Secure PTP - Protecting PTP with MACsec without losing accuracy. ITSF 2014 Thomas Joergensen Vitesse Semiconductor

Similar documents
Considerations for building accurate PTP networks for now and the future. Thomas Joergensen ITSF 2013 November 2013

Time Synchronization Security using IPsec and MACsec

THOUGHTS ON TSN SECURITY

Mobile Backhaul Synchronization

Testing Timing Over Packet With The Ixia Anue 3500

S Series Switches. MACsec Technology White Paper. Issue 1.0. Date HUAWEI TECHNOLOGIES CO., LTD.

ETHERNET TIME & SYNC. In Telecoms, Power, Finance, Cars,... ITSF Budapest, Nov 2014

MetroEthernet Options

Technology Brief. VeloCloud Dynamic. Multipath Optimization. Page 1 TECHNOLOGY BRIEF

Tales from the Base Station to the Substation. Delivering Phase ITSF 2013

Timing Measurements in Packet Networks. ITSF November 2006 Lee Cosart

PTP650 Synchronous Ethernet and IEEE1588 Primer

Synchronization in Mobile Backhaul

Effects of Residential Ethernet Standard on other 802.1/ Yong Kim

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Planning for time - deploying Telecoms Boundary Clocks

Examining the Practicality of Ethernet for Mobile Backhaul Through Interoperability Testing

Encryption in high-speed optical networks

Synchronous Ethernet based mobile backhaul integrated transport and synchronization management

Understanding Layer 2 Encryption

Network Encryption 3 4/20/17

NETWORK SERVICES: ETHERNET WAN ETHERNET SERVICES PRODUCT PORTFOLIO SUMMARY DOCUMENT

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Developing Standards for Metro Ethernet Networks

IP Security. Have a range of application specific security mechanisms

ISCOM2948GF-4C Intelligent Ethernet Service Aggregation

COMMUNICATION NETWORKS. FOX615/612 TEGO1 IEC GOOSE Proxy Gateway interface module.

White Paper: New Needs for Synchronization Testing in Next Generation Networks

CHALLENGES USING IEEE PRECISION TIME PROTOCOL (PTP) FOR HIGH ACCURACY TIME TRANSFER

1588v2 Performance Validation for Mobile Backhaul May Executive Summary. Case Study

Timing in Packet Networks. Stefano RUffini 9 March 2015

PERFORMANCE AND SCALABILITY OF NETWORKS SYSTEMS WITH (EMBEDDED) BOUNDARY CLOCKS

ITSF 2007 overview of future sync applications and architecture challenges

ISCOM RAX 711 (B) Ethernet Demarcation Device

Small and Macro Cell deployment Mobile Operator- A case Study. Anil K Reddy Director BD APAC

UNDERSTANDING SENETAS LAYER 2 ENCRYPTION TECHNICAL-PAPER

Applications of PTP in non-telecom networks. Anurag Gupta November 1 st -3 rd 2011, ITSF 2011

Configuring IP SLAs Metro-Ethernet 3.0 (ITU-T Y.1731) Operations

CALNEX PARAGON-X. Testing 1588v2 PTP

Testing SyncE with Xena s Advanced Timing Test Modules

Wireless technology Principles of Security

Differences between Financial and Telecom Network Environment. Kamatchi Gopalakrishnan Distinguished Engineer

TIME SYNCHRONIZATION TEST SOLUTION FROM VERYX TECHNOLOGIES

The functions, goals and benefits of 802.3ah OAM Ethernet Fiber Access with Network Interface Devices

ADVA FSP 150 ProVMe. Performance and Functionality Test Report. Introduction. VNF Lifecycle Management

Module Three SG. Study Guide. Exam Three Content Areas. Module Three. Chapter Seven, Backbone Networks

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

NGN Standards. The 5th International Telecom Sync Forum, ITSF London, November Stefano Ruffini Ericsson

ENTERPRISE CONNECTIVITY

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Packet-Based Primary Reference Source for Synchronizing Next Generation Networks

Performance Assurance Solution Components

Carrier Ethernet Installation. the Path to Excellence

Innovations in Ethernet Encryption (802.1AE - MACsec) for Securing High Speed (1-100GE) WAN Deployments

Status of ITU Q13/15 sync standards ITSF Jean-Loup Ferrant, ITU-T Q13/15 rapporteur

ENTERPRISE CONNECTIVITY

Enterprise. Nexus 1000V. L2/L3 Fabric WAN/PE. Customer VRF. MPLS Backbone. Service Provider Data Center-1 Customer VRF WAN/PE OTV OTV.

