Abstract

We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on Github.

Highlights

  • MACsec [41] is a widespread IEEE standard that protects the Layer 2 with cryptographic integrity checks or symmetric encryption

  • P4 switches are steered by a novel two-tier control plane that consists of local controllers running on all P4 switches that connect to a central controller

  • We presented a novel mechanism for link discovery using encrypted Link Layer Discovery Protocol (LLDP) packets and automated deployment of Media Access Control Security (MACsec) link protection

Read more

Summary

INTRODUCTION

Csec [41] is a widespread IEEE standard that protects the Layer 2 with cryptographic integrity checks or symmetric encryption. F. Hauser et al.: P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN is the most widespread standard architecture and southbound protocol for SDN. Hauser et al.: P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection With MACsec in P4-Based SDN is the most widespread standard architecture and southbound protocol for SDN It consists of SDN switches with a fixed-function data plane that are steered by a central SDN controller. We propose to use an SDN controller to continuously monitor the network topology and set up MACsec on all detected links between switches. The control plane implements MAC address learning for packet switching, a novel mechanism for secure link discovery with encrypted LLDP packets, and automated deployment of MACsec. The appendices include a list of acronyms that are used in the paper

MACsec
LINK DISCOVERY IN SDN
PROTOTYPICAL IMPLEMENTATION WITH MININET
EXPERIMENT I
EXPERIMENT II
CONCLUSION

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.