
METHOD AND SYSTEM FOR TRANSPORTING MACSec KEY AGREEMENT OVER ALIGNMENT MARKERS

IP.com Disclosure Number: IPCOM000244029D
Publication Date: 2015-Nov-05
Document File: 9 page(s) / 356K

Publishing Venue

The IP.com Prior Art Database

Related People

Gilberto Loprieno: AUTHOR [+2]

Abstract

Mechanisms and systems are provided to support a Media Access Control Security (MACsec) Key Agreement (MKA) protocol exchanged between two secure network nodes using optical physical network interfaces. Physical layer standards may divide the network traffic into a number of physical lanes. Data transmitted in each physical lane carries an alignment marker (AM). The AM contains a virtual lane number for a portion of the traffic that is transmitted in a physical lane. Since the AM contains duplicated information, data bytes of the AM that carry duplicated information are used to create a channel for exchanging MKA protocol data.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 40% of the total text.

Page 01 of 9

METHOD AND SYSTEM FOR TRANSPORTING MACSec KEY AGREEMENT OVER ALIGNMENT MARKERS

  AUTHORS: Gilberto Loprieno, Davide Codella

CISCO SYSTEMS, INC.

ABSTRACT

    Mechanisms and systems are provided to support a Media Access Control Security (MACsec) Key Agreement (MKA) protocol exchanged between two secure network nodes using optical physical network interfaces. Physical layer standards may divide the network traffic into a number of physical lanes. Data transmitted in each physical lane carries an alignment marker (AM). The AM contains a virtual lane number for a portion of the traffic that is transmitted in a physical lane. Since the AM contains duplicated information, data bytes of the AM that carry duplicated information are used to create a channel for exchanging MKA protocol data.

DETAILED DESCRIPTION

    MKA is a protocol transported over Ethernet with a specific EtherType (for example, EAP 0x888E) that is used to exchange authentication and encryption information between two secure network nodes in order to manage and synchronize a secret key and to allow client authentication. For this purpose, MKA protocol data is typically tagged, and Ethernet packets carrying MKA protocol data are added to the data traffic. In other words, MKA data is exchanged "in-band." Since MKA protocol data is not encrypted, the secure engine must inspect each packet to distinguish between regular data traffic and MKA protocol traffic. This increases the complexity of the digital architecture.

    The mechanisms and systems provided herein create a data communication channel over AMs that are defined by IEEE 802.3ba-2010. The data communication channel is created by replacing redundant bytes of the AM with MKA protocol data. As a result, MKA protocol data and regular encrypted data do not share the same communication channel, so MKA protocol data is transported "out of band" (i.e., in a different channel).

Copyright 2015 Cisco Systems, Inc.

    In one example, the methods and systems described herein are provided for physical interfaces in accordance with the four-lane chip-to-module and chip-to-chip electrical specification (CAUI-4). Network traffic transmitted via a CAUI-4 interface is divided into virtual lanes by means of alignment markers (AMs). Each AM has 8 bytes, but only the first 4 bytes are meaningful, while the second 4 bytes are simply complements of the first 4 bytes. One or more bytes of the AM used in the CAUI-4 interface are replaced in order to establish a Data Communication Channel (DCC) for exchanging MKA protocol data. This makes it possible to create a channel transporting multiples of 38 kbit/s. By replacing N bytes of the AM, it is possible to support a bandwidth of N×38 kbit/s, or N different channels supporting 38 kbit/s each.
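The following Python model, added here as an illustration and not part of the disclosure or of any Cisco implementation, puts the two preceding points together: the in-band MKA exchange is replaced by a side channel built from the redundant half of each 8-byte AM. It assumes, as the page states, that bytes 4..7 of an AM are the bitwise complements of bytes 0..3 and that a receiver is configured with the number N of replaced bytes, so it can still verify the complement relation on the redundant bytes that were left untouched (a check that disappears entirely once all four are replaced). The marker value and the MKPDU content are constructed test data, not real Clause 82 lane markers or real MKA PDUs. The bandwidth estimate uses IEEE 802.3 Clause 82 parameters (one AM every 16384 66-bit blocks per PCS lane, lane rate 5.15625 Gbit/s), which are an assumption of this example; they reproduce the page's figure of roughly 38 kbit/s per replaced byte per lane.

```python
"""Toy model of a DCC carried in the redundant bytes of an alignment marker.

Constructed example (not Cisco's implementation).  Assumptions:
  * an AM is 8 bytes; bytes 4..7 are the complements of bytes 0..3 (per the page)
  * N redundant bytes per AM are replaced with MKA/DCC payload
  * the receiver knows N from configuration and checks the complement relation
    on the redundant bytes that were not replaced
  * rate figures use IEEE 802.3 Clause 82 parameters (assumption of this example)
"""

AM_LEN = 8
REDUNDANT = 4  # bytes 4..7 mirror bytes 0..3 and carry no new information

# Clause 82 parameters used only for the bandwidth estimate (assumption).
AM_PERIOD_BLOCKS = 16384       # one AM per 16384 66-bit blocks on a PCS lane
BLOCK_BITS = 66
PCS_LANE_BITRATE = 5.15625e9   # bit/s per PCS lane for 100GBASE-R


def build_am(marker):
    """Build a standard AM: 4 marker bytes followed by their complements."""
    if len(marker) != 4:
        raise ValueError("marker must be 4 bytes")
    return bytes(marker) + bytes((~b) & 0xFF for b in marker)


def embed_dcc(am, payload):
    """Replace the first len(payload) redundant bytes of `am` with DCC payload."""
    if len(am) != AM_LEN:
        raise ValueError("AM must be 8 bytes")
    n = len(payload)
    if not 0 <= n <= REDUNDANT:
        raise ValueError("payload must fit in the redundant bytes")
    return am[:4] + bytes(payload) + am[4 + n:]


def extract_dcc(am, n):
    """Split a received AM into (marker, payload, check_ok).

    check_ok is True when every redundant byte that was NOT replaced is still
    the complement of its counterpart.  With n == 4 nothing is left to check,
    so a receiver then relies on other integrity means (e.g. MKA's own ICV).
    """
    if len(am) != AM_LEN or not 0 <= n <= REDUNDANT:
        raise ValueError("bad AM or n")
    marker = am[:4]
    payload = am[4:4 + n]
    ok = all(am[4 + i] == ((~marker[i]) & 0xFF) for i in range(n, REDUNDANT))
    return marker, payload, ok


def transport(marker, data, n):
    """Carry `data` over a sequence of AMs, n payload bytes per AM.

    Length signalling is out of scope for this toy: the last chunk is
    zero-padded and the receiver is expected to know the true length
    (a real MKPDU carries its own length fields).
    """
    base = build_am(marker)
    frames = []
    for i in range(0, len(data), n):
        chunk = data[i:i + n].ljust(n, b"\x00")
        frames.append(embed_dcc(base, chunk))
    return frames


def receive(frames, n):
    """Reassemble the DCC payload; all_ok is False if any AM failed its check."""
    chunks, all_ok = [], True
    for am in frames:
        _, payload, ok = extract_dcc(am, n)
        chunks.append(payload)
        all_ok = all_ok and ok
    return b"".join(chunks), all_ok


def dcc_bandwidth_bit_s(n_bytes, lanes=1):
    """Payload rate from replacing n_bytes per AM on `lanes` PCS lanes."""
    am_per_second = PCS_LANE_BITRATE / (AM_PERIOD_BLOCKS * BLOCK_BITS)
    return am_per_second * 8 * n_bytes * lanes


if __name__ == "__main__":
    marker = b"\x01\x02\x03\x04"           # constructed, not a real lane marker
    mkpdu = b"MKPDU-test"                   # constructed stand-in for an MKPDU
    frames = transport(marker, mkpdu, 2)
    data, ok = receive(frames, 2)
    print(len(frames), "AMs;", data[:len(mkpdu)], "check ok:", ok)
    print("per-byte DCC rate: %.1f kbit/s" % (dcc_bandwidth_bit_s(1) / 1000))
```

Because the replaced bytes no longer mirror the marker, a receiver that verifies AMs only by the complement relation must be told which positions carry DCC data; otherwise every AM on that lane looks corrupted, and conversely a receiver that blindly tolerates mismatches loses its ability to detect a damaged marker. The example keeps that check alive for the bytes that remain redundant, which is the practical trade-off the disclosure implies when it speaks of replacing "one or more" of the four redundant bytes.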

    FIGs. 1-10 show, as an example, configurations of networking devices designed to aggregate Ethernet traffic without packet inspection.

    More specifically, FIGs. 1-10 illustrate different aspects of the two genera...