Wednesday, December 11, 2019

MACsec and IPsec – A (not so :-)) Deep Dive


8 minute read

“Security” has many meanings depending on the context and it has become a vital piece in many areas including, but not limited to, information, finance, homeland, people, food, network, social, health, etc.  

When it comes to ICT and Telecoms, security is used at many levels. These include securing the networks, systems, DCs, hardware, software, traffic, control planes, data planes, management planes etc. 

If the data plane and traffic are considered (to understand the difference between data plane and control plane, check this video), we can think of the popular ISO OSI stack or the TCP/IP stack. Both are modular, abstracted designs of the data plane, and looking at their different layers shows how security is implemented for the communication channels established at each layer.

As it is usually not practical to secure an entire network against physical access, preventing disruption and data loss arising from transmission and reception by unauthorized devices is a vital capability to have. What we achieve ultimately is the confidentiality, integrity and authenticity of traffic being communicated. In fact, it is mostly the application data that we need to make secure.

If the OSI stack is considered, security can be implemented for traffic/application data at different levels. These mostly include Physical, Data Link, Network and Application layers. 

If we consider a simple point-to-point network link working on OSI principles, our objective is to send some application data (aka payload) to and from the two ends. In packet networking, where layer 2 (data link) is mostly Ethernet and layer 3 (network) is mostly IP, this communication happens through a series of encapsulations (adding headers, and sometimes footers/trailers) from the application layer down to the physical layer, and decapsulations (removing headers, and sometimes footers/trailers) from the physical layer back up to the application layer. These headers consist of different information, values, identifications, etc.

When we want to secure the data being transported over the communication channel, we usually use encryption mechanisms to encrypt the data before it is put on to the channel. The reverse, decryption, is performed at the other end to retrieve the original data.

Encryption is the process of encoding a message or information (turning it into cipher text) so that only authorized parties can access it. Although encryption does not itself prevent interference, it denies the intelligible (aka clear text) content to a would-be interceptor.

There are many ways to do encryption, usually using modern symmetric secret-key block cipher algorithms (e.g. DES – Data Encryption Standard, 3DES – Triple DES, AES – Advanced Encryption Standard). Encryption can be performed at any layer, including layer 1 (physical), layer 2 (data link), layer 3 (network) and even layer 7 (application). Although layer 1 encryption is not end-to-end with respect to the application, it can provide high throughput, low latency and high efficiency.

As we move up in the stack, the bandwidth efficiency decreases, while both overheads and latency increase. However, if application level encryption is considered, it is end-to-end. 

Media Access Control Security (MACsec) and Internet Protocol Security (IPsec) are two such mechanisms, used at layer 2 and layer 3 of the OSI stack respectively. IPsec is commonly heard of, while MACsec is not.

Both of these work by adding additional header information (and sometimes trailers) relevant to encryption, keys etc. to the existing headers. Let’s look at MACsec first.

MACsec
Like any other Ethernet related standard, MACsec is also defined under IEEE. IEEE 802.1AE is the relevant standard. Published in 2006, the standard is over 10 years old, although we don’t hear much about MACsec compared to IPsec. It is applicable to local and metropolitan area networks.

Therefore, the main applications of MACsec are seen in DC environments. Carrier Ethernet and Metro Ethernet environments can also implement MACsec if necessary.

The standard specifies provision of connection-less user data confidentiality, data integrity and data origin authenticity by media access independent protocols and entities that operate transparently to MAC Clients. The MACsec Key Agreement Protocol (MKA) specified in IEEE 802.1X discovers mutually authenticated MACsec peers, and elects one as a Key Server that distributes the Symmetric Secure Association Keys (SAKs) used by MACsec to protect frames. The current standard is IEEE 802.1AE-2018.

Let’s go a little deeper to understand how this is done at the Ethernet frame level. Before that, let’s look at how a standard Ethernet frame is structured. Ignoring the Preamble and Start of Frame Delimiter (SFD), a standard IEEE 802.3 Ethernet frame looks like the one below.

Fig. 01 - Original Ethernet frame
Here, Payload (or Data) includes everything starting from the IP header.
A MACsec frame structure is similar to the Ethernet frame structure, but includes additional headers; the 802.1AE header is the main one. The frames are encrypted and protected with an Integrity Check Value (ICV), which is added before the Frame Check Sequence (FCS) of the original Ethernet frame.
Fig. 02 - MACsec frame
As we can see, though most of the frame is authenticated, only a few fields, including the payload, are encrypted. The reason for not encrypting the source and destination MAC addresses is obvious: doing so would prevent path finding and forwarding of frames in the Ethernet environment.

IPsec
IPsec comes from the IP side, and its standards are defined in multiple IETF RFCs. Similar to MACsec, IPsec also authenticates and/or encrypts the data (packets) sent over an IP network, acting as a secure network protocol. It includes protocols for establishing authentication between the two ends at the beginning of a session and for negotiating the cryptographic keys to use during the session.

With respect to the application, IPsec is usually end-to-end. This makes Virtual Private Networks (VPNs) possible across the public Internet for example. It can also be used on many different devices - routers, firewalls, hosts, servers, etc. Anyway, first we need two IPsec peers that build the IPsec tunnel. To establish an IPsec tunnel, we use IKE (Internet Key Exchange) protocol.

Even though IKE builds the tunnels, it doesn’t authenticate or encrypt user data. Therefore, we have to use two other protocols. Thus there are two types of IPsec security suites:
1.   ESP – Encapsulating Security Payload
2.   AH – Authentication Header
Both AH and ESP offer authentication and integrity. But only ESP supports encryption. Therefore, ESP is the most popular choice.

Both AH and ESP support two different operation modes:
1.   Tunnel Mode
2.   Transport Mode
The main difference between the two is that transport mode uses the original IP header, while tunnel mode uses a new IP header.

Let’s look at the IP header first. For simplicity, let’s consider IPv4 (note that application of IPsec is different in IPv4 and IPv6). Being in Layer 3, IP packet only has a header (unlike the Layer 2 Ethernet frame which has a header and a trailer). In fact, the payload in the Ethernet frame is the IP packet.
Fig. 03 – Original IP packet
Since the IP header has many fields, for simplicity, let’s represent all fields as IP Header. Here Data includes everything starting from the TCP header.
Fig. 04 – Simplified IP packet
Let’s try to understand the two IPsec operation modes now, together with ESP and AH protocols.

Tunnel Mode
Tunnel mode encapsulates the whole IP packet by encrypting it, authenticating it, or doing both. Encapsulation is done with IPsec headers and trailers using ESP. While both AH and ESP support authentication, the way it is performed is different. When encapsulation is performed, a new IP header is prepended to the original IP packet so that the information about the communication endpoints is not lost.

However, the fields in the new IP header are not protected for obvious reasons, similar to what is explained under MACsec.

Below figure shows IPsec tunnel mode that uses ESP header:
Fig. 05 – ESP Tunnel Mode
Note that the whole IP packet is encrypted and a new IP header is added. Otherwise, we will not be able to perform IP forwarding and routing.

Here’s how the same with AH header:
Fig. 06 – AH Tunnel Mode
Note that there’s no encryption in AH mode.

Transport Mode
Unlike tunnel mode, transport mode only protects the payload (data). No headers are involved in the encryption; only the payload is encapsulated by the IPsec header and trailer. The original IP header remains the same, but the IP Protocol field is changed to 50 for ESP or 51 in the case of AH.

Since the packet must be restored once decrypted, the original protocol value is always saved in the IPsec trailer.

Below figure shows IPsec transport mode that uses ESP header:
 
Fig. 07 – ESP Transport Mode

Here’s how the same with AH header:
Fig. 08 – AH Transport Mode
Note that there’s no encryption in AH mode.
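The two ESP modes described above (tunnel mode, which protects the whole packet and prepends a new outer IP header, and transport mode, which keeps the original header, sets the Protocol field to 50 and saves the original value in the trailer), as an added worked example that is not from the original post. The cipher is a SHA-256 keystream stand-in and the ICV a truncated HMAC-SHA256, both assumptions chosen so the example runs with the Python standard library only; real IPsec uses the transforms negotiated by IKE.

```python
import hmac, hashlib, struct

ESP, IPV4_ENCAP, ICV_LEN = 50, 4, 16   # ESP protocol number; Next Header "IPv4 inside"; truncated ICV size
def ipv4_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr[:20]))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def patch_header(hdr, proto, payload_len):  # keep the IP header, update Protocol/Total Length/checksum
    h = bytearray(hdr)
    h[2:4], h[9], h[10:12] = struct.pack("!H", 20 + payload_len), proto, b"\x00\x00"
    return bytes(h[:10]) + struct.pack("!H", ipv4_checksum(bytes(h))) + bytes(h[12:])

def ipv4_header(src, dst, proto, payload_len):  # fresh 20-byte header, TTL 64, no options
    return patch_header(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 0, 0, src, dst), proto, payload_len)

def keystream_xor(key, nonce, data):  # stand-in cipher (SHA-256 counter mode), not a real IPsec transform
    ks = b"".join(hashlib.sha256(key + nonce + struct.pack("!I", i)).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encap(pkt, spi, seq, key, mode, outer=None):
    """transport: protect payload only, keep IP header; tunnel: protect whole packet, add new outer header."""
    inner, next_hdr = (pkt[20:], pkt[9]) if mode == "transport" else (pkt, IPV4_ENCAP)
    pad = (-(len(inner) + 2)) % 4                                   # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_hdr])     # original Protocol value saved here
    esp_hdr = struct.pack("!II", spi, seq)                          # SPI + sequence number (sent in clear)
    body = keystream_xor(key, esp_hdr, inner + trailer)             # encrypted: payload + trailer
    icv = hmac.new(key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]  # authenticated: ESP hdr + body
    esp = esp_hdr + body + icv
    if mode == "transport":
        return patch_header(pkt[:20], ESP, len(esp)) + esp          # same header, Protocol becomes 50
    return ipv4_header(outer[0], outer[1], ESP, len(esp)) + esp     # new outer header, not protected

def verify_icv(pkt, key):
    esp_hdr, body, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN])

def esp_decap(pkt, key):  # check the ICV first, decrypt, then restore (transport) or unwrap (tunnel)
    if pkt[9] != ESP or not verify_icv(pkt, key):
        raise ValueError("not ESP, or ICV mismatch (packet altered or wrong key)")
    plain = keystream_xor(key, pkt[20:28], pkt[28:-ICV_LEN])
    pad, next_hdr = plain[-2], plain[-1]
    inner = plain[:len(plain) - pad - 2]
    if next_hdr == IPV4_ENCAP:
        return inner                                                # tunnel: inner packet is complete
    return patch_header(pkt[:20], next_hdr, len(inner)) + inner     # transport: Protocol field restored

KEY = b"constructed demo key"   # constructed sample key
SAMPLE = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6, 11) + b"TCP segment"  # constructed: Protocol 6 = TCP
```

Running esp_decap on a packet whose ICV no longer matches raises before any decryption, which is the order a receiver must follow so that tampered ciphertext is never processed.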
The following high-level comparison can be made between MACsec and IPsec:

                                      MACsec    IPsec
OSI layer                             2         3
Addressing involves                   MAC       IP
Data exchange entity authentication   Yes       Yes
Encryption                            Yes       Yes (only in ESP)
Bandwidth overhead                    Low       High
Delay                                 Low       High

I hope it’s now clear to you what MACsec and IPsec are, their applications, the comparison between the two, the different options for authentication and encryption, and some frame/packet level understanding of how it is actually done.

If you are interested in updating your knowledge in general, and on digital, digital technologies, digital disruptions and digital marketing in particular, you can check ARC Tube – The Knowledge Spark.

Anuradha Udunuwara, ARC Tube  |  @AnuradhaU
