Abstract
MACsec in VXLAN is an end-to-end security protocol for protecting Ethernet frames traveling over IP networks. It can provide a high-speed Ethernet encryption while supporting the virtualization of a large network such as data center network. Although MACsec addresses most of security threats, it is not immune against quantum attacks which are a future, yet disastrous threat against public-key cryptography in use. In this paper, we demonstrate a new solution for a MACsec protocol over VXLAN in a post-quantum setting. Instead of a standard MACsec key agreement protocol, we use an ephemeral key exchange protocol and an end-to-end authentication scheme, both of which are based on post-quantum cryptography. To measure the impact on the performance, we established a quantum-secure link between Germany and Israel using MACsec in VXLAN over public IP networks. We verified that the impact on the latency and throughput is minimal. Our experiment confirms that quantum-secure virtualized links can be already established in a long-distance without changing their infrastructure.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
ADVA Optical Networking. FSP 150 ProVMe Series. https://www.adva.com/en/products/packet-edge-and-aggregation/edge-computing/fsp-150-provme-series
Alagic, G., et al.: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process, July 2020
Barker, E., Chen, L., Davis, R.: Recommendation for key-derivation methods in key-establishment schemes. NIST Special Publication 800–56C Revision 2, August 2020. https://csrc.nist.gov/publications/detail/sp/800-56c/rev-2/final
Barker, W., Polk, W., Souppaya M.: Getting Ready for Post-Quantum Cryptography: Explore Challenges Associated with Adoption and Use of Post-Quantum Cryptographic Algorithms, May 2020
Bernstein, D., et al.: Classic McEliece: conservative code-based cryptography (2019). https://classic.mceliece.org/nist/mceliece-20190331.pdf
Chen, C., et al.: NTRU 2019. https://ntru.org/
Chen, L., et al.: Report on post-quantum cryptography, NISTIR 8105 (2016)
Cho, J., Sergeev, A.: Post-quantum MACsec key agreement for ethernet networks. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, ARES (2020)
Cooper, D., Apon, D., Dang, Q., Davidson, M., Dworkin, M., Miller, C.: Recommendation for stateful hash-based signature schemes. Draft NIST Special Publication 800–208, December 2019. NIST.SP.800-208-draft.pdf
D’Anvers, J., Karmakar, A., Roy, S., Vercauteren, F.: SABER: Mod-LWR based KEM (2019). https://www.esat.kuleuven.be/cosic/pqcrypto/saber/index.html
Ding, J., Chen, M., Petzoldt, A., Schmidt, D., Yang., B.: Rainbow (2019)
DPDK: Data plane development kit. https://www.dpdk.org
GĂĽnther, F., Thomson, M., Wood, C.A.: Usage limits on AEAD algorithms, August 2020. https://www.ietf.org/id/draft-irtf-cfrg-aead-limits-00.txt
Huelsing, A., Butin, D., Gazdag, S., Rijneveld, J., Mohaisen, A.: XMSS: Extended Hash-Based Signatures. Internet-Draft draft-irtf-cfrg-xmss-hash-based-signatures-12, Internet Engineering Task Force, January 2018. Work in Progress
IEEE: IEEE standard for local and metropolitan area network-bridges and bridged networks. IEEE Std 802.1Q-2018 (Revision of IEEE Std 802.1Q-2014), pp. 1–1993, July 2018
IEEE. Local and metropolitan area networks-port-based network access control. IEEE Std 802.1X-2010 (Revision of IE EE Std 802.1X-2004), pp. 1–205, February 2010
IEEE: Local and metropolitan area networks-media access control (MAC) security. 802.1AE: MAC Security (MACsec). https://1.ieee802.org/security/802-1ae/
IEEE: Media access control (MAC) security amendment 1: Galois counter mode-advanced encryption standard- 256 (GCM-AES-256) cipher suite. 802.1AEbn-2011. https://1.ieee802.org/security/802-1aebn/
IEEE: Media access control (MAC) security amendment 2: Extended packet numbering. 802.1AEBW-2013. https://1.ieee802.org/security/802-1aebw/
KernelNewbies: 802.1AE MAC-level encryption (MACsec), Linux 4.6, May 2016
Liu, Y., Li, W.: VXLAN Security Option, May 2015. https://tools.ietf.org/html/draft-liu-nvo3-vxlan-security-option-01
Luykx, A., Paterson, K.: Limits on authenticated encryption use in TLS. www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf
Lyubashevsky, V., et al.: Crystals-dilithium (2019). https://pq-crystals.org/dilithium/index.shtml
McGrew, D., Curcio, M., Fluhrer, S.: Leighton-Micali Hash-Based Signatures. RFC 8554, April 2019. https://rfc-editor.org/rfc/rfc8554.txt
National Security Agency: Ethernet security specification, version 0.5, October 2011
Prest, T., et al.: Falcon: Fast-Fourier lattice-based compact signatures over NTRU (2019). https://falcon-sign.info/
Rescorla, E.: The transport layer security (TLS) protocol version 1.3, March 2016. Internet-Draft draft-ietf-tls-tls13-12
Schwabe, P., et al.: Crystals-kyber (2019). https://pq-crystals.org/kyber/index.shtml
Steblia, D., Fluhrer, S., Gueron, S.: Hybrid key exchange in TLS 1.3, February 2020
Acknowledgment
This research is co-funded by the Federal Ministry of Education and Research of Germany under the QuaSiModO project (Grant agreement No 16KIS1051).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Cho, J.Y., Sergeev, A. (2021). TLV-to-MUC Express: Post-quantum MACsec in VXLAN. In: Asplund, M., Nadjm-Tehrani, S. (eds) Secure IT Systems. NordSec 2020. Lecture Notes in Computer Science(), vol 12556. Springer, Cham. https://doi.org/10.1007/978-3-030-70852-8_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-70852-8_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-70851-1
Online ISBN: 978-3-030-70852-8
eBook Packages: Computer ScienceComputer Science (R0)