Gigabit Ethernet XMV LAN Services Modules

EZ ETHERNET A SIMPLE, EASY-TO-CONNECT ALTERNATIVE FOR LOW-BANDWIDTH ETHERNET ACCESS

LANCOM Techpaper Routing Performance

Update: Ethernet Time Transfer through a U.S. Commercial Optical Telecommunications Network ITSF 2016

Testing for SLA Compliance of business services over DOCSIS 3.1

Universal Network Demarcation. Enabling Ethernet and wave services with the Nokia 1830 PSD. Application note. 1 Application note

Technical Specification MEF 6. Ethernet Services Definitions - Phase I. June 2004

Carrier Ethernet Synchronization. Technologies and Standards

Configuring IP SLAs Metro-Ethernet 3.0 (ITU-T Y.1731) Operations

Central Office Testing of Network Services

Manual Key Configuration for Two SonicWALLs

Network Configuration Example

HP S1500 SSL Appliance. Product overview. Key features. Data sheet

Configuration and Management of Networks. Pedro Amaral

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

CSCE 715: Network Systems Security

IEEE 802.1ah on Provider Backbone Bridges

Backbone Provider Bridging Networks A Highly Scalable VLAN (Multicast) Architecture

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Enterprise CORD. Marc De Leenheer, Andrea Campanella, ONF. CORD Build, QCT headquarters, San Jose November 10, 2017

The Micro Packet ONP: Leveraging Today s Optical Network For Next-Generation Ethernet Access

Sections Describing Standard Software Features

BreezeACCESS VL Security

L2CONNECT 2.0 E-ACCESS

Implementing MACsec Encryption

The Myricom ARC Series of Network Adapters with DBL

ETX-102 Carrier Ethernet Demarcation Device

xgenius Cutting edge Transmission & synchronization Tester

THE MPLS JOURNEY FROM CONNECTIVITY TO FULL SERVICE NETWORKS. Sangeeta Anand Vice President Product Management Cisco Systems.

Experimental Analysis of the Femtocell Location Verification Techniques

Networking interview questions

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Switching & ARP Week 3

Technical Specification MEF 1. Ethernet Services Model, Phase November 2003

IP SLA Service Performance Testing

ecpri Transport Network V1.0 ( )

CWNA Exam PW0-250 Certified Wireless Design Professional (CWDP) Version: 6.0 [ Total Questions: 60 ]

Wireless LANs. The Protocol Stack The Physical Layer The MAC Sublayer Protocol The Frame Structure Services 802.

Sections Describing Standard Software Features

Access network systems for future mobile backhaul networks

3 Data Link Layer Security

EPoC System Level Synchronization Transport 802.3bn Interim meeting - Phoenix

Substation. Communications. Power Utilities. Application Brochure. Typical users: Transmission & distribution power utilities

Transcription:

Secure PTP - Protecting PTP with MACsec without losing accuracy ITSF 2014 Thomas Joergensen Vitesse Semiconductor

Security issues with PTP It is possible to spoof time and attack PTP if the PTP traffic is unencrypted/unprotected Small cells are often placed in areas that do not provide physical protection Enterprise femtocells may use an existing Ethernet network in the buildings for both user traffic and PTP timing PTP for frequency (G.8265.1) is often running inside tunnels (EVCs) along with the customer traffic and the customer traffic must be encrypted There is no standard security protocol specified for PTP Annex K in IEEE1588-2008 is known to be flawed and will be deprecated in next revision of the standard Many government regulations require information to be encrypted 3GPP TS 33.320 requires that the time delivery to Home Node B must be delivered over a secure backhaul link. IEEE1588 2

Time Security Networks Operate on Precision Mobile Communications What if Network Time is Compromised? No access to network Calls will drop Poor coverage and throughput Smart Energy Time errors can trigger faults in power grid Financial / Trading Smart Order routing for large trades requiring simultaneous execution on multiple exchanges may not function properly Low latency security in conjunction with nanosecond-level time stamp synchronization is critical to network infrastructure 3

