Category: Data link layer

MACSec – Media Access Control Security

Media Access Control Security or MACSec is the Layer 2 hop to hop network traffic protection.

Just like IPsec protects network layer, and SSL protects application data, MACSec protects traffic at data link layer (Layer 2).

MACSec is standardized IEEE 802.1AE hop-by-hop encryption that enables confidentiality and integrity of data at layer 2.

It encrypts entire Ethernet packet except Source and Destination MAC addresses on any device-to-device, switch-to-switch, router-to-switch, host-to-switch directly connected wired L2 connection.

MacSec

If we compare MACSec with, for example, IPsec, MACsec provides same security but on layer 2 for each hop separately. On each hop, packets are received and decrypted enabling other features like QoS and load balancing to function. Same data is again encrypted before being sent out to next device on the way towards the destination. MACsec works on host-to-switch connection and on switch-to-switch connection enabling line-rate up to 10 GigabitEthernet fast encryption.

It uses, especially for that occasion developed and optimised Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128) which makes line-rate encryption/decryption possible.

There is some difference in MACSec on the connection between host and switch, and MACSec on the connection from switch to switch

MACsec uses MACsec Key Agreement (MKA) which is standardized protocol to provide the required session keys and manages the required encryption keys on a MACSec connection between hosts (PC, server, etc.) and switch.

| Continue Reading.. |

Proxy ARP

I found different kinds of explanations about what Proxy ARP is, just few of them were understandable at first. After merging all of them this explanation came out of my networking workshop:

  • Assuming that a router has an ARP entry of some IP address, if he receives an ARP request from somebody for that IP, the router will respond with its own MAC address.
  • Proxy ARP is fairly simple technique for nodes to get MAC address of a destination host that is on a different subnet but on the same router. Same router different interface.

And this one to:

  • If we have in the network one edge router that is our way out from the local LAN network. That router has Proxy ARP enabled by default. When it receives an ARP request on his interface for a client that is not actually from that local network it will try to be helpful and it will search his routing table if that network is locally connected on some other local interface. If he finds it, it will respond with his own MAC address to tell the source that he is the way to go towards that host.

If we look at the image below, I prepared a more detailed example for those who are still a bit confused about it.

It’s a technique that enables our R7 router on the image below to proxy ARP request from C1 computer which tries to find MAC address of computer C3.

You need to note that C1 has address from /16 range and that is why it thinks that 192.168.50.50 is on the same subnet as 192.168.1.11 . If that was not the case and C1 had the address 192.168.1.11/24, it would send the ARP asking what is MAC address of default gateway. It will go to default gateway because he will know that he is not directly connected to all of network 192.168.0.0/16. We are then talking about standard routing by getting the packets from one subnet to another using routing table examination.

| Continue Reading.. |

L2TP – Layer 2 Tunneling Protocol

L2TP Attributes Summary

L2TP tunnelProjected L2TP standard was made available in the year 1999 by means of RFC 2661. It was originated primarily from two different tunneling protocols, named as: Point-to-Point communication protocol and PPTP (Point to Point Tunneling protocol). In other words, L2TP (Layer 2 Tunnel Protocol) is an up-and-coming IETF (Internet Engineering Task Force) standard that came in front with the traits of two on-hand tunneling protocols, named as: Cisco’s L2F  (Layer 2 Forwarding) and Microsoft’s PPTP (Point-to-Point Tunneling Protocol). L2TP protocol is actually an expanded form of the PPP (a significant constituent for VPNs).

| Continue Reading.. |

NDP – Neighbor Discovery Protocol

IPv6 Neighbor Discovery Protocol

In IPv6 we do not have ARP (address resolution protocol) anymore. ARP is replaced with ICMP based NDP protocol. NDP or ND protocol uses special IPv6 ICMP messages to find and resolve L2 neighbours IPv6 addresses.

It’s a simple way for hosts to learn IPv6 addresses of neighbours on L2 subnet around himself. That includes learning about other hosts and routers on local network. That is the biggest difference between IPv4 and IPv6, there’s no ARP but ICMP takes the function.

NDP is defined in RFC 2461 and this article will introduce you to NDP functions, main features’ lists, and the related ICMPv6 message types.

As the most precise description of NDP is that it belongs to the Link layer of the Internet Protocol suite in TCP/IP model. We can say that Link layer of TCP/IP model is basically a direct combination of the data link layer and the physical layer in the OSI Open Systems Interconnection protocol stack. As in this blog I always try to use OSI model this article was inserted both to Data-link and Physical layer category.

NDP function

In case of IPv6 networks, the NDP Protocol make use of ICMPv6 messages and solicited-node multicast addresses for operating its core function, which is tracking and discovering other IPv6 hosts that are present on the other side of connected interfaces. Another use of NDP is address autoconfiguration.

Let’s discuss some major roles of IPv6 NDP:

  • Stateless address autoconfiguration – SLAAC
  • Duplicate address detection DAD
  • Router discovery
  • Prefix discovery
  • Parameter discovery link MTU, hop limits 
  • Neighbor discovery
  • Neighbor address resolution – replaces ARP in IPv6
  • Neighbor and router reachability verification

In order to carry out work NDP uses five types of ICMPv6 messages. In the following list you can find the function as well as summary of their goals.

NDP message types:

| Continue Reading.. |

ISL Inter-Switch Link Protocol – Trunking or Frame Tagging protocol

Inter-Switch Link (ISL) is specifically used for tagging information of VLAN onto an Ethernet frame. This tagging information permits multiplexing of VLANs over a trunk link and this takes place through an external covering procedure or method, as a result of which the switch can easily determine/identify the membership of VLAN frame over the trunked link. When you run ISL, then it is easy to interconnect number of switches and it is also possible to maintain the information of VLAN while the traffic is passing on trunk links between switches.

| Continue Reading.. |