Lost Ethertype in encrypted MACsec frames











up vote
2
down vote

favorite












MACsec uses an Ethertype of 88E5. This presents an obvious problem when encrypting frames which already have, or should have, another Ethertype. This RedHat blog, for example, states "[MACsec] can secure all traffic within a LAN, including DHCP and ARP, as well as traffic from higher layer protocols". How can ARP be secured when it has to have an Ethertype of 0806?



More generally, if you have an encypted backbone/switch/WLAN/whatever which talks to unencrypted endpoints, then the switch will encrypt plain Ethernet frames on ingress, and decrypt on egress. During this process, the original Ethertype is lost, since there's nowhere to store it in a MACsec frame, so what does the switch put in the outgoing Ethertype?



I guess one option is for the switch to only encrypt a specific Etherype - IPv4, say - and replace the incoming 0800 with 88E5, and reverse that at the output. This doesn't seem particularly useful though. Thanks.










share|improve this question







New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • "the original Ethertype is lost, since there's nowhere to store it in a MACsec frame" I'm not sure where you got that idea. MACsec actually adds to the frame. Remember that 802.1Q adds to the ethernet frame, moving the Ether Type field down, and inserting a different Ether Type field and other fields. MACsec adds eight octets to the ethernet frame header, and 16 octets at the end of the frame.
    – Ron Maupin
    8 hours ago












  • Wow. Spent all day reading the docs and missed that. If you want to make that an answer I'll accept it.
    – EML
    8 hours ago










  • OK. I did that.
    – Ron Maupin
    8 hours ago















up vote
2
down vote

favorite












MACsec uses an Ethertype of 88E5. This presents an obvious problem when encrypting frames which already have, or should have, another Ethertype. This RedHat blog, for example, states "[MACsec] can secure all traffic within a LAN, including DHCP and ARP, as well as traffic from higher layer protocols". How can ARP be secured when it has to have an Ethertype of 0806?



More generally, if you have an encypted backbone/switch/WLAN/whatever which talks to unencrypted endpoints, then the switch will encrypt plain Ethernet frames on ingress, and decrypt on egress. During this process, the original Ethertype is lost, since there's nowhere to store it in a MACsec frame, so what does the switch put in the outgoing Ethertype?



I guess one option is for the switch to only encrypt a specific Etherype - IPv4, say - and replace the incoming 0800 with 88E5, and reverse that at the output. This doesn't seem particularly useful though. Thanks.










share|improve this question







New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • "the original Ethertype is lost, since there's nowhere to store it in a MACsec frame" I'm not sure where you got that idea. MACsec actually adds to the frame. Remember that 802.1Q adds to the ethernet frame, moving the Ether Type field down, and inserting a different Ether Type field and other fields. MACsec adds eight octets to the ethernet frame header, and 16 octets at the end of the frame.
    – Ron Maupin
    8 hours ago












  • Wow. Spent all day reading the docs and missed that. If you want to make that an answer I'll accept it.
    – EML
    8 hours ago










  • OK. I did that.
    – Ron Maupin
    8 hours ago













up vote
2
down vote

favorite









up vote
2
down vote

favorite











MACsec uses an Ethertype of 88E5. This presents an obvious problem when encrypting frames which already have, or should have, another Ethertype. This RedHat blog, for example, states "[MACsec] can secure all traffic within a LAN, including DHCP and ARP, as well as traffic from higher layer protocols". How can ARP be secured when it has to have an Ethertype of 0806?



More generally, if you have an encypted backbone/switch/WLAN/whatever which talks to unencrypted endpoints, then the switch will encrypt plain Ethernet frames on ingress, and decrypt on egress. During this process, the original Ethertype is lost, since there's nowhere to store it in a MACsec frame, so what does the switch put in the outgoing Ethertype?



I guess one option is for the switch to only encrypt a specific Etherype - IPv4, say - and replace the incoming 0800 with 88E5, and reverse that at the output. This doesn't seem particularly useful though. Thanks.










share|improve this question







New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











MACsec uses an Ethertype of 88E5. This presents an obvious problem when encrypting frames which already have, or should have, another Ethertype. This RedHat blog, for example, states "[MACsec] can secure all traffic within a LAN, including DHCP and ARP, as well as traffic from higher layer protocols". How can ARP be secured when it has to have an Ethertype of 0806?



More generally, if you have an encypted backbone/switch/WLAN/whatever which talks to unencrypted endpoints, then the switch will encrypt plain Ethernet frames on ingress, and decrypt on egress. During this process, the original Ethertype is lost, since there's nowhere to store it in a MACsec frame, so what does the switch put in the outgoing Ethertype?



