Monday 9 July 2012

Why MACSec

Media Access Control (MAC) Security, often known as MACSec, is an IEEE standard-based protocol for securing communication among the trusted components of an 802.1 LAN. This function is an integral part of, and provides security to, the MACs defined in IEEE standards 802, 802.2 (LLC), 802.1D (Bridging), 802.1Q (VLAN) and 802.1X (PNAC).

Before we delve into more details, let's investigate why this is required. A LAN is a confined domain of networking components in which every MAC can listen to broadcast messages sent by any other MAC. In a switched LAN, a MAC sitting on a segment can listen to any message transmitted by another MAC on that segment, regardless of the intended destination of the message.

It is therefore obvious that a rogue MAC can use the information contained in the transmitted messages for harmful acts or purposes. These include, but are not limited to:
  • Denial of service (DoS) attack
    • The rogue MAC can simply ignore the backoff rule when a collision happens and keep on transmitting on the LAN, thus blocking the entire network.
    • The rogue MAC can transmit as soon as it detects a transmission from some other MAC, causing intentional collisions.
  • Misuse of the information
    • A MAC can always be in promiscuous mode, accept every message it sees on the medium and pass it on to the upper layer, making all information subject to misuse. This information can range from non-encrypted user traffic to network configuration protocol messages.

The DoS is easy to detect. Any network monitoring service will notice that the collision rate in the network is too high, eventually identify the rogue MAC and remove it from the LAN.

It is the misuse of information that is most important to tackle. It is very hard to detect a MAC that is attached to a LAN in promiscuous mode with the intention of stealing and misusing information. User data protection can be handled by end-to-end, application-level security protocols (e.g. IPSec), but it is highly desirable that the network configuration traffic also be protected from eavesdropping. For example:
  • The ARP protocol can very easily be compromised. Any MAC can claim to be associated with any IP address. Taking this a step further, a MAC can impersonate another MAC and also claim association with an IP address it is not actually associated with.
  • The spanning tree protocol can be disrupted by the transmission of malicious information, for example a claim to be the new root bridge, causing it to converge inefficiently or not at all.
A good compilation of VLAN attacks, including the ones described above, is given in this Cisco white paper:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml

Of course, the solution for some of these attacks is to have a physically separate network made up of trusted components. But in most cases that is practically impossible.

MACSec is designed to provide the next best solution by securing the messages present on the physical medium. This prevents a rogue node from interpreting a message and making use of the information it contains.

It is important to note that MACSec cannot operate by itself to provide the promised services. It has to be used in conjunction with appropriate policies for the complementary and higher-level protocols, an authentication and authorization framework, and network management. IEEE 802.1af provides the authentication and cryptographic key distribution framework.

Introduction

In this blog I will attempt to explain MACSec from a purely technical angle. The IEEE standard can be a bit confusing if you do not have a thorough knowledge of the MAC architecture, and it is easily misinterpreted, leading to wasted effort.

By no means is it an attempt to replace reading and thoroughly understanding the 802.1AE standard itself. You can use this blog as a resource that attempts to explain and simplify some of the concepts and the overall architecture as depicted in the standard.

It will be explained step by step over multiple posts, each focused on a specific subject, topic or concept.

I hope to conclude the series in two weeks' time. Given that time frame, I won't be able to produce good-quality pictures for explaining things. I will use pictures to explain concepts wherever required, but those pictures will likely be hand-drawn.