IEEE 802.1AE & Legacy Technologies
Ken Grewal

Agenda

Problem Statement
Technologies Impacted
Recommendations

Problem Statement

802.1AE services
– Data integrity over the entire frame: the ICV covers the MAC addresses, the SecTAG and all of the user data
– Data confidentiality beyond the MACsec headers: everything after the SecTAG is encrypted, which obscures the VLAN tag, the L3 and L4 headers, any higher headers and the data

Impacts existing deployed platform technologies that read those headers in hardware

Layered model and existing industrial base

The OSI layered model is an abstraction in which each layer operates independently.
Existing industrial products process several layers at once: every deployed communication product is looking for processing gains and power reduction.
Partial transparency between layers is what makes such products efficient; it delivers system processing gains and overall power reduction.
Industrial products deployed worldwide read the TCP/IP headers, and in some cases upper-layer application data, directly out of 802.3 frames.

In-line manipulation of L2+ data

Complex end-node system and communication design calls for "in-line" manipulation of the Layer 2+ payload in hardware.
DMTF-sanctioned manageability (ASF, IPMI, others) commonly uses the same MAC address as general traffic, but separate IP addresses.
– Manageability packets must be steered to out-of-band processing by hardware, to guarantee that management persists under any platform OS or functionality state.
– That steering decision keys on the IP header, which is ciphertext once the frame is 802.1AE protected.
Efficient use of DMAs, memory, cache and interrupts has driven controller-based manipulation of the payload for nearly a decade.
– Packet classification on Layer 3, 4 and 5 fields, or by some host-based multithreading optimization algorithm
Delegating this to a hardware programmable engine should not be assumed.
– Feasible, and often done.
– But it unnecessarily grows power and cost, and presents scalability challenges.

TCP/IP level access needs

Need to read the TCP/IP data without knowledge of the encapsulation protocols.
Accessing the TCP/IP level directly is a widespread industrial practice used for several applications:
– RSS: directing a packet to a processor in a multiprocessor environment according to the TCP/IP header
– TCP offload functionality
– TCP checksum offload
– TCP/IP header/data splitting
– Upper layer data support
– iSCSI offload
– Remote DMA (RDMA)
– General packet management / redirection

MPDU Format

MPDU = MACsec protocol data unit. [Figure not reproduced: DA | SA | SecTAG | Secure Data | ICV]

Possible Options

Do not use AE on end stations supporting these legacy functions (client / server)
– Unlikely, as industry trends push for more security
Use AE without data confidentiality
– Impractical in all geographies; confidentiality should be policy based, not product based
Provide HW assist for AE in all impacted technologies
– This is the intent, but a migration path is needed
Modify AE to accommodate visibility into upper layer protocols
– ONLY needed as a migration path, for the deployed technology base
– Future technologies / products can factor in AE as needed

Possible changes in AE

Flexible encryption offset
– 1 bit to control the presence / absence of an offset field in the frame
– Future versions of the protocol can deprecate this bit as needed
– Control channel negotiation of the encryption offset field; 802.1AF is as yet undefined, so it can easily accommodate this

Fixed encryption offsets
– A set of well defined encryption offsets
– Negotiated via the control channel
– Current AE frame format not impacted; only the control channel is impacted

Fixed encryption offset

Cannot accommodate all packet format / protocol permutations!
Two primitives considered:

IPv4 + upper layer protocols
– EtherType = 2 octets
– IP header (no options) = 20 octets
– Min (TCP / UDP / SCTP / etc. ports) = 8 octets
– Total = 2 + 20 + 8 = 30 octets
– With VLAN = 4 (802.1Q tag) + 2 (EtherType) + 20 + 4 (only the ports for TCP/UDP/...) = 30 octets

IPv6 + upper layer protocols
– EtherType = 2 octets
– IP header (no extension headers) = 40 octets
– Min (TCP / UDP / SCTP / etc. ports) = 8 octets
– Total = 2 + 40 + 8 = 50 octets
– With VLAN = 4 (802.1Q tag) + 2 (EtherType) + 40 + 4 (only the ports for TCP/UDP/...) = 50 octets

30/50 octet encryption offset (negotiated via control channel)
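The following is an added worked example, not code from the deck or from any IEEE text. It builds an 802.1AE MPDU with one of the fixed confidentiality offsets above (0, 30 or 50 octets), then shows the two properties the in-line classification slides depend on: a keyless engine (RSS, manageability steering) can still read the IPv4 addresses, protocol and ports from the 30-octet clear region, and that region is nevertheless covered by the ICV, so a frame whose exposed port has been altered is dropped by the receiving SecY. Assumptions: the cipher is a stand-in (HMAC-SHA256 keystream plus a 16-octet HMAC tag), not GCM-AES-128; the SecTAG carries no explicit SCI; the receiver already knows the offset for the SA, which in the deck's proposal is what the control channel negotiates; the sample frame is constructed inline with zero checksums.

```python
"""Added example (not from the deck): IEEE 802.1AE MPDU with a fixed
confidentiality offset.  Framing and offset logic follow the standard; the
cipher is a STAND-IN (HMAC-SHA256 keystream + 16-octet tag), not GCM-AES-128."""
import hashlib
import hmac
import struct

MACSEC_ETYPE = b"\x88\xe5"    # MACsec EtherType 0x88E5
ICV_LEN = 16                  # ICV length of the default cipher suite
SECTAG_LEN = 8                # SecTAG without the optional 8-octet SCI
CONF_OFFSETS = {"none": 0, "ipv4": 30, "ipv6": 50}   # the deck's proposed set


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in for the AES-CTR half of GCM: HMAC-SHA256 run in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _icv(key: bytes, aad: bytes, ct: bytes) -> bytes:
    """Stand-in for the GCM tag: covers everything sent in clear (aad) plus ciphertext."""
    return hmac.new(key, b"icv" + aad + ct, hashlib.sha256).digest()[:ICV_LEN]


def sectag(pn: int, an: int = 0) -> bytes:
    """8-octet SecTAG: EtherType | TCI/AN | SL | PN.
    TCI bits, MSB first: V=0 ES=1 SC=0 SCB=0 E=1 C=1; AN in the low two bits."""
    tci_an = 0x40 | 0x08 | 0x04 | (an & 0x03)
    sl = 0            # short length is only non-zero for < 48 octets of user data
    return MACSEC_ETYPE + struct.pack(">BBI", tci_an, sl, pn)


def protect(key: bytes, dst: bytes, src: bytes, user_data: bytes, pn: int, offset: int) -> bytes:
    """MPDU = DA | SA | SecTAG | user_data[:offset] in clear | rest encrypted | ICV."""
    tag = sectag(pn)
    nonce = src + struct.pack(">I", pn)    # SCI (ES=1: derived from SA) + PN, as GCM uses
    clear, secret = user_data[:offset], user_data[offset:]
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, nonce, len(secret))))
    return dst + src + tag + clear + ct + _icv(key, dst + src + tag + clear, ct)


def unprotect(key: bytes, mpdu: bytes, offset: int):
    """Verify the ICV over DA, SA, SecTAG, clear region and ciphertext, then decrypt.
    Returns the original user data, or None when the frame must be dropped."""
    if len(mpdu) < 12 + SECTAG_LEN + ICV_LEN or mpdu[12:14] != MACSEC_ETYPE:
        return None
    dst, src, tag = mpdu[:6], mpdu[6:12], mpdu[12:12 + SECTAG_LEN]
    pn = struct.unpack(">I", tag[4:8])[0]
    body, icv = mpdu[12 + SECTAG_LEN:-ICV_LEN], mpdu[-ICV_LEN:]
    clear, ct = body[:offset], body[offset:]
    if not hmac.compare_digest(icv, _icv(key, dst + src + tag + clear, ct)):
        return None       # covers tampering in the clear region too
    ks = _keystream(key, src + struct.pack(">I", pn), len(ct))
    return clear + bytes(a ^ b for a, b in zip(ct, ks))


def classify_ipv4(mpdu: bytes, offset: int):
    """What a keyless in-line engine can read: (src_ip, dst_ip, proto, sport, dport)
    when the IPv4 header and ports lie inside the clear region, else None."""
    if mpdu[12:14] != MACSEC_ETYPE:
        return None
    clear = mpdu[12 + SECTAG_LEN:-ICV_LEN][:offset]
    if len(clear) < CONF_OFFSETS["ipv4"] or clear[:2] != b"\x08\x00":
        return None       # offset 0: EtherType, IP header and ports are ciphertext
    if (clear[2] & 0x0F) * 4 != 20:
        return None       # IP options push the ports past the 30-octet offset
    proto = clear[11]
    sport, dport = struct.unpack(">HH", clear[22:26])
    return clear[14:18], clear[18:22], proto, sport, dport


def ipv4_tcp_user_data(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed frame body: EtherType | IPv4 header | TCP header | payload (checksums zero)."""
    iph = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    tcph = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x08\x00" + iph + tcph + payload


if __name__ == "__main__":
    key, dst, src = bytes(range(16)), bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    ud = ipv4_tcp_user_data(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 40000, 443, b"GET / HTTP/1.1\r\n")
    for name, off in CONF_OFFSETS.items():
        m = protect(key, dst, src, ud, 1, off)
        print(name, off, "classifier sees:", classify_ipv4(m, off), "decrypts:", unprotect(key, m, off) == ud)
```

With offset 30 the classifier recovers 10.0.0.1 to 10.0.0.2, protocol 6, ports 40000 to 443; with offset 0 it sees nothing. Flipping one bit of the exposed source port changes what the classifier reads but makes `unprotect` return None, which is the migration-path property the deck relies on: the headers are readable in flight but not forgeable.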

Recommendations

Option 1
– Flexible offset not plausible at this stage of AE

Option 2
– Set of fixed encryption offsets (0/30/50)
– Supports L2/3/4 header exposure for IPv4/6
– No modifications to the current AE frame format
– Some textual changes to reflect the optional offsets
– Control channel (802.1AF) can negotiate the offsets

Caveat: whatever lies inside the offset is integrity protected but sent in the clear, so a 30/50 octet offset exposes IP addresses and ports to any on-path observer, not only to the in-line engine. The offset should therefore be chosen by policy per secure association, with 0 wherever no legacy function needs header visibility, and the fixed values do not cover IP options or IPv6 extension headers. (The 802.1AF key agreement work was later folded into MKA in IEEE 802.1X-2010, which is where the confidentiality offset is negotiated today.)

Questions?