Media Access Control (MAC) Security, often known as MACSec is a
IEEE standard based protocol for securing communication among the
trusted components of a 802.1 LAN. This function is an integral part of
and provides security to MACs defined in IEEE standard 802, 802.2 (LLC),
802.1D (Bridging), 802.1Q(VLAN) and 802.1X (PNAC).
Before we delve into more details, let's investigate why this is required. A LAN is a confined domain of networking components where all MACs can listen to broadcast messages sent by any MAC. In a switched LAN, a MAC sitting on a segment can listen to any messages transmitted by a MAC, regardless of the intended destination of the message.
It is therefore obvious that a rogue MAC can use the information contained in the transmitted messages for harmful acts or purpose. These include but not limited to,
The DoS is easy to detect. Any networking monitoring service will detect that the collision in the network is too high and finally detect the rogue MAC and remove it from the LAN.
It is the misuse of information that is most important to tackle. It is very hard to detect a MAC who is attached to a LAN in promiscuous mode, with the intention of stealing and misusing information. User Data protection can be handled by the end to end, application level security protocols (eg. IPSec), but the network configuration is highly desirable to be protected by any eavesdropping. For example,
A good compilation of VLAN attacks, including the ones descried above, are explained in this Cisco white paper.Before we delve into more details, let's investigate why this is required. A LAN is a confined domain of networking components where all MACs can listen to broadcast messages sent by any MAC. In a switched LAN, a MAC sitting on a segment can listen to any messages transmitted by a MAC, regardless of the intended destination of the message.
It is therefore obvious that a rogue MAC can use the information contained in the transmitted messages for harmful acts or purpose. These include but not limited to,
- Denial of service (DoS) attack
- The rogue MAC can simply not follow the backoff rule when collision happens and keep on transmitting on the LAN, thus blocking the entire network.
- The rogue MAC can transmit as soon as it detects transmission from some other MAC, causing intentional collision
- Misuse of the information
- A MAC can always be in promiscuous mode, accept all messages that it sees on the medium and pass on to upper layer, making all information subject to be misused. These information can range from non-encrypted user traffic to network configuration protocol messages.
The DoS is easy to detect. Any networking monitoring service will detect that the collision in the network is too high and finally detect the rogue MAC and remove it from the LAN.
It is the misuse of information that is most important to tackle. It is very hard to detect a MAC who is attached to a LAN in promiscuous mode, with the intention of stealing and misusing information. User Data protection can be handled by the end to end, application level security protocols (eg. IPSec), but the network configuration is highly desirable to be protected by any eavesdropping. For example,
- ARP protocol can be very easily compromised. Any MAC can claim to be associated with any IP address. Taking a step further, A MAC can impersonate another MAC and also claim association of an IP address it is not actually associated with.
- The spanning tree protocol can be disrupted by transmission of malicious information, for example claim of new root bridge, causing it not to converge efficiently or not at all
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
Of course, solution for some attacks is to have physically separate network with trusted components. But in most cases that is practically impossible.
MACSec is designed to provide the next possible solution by securing messages present on the physical media. This prevents any rogue node to interpret the message and make use of the information contained in the message.
It is important to note that MACSec itself can not operate in itself to provide the promised services. It has to be used in conjunction with appropriate policies for complimentary and higher level protocol, and authentication and authorization framework and network management. IEEE 802.1af provides authentication and cryptographic key distribution framework.