I guess one option is for the switch to only encrypt a specific Etherype - IPv4, say - and replace the incoming 0800 with 88E5, and reverse that at the output. This doesn't seem particularly useful though. Thanks.







ethernet security






share|improve this question







New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 8 hours ago









EML

1155




1155




New contributor




EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






EML is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • "the original Ethertype is lost, since there's nowhere to store it in a MACsec frame" I'm not sure where you got that idea. MACsec actually adds to the frame. Remember that 802.1Q adds to the ethernet frame, moving the Ether Type field down, and inserting a different Ether Type field and other fields. MACsec adds eight octets to the ethernet frame header, and 16 octets at the end of the frame.
    – Ron Maupin
    8 hours ago












  • Wow. Spent all day reading the docs and missed that. If you want to make that an answer I'll accept it.
    – EML
    8 hours ago










  • OK. I did that.
    – Ron Maupin
    8 hours ago


















  • "the original Ethertype is lost, since there's nowhere to store it in a MACsec frame" I'm not sure where you got that idea. MACsec actually adds to the frame. Remember that 802.1Q adds to the ethernet frame, moving the Ether Type field down, and inserting a different Ether Type field and other fields. MACsec adds eight octets to the ethernet frame header, and 16 octets at the end of the frame.
    – Ron Maupin
    8 hours ago












  • Wow. Spent all day reading the docs and missed that. If you want to make that an answer I'll accept it.
    – EML
    8 hours ago










  • OK. I did that.
    – Ron Maupin
    8 hours ago
















"the original Ethertype is lost, since there's nowhere to store it in a MACsec frame" I'm not sure where you got that idea. MACsec actually adds to the frame. Remember that 802.1Q adds to the ethernet frame, moving the Ether Type field down, and inserting a different Ether Type field and other fields. MACsec adds eight octets to the ethernet frame header, and 16 octets at the end of the frame.
– Ron Maupin
8 hours ago






"the original Ethertype is lost, since there's nowhere to store it in a MACsec frame" I'm not sure where you got that idea. MACsec actually adds to the frame. Remember that 802.1Q adds to the ethernet frame, moving the Ether Type field down, and inserting a different Ether Type field and other fields. MACsec adds eight octets to the ethernet frame header, and 16 octets at the end of the frame.
– Ron Maupin
8 hours ago














Wow. Spent all day reading the docs and missed that. If you want to make that an answer I'll accept it.
– EML
8 hours ago




Wow. Spent all day reading the docs and missed that. If you want to make that an answer I'll accept it.
– EML
8 hours ago












OK. I did that.
– Ron Maupin
8 hours ago




OK. I did that.
– Ron Maupin
8 hours ago










1 Answer
1






active

oldest

votes

















up vote
5
down vote



accepted










MACsec actually adds to the ethernet frame header and trailer. You end up with a different value in the Ether Type field position, much like you do with 802.1Q, but the original Ether Type field is preserved.






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "496"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    EML is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f55172%2flost-ethertype-in-encrypted-macsec-frames%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    5
    down vote



    accepted










    MACsec actually adds to the ethernet frame header and trailer. You end up with a different value in the Ether Type field position, much like you do with 802.1Q, but the original Ether Type field is preserved.






    share|improve this answer

























      up vote
      5
      down vote



      accepted










      MACsec actually adds to the ethernet frame header and trailer. You end up with a different value in the Ether Type field position, much like you do with 802.1Q, but the original Ether Type field is preserved.






      share|improve this answer























        up vote
        5
        down vote



        accepted







        up vote
        5
        down vote



        accepted






        MACsec actually adds to the ethernet frame header and trailer. You end up with a different value in the Ether Type field position, much like you do with 802.1Q, but the original Ether Type field is preserved.






        share|improve this answer












        MACsec actually adds to the ethernet frame header and trailer. You end up with a different value in the Ether Type field position, much like you do with 802.1Q, but the original Ether Type field is preserved.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 8 hours ago









        Ron Maupin

        60.5k1058109




        60.5k1058109






















            EML is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            EML is a new contributor. Be nice, and check out our Code of Conduct.













            EML is a new contributor. Be nice, and check out our Code of Conduct.












            EML is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Network Engineering Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f55172%2flost-ethertype-in-encrypted-macsec-frames%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            What visual should I use to simply compare current year value vs last year in Power BI desktop

            How to ignore python UserWarning in pytest?

            Alexandru Averescu