What about IPsec? IPsec is sometimes used today to protect the mobile user traffic But It can only protect IP traffic and G.8275.1 uses PTP over Ethernet directly IPsec prevents the use of 1-step hardware timestamping as PTPoIP is in the IP payload IPsec encryption/decryption at the end of the EVC creates very large Packet Delay Variation PDV happens outside the EVC and thereby not part of the SLA for the EVC connection Large PDV caused by IPsec decryption is preventing accurate timestamping after decryption 4

MACsec 101 MACsec is a layer 2 security protocol IEEE802.1AE Provides strong 128/256bit encryption or protection with using the GCM-AES cipher suite Uses IEEE802.1X for authentication MACsec protects against Passive wiretapping Masquerading (MAC address spoofing) Man-in-the-Middle attacks Certain Denial-of-Service (DOS) attacks Designed for implementation in hardware (high bandwidth, low latency) Under consideration for next release of IEEE1588 5

MACsec Frame Format Untagged Ethernet Classifiable pre-encryption DA SA Etype Standard MACsec format Classifiable pre-decryption payload FCS MACsec adds a SecTAG after the source address and an ICV field after the payload, protecting the complete frame DA SA SecTAG Etype payload ICV FCS Protected by ICV Provider Bridges can add/remove VLAN tags to the encrypted frame. Some devices support bypassing existing VLAN tags when performing MACsec encryption/decryption MACsec plus Single Tag Bypass Classifiable pre-decryption DA SA VLAN Tag1 SecTAG VLAN Tag2 Etype payload ICV Protected by ICV Protected by ICV MACsec plus Dual Tag Bypass Classifiable pre-decryption (may need C.O.) DA SA VLAN Tag1 VLAN Tag2 SecTAG Etype payload ICV Protected by ICV Protected by ICV FCS FCS 6

MACsec inside an MPLS EVC Standard MACsec format Classifiable pre-decryption DA SA SecTAG MPLS Etype MPLS Label1 [S=0] Protected by ICV MPLS Label2 [S=1] Optional CW/ACH Client_DA Client_SA Etype client payload ICV FCS MACsec frame inside an MPLS EVC MACsec plus EoMPLS Header Bypass Classifiable pre-decryption Classifiable pre-decryption DA SA MPLS Etype MPLS Label1 [S=0] MPLS Label2 [S=1] Optional CW/ACH Client_DA Client_SA SecTAG Etype client payload ICV FCS Protected by ICV Protects MEF EVC payload while allowing network to push/pop VLAN tags and MPLS labels, as well as mark the frames for SLA-compliance (policing result) 7

MACsec is normally point-to-point Point-Point Connectivity Assocation Supplicant-Authenticator Authentication Server Customer Premise Equipment (CPE) Service Edge Router Provider Network or Internet Supplicant Authenticator Office Buiding Access Link Secured with MACsec Point of Presence (POP) 8

MACsec in Mobile Backhaul with IEEE-1588 Access Network Aggregation Network MACsec-secured Links Aggregation Edge Node PRC Timing Source MEF UNI MEF UNI Copper Fiber uw NNI Base Station Timing Cell Site Node Pre-Aggregation/ Access Node Aggregation Edge Node Aggregation Edge Node Mobile Aggregation Site Node Controller/ Gateway IEEE-1588 Slave IEEE-1588 Transparent Clock IEEE-1588 Boundary Clock IEEE-1588 Boundary Clock IEEE-1588 Master Backhaul Data MEF E-LINE EVC Backhaul Data 9

MACsec can be used to protect EVCs End-to-End Encryption over MEF EVC or MPLS Branch Offices Carrier Ethernet Network Corporate Headquarters 10

MACsec for EVC protection through access provider network MACsec-secured data through Access Provider's network Mobile Operator Timing NID MAC sec Access Provider Network MAC sec Mobile Operator Network Mobile Operator NID IEEE-1588 Mobile Operator Base Station IEEE-1588 Slave IEEE-1588 Transparent Clock or Boundary Clock PTP phase over PTP-unaware/partially aware network G.8275.2 (future) PTP frequency over PTP-unaware network G.8265.1 Customer data can be protected using the same MACsec protected EVC 11

