P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection with MACsec in P4-SDN

We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only little performance limitations compared to VPN tech...

Detailed description

Saved in:
Bibliographic details
Published in: arXiv.org 2019-04
Main authors: Hauser, Frederik, Schmidt, Mark, Häberle, Marco, Menth, Michael
Format: Article
Language: eng
Subjects:
Online access: Full text
container_title arXiv.org
creator Hauser, Frederik
Schmidt, Mark
Häberle, Marco
Menth, Michael
description We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only minor performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates a secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on GitHub.
doi_str_mv 10.48550/arxiv.1904.07088
format Article
fulltext fulltext
identifier EISSN: 2331-8422
ispartof arXiv.org, 2019-04
issn 2331-8422
language eng
recordid cdi_arxiv_primary_1904_07088
source arXiv.org; Free E-Journals
subjects Automation
Change detection
Computer Science - Networking and Internet Architecture
Cybersecurity
Encryption
IP (Internet Protocol)
Keying
Routers
Switches
Topology
Virtual private networks
title P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection with MACsec in P4-SDN
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-17T21%3A05%3A36IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_arxiv&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=P4-MACsec:%20Dynamic%20Topology%20Monitoring%20and%20Data%20Layer%20Protection%20with%20MACsec%20in%20P4-SDN&rft.jtitle=arXiv.org&rft.au=Hauser,%20Frederik&rft.date=2019-04-15&rft.eissn=2331-8422&rft_id=info:doi/10.48550/arxiv.1904.07088&rft_dat=%3Cproquest_arxiv%3E2210211049%3C/proquest_arxiv%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2210211049&rft_id=info:pmid/&rfr_iscdi=true