Rethinking the link security approach to manage large scale Ethernet network

Author: Khan Ferdous Wahid
Published in: 2010 17th IEEE Workshop on Local & Metropolitan Area Networks (LANMAN)
Publication date: 2010-05-05
DOI: 10.1109/LANMAN.2010.5507143 (https://doi.org/10.1109/LANMAN.2010.5507143)
Citation count: 6 (Semanticscholar)

The expansion of Ethernet into the service provider domain requires changes to its service models and its management. Work is underway in the research community, but its main focus on Quality of Service, failure recovery, scalability, reliable connectivity, resource utilization and traffic monitoring leaves security in isolation. Because it was initially developed for shared-link communication, Ethernet lacks security features. Standardized Media Access Control security (MACsec) provides segment-based security. Its link-constrained design is intended mainly for scalability, key-agreement simplicity and traffic analysis, but the lack of multi-segment confidentiality and integrity makes MACsec vulnerable and disqualifies it for large Ethernet deployments where switches reside outside secure premises. In this paper we pinpoint the vulnerabilities that remain in the existing mechanism and classify the security requirements for unicast and multicast frames. Moreover, we present arguments to support our classification and propose new security approaches using existing Ethernet-based protocols. Finally, we evaluate the performance of our secure data transmission.