Rethinking the link security approach to manage large scale Ethernet network

Khan Ferdous Wahid
DOI: 10.1109/LANMAN.2010.5507143 (https://doi.org/10.1109/LANMAN.2010.5507143)
Published in: 2010 17th IEEE Workshop on Local & Metropolitan Area Networks (LANMAN)
Publication date: 2010-05-05
Citations: 6

Abstract

The expansion of Ethernet into the service provider domain requires modification of its service models and management issues. Work is underway within the research community, but its main focus on Quality of Service, failure recovery, scalability, reliable connectivity, resource utilization and traffic monitoring leaves security in isolation. Having been developed initially for shared-link communication, Ethernet lacks security features. Standardized Media Access Control security (MACsec) provides segment-based security. Its link-constrained feature is constructed mainly for scalability, key-agreement simplicity and traffic analysis, but unsupported multi-segment confidentiality and integrity make MACsec vulnerable and disqualify it for large Ethernet deployments where switches reside outside of secure premises. In this paper we pinpoint vulnerabilities remaining in the existing mechanism, and further classify security requirements for unicast and multicast frames. Moreover, we present arguments to support our classification and propose new security approaches using existing Ethernet-based protocols. Finally, we evaluate the performance of our secure data transmission.