
RADIUS BASED MACSEC CONTROL PLANE KEY PROVISIONING, KEY REFRESH AND QUARANTINING OF COMPROMISED NODES

IP.com Disclosure Number: IPCOM000247201D
Publication Date: 2016-Aug-16
Document File: 5 page(s) / 124K

Publishing Venue

The IP.com Prior Art Database

Related People

Hitesh K Maisheri: AUTHOR (4 additional authors not shown)

Abstract

Remote Authentication Dial-In User Service (RADIUS) based MACsec control plane key management functions are provided for automated key provisioning, automated key refresh, and one-click quarantining of compromised nodes. The solution leverages the RADIUS server(s) already present in enterprise deployments for automated MACsec key management.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Page 01 of 5

AUTHORS: Hitesh K Maisheri, Srivatsa Kumar, Amjad Inamdar, Shailashree K

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

    The Secure Connectivity Association Key (CAK) used by the MACsec Key Agreement (MKA) protocol is managed using one of the following two methods:

    1. Extensible Authentication Protocol (EAP) over LAN (EAPoL) / IEEE 802.1X on the access side of enterprise deployments, which derives the CAK from the authentication exchange and facilitates peer-to-peer key agreement.

    2. Manually provisioned Pre-Shared Keys (PSK) in wide area network (WAN) deployments.

    The drawback of the EAPoL method is its dependence on IEEE 802.1X and EAP, which complicates the deployability of the MACsec solution.

The drawbacks of the manual PSK based deployment are:

1. Key rollover requires manual intervention.

2. Not scalable: the key has to be manually provisioned on each node.

3. Error-prone: a mismatched key can lead to network disruption.

4. Lengthy and duplicated configuration on each MACsec node.

5. Quarantining a compromised node is tedious, since the shared key has to be replaced on every peer.

Copyright 2016 Cisco Systems, Inc.


    Presented herein is a solution that uses a RADIUS server for the initial provisioning of the MACsec control plane keys and for refreshing them. Key refreshes can be driven by a timer or triggered just-in-time by an administrator via RADIUS Change of Authorization (CoA).

    FIG. 1 (call flow diagram, not reproduced in this extract) illustrates the functional call flow for the RADIUS based key provisioning.

    The key downloaded as part of authorization on device boot-up is protected via Encrypted Vendor Specific Attributes (VSA). The downloaded key also carries an absolute start time and end time in UTC. Whenever a node requests a key and the current key is nearing expiry (configurable threshold on the RADIUS server), the RADIUS server also provides the next key, with its own start and end time. The current and next keys can have a small time overlap to allow for hitless CAK rollover. In orde...
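A worked simulation of the provisioning and rollover logic described in the preceding paragraph, added here as an example; it is not code from the disclosure or from any Cisco implementation. It assumes a fixed key schedule on the RADIUS server (24-hour keys, 1-hour overlap, next key handed out within 2 hours of expiry), a hypothetical VSA layout (CKN, start, end, wrapped CAK), and the RFC 2868 Tunnel-Password algorithm as the "encrypted VSA" mechanism, which the disclosure does not specify. The node-side policy of installing every CAK whose window contains the current time and treating the newest as primary is likewise an assumption, as are all names, the shared secret and the seed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import os

# Constructed values for the demo (not from the disclosure).
SHARED_SECRET = b"constructed-radius-secret"
T0 = datetime(2016, 8, 16, tzinfo=timezone.utc)

def at(hours):
    """T0 plus `hours` (float allowed); keeps callers free of datetime math."""
    return T0 + timedelta(hours=hours)

@dataclass(frozen=True)
class CakRecord:
    ckn: str         # CAK Name (CKN) identifying the key
    cak: bytes       # Connectivity Association Key, 16 bytes for AES-128 MKA
    start: datetime  # absolute validity start, UTC
    end: datetime    # absolute validity end, UTC

def build_schedule(first_start, lifetime, overlap, count, seed=b"constructed-seed"):
    """Consecutive key windows, each starting `overlap` before its predecessor
    ends, so a node can roll over without a gap.  Keys are derived from a fixed
    seed only to make the example reproducible; a real server uses a CSPRNG."""
    records, start = [], first_start
    for i in range(count):
        cak = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()[:16]
        records.append(CakRecord(f"{i + 1:04x}", cak, start, start + lifetime))
        start = start + lifetime - overlap
    return records

def tunnel_password_encrypt(secret, request_auth, salt, plaintext):
    """RFC 2868 s3.5 Tunnel-Password obfuscation, assumed here as the 'encrypted
    VSA' mechanism: the length-prefixed, zero-padded plaintext is XORed with an
    MD5 keystream chained through the previous ciphertext block.  Returns salt||c."""
    assert len(request_auth) == 16 and len(salt) == 2 and salt[0] & 0x80
    p = bytes([len(plaintext)]) + plaintext
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", None
    for i in range(0, len(p), 16):
        seed = secret + request_auth + salt if prev is None else secret + prev
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(seed).digest()))
        out += prev
    return salt + out

def tunnel_password_decrypt(secret, request_auth, blob):
    """Inverse of tunnel_password_encrypt; the length octet strips the padding."""
    salt, c = blob[:2], blob[2:]
    out, prev = b"", None
    for i in range(0, len(c), 16):
        seed = secret + request_auth + salt if prev is None else secret + prev
        out += bytes(x ^ y for x, y in zip(c[i:i + 16], hashlib.md5(seed).digest()))
        prev = c[i:i + 16]
    return out[1:1 + out[0]]

class RadiusKeyServer:
    """Answers a key request with the current CAK and, once that key is within
    `threshold` of expiry, the next scheduled CAK as well."""

    def __init__(self, schedule, threshold, shared_secret):
        self.schedule = sorted(schedule, key=lambda r: r.start)
        self.threshold = threshold
        self.secret = shared_secret

    def keys_for(self, now):
        # "current" is the earliest-starting key whose window contains now
        current = next((r for r in self.schedule if r.start <= now < r.end), None)
        if current is None:
            return []
        keys = [current]
        if current.end - now <= self.threshold:
            later = [r for r in self.schedule if r.start > current.start]
            if later:
                keys.append(later[0])
        return keys

    def authorize(self, now, request_auth):
        """Hypothetical VSA payloads for the Access-Accept: CKN, window, wrapped CAK."""
        attrs = []
        for r in self.keys_for(now):
            salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])  # MSB set per RFC 2868
            attrs.append({"ckn": r.ckn, "start": r.start.isoformat(), "end": r.end.isoformat(),
                          "cak_enc": tunnel_password_encrypt(self.secret, request_auth, salt, r.cak)})
        return attrs

def node_install(shared_secret, request_auth, attrs, now):
    """Node side: unwrap each CAK, install those whose window contains `now` (the
    newest becomes the primary MKA key) and hold the rest as pending."""
    installed, pending = [], []
    for a in attrs:
        cak = tunnel_password_decrypt(shared_secret, request_auth, a["cak_enc"])
        start, end = datetime.fromisoformat(a["start"]), datetime.fromisoformat(a["end"])
        (installed if start <= now < end else pending).append((a["ckn"], cak, start))
    installed.sort(key=lambda t: t[2])
    return {"primary": installed[-1][0] if installed else None,
            "installed": [t[0] for t in installed], "pending": [t[0] for t in pending]}

def demo_server():
    """24-hour keys, 1-hour overlap, next key handed out within 2 hours of expiry."""
    return RadiusKeyServer(build_schedule(T0, timedelta(hours=24), timedelta(hours=1), 3),
                           timedelta(hours=2), SHARED_SECRET)

if __name__ == "__main__":
    srv, ra = demo_server(), os.urandom(16)   # ra: Access-Request Authenticator
    for h in (12, 22.5, 23.5, 24.5):
        print(f"T0+{h:>4}h:", node_install(SHARED_SECRET, ra, srv.authorize(at(h), ra), at(h)))
```

Running the block walks one node through a rollover: at T0+12h it holds only key 0001; at T0+22.5h the server already returns 0002 (within the 2-hour threshold) but the node keeps it pending until its window opens; at T0+23.5h both keys are installed and 0002 is primary; at T0+24.5h key 0001 has expired and only 0002 remains. Note that Tunnel-Password obfuscation is an MD5 keystream keyed by the RADIUS shared secret and the Request Authenticator, so the confidentiality of a CAK carried this way is no better than that of the shared secret and of the RADIUS transport; in practice the exchange should additionally be protected with RadSec (RADIUS over TLS) or IPsec.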