SECURE BRIDGING IN LARGE SCALE DEPLOYMENT OF ETHERNET

Khan Ferdous Wahid, Javier Rubio-Loyola

2010

Abstract

With Ethernet dominant and 100 Gbps line rates approaching, service providers want to reduce their transport networks to simpler Layer-2 networks. Because existing Ethernet security mechanisms protect links on a hop-by-hop basis, they cannot control access by disloyal authorized users in virtual or logical shared-media infrastructure LANs. They also leave data in the clear inside intermediate systems, which increases the threat when those systems are placed in public locations. To address these critical security issues, we propose an authenticated on-demand secure bridging solution that provides a point-to-point secure channel between the Ingress and Egress Bridges across a bridged Ethernet network. To build this secure channel, we use an identity-based authenticated key agreement and signature protocol. Experimental results from our prototype software on a small multi-segment Ethernet network suggest that the solution is feasible and guarantees secure bridging.



Paper Citation


in Harvard Style

Ferdous Wahid K. and Rubio-Loyola J. (2010). SECURE BRIDGING IN LARGE SCALE DEPLOYMENT OF ETHERNET. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 251-260. DOI: 10.5220/0002992202510260


in Bibtex Style

@conference{secrypt10,
author={Khan Ferdous Wahid and Javier Rubio-Loyola},
title={SECURE BRIDGING IN LARGE SCALE DEPLOYMENT OF ETHERNET},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={251-260},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002992202510260},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - SECURE BRIDGING IN LARGE SCALE DEPLOYMENT OF ETHERNET
SN - 978-989-8425-18-8
AU - Ferdous Wahid K.
AU - Rubio-Loyola J.
PY - 2010
SP - 251
EP - 260
DO - 10.5220/0002992202510260