
MACSEC AS SERVICE FOR BGP MPLS LAYER 3 VPN (L3VPN) CLIENTS

IP.com Disclosure Number: IPCOM000245393D
Publication Date: 2016-Mar-07
Document File: 13 page(s) / 2M

Publishing Venue

The IP.com Prior Art Database

Related People

Himanshu Madrele: AUTHOR

Abstract

Techniques are provided herein for using the Address Family Identifier/Subsequent Address Family Identifier (AFI/SAFI) parameters of the Border Gateway Protocol (BGP) to provide MACsec as a service for L3 VPN clients.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 32% of the total text.

Page 01 of 13

MACSEC AS SERVICE FOR BGP MPLS LAYER 3 VPN (L3VPN) CLIENTS

  AUTHORS: Himanshu Madrele

CISCO SYSTEMS, INC.

ABSTRACT

    Techniques are provided herein for using the Address Family Identifier/Subsequent Address Family Identifier (AFI/SAFI) parameters of the Border Gateway Protocol (BGP) to provide MACsec as a service for L3 VPN clients.

DETAILED DESCRIPTION

     Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for traffic on Ethernet links. Currently, MACsec is provided as a service for Layer 3 Virtual Private Network (L3 VPN) clients over a Layer 2 VPN (L2VPN)/Virtual Private LAN Service (VPLS) using service ports, such as in Cisco IOS XR. That is, an L2 VPN/VPLS network is required to provide MACsec as a service for L3 VPN clients. For a normal Multiprotocol Label Switching (MPLS) L3 VPN, there is no way to support MACsec as a service.

    To provide MACsec as a service for L3 VPN clients over a normal MPLS VPNv4 network, the Border Gateway Protocol (BGP) can be extended for MACsec. The following is a use case. The service provider offers the normal MPLS L3 VPN service to its clients. On request from the clients (CE-1-1, CE-1-2 and CE-1-3 are in one VRF, VRF_A, whereas CE-2-1, CE-2-2 and CE-2-3 are in another, VRF_B), MACsec can be enabled in VRF_A for the client locations CE-1-1, CE-1-2 and CE-1-3. This invocation may happen only for the requested duration, and the client may be charged only for that duration.

    The solution is proposed over MPLS L3 VPN, so there is no need to enable VPLS/L2VPN to provide the MACsec service to the client. MACsec therefore need not always be on. If, for example, the MACsec key chain is valid for one hour, from 10:00 am to 11:00 am, MACsec will be invoked from 10:00 am to 11:00 am only, and the rest of the time traffic will flow without MACsec encryption. No manual configuration change is needed in the proposed solution: BGP will automatically discover the MACsec peer. If the key chain permits the current time, MACsec will encrypt the traffic; otherwise traffic will flow without MACsec encryption. To support this, MACsec must use the dynamic pool of MACsec hardware ports, so no physical port is consumed while the key chain is inactive. Once the key chain is activated, MACsec encryption/decryption ports (service ports) will be assigned from the pool of MACsec ports.

Copyright 2016 Cisco Systems, Inc.
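The time-gated behaviour described above (a key chain that is only valid inside a window, a service port taken from a shared pool while it is valid and returned when it expires, cleartext forwarding otherwise) can be modelled as a small reconciliation loop. The following is an added illustration written for this page, not Cisco's implementation: the key chain, the port pool, the VRF names and the sample times are all constructed, and the "pool-exhausted" state is an assumption added so that an operator can detect the case where the key chain is active but no hardware port is free, rather than having traffic silently fall back to cleartext.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

# Constructed example: a MACsec key chain whose validity is a daily time
# window, a pool of MACsec-capable hardware (service) ports, and a per-VRF
# reconciliation step that binds a port only while the key chain is active.


@dataclass(frozen=True)
class KeyChain:
    name: str
    start: time          # daily start of validity (local time)
    end: time            # daily end of validity (exclusive)

    @classmethod
    def from_strings(cls, name: str, start: str, end: str) -> "KeyChain":
        """Build a key chain from 'HH:MM' strings, e.g. ('10:00', '11:00')."""
        return cls(name, time.fromisoformat(start), time.fromisoformat(end))

    def active_at(self, when: datetime) -> bool:
        """True when 'when' falls inside [start, end)."""
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        # window crosses midnight, e.g. 23:00 -> 01:00
        return t >= self.start or t < self.end


class ServicePortPool:
    """Pool of MACsec hardware ports; each port is bound to at most one VRF."""

    def __init__(self, ports: List[str]):
        self._free: List[str] = list(ports)
        self._bound: Dict[str, str] = {}   # vrf name -> port

    def acquire(self, vrf: str) -> Optional[str]:
        if vrf in self._bound:             # already holds a port
            return self._bound[vrf]
        if not self._free:
            return None
        port = self._free.pop(0)
        self._bound[vrf] = port
        return port

    def release(self, vrf: str) -> None:
        port = self._bound.pop(vrf, None)
        if port is not None:
            self._free.append(port)

    def free_count(self) -> int:
        return len(self._free)


def evaluate(vrf: str, chain: KeyChain, pool: ServicePortPool,
             now: datetime) -> Tuple[str, Optional[str]]:
    """Reconcile one VRF against its key chain at time 'now'.

    Returns (state, port) where state is one of:
      'encrypted'      key chain active and a service port is bound
      'cleartext'      key chain inactive; traffic flows without MACsec
      'pool-exhausted' key chain active but no port is free (assumed state,
                       surfaced so monitoring can alarm on it)
    """
    if not chain.active_at(now):
        pool.release(vrf)                  # hand the port back when the window closes
        return "cleartext", None
    port = pool.acquire(vrf)
    if port is None:
        return "pool-exhausted", None
    return "encrypted", port


def sample_time(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on the disclosure's publication date."""
    return datetime(2016, 3, 7, hour, minute)


def run_schedule(vrf: str, chain: KeyChain, pool: ServicePortPool,
                 samples: List[datetime]) -> List[Tuple[str, str, Optional[str]]]:
    """Evaluate the VRF at each sample time; returns (HH:MM, state, port) rows."""
    rows = []
    for when in samples:
        state, port = evaluate(vrf, chain, pool, when)
        rows.append((when.strftime("%H:%M"), state, port))
    return rows


if __name__ == "__main__":
    chain_a = KeyChain.from_strings("VRF_A-chain", "10:00", "11:00")
    pool = ServicePortPool(["macsec-port-0", "macsec-port-1"])
    samples = [sample_time(h, m) for h, m in [(9, 59), (10, 0), (10, 30), (11, 0), (11, 30)]]
    for row in run_schedule("VRF_A", chain_a, pool, samples):
        print(row)
```

Running the script prints one row per sample time: cleartext before 10:00, encrypted on macsec-port-0 from 10:00, and cleartext again at 11:00 with the port returned to the pool. The fall-back to cleartext outside the window is exactly the behaviour the disclosure describes, so anything that depends on the traffic being encrypted should check the returned state rather than assume it.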

    BGP implements a new address family, "macsec". This macsec address family is attached to the VRF that is used for transporting the VPNv4 routes. A command line interface (CLI) can be provided as:
router bgp 100
 address-family macsec
  neighbor x.x.x.x activate
  neighbor x.x.x.x remote-as
  neighbor x.x.x.x send-community both
  vrf A
   macsec-service-profile
  vrf X
   macsec-service-profile
  vrf Y
   macsec-service-profile

    Parsing of the RT and RD will be the same as for VPNv4 routes, so there will be no address leak, and the MACsec session...
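The "no address leak" property rests on the VPNv4 import rule: a received route lands in a VRF only if one of its Route Targets matches that VRF's import list, and the Route Distinguisher keeps otherwise identical prefixes from different VRFs distinct. The following added example (written for this page, not Cisco's code) decodes the standard 8-byte RD encodings from RFC 4364 and the Route Target extended community from RFC 4360, then applies the import rule to two constructed VRFs; the VRF names, RT values and the prefix are constructed, and what the macsec address family actually carries beyond RD and RTs is not specified on the page, so the route here is just a prefix string.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Set

# Constructed example: RD and Route Target decoding as used for VPNv4 routes,
# plus the per-VRF import check that keeps one VRF's routes out of another.


def parse_rd(raw: bytes) -> str:
    """Decode an 8-byte Route Distinguisher (RFC 4364 types 0, 1, 2) to text."""
    if len(raw) != 8:
        raise ValueError("RD must be 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:                       # 2-byte ASN : 4-byte assigned number
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == 1:                       # 4-byte IPv4 : 2-byte assigned number
        ip, num = struct.unpack("!4sH", raw[2:])
        return f"{IPv4Address(ip)}:{num}"
    if rd_type == 2:                       # 4-byte ASN : 2-byte assigned number
        asn, num = struct.unpack("!IH", raw[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def parse_route_targets(ext_comms: bytes) -> Set[str]:
    """Extract Route Targets (sub-type 0x02) from packed 8-byte extended communities."""
    if len(ext_comms) % 8:
        raise ValueError("extended community list must be a multiple of 8 bytes")
    targets: Set[str] = set()
    for off in range(0, len(ext_comms), 8):
        ec = ext_comms[off:off + 8]
        high, sub = ec[0], ec[1]
        if sub != 0x02:                    # not a Route Target; ignore
            continue
        if high == 0x00:                   # two-octet AS specific
            asn, num = struct.unpack("!HI", ec[2:])
            targets.add(f"{asn}:{num}")
        elif high == 0x01:                 # IPv4 address specific
            ip, num = struct.unpack("!4sH", ec[2:])
            targets.add(f"{IPv4Address(ip)}:{num}")
        elif high == 0x02:                 # four-octet AS specific
            asn, num = struct.unpack("!IH", ec[2:])
            targets.add(f"{asn}:{num}")
    return targets


@dataclass
class Vrf:
    name: str
    import_rts: Set[str]
    routes: List[str] = field(default_factory=list)


def import_route(vrfs: Dict[str, Vrf], rd: bytes, ext_comms: bytes, prefix: str) -> List[str]:
    """Install the route in every VRF whose import RT list matches; return their names."""
    rd_text = parse_rd(rd)
    rts = parse_route_targets(ext_comms)
    accepted = []
    for vrf in vrfs.values():
        if rts & vrf.import_rts:           # at least one RT matches this VRF
            vrf.routes.append(f"{rd_text}:{prefix}")
            accepted.append(vrf.name)
    return accepted


def rt_2byte(asn: int, num: int) -> bytes:
    """Encode a transitive two-octet-AS Route Target extended community."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, num)


def rd_type0(asn: int, num: int) -> bytes:
    """Encode a type 0 (2-byte ASN) Route Distinguisher."""
    return struct.pack("!HHI", 0, asn, num)


if __name__ == "__main__":
    vrfs = {"VRF_A": Vrf("VRF_A", {"100:1"}), "VRF_B": Vrf("VRF_B", {"100:2"})}
    # A route carrying only VRF_A's RT must not appear in VRF_B.
    print(import_route(vrfs, rd_type0(100, 1), rt_2byte(100, 1), "10.1.1.0/24"))
    print(vrfs["VRF_A"].routes, vrfs["VRF_B"].routes)
```

The check that matters for isolation is the set intersection in import_route: a route is never placed in a VRF on the strength of its RD alone, and a malformed extended-community list is rejected rather than partially decoded.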