SECURE, DISTRIBUTED, AND EFFICIENT DEPLOYMENT OF MACSEC KEYS WITHIN A DATACENTER

IP.com Disclosure Number: IPCOM000249979D
Publication Date: 2017-May-11
Document File: 5 page(s) / 123K

Publishing Venue

The IP.com Prior Art Database

Related People

Dave Persaud: AUTHOR [+2]

Abstract

Presented herein are techniques for securely exchanging/deriving identical Media Access Control Security (MACsec) keys for a link connecting two or more switches. These techniques greatly simplify the management and propagation of MACsec keys and enable users to easily deploy unique per-link MACsec keys in a large data center or cloud environment.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 37% of the total text.

Copyright 2017 Cisco Systems, Inc. 1

AUTHORS: Dave Persaud, Sherman Ma

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

MACsec is an Institute of Electrical and Electronics Engineers (IEEE) standard authentication and encryption mechanism between MACsec-capable devices that allows encryption and decryption of data packets at line rate. MACsec may be used on the links connecting switches. In a datacenter there may be many such fabric links (e.g., hundreds of leaf switches with direct connections to tens of spine switches). Conventionally, each of these fabric links must be manually programmed with identical key information: identical Connectivity Association Keys (CAKs), or an identical Pre-Shared Key (PSK) if the CAK is derived from a PSK, and identical Connectivity Association Key Names (CKNs). The CAK is a secret key and must not be compromised.

Figure 1

Figure 1 above illustrates an example Clos network. There are two spine switches, 201 and 202, each directly connected to four leaf switches, 101-104. This results in the eight fabric links listed below (named as spine_port_leaf_port):

201_e1_101_e1
201_e2_102_e1
201_e3_103_e1
201_e4_104_e1
202_e1_101_e2
202_e2_102_e2
202_e3_103_e2
202_e4_104_e2

As mentioned above, each fabric link needs to be programmed with identical CAKs and CKNs. For example, port e1 on spine 201 must use the same CAK and CKN as port e1 of leaf 101. However, there are many issues with manually programming CAKs and CKNs. First, manually programming these keys is time consuming, since every port has to be programmed individually. Also, the user must keep track of which ports (e.g., on two switches) are physically connected and make sure they are programmed with identical key information. In addition, any mismatch in MACsec key information can result in the network link going down, which would affect the resiliency and performance of the datacenter.
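To make the "identical CAK and CKN on both ends of every link" requirement concrete for the eight links of Figure 1, here is an added example that is not part of the disclosure: it assumes a fabric-wide secret (a constructed value, distributed once over the existing control-plane secure channel) and derives each link's CKN and CAK from a canonical link name with HKDF, so that the spine end and the leaf end compute the same pair without anyone typing per-port keys, and a mis-cabled port shows up as a key mismatch rather than a silent misconfiguration. The derivation scheme and the names below (hkdf_sha256, canonical_link_name, derive_link_keys, derive_fabric_keys) are this example's assumptions, not the authors' method.

```python
import hashlib
import hmac

# Fabric-wide secret provisioned once on every switch (constructed sample value;
# assumption: it reaches each switch over the existing control-plane secure channel).
FABRIC_SECRET = bytes.fromhex("6f5e4d3c2b1a09f8e7d6c5b4a3928170" * 2)

# The eight fabric links of Figure 1 as (spine, spine_port, leaf, leaf_port).
FIGURE1_LINKS = [
    ("201", "e1", "101", "e1"), ("201", "e2", "102", "e1"),
    ("201", "e3", "103", "e1"), ("201", "e4", "104", "e1"),
    ("202", "e1", "101", "e2"), ("202", "e2", "102", "e2"),
    ("202", "e3", "103", "e2"), ("202", "e4", "104", "e2"),
]

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def canonical_link_name(local_sw: str, local_port: str, peer_sw: str, peer_port: str) -> str:
    """Each end sees the link from its own side; sorting the two endpoints makes
    spine 201/e1 and leaf 101/e1 both name the link '101_e1_201_e1'."""
    ends = sorted([f"{local_sw}_{local_port}", f"{peer_sw}_{peer_port}"])
    return f"{ends[0]}_{ends[1]}"

def derive_link_keys(local_sw, local_port, peer_sw, peer_port):
    """Return (CKN, CAK) as hex for one link. The CKN is public and depends only on
    the link name; the CAK is 16 bytes (GCM-AES-128) bound to the fabric secret."""
    link = canonical_link_name(local_sw, local_port, peer_sw, peer_port).encode()
    ckn = hashlib.sha256(b"macsec-ckn:" + link).digest()  # 32 bytes, the maximum CKN length
    cak = hkdf_sha256(FABRIC_SECRET, b"macsec-cak", link, 16)
    return ckn.hex(), cak.hex()

def derive_fabric_keys(links):
    """Derive keys from both ends of every link and confirm the two ends agree,
    which is the property manual CAK/CKN entry cannot guarantee."""
    table = {}
    for spine, sport, leaf, lport in links:
        spine_view = derive_link_keys(spine, sport, leaf, lport)
        leaf_view = derive_link_keys(leaf, lport, spine, sport)
        if spine_view != leaf_view:
            raise ValueError(f"key mismatch on {spine}_{sport}_{leaf}_{lport}")
        table[canonical_link_name(spine, sport, leaf, lport)] = spine_view
    return table
```

Each switch still needs to learn its peer's identity for every port (for instance from neighbor discovery), but it never needs to learn the peer's CAK, and a port cabled to the wrong neighbor derives a different CAK, which is detected as a mismatch instead of a silently shared key.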

The techniques described herein simplify and automate MACsec key distribution between switches. Two solutions are provided as follows.

Solution #1

Typically, all network devices within a datacenter already have secure channels in place for control traffic within the data center. These secure channels may be leveraged to efficiently and securely exchange MACsec keys between link peers so as to secure all data traffic within the data center.

For example, Application Centric Infrastructure (ACI) fabrics have Secure Sockets Layer (SSL) / Transport Layer Security (TLS) connections on each fabric link for control traffic. This secure conn...