P4-MACsec: Dynamic Topology Monitoring and Data Layer Protection with MACsec in P4-SDN
Frederik Hauser, Mark Schmidt, Marco Häberle, Michael Menth

TL;DR
P4-MACsec is a novel system that automates the deployment of MACsec security on P4 switches, enabling secure, dynamic, and efficient Layer 2 link protection with minimal performance impact.
Contribution
It introduces a data plane implementation of MACsec on P4 switches, a secure link discovery mechanism, and an automated deployment process for secure link management.
Findings
Prototype implemented on BMv2 P4 switch
Demonstrated secure link discovery and rekeying
Evaluated TCP throughput and latency impacts
Abstract
We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only minor performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channels, generates keying material, and configures the P4 switches for…
Taxonomy
Topics: Software-Defined Networks and 5G · Advanced Optical Network Technologies · Internet Traffic Analysis and Secure E-voting
