Overview MACsec D2.0
IEEE 802.1 Interim May 2004
Allyn Romanow
Outline
• Disposition of comments for D1.2
• Changes in D2.0 – Re-org of material
• Cipher Suite changes – no null C.S., E bit
• Keys
• EPON
• Parameter enhancements
• Deployment, Debugging, Other Management
• SecY Operation, Interface with KaY
7/26/2016
IEEE802.1 LinkSec May 2004
Allyn Romanow, Cisco Systems
Re-organization of Material
(Intro notes to current draft)
• Cl 8 SecY Operation <-> cl 10 MACsec protocol
• State machine – cl 15
• EPON support in cl 8.4
• Cl 7 -> cl 11 MACsec in Systems (ES & B), cl 16 Securing Networks (LAN & PB)
Keys
• Master Key – pre-shared or established by authentication, longer lived
• Secure Association Key (SAK)
  – Key for the SA, short lived
  – Sometimes called transient key
  – Shared, private key
  – Get a new one from Master Key when PN wraps, or timer expires
  – Need to store 3 SAKs
Interoperability, Migration
• Previously, Null Cipher Suite
• Now, through management controls, E bit saying whether there is encryption (cl 10.1 SecY Overview); E bit is bit 3 in TCI
• Got rid of Null Cipher Suite and Include Tag – reduces unnecessary complexity
EPON
• Single Copy Broadcast SCB
Management
• Controls, monitors, reports
• Maintains and uses info for
  – The SecY
  – The CA
  – Each SC in the CA
  – Each SA that supports an SC
• Operational parameters include
  – MAC status (cl 6.4) -- MAC_Enabled, MAC_Operational
  – Point to point (cl 6.5) -- operPointToPointMAC, AdminPointToPointMAC
SecY Management Parameters
• SecY Parameters
  – List of Cipher Suites
  – C. S. selected
• Cipher Suite Parameters
  – Confidentiality Provided – E bit
  – C.S. identifier
  – Secure data length – user data length
  – ICV length
SecY Management Parameters
• CA Parameters
– Transmit SC
– List of Receiver SCs
• Transmit SC
– SCI
– EncodingSA
– EncipheringSA
SecY Management Parameters
• Receiver SC
  – SCI
  – Transmit or Receive
  – SAs (set of 4)
  – Statistics
• Transmit SA
  – SCI
  – AN
  – InUse?
  – SAK
  – Next PN
SecY Management Parameters
• Receive SA
  – SCI
  – AN
  – In use?
  – SAK
  – LastValidatedPN?
Deployment & Debugging
MACsec Operation
[Figure: MACsec Operation. TRANSMIT: DA, SA, priority and PlainText (User Data) enter PROTECT, which takes the SAK (Key), PN and SCI of the transmit SA (1), computes over the MACsec AAD, and emits the SecTAG (SCI, AN, PN), CipherText (Secure Data) and ICV. RECEIVE: VALIDATE takes the SAK (Key), PN and SCI of the receive SA (2), checks the MACsec AAD and ICV, and outputs VALID and PlainText (User Data) (3).]
Priority can be changed by media access method or receiving system and is not protected.
Functions
1. Lookup Key and next PN for transmit SA identified by AN
2. Lookup Key and PN for receive SA identified by SCI, AN
3. Discard if received frame not VALID. Discard if replay check of PN for receive SA identified by SCI, AN fails. Update replay check.
SecY Overview
[Figure: SecY Overview. Above the SecY: the Uncontrolled Port (Insecure Service Access Point) and the Controlled Port (Secure Service Access Point), each with ISS M_UNITDATA.request/indication and LMI. Inside the SecY: Secure Frame Generation (PROTECT) and Secure Frame Verification (VALIDATE), using the Cipher Suite(s). Below: the Common Port (Insecure Service Access Point) with ISS M_UNITDATA.request/indication.]
KaY Direct Use of SecY Uncontrolled
[Figure: the KaY stacked above the SecY. The KaY presents an Uncontrolled Port (Insecure Service Access Point) and a Controlled Port (Secure Service Access Point), each with ISS and LMI; the KaY uses the SecY's Uncontrolled Port (Insecure Service Access Point) directly, with SecY Mgmt alongside; the SecY's Common Port (Insecure Service Access Point) is at the bottom.]
KaY Use of SecY Uncontrolled and Controlled
[Figure: the KaY stacked above the SecY. The KaY presents an Uncontrolled Port (Insecure Service Access Point) and a Controlled Port (Secure Service Access Point), each with ISS and LMI; the KaY uses both the SecY's Uncontrolled Port (Insecure Service Access Point) and its Controlled Port (Secure Service Access Point), with SecY Mgmt alongside; the SecY's Common Port (Insecure Service Access Point) is at the bottom.]
SecY Operation
[Figure: SecY Operation. Above the SecY: Uncontrolled Port and Controlled Port (ISS M_UNITDATA.request/indication, LMI), SecY Mgmt, and the Secure Frame Selector, which passes DA, SA, priority, User Data, [FCS]. Transmit side, Secure Frame Generation: SA & PN assignment, SecTAG coding, cryptographic protection (PROTECT with the Cipher Suite(s)), using the Key from the Transmit Parameter SASet, MACsec AAD (DA, SA, SecTAG), SCI, PN; User Data Encryption and Integrity Check Calculation turn PlainText (User Data) into CipherText (Secure Data) plus ICV. Receive side, Secure Frame Verification: SecTAG decoding, SC & SA identification, replay check, cryptographic validation (VALIDATE), using the Key from the Receive Parameter SASet, MACsec AAD (DA, SA, SecTAG), SCI, PN; Integrity Check Verification, User Data Decryption and validate replay check turn CipherText (Secure Data) into VALID plus PlainText (User Data). Below: Transmit Multiplexer and Receive Demultiplexer with FCS regeneration, and the Common Port (ISS M_UNITDATA.request/indication) carrying the MPDU (DA, SA, priority, User Data, FCS).]
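The transmit and receive functions of the MACsec Operation slide (look up key and next PN for the transmit SA by AN; look up key and PN for the receive SA by SCI, AN; discard if not VALID or if the replay check fails, else update it), the Secure Frame Generation/Verification steps of the SecY Operation figure, and the Keys slide's rule that a new SAK comes from the master key when the PN wraps, modelled as a small Python SecY. This is an added example, not code from the draft or from IEEE 802.1; the TCI bit layout, the 32-bit PN, the 16-octet ICV, the HMAC stand-in for the cipher suite's ICV and the SAK derivation are all assumptions of this model.

```python
import hashlib, hmac
from dataclasses import dataclass
PN_MAX = 0xFFFFFFFF   # assumed 32-bit PN; exhausting it forces a fresh SAK from the master key
ICV_LEN = 16          # assumed ICV length (a Cipher Suite parameter on the slides)

@dataclass
class TransmitSA:     # SCI, AN, SAK, Next PN, as on the "Transmit SA" slide
    sci: bytes
    an: int
    sak: bytes
    next_pn: int = 1

@dataclass
class ReceiveSA:      # SCI, AN, SAK, LastValidatedPN, as on the "Receive SA" slide
    sci: bytes
    an: int
    sak: bytes
    last_validated_pn: int = 0

def derive_sak(master_key: bytes, an: int, generation: int) -> bytes:
    # Illustrative derivation only; the KaY's real procedure is not described on this page.
    return hmac.new(master_key, b"SAK" + bytes([an & 3, generation & 0xFF]), hashlib.sha256).digest()
def sectag(e_bit: int, an: int, pn: int, sci: bytes) -> bytes:
    # Assumed TCI layout: E bit in bit 3 (as the slide states), AN in the two low bits.
    return bytes([((e_bit & 1) << 3) | (an & 3)]) + pn.to_bytes(4, "big") + sci
def icv(sak: bytes, aad: bytes, secure_data: bytes) -> bytes:
    # Stand-in integrity check over the MACsec AAD (DA, SA, SecTAG) and the Secure Data.
    return hmac.new(sak, aad + secure_data, hashlib.sha256).digest()[:ICV_LEN]
def protect(tx: TransmitSA, da: bytes, sa: bytes, user_data: bytes) -> bytes:
    # Function 1: key and next PN come from the transmit SA identified by AN.
    if tx.next_pn > PN_MAX:
        raise RuntimeError("PN wrapped: get a new SAK from the master key before transmitting")
    tag = sectag(0, tx.an, tx.next_pn, tx.sci)          # E=0: integrity only in this model
    tx.next_pn += 1
    return da + sa + tag + user_data + icv(tx.sak, da + sa + tag, user_data)

def validate(rx_sas: dict, frame: bytes):
    # Functions 2 and 3: find the receive SA by (SCI, AN), check the ICV, then the replay check.
    da, sa, tag = frame[:6], frame[6:12], frame[12:25]
    an, pn, sci = tag[0] & 3, int.from_bytes(tag[1:5], "big"), tag[5:13]
    rx = rx_sas.get((sci, an))
    if rx is None:
        return "NO_SA", None                             # no receive SA for this SCI, AN
    secure_data, received_icv = frame[25:-ICV_LEN], frame[-ICV_LEN:]
    if not hmac.compare_digest(received_icv, icv(rx.sak, da + sa + tag, secure_data)):
        return "INVALID", None                           # discard: frame not VALID
    if pn <= rx.last_validated_pn:
        return "REPLAY", None                            # discard: replay check failed
    rx.last_validated_pn = pn                            # update replay check
    return "VALID", secure_data
```

The receive SA table is keyed by (SCI, AN), so a peer's rekey to a new AN is just another entry with its own SAK and LastValidatedPN.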