
New Protocols Secure Layer 2: Page 2 of 2

THE REST OF THE STORY
802.1AE is only half the story, however, because it deals only with encryption and integrity--both of which require keys. 802.1X-REV provides key management--creation, distribution, deletion, and renewal of encryption keys.

802.1X-REV builds on 802.1X to support features like authentication of multiple devices on a single switch port and key distribution for 802.1AE devices. Rather than manually creating and installing keys in network devices, 802.1X-REV makes key management part of the protocol in a fashion similar to 802.11i or WPA/WPA2. 802.1AE also is extensible in that a vendor can add optional information into the 802.1AE header.

Many organizations' physical wiring has one physical LAN port per desk or cubicle, and 802.1X on a wired network was originally designed to be deployed on a one-host-per-port basis. However, it's now common for sites to have multiple hosts per port. For example, voice-over-IP phones have their own LAN port to plug into a desktop or laptop, which means two network devices per port. If there is only one port, it can be in only one of two states: authenticated (open) or unauthenticated (closed).

If the VoIP phone authenticates to the port, there's no point in using 802.1X because the port is always authenticated. If the desktop authenticates to the switch port, the port will be unauthorized and the phone will be cut off when the desktop fails to authenticate.

Recognizing this is a problem, switch vendors provide workarounds such as allowing one unauthenticated device to be placed on a specific virtual LAN, but a subsequent device has to authenticate before getting access to the network. Cisco allows its Cisco Discovery Protocol to pass through an 802.1X port, which allows discovered devices to access a designated VLAN. Switches such as the HP ProCurve allow multiple hosts to authenticate, and the switch creates virtual ports based on a device's MAC address and authentication state.

802.1X-REV addresses these issues by allowing multiple hosts to authenticate on a port. But authenticating multiple hosts isn't enough. If a workstation is connected to a VoIP phone and was properly authenticated, someone could simply clone the workstation's MAC address and connect to the network through that VoIP phone. The bogus workstation would have network access until 802.1X required a reauthentication.

THE LOWDOWN
THE PROMISE:
802.1AE offers integrity and privacy at Layer 2, so you can be sure that only authorized devices are connected to the network and that the data is kept from prying eyes, and the encryption won't affect network performance. 802.1AE enables organizations to have multiple 802.1X supplicants attached to a network port.

THE PLAYERS:
IEEE is the standards body working on the specification. Switch vendors like Cisco, Extreme, and HP as well as NIC hardware vendors including Broadcom and Intel will have to build the capabilities into their products.

THE PROSPECTS:
802.1AE is a completed standard, so it's just a matter of time before we start to see it in switch hardware. 802.1X-REV, which may be ratified as early as the first quarter of next year, is needed to standardize the key management for 802.1AE. If your company is in the planning stages of a switch upgrade, it might be a good idea to put off deploying the access layer until your chosen vendor supports 802.1AE and 802.1X-REV.

Pairing 802.1X-REV with a workstation NIC that supports 802.1AE enables multiple hosts to be authenticated simultaneously, and each host can have its own encrypted session. More important, bogus workstations can't simply plug in, because the impersonators won't have the encryption keys and therefore can't communicate with the switch.

GET READY TO UPGRADE
Like all encryption technologies, 802.1AE will have an impact on network design. The new protocol will require hardware upgrades on your switches and, optionally, on network devices such as workstations, printers, and VoIP phones. In addition, 802.1AE's impact on passive monitoring is significant. If you use in-line taps to send network frames to a network analysis device like a packet analyzer or intrusion-detection system, 802.1AE encryption will render those monitoring devices blind. The only data available to the analysis device will be the MAC addresses and the security tag that's inserted between the MAC addresses and the encrypted Ethernet payload, called the MACsec Protocol Data Unit.
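To make concrete what a tap-fed analyzer or IDS still sees on an 802.1AE link, here is an added example (not from the original article) that parses only the cleartext part of a MACsec frame: the MAC addresses, the 0x88E5 EtherType and the security tag, following the SecTAG layout in IEEE 802.1AE. The sample frame bytes are constructed for the example, not a real capture, and the payload and ICV are filler.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5   # EtherType that follows the MAC addresses in a MACsec frame
ICV_LEN = 16                # integrity check value length for GCM-AES-128

@dataclass
class MacsecView:
    dst: str
    src: str
    an: int                  # association number (which key is in use)
    encrypted: bool          # TCI E bit: payload is confidentiality-protected
    changed: bool            # TCI C bit: payload differs from the user data
    packet_number: int       # PN; a monitor can at least watch it for replays
    sci: Optional[bytes]     # secure channel identifier, present if SC bit set
    opaque_len: int          # ciphertext + ICV bytes the monitor cannot interpret

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_macsec(frame: bytes) -> MacsecView:
    """Parse MAC header and SecTAG; everything after the SecTAG is opaque."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short for MAC header, SecTAG and ICV")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04x})")
    tci_an = frame[14]
    if tci_an & 0x80:                       # V bit must be 0 for 802.1AE
        raise ValueError("unsupported SecTAG version")
    pn = struct.unpack("!I", frame[16:20])[0]
    off, sci = 20, None
    if tci_an & 0x20:                       # SC bit: 8-byte SCI follows the PN
        sci, off = frame[20:28], 28
    return MacsecView(
        dst=_mac(frame[:6]), src=_mac(frame[6:12]), an=tci_an & 0x03,
        encrypted=bool(tci_an & 0x08), changed=bool(tci_an & 0x04),
        packet_number=pn, sci=sci, opaque_len=len(frame) - off,
    )

# Constructed sample, not a real capture: the payload and ICV are filler bytes.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + struct.pack("!H", MACSEC_ETHERTYPE)
    + bytes([0x2C, 0x00])                   # TCI/AN: SC=1, E=1, C=1, AN=0; SL=0
    + struct.pack("!I", 7)                  # packet number
    + bytes.fromhex("66778899aabb0001")     # SCI = source MAC || port 1
    + bytes(range(60))                      # stand-in for the encrypted payload
    + b"\xaa" * ICV_LEN                     # stand-in for the ICV
)
```

Running `parse_macsec(SAMPLE_FRAME)` yields the addresses, key association and packet number, plus a byte count for the payload; nothing above the MAC layer is recoverable without the keys, which is the monitoring gap the article describes.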

Switches can send duplicate frames to a mirror port on a switch so that packet analyzers and intrusion-detection systems can process the frames, but that is not a perfect solution. A mirror port can only transmit half the capacity of a full-duplex link. For example, a full-duplex 1-Gbps link is capable of sending and receiving 1 Gbps simultaneously, for a total capacity of 2 Gbps. But a mirror port can only transmit at 1 Gbps. If your combined send/receive traffic is greater than 1 Gbps, your analysis equipment will see dropped frames.

In addition, because everything in the original Ethernet frame except the MAC addresses is hidden from view, bump-in-the-wire network devices like transparent firewalls, traffic shapers, load balancers, and WAN optimizers won't be able to process the 802.1AE-protected frames.

In cases where access to Layer 2 data and above is required by a bump-in-the-wire device for network analysis, the alternatives are either not to use 802.1AE on that link, so the frames are unprotected, or for the device to have the same keys as the switches.