Re: [Anima] MACsec as an alternative to L3-tunnels
Toerless Eckert <tte@cs.fau.de> Thu, 25 July 2019 14:36 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCDEE1201CF for <anima@ietfa.amsl.com>; Thu, 25 Jul 2019 07:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pvhEyBM3t2G for <anima@ietfa.amsl.com>; Thu, 25 Jul 2019 07:36:36 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C398112016D for <anima@ietf.org>; Thu, 25 Jul 2019 07:36:36 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 3BC9A548342; Thu, 25 Jul 2019 16:36:32 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 2B5B9440041; Thu, 25 Jul 2019 16:36:32 +0200 (CEST)
Date: Thu, 25 Jul 2019 16:36:32 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <20190725143632.5fktdhifgmtyx2gk@faui48f.informatik.uni-erlangen.de>
References: <DM6PR11MB3385255D58A133B186AA547EDBC60@DM6PR11MB3385.namprd11.prod.outlook.com> <20190724214603.llrersvrcgb4hy7p@faui48f.informatik.uni-erlangen.de> <20190724220015.sfzqxcozq4khc6ut@faui48f.informatik.uni-erlangen.de> <6709.1564009422@dooku.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6709.1564009422@dooku.sandelman.ca>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/SbyDFIRoB7rDeV8pK4zauCk4Zmc>
Subject: Re: [Anima] MACsec as an alternative to L3-tunnels
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 14:36:45 -0000
First of all, there is obviously an ability to filter out packets
NOT to encrypt. Otherwise you would have a lot of problems negotiating
the encryption keys. To the best of knowledge, what MUST be supported
in ethernet chips is such filtering based on ethertype because thats
whats being used also in 802.1x, the basic security architecture. See
ACP draft section A.10.2
Secondly, i was told (and this is where i have not tried to validate),
that MacSec should equally be able to utilize multiple keypairs,
probably mapped by VLAN or ethertype. But the question of course is
whether you want/can expect that MACsec MIC chips have that feature.
So, the most simple solution would be to put all of ACP onto a separate
ethertype, run that all in software (including existing encryption)
and use MacSEC to HW encrypt all other traffic.
If you wanted to then also accelerate encrypted ACP with MACsec
itself, you would not actually use the new ethertype to encapsulate
the secure channel packets, but just negotiate a separate VLAN for
that. In which case you just use IKEv2 from the scure channel protocol
(as an example) to negotiate keys but instead of IPsec/ESP you use
MACsec/VLAN).
CHeers
Toerless
On Wed, Jul 24, 2019 at 07:03:42PM -0400, Michael Richardson wrote:
>
> I was asked to decode words mangled at the mic at Tuesday morning's ANIMA
> meeting.
> The word was "MACsec", and
> https://en.wikipedia.org/wiki/IEEE_802.1AE
> https://1.ieee802.org/security/802-1ae/
>
> provides a reasonable description, and probably the getieee mechanism
> might get you a copy for free, but IEEE doesn't have a URL that
> leads to the actual document. I did read it once.
> (One of the URLs in the wikipedia page leads to 404)
>
> https://ieeexplore.ieee.org/document/8585421
> might get you the document if you have a valid password, which
> I used to, but apparently not anymore.
>
> Given my newly acquired understanding that MACsec applies on a per-port
> basis, not on a per-VLAN basis, this means that it would be rather difficult
> to do peer discovery and security for a L2-bridged LAN.
>
> --
> ] Never tell me the odds! | ipv6 mesh networks [
> ] Michael Richardson, Sandelman Software Works | network architect [
> ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
>
>
>
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
--
---
tte@cs.fau.de
- [Anima] FWD: ACME for devices side meeting Toerless Eckert
- [Anima] BRSKI<->ACME use case (was: Re: FWD: ACME… Toerless Eckert
- [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Michael Richardson
- Re: [Anima] MACsec as an alternative to L3-tunnels Toerless Eckert
- Re: [Anima] MACsec as an alternative to L3-tunnels Brian E Carpenter