Networking

06:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

New Protocols Secure Layer 2

802.1AE protects traffic on the wire with no hit to performance.

Physical layer security is viewed by most IT professionals as a low-priority problem because cables are run behind walls or in ceilings, beyond the accessibility of most people. Wiring closets and data centers often are locked, and anyway, there are easier ways to subvert a network than by recabling it.

That said, if you could protect traffic on the wire with no hit to performance, would you do so?

You'll be answering that question in the next few years as two new network security protocols come to a switch near you. Together, these two protocols--IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV--will help secure Layer 2 traffic on the wire. 802.1AE is a completed standard and will be appearing soon in hardware. 802.1X-REV could be ratified as early as the first quarter of next year.

Cisco's December 2007 announcement of its network-wide security program, dubbed TrustSec, brought the 802.1AE protocol into the limelight. 802.1AE ensures the integrity and privacy of data between peers at Layer 2. The enhancements in 802.1X-REV automate the authentication and key management requirements for 802.1AE.

802.1AE protects data in transit on a hop-by-hop basis (see diagram, "Security In Short Hops", below), ensuring that the frames are not altered between Layer 2 devices such as switches, routers, and hosts. Organizations have the option of encrypting frames that traverse the wire, but in theory, there are few reasons not to encrypt. We say "in theory" because of the potential performance impact encryption has on switch capacity and delay.

The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards. 802.1AE implementations must conform to performance characteristics defined in the standard. 802.1AE doesn't specify hard times--rather, the maximum delay of 802.1AE processing is relative based on the time it takes to spit the bits onto the wire. On a 100-Mbps network, that's less than a millisecond for a 1,500-byte frame. Cumulatively, the impact should be negligible.

The downside is that any products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.

802.1AE isn't a replacement for Layer 3 VPNs, such as IPsec or PPTP. 802.1AE ensures that frames are protected from eavesdropping and manipulation at Layer 2 between peers. All traffic passing between two switches is protected using the same security parameters.

diagram: Security In Short Hops

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Hot Topics
11
Open Source Vs. Open Enough
Bob Laliberte, ESG senior analyst,  7/18/2014
5
Do We Need 25 GbE & 50 GbE?
Jim O'Reilly, Consultant,  7/18/2014
4
Guide: The Open Compute Project and Your Data Center
James M. Connolly, Editor in Chief, The Enterprise Cloud Site,  7/21/2014
White Papers
Register for Network Computing Newsletters
Cartoon
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Slideshows
Twitter Feed