
SECURE NETWORKING 101
MACsec, IPsec, and SSL Basics

INTRODUCTION

This document is a basic introduction to the most common secure protocols in network communications.

THE COMMON CONCEPTS

MACsec, IPsec, and SSL/TLS protocols have similar concepts and consist of two “planes”:
• The “control plane”, a management layer used for the management of the secure protocol itself (authentication of the parties, key establishment and rotation, etc.)
• The “data plane”, which protects the upper protocol data that conveys the useful information (payload) in a secured way.

All these protocols provide secure services, in the scope of their layer:
• Mutual authentication (optional). Each party securely identifies the other party (peer).
  a. The credentials used for authentication are quite flexible: they can be pre-shared keys, passwords, PKI-based credentials, etc.
• Integrity. All information that is sent on one side is guaranteed to be delivered unmodified at the other side.
• Confidentiality (optional). All payloads are encrypted so that a third party with access to the network would not be able to understand them.
• Anti-replay. Prevents a payload intercepted between the source and destination from being modified or replayed. Ensures invalid payloads are discarded.
• Non-repudiation. Ensures that a transferred message has been sent and received by the parties claiming to have sent and received it.

MACSEC

MACsec is a “link layer” protocol which works on a local network scale, point to point. It protects the link between network equipment, e.g. between a laptop and a switch, or between two switches. The control plane is IEEE 802.1X, which is also commonly used for WiFi networks. This protocol controls access to the network: only authenticated peers are able to get connectivity.
The data plane is IEEE 802.1AE, a simple protocol based on Ethernet with AES-GCM encryption of the packets.
• When MACsec is in use, only authenticated peers are able to connect to the network.
• Local attacks that “trick” switches and routers into redirecting network traffic to attacker machines do not work if MACsec is enabled.
• MACsec is the wired equivalent of WPA2 in WiFi networks.
• MACsec is invisible to the application. It encrypts all traffic without the endpoint application being aware.
A typical use case for MACsec would be to secure the connection between an IP phone in a user’s office and the corporate phone server onsite.
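As an added illustration, not code from this document or from Inside Secure, the Go program below models the data-plane services listed under The Common Concepts (integrity, confidentiality, anti-replay) in the shape the MACsec section describes: AES-GCM encrypts the payload, the cleartext header and packet number (PN) are authenticated as additional data, the 96-bit IV is an 8-byte per-association salt followed by the PN (the same SCI||PN construction 802.1AE uses for its IV, though this is not the 802.1AE frame format), and a 64-packet sliding window of the kind IPsec ESP (RFC 4303) specifies provides anti-replay while tolerating reordering. The names `Window`, `Protect`, `Unprotect` and `params`, the salt and the key are this example's own assumptions; the key must be 16, 24 or 32 bytes and the salt at least 8.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Window is a 64-packet sliding anti-replay window (RFC 4303 style); PN 0 is never valid.
type Window struct {
	top    uint32 // highest packet number accepted so far
	bitmap uint64 // bit d set => packet number top-d already accepted
}

// Accept records pn and reports whether it was new; out-of-order PNs inside the window pass.
func (w *Window) Accept(pn uint32) bool {
	switch {
	case pn > w.top: // advance the window; a jump of 64 or more clears all history
		if d := pn - w.top; d < 64 { w.bitmap <<= d } else { w.bitmap = 0 }
		w.top = pn
	case pn == 0 || w.top-pn >= 64 || w.bitmap&(1<<(w.top-pn)) != 0:
		return false // PN 0 is invalid, too old for the window, or already seen (a replay)
	}
	w.bitmap |= 1 << (w.top - pn)
	return true
}

// params: AES-GCM cipher, 96-bit IV salt(8)||PN(4), and additional data header||PN.
func params(key, salt, header []byte, pn uint32) (cipher.AEAD, []byte, []byte) {
	b, err := aes.NewCipher(key)
	if err != nil { panic(err) } // key must be 16, 24 or 32 bytes
	g, _ := cipher.NewGCM(b)
	iv := make([]byte, 12)
	copy(iv, salt[:8])
	binary.BigEndian.PutUint32(iv[8:], pn)
	return g, iv, append(append([]byte{}, header...), iv[8:]...)
}

// Protect is the sender's data plane: encrypt the payload, authenticate header and PN.
func Protect(key, salt, header, payload []byte, pn uint32) []byte {
	g, iv, ad := params(key, salt, header, pn)
	return g.Seal(nil, iv, payload, ad)
}

// Unprotect verifies the tag (integrity), decrypts (confidentiality), and only
// then consumes the PN, so a forged frame cannot poison the replay window.
func Unprotect(key, salt, header, body []byte, pn uint32, w *Window) ([]byte, error) {
	g, iv, ad := params(key, salt, header, pn)
	pt, err := g.Open(nil, iv, body, ad)
	if err != nil { return nil, errors.New("integrity check failed") }
	if !w.Accept(pn) { return nil, errors.New("replayed or stale packet number") }
	return pt, nil
}
```

A sender must never reuse a PN under the same key, since the PN is what makes each GCM IV distinct; the control plane's key rotation is what keeps the 32-bit counter from wrapping.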

IPSEC

IPsec is a “network layer” protocol: it works between any two peers participating in an IP network such as the Internet, regardless of how those peers are connected (via many routers, different types of links, etc.).
• The control plane is IKE or IKEv2 (Internet Key Exchange).
• The data plane is IPsec.
• This protocol is typically used for VPNs (peer to network, or network to network).
• It is a very complex protocol with many variants and options.
• IPsec is invisible to the application. It encrypts all traffic without the endpoint application being aware.
A typical use case for IPsec is a VPN client on a mobile device connecting to a VPN server in the enterprise, allowing employees who are away from the office to connect to company resources securely and authenticating that the users are allowed to connect.
Another use case would be to connect a remote office to a common company intranet.

SSL / TLS / DTLS

SSL, TLS, and DTLS are “transport layer” protocols. They work between two endpoints (in general, an endpoint means one application running on one host). They provide security directly to the endpoint.
TLS (Transport Layer Security) is the replacement for SSL (Secure Sockets Layer); previous versions of SSL are deprecated and potentially have security issues. TLS requires a reliable transport protocol and typically runs over TCP.
DTLS (Datagram Transport Layer Security) is based on TLS and adapted to run over UDP (unreliable transport).
These protocols themselves contain several layers that deal with both the control plane and the data plane.
• SSL/TLS is typically used for application-specific security, for example https://... The reason is that the credentials of the secure protocol can be bound to the application itself.
• In terms of architecture and software implementation, these protocols do not require the user to modify the kernel. However, they do require integration into user application(s), as these are not implemented at the system level.
• An application can specify encryption and authentication parameters for each host it needs to contact.
A typical use case for SSL/TLS is using a web browser (SSL client) to connect to a secure website through https from a public network. Another use case is connecting through a web browser to a router’s web-based management console.
A DTLS use case would be encrypting VoIP traffic: the data is sent in real time and packet loss wouldn’t invalidate the entire connection. The DTLS protocol would keep the connection open and there would be a slight degradation in the call audio corresponding to the bad data.

INSIDE SECURE OFFERINGS

Inside Secure offers Semiconductor IP and software stacks implementing high performance SSL, TLS, DTLS, IPsec, and MACsec.
Inside Secure’s MACsec solution contains the SW stack and corresponding HWIP for both the control and data planes. The included reference data plane implementation may be replaced during integration on a customer’s platform for performance and power consumption considerations.
Inside Secure’s QuickSec IPsec solution provides both control and data plane implementations as well.

Inside’s SW implementation is efficient for the data plane but can also integrate with accelerated hardware for high performance. Inside’s QuickSec IPsec is the clear market leader, supporting a wide variety of networking hardware. The software control plane can also use various HW modules for enhanced authentication, including SSL.
Inside Secure’s MatrixSSL implements the SSL/TLS protocol and has been integrated with our HWIP.
MatrixSSL has a generic PKCS #11 interface which can be used to integrate with common hardware implementations.
Inside Secure’s SafeZone FIPS library is a FIPS certified cryptography library available for use with IPsec, SSL, or standalone secure applications.

ABOUT INSIDE SECURE

Inside Secure provides comprehensive embedded security solutions. World-leading companies rely on Inside Secure’s mobile security and secure transaction offerings to protect critical assets including connected devices, content, services, identity and transactions. Unmatched security expertise combined with a comprehensive range of IP, semiconductors, software and associated services gives Inside Secure customers a single source for advanced solutions and superior investment protection.
Inside Secure sells:
• semiconductor hardware solutions that, in particular, integrate secure microcontrollers and electronic solutions enabling secure data storage
• software, particularly embedded software providing the secure management and communication of data as well as cryptography algorithms
• intellectual property blocks that its customers integrate into their own semiconductor platforms
These solutions rely on Inside’s know-how in analog and digital semiconductor design and embedded software, as well as its expertise in the software design of security and certification applications.

Inside Secure is the only market player simultaneously offering hardware-only-based solutions (based on secure microcontrollers), software-only-based solutions, and a combination of both hardware and software, in addition to a broad intellectual property solutions portfolio.

FOR MORE INFORMATION

http://www.insidesecure.com

Inside Silicon IP:
http://www.insidesecure.com/Markets-solutions/Enterprise-Security-and-Secure-Access/Enterprise-Security-Solutions-for-SoC

Inside Protocol Security toolkits:
http://www.insidesecure.com/Products-Technologies/Protocol-Security-Toolkits

Inside FIPS Certified cryptography library:
http://www.insidesecure.com/Markets-solutions/Payment-and-Mobile-Banking/SafeZone-FIPS2

NETWORK LAYERS

Inside Secure offers hardware IP and software stacks implementing high performance
SSL, TLS, DTLS, IPsec, and MACsec.