Re: [Anima] MACsec as an alternative to L3-tunnels
Toerless Eckert <tte@cs.fau.de> Tue, 30 July 2019 20:42 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65589120089 for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 13:42:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22S7xiTstN6U for <anima@ietfa.amsl.com>; Tue, 30 Jul 2019 13:42:04 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D483512004D for <anima@ietf.org>; Tue, 30 Jul 2019 13:42:03 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id D094E54802C; Tue, 30 Jul 2019 22:41:58 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id C0914440041; Tue, 30 Jul 2019 22:41:58 +0200 (CEST)
Date: Tue, 30 Jul 2019 22:41:58 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <20190730204158.w7b7dviwk55cxfce@faui48f.informatik.uni-erlangen.de>
References: <DM6PR11MB3385255D58A133B186AA547EDBC60@DM6PR11MB3385.namprd11.prod.outlook.com> <20190724214603.llrersvrcgb4hy7p@faui48f.informatik.uni-erlangen.de> <20190724220015.sfzqxcozq4khc6ut@faui48f.informatik.uni-erlangen.de> <6709.1564009422@dooku.sandelman.ca> <20190725143632.5fktdhifgmtyx2gk@faui48f.informatik.uni-erlangen.de> <27695.1564184021@dooku.sandelman.ca> <20190729220921.j4y5oqtoj4hkfekg@faui48f.informatik.uni-erlangen.de> <18051.1564454793@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <18051.1564454793@localhost>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/IjxyHQpWstnymU9nZVsmkUG4tb8>
Subject: Re: [Anima] MACsec as an alternative to L3-tunnels
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jul 2019 20:42:07 -0000
On Mon, Jul 29, 2019 at 10:46:33PM -0400, Michael Richardson wrote:
> It's not about keypair, it's about what IPsec would call the SPD, which is a
> way to select which traffic goes into which tunnel. I would also have
> expected it to be able to select based upon VLAN tag and destination ethernet
> type, but people said that wasn't so.
I think my reference was more to what chips can do as to what
necessarily existing standaerds may say. There is this one issue of
having an 802.1ae capable switch port connected via a hub to multiple
host, in which case you could imagine to use a different set of keys to
each host but the public vendor documentation i found was quite
inconclusive whether this actually works in todays products.
Your reference to IPsec is also another big question.
Right now, there is all this convoluted, 802.1x and AAA server MacSec
session setup mechanism. Which natively is asymmetric, and AFAIK,
the extensions to make it symmetric whee either done only very recently or are
still TBD in ieee. One solution is just to leverage all of this and
just declare that nodes need to use and trust their ACP domain
certificates - and be done. It would just be anothrer parallel ACP
secure channel mechanism beside IKEv2 and DTLS.
Personally i would love a simpler mechanism, but there is a different
simpler/nicer architectural solution and a simpler/nicer programmatic
solution: The simpler architectural mechanism is to tie MacSec into
IKEv2. But who would be the critical mass of people doing that work.
It's not easy. The simple pragmatic solution is to put ACP on top of
some ethertype like EAPoL and exclude it from 802.1x, build normal IPsec
ACP and then have small new ASA that simply auto-instantiate existing
MACsec for the data-plane.
> I would love to be told I'm wrong.
> I can see if one was building the minimum viable solution that can deal with
> state-level attackers on point to point fiber runs, that just encrypting
> everything works well.
The fiber runs in my apartment complex are in rooms open to the public.
No need to hire overpayed federal employees to plug a fiber snooping
device into them. And the city wide fibers are either on open poles or
in digging distance of shovels through somebody elses garden (learned
that from comcast workers that dug up those gardens too to find the
shovel made fiber cuts).
Sorry. not directly on-topic but hopefully entertaining.
If we want the least overhead solution, then its the last option i
mentioned. We did program that in tcl in a week as small ASA (send
random generated PSK to direct neighbor, auto-configure existing
MACsec to neighbor. Done). Of course this expects ACP to already be in
place, and if you can't exclude ACP from the MacSec encryption you have
to have a bit of logic in the ASA to avoid shooting yourself into the
feet.
Cheers
Toerless
> > if ACP can be separately encrypted from data-plane, but as long as ACP
> > is responsible to manage the encryption key, it can equally encrypt
> > both ACP and data-plane. Its just that right now, ACP is not optimized
> > for fast reconvergence, so a data-plane could converge faster and then
> > it might still need to wait for ACP. But thats solely a matter of
> > routing protocol and aliveness parameters of ACP/data-plane.
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>
--
---
tte@cs.fau.de
- [Anima] FWD: ACME for devices side meeting Toerless Eckert
- [Anima] BRSKI<->ACME use case (was: Re: FWD: ACME… Toerless Eckert
- [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Brian E Carpenter