Link Layer Security: IEEE 802.1AE/af
To reiterate, securing enterprise network infrastructure from internal threats is becoming
increasingly important. Current security solutions focus on protecting the network
layer (Layer 3) and above. For example, Secure Sockets Layer (SSL) protects application
data, and IPsec protects network layer data. However, not much has been done to protect
the enterprise network's core foundation: the data link layer (Layer 2). Any compromise
at Layer 2 can be detrimental to a network.
Previous chapters detailed many of the Layer 2 attacks, ranging from attacks on the
control plane protocols, such as Spanning Tree Protocol (STP) and ARP, to data-traffic
tampering. Furthermore, upper-layer security measures cannot prevent or detect a Layer 2
security breach.4 To build a secure and robust network infrastructure, you must start by
building a secure and robust foundation and move up the stack to implement security
solutions at higher layers (depending on deployment needs). Securing Layer 2 is mandatory
and complementary to any higher-level security solution.
IEEE has proposed a standard to secure LANs and MANs: 802.1AE (also referred to as
LinkSec or MACSec).5 It operates at the network link level.
310 Chapter 18: IEEE 802.1AE
Current State: Authentication with 802.1X
This section describes how 802.1AE and 802.1af extend the existing IEEE 802.1X protocol
to provide continuous data protection in addition to authentication. To fully understand and
appreciate the LinkSec security model, you must understand what LinkSec is and its
key components; you must also examine the current state of network security at the link
layer and how LinkSec extends it to build a robust security mechanism for the entire
enterprise network.
As Chapter 17, “Identity-Based Networking Services with 802.1X,” describes, 802.1X is
an IEEE standard that is available in many industry products today.6 Networking devices,
such as Layer 2 and Layer 3 Ethernet access switches, wireless LANs (WLAN), APs,
WLAN controllers, and Layer 2 Ethernet ports in routers, can use 802.1X/EAP to
authenticate entities joining a network.
NOTE For more information on identity-based network services with IEEE 802.1X, see
Chapter 17.
The following is a brief overview of the 802.1X Layer 2 wired authentication model and
its current limitations with respect to what happens after successful authentication/
authorization.
The basic premise of this overview is that host devices attempting access are challenged for
valid credentials before they are granted network connectivity. After a host is authenticated and
authorized, the Layer 2 switch inspects ingress traffic from the user on the authenticated/
authorized port and filters frames, allowing only those with the authenticated MAC address.
Although 802.1X is a highly recommended and essential component for 802.1AE, on its own it
cannot address unauthorized access to, or prevent the inspection of, information traversing
our networks.
Note the following analogy: A security guard at a building entrance stops and validates
personnel to ensure that only authorized users enter the building. This does not prevent personnel
from misbehaving after they gain entry. The same is true for 802.1X in the case of network
access. After a user authenticates and is granted access, he can still misbehave.
Let's look at the case of what has been termed shadow hosts (or piggybacking). This is
achieved when a shared media device (such as a hub) is placed inline between a valid
supplicant (a user) and the 802.1X authenticator (Ethernet port), as Figure 18-2 shows.
Figure 18-2 Shadow Hosts
In this scenario, the shadow users need to sniff the wire to obtain the authenticated user's MAC
address and then spoof their traffic to carry that MAC address. Their packets are permitted
on the 802.1X authenticated port. An 802.1AE-enabled Layer 2 Ethernet switch port and
host network interface card (NIC) prevent this behavior. In the 802.1AE scenario, only
packets with the authenticated MAC address and security association (SA) are allowed. Because the
packets are encrypted, the would-be shadow users cannot sniff the wire to obtain the MAC
address or SA of authenticated users. As such, rogue users connected to the hub cannot gain
network access, as Figure 18-3 shows. Additionally, because all traffic between the valid
users is encrypted and checked for integrity, all communications are assured to be 100
percent confidential and authentic.
[Figure 18-2 (image not reproduced): a valid user at a conference-room wall jack (the supplicant) successfully authenticates to the wiring-closet switch (the authenticator), which relays the credentials to the AAA authentication server on the campus LAN via RADIUS. Labelled exchange: EAPOL Start, EAP Request, EAP Response (with valid credentials), Relay credentials to AAA via RADIUS, RADIUS-Accept, Port Status: Authorized. Non-authenticated shadow users share the same link as unauthenticated and unauthorized users.]
Figure 18-3 Shadow Hosts Blocked by 802.1AE
802.1X introduces a certain level of accountability through the logging provided by the
authentication, authorization, and accounting (AAA) server and syslogs on the 802.1X
access switch. The access switch provides useful information (such as authenticator access
device, username, switch port, MAC address, IP address, VLAN assignment, time, date,
and so on). Although this is useful to provide a certain level of accountability, it cannot be
relied on with 100 percent certainty. To guarantee traceback, you must be able to prove
that a rogue user hasn't spoofed a MAC or IP address. 802.1AE provides the certainty
required for 100 percent traceback to the host device, whether for accounting or
forensics.
To recap: For wired networks, after the client machine authenticates, no further measures
are taken to secure the data traffic. In other words, the 802.1X model provides for one-time
(or periodic) authentication of the entity, but it does nothing to protect the traffic. This
leaves the door open for data traffic to be snooped, spoofed, or tampered with. The switch
cannot distinguish rogue traffic from authenticated traffic because both flows carry the
same source MAC address of the authenticated client machine.
LinkSec: Extends 802.1X
LinkSec extends the 802.1X model by adding key management and data-protection phases.
This allows for continuous data protection to counter snooping, spoofing, and tampering attacks
on traffic on a LinkSec-enabled link. LinkSec brings to wired networks what WPA-2 has
already done for wireless.
[Figure 18-3 (image not reproduced): the same topology, with 802.1AE ports on the supplicant's 802.1AE NIC and on the wiring-closet switch (authenticator). The link between the valid user's wall jack and the switch is 802.1X authenticated and 802.1AE encrypted with a single SA; Port Status: Authorized, 802.1AE protected. Invalid traffic from the shadow hosts is rejected.]
To build a secure network, LinkSec incorporates the following three operations on each
network link:
• Authentication. Entities on a link are authenticated, similar to 802.1X.
• Cryptographic key distribution. Cryptographic key material is exchanged between
the authenticated entities on a link to establish a link-level SA.
• Data confidentiality and integrity. The key material/SA is used to
cryptographically protect and authenticate each packet on the link. All traffic is
protected, regardless of which application or layer it belongs to.
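The following illustration is added here and is not code from the book or from any 802.1AE implementation. It models the shadow-host scenario above and the third operation in the list (per-packet integrity under a link-level SA): a plain 802.1X port accepts any frame whose source MAC matches the authenticated host, whereas a port that verifies a per-frame integrity check value under the shared SA rejects the shadow host's spoofed frame and a tampered frame. Real 802.1AE uses AES-GCM with a SecTAG and ICV and also encrypts the payload; HMAC-SHA256 stands in for the ICV here, the key and MAC address are constructed, and confidentiality is left out so the example runs with the standard library only.

```python
# Added example (not from the book): MAC-only filtering vs. per-frame
# integrity under a link SA. HMAC-SHA256 stands in for the 802.1AE ICV.
import hashlib
import hmac
import os

VALID_MAC = "00:11:22:33:44:55"  # constructed: the 802.1X-authenticated host


def switch_8021x_only(frame, authenticated_mac):
    """Post-authentication filter of a plain 802.1X port: source MAC only."""
    return frame["src_mac"] == authenticated_mac


class LinkSA:
    """Toy link-level security association shared by the NIC and switch port."""

    def __init__(self, key):
        self.key = key  # constructed: stands in for 802.1af-derived key material

    def _icv(self, src_mac, payload):
        # Tag address and payload together so neither can be swapped or altered.
        return hmac.new(self.key, src_mac.encode() + payload, hashlib.sha256).digest()

    def protect(self, src_mac, payload):
        return {"src_mac": src_mac, "payload": payload, "icv": self._icv(src_mac, payload)}

    def verify(self, frame, authenticated_mac):
        """Accept only frames from the authenticated MAC with a valid ICV."""
        expected = self._icv(frame["src_mac"], frame["payload"])
        return frame["src_mac"] == authenticated_mac and hmac.compare_digest(frame["icv"], expected)


def shadow_host_demo():
    """Return (spoof passes 802.1X-only port, spoof passes SA port, tampered frame passes SA port)."""
    sa = LinkSA(os.urandom(16))
    good = sa.protect(VALID_MAC, b"legitimate traffic")
    assert sa.verify(good, VALID_MAC)  # the valid user's own frame is accepted
    # Shadow host on the hub copies the MAC address but holds no SA key,
    # so the best it can do is attach a guessed ICV.
    spoofed = {"src_mac": VALID_MAC, "payload": b"rogue traffic", "icv": os.urandom(32)}
    # A valid frame whose payload was modified in transit fails the same check.
    tampered = dict(good, payload=b"altered traffic")
    return (switch_8021x_only(spoofed, VALID_MAC),
            sa.verify(spoofed, VALID_MAC),
            sa.verify(tampered, VALID_MAC))


if __name__ == "__main__":
    print(shadow_host_demo())  # (True, False, False)
```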
The LinkSec security model consists of two complementary IEEE standards:
• 802.1af. Performs authentication and cryptographic key management between peers on
the same Layer 2 link. This standard is currently being defined. 802.1af is a protocol
that will be implemented in software, similar to 802.1X. It is a revision of the 802.1X
standard.
• 802.1AE. Defines the frame format, encryption algorithm, data authentication, and
frame processing. 802.1AE is fully defined, and industry products now implement this
standard. It is typically implemented in hardware at the network-interface level.
Figure 18-4 shows an example of a LinkSec model.