieee802.org/1/files/public/docs2018/e-seaman-privacy-in-bridged-networks-1018-v01.pdf
[3] Chris Hopps, "IP Traffic Flow Security", draft-chopps-ipsecme-iptfs-00, Feb 2019.
Glossary
DA - Destination Address
E - Encryption bit (E bit) in the TCI
EDE - Ethernet Data Encryption device
EDE-CC - Ethernet Data Encryption device with red-side recognition of C-TAGs and black-side addition and removal of C-TAGs
EDE-CS - Ethernet Data Encryption device with red-side recognition of C-TAGs and black-side addition and removal of S-TAGs
EDE-M - VLAN-unaware Ethernet Data Encryption device operating as a Customer Bridge
EDE-SS - Ethernet Data Encryption device with red-side recognition of S-TAGs and black-side addition and removal of S-TAGs
EISS - Enhanced Internal Sublayer Service
ES - End Station bit
E-TFS - Ethernet Traffic Flow Security
ETT - Ethernet Transport Tunnel
FCS - Frame Check Sequence
ICV - Integrity Check Value
IPsec - Internet Protocol Security
MAC - Media Access Control
MACsec - Media Access Control Security
MTDU - MAC Tunnel Data Unit
MTDU-TAG - MAC Tunnel Data Unit TAG (new tag, for discussion)
MSDU - MAC Service Data Unit
MSTP - Multiple Spanning Tree Protocol
PCP - Priority Code Point (IEEE Std 802.1Q)
PN - Packet Number
SA - Secure Association or Source Address, as applicable
SAI - Secure Association Identifier
SC - Secure Channel
SCB - Single Copy Broadcast
SCI - Secure Channel Identifier
SecTAG - MAC Security TAG
SecY - MAC Security Entity
SL - Short Length