PTP and MACsec working together PTP-aware networks needs the ability to timestamp PTP frames on every port. MACsec protected networks encrypts/decrypts at the port/mac By combining both functions in the same silicon it is possible to provide accurate timestamping of PTP frames Only solution to provide PTP 1-step operation Significantly reduces the software load IEEE1588 MACsec 12

Maintaining 1588 Accuracy with MACsec To Switch or NPU/ASIC PHY SGMII (1G) or XFI/XAUI (10G) IEEE 1588 Timestamping MACsec Encryption Variable delay due to encryption and PCS PCS PMA 1G or 10G Line Port First opportunity to detect unencrypted IEEE 1588 IEEE 1588 Timestamp Reference Point MACsec processing introduces highly variable delays, standard MACsec destroys 1588 accuracy This is true even if 1588 remains unencrypted while other data is encrypted. Example: If the 1588 packet is immediately behind a packet that will be encrypted later, the encrypted packet grows by 24-32 bytes, delaying the 1588 packet by 192-256 ns compared to the case where the 1588 packet is behind a packet that won t be encrypted. 13

Test Results

VSC5621 Evaluation Board Complete Carrier Ethernet Switch with software Uses: VSC7460 Carrier Ethernet Switch VSC8584 Quad 1000BASE-T PHY with 1588 and MACsec VSC8490 Dual 10G PHY with 1588 and MACSec FIPS197 certified 256 bit MACsec solution 15

Test Setup Timestamp Accuracy PTP Master DUT and PTP Slave/Probe DUT is frequency locked to the same reference clock One DUT is configured in PTP probe (PTP slave) mode to measure received timestamp accuracy from PTP Master compared to the internal time in the DUT Test results will show the combined accuracy of the DUT probe (down to 1 ns depending on the DUT) and the PTP Master DUT probe produces PDV result data in Symmetricom Timemonitor format DUT in slave mode output 1PPS and allows measurement of 1PPS performance. DUT PTP Master 10 MHz Reference Ethernet 1 PPS Measurement DUT PTP Probe/Slave 16

VSC8490 Test Result Easily meets the Class B limit See details in the following slides VSC8490 Test result w/o MACsec Test result with MACsec Class B limit Constant Time Error, cte -3.3 ns 2.9 ns 20 ns Dynamic Time Error MTIE (filtered) 157 ps 420 ps 40 ns Dynamic Time Error MTIE (unfiltered) 4 ns 4 ns Dynamic Time Error TDEV (filtered) 14 ps 35 ps 4 ns Dynamic Time Error TDEV (unfiltered) 460 ps 400 ps Maximum Time Error (unfiltered) 5.0ns 4.5 ns 70 ns 17

VSC8490 TE(t) - Unfiltered LAN mode without MACsec enabled 18

VSC8490 dte MTIE - Unfiltered LAN mode without MACsec enabled 4 ns 19

VSC8490 dte TDEV - Unfiltered LAN mode without MACsec enabled 460 ps 20

VSC8490 dte MTIE - Filtered LAN mode without MACsec enabled 157 ps 21

VSC8490 dte TDEV - Filtered LAN mode without MACsec enabled 14 ps 22

VSC8490 TE(t) - Unfiltered LAN mode with MACsec enabled 23

VSC8490 dte MTIE - Unfiltered LAN mode with MACsec enabled 4 ns 24

VSC8490 dte TDEV - Unfiltered LAN mode with MACsec enabled 400 ps 25

VSC8490 dte MTIE - Filtered LAN mode with MACsec enabled 420 ps 26

VSC8490 dte TDEV - Filtered LAN mode with MACsec enabled 35 ps 27

Summary And Conclusions PTP is now being used to provide timing and synchronization with insufficient physical security Protecting the PTP traffic by means of encryption and/or integrity protection is needed. IPsec is often used for data traffic, but this is not a practical solution for accurate PTP transfer that needs hob-by-hop support. IPsec is not a good security solution for PTP due to the large and variable processing delays. MACsec is a layer 2 encryption protocol that is a perfect fit for protection of PTP traffic hob-by-hob, or end-to-end. It is shown how MACsec can be used to protect the PTP traffic without impacting the accuracy and how MACsec can be easily implemented in a systems architecture. 28

Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback