Abstract

We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only minor performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates a secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on GitHub.
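
As an added illustration of the data-plane side of the mechanism described above (not code from the paper or its BMv2 prototype), the following Go example wraps an LLDP payload in a MACsec frame with GCM-AES-128 and shows what a receiving switch verifies before it trusts a link announcement: the ICV computed over the header and payload, and the packet number against replays. The SAK, SCI, MAC addresses and LLDP bytes are constructed sample values; the frame layout (8-byte SecTAG without explicit SCI, TCI E=1 and C=1, IV = SCI || PN) follows IEEE 802.1AE, with the SL field left at zero as a simplification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// sa is one MACsec secure association: AES-GCM keyed with the SAK, the SCI that seeds
// the IV, and the highest packet number (PN) accepted so far, kept for replay protection.
type sa struct {
	gcm    cipher.AEAD
	sci    [8]byte
	lastPN uint32
}

func newSA(sak [16]byte, sci [8]byte) *sa {
	block, _ := aes.NewCipher(sak[:]) // cannot fail: the key is exactly 16 bytes
	gcm, _ := cipher.NewGCM(block)    // cannot fail for an AES block cipher
	return &sa{gcm: gcm, sci: sci}
}
// nonce is the 12-byte GCM-AES-128 IV defined by IEEE 802.1AE: SCI || PN.
func (s *sa) nonce(pn uint32) []byte {
	iv := append(append([]byte{}, s.sci[:]...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(iv[8:], pn)
	return iv
}
// protect builds dst || src || SecTAG || AES-GCM(lldp) || ICV; the 20-byte header is the AAD.
func (s *sa) protect(an byte, pn uint32, dst, src, lldp []byte) []byte {
	tag := []byte{0x88, 0xE5, 0x0C | (an & 3), 0, 0, 0, 0, 0} // SecTAG: EtherType, TCI(E=1,C=1)|AN, SL=0, PN
	binary.BigEndian.PutUint32(tag[4:], pn)
	hdr := append(append(append([]byte{}, dst...), src...), tag...)
	return s.gcm.Seal(hdr, s.nonce(pn), lldp, hdr)
}
// unprotect rejects replayed PNs, verifies the ICV and returns the LLDP payload.
func (s *sa) unprotect(frame []byte) ([]byte, error) {
	if len(frame) < 36 || binary.BigEndian.Uint16(frame[12:]) != 0x88E5 {
		return nil, errors.New("not a MACsec frame")
	}
	pn := binary.BigEndian.Uint32(frame[16:])
	if pn <= s.lastPN {
		return nil, errors.New("replayed packet number")
	}
	pt, err := s.gcm.Open(nil, s.nonce(pn), frame[20:], frame[:20]) // forged or modified: ICV check fails
	if err != nil {
		return nil, err
	}
	s.lastPN = pn // advance only after successful verification
	return pt, nil
}
```

A forged LLDP frame from a host that does not hold the link's SAK, a modified frame, and a replayed capture all fail in `unprotect`, which is what keeps the central controller's link map free of spoofed links.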

Highlights

  • MACsec [41] is a widespread IEEE standard that protects Layer 2 with cryptographic integrity checks or symmetric encryption

  • P4 switches are steered by a novel two-tier control plane that consists of local controllers running on all P4 switches that connect to a central controller

  • We presented a novel mechanism for link discovery using encrypted Link Layer Discovery Protocol (LLDP) packets and automated deployment of Media Access Control Security (MACsec) link protection

Summary

INTRODUCTION

F. Hauser et al.: P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN

MACsec [41] is a widespread IEEE standard that protects Layer 2 with cryptographic integrity checks or symmetric encryption. The most widespread standard architecture and southbound protocol for SDN consists of SDN switches with a fixed-function data plane that are steered by a central SDN controller. We propose to use an SDN controller to continuously monitor the network topology and set up MACsec on all detected links between switches. The control plane implements MAC address learning for packet switching, a novel mechanism for secure link discovery with encrypted LLDP packets, and automated deployment of MACsec. The appendices include a list of acronyms that are used in the paper.

MACsec
LINK DISCOVERY IN SDN
PROTOTYPICAL IMPLEMENTATION WITH MININET
EXPERIMENT I
EXPERIMENT II
CONCLUSION