[172664] in North American Network Operators' Group
Re: MACsec SFP
daemon@ATHENA.MIT.EDU (Glen Turner)
Sun Jun 29 23:58:39 2014
X-Original-To: nanog@nanog.org
From: Glen Turner <gdt@gdt.id.au>
In-Reply-To: <20140626062411.GA16296@pob.ytti.fi>
Date: Mon, 30 Jun 2014 13:28:27 +0930
To: Saku Ytti <saku@ytti.fi>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
>=20
> Perhaps such lag could be avoided in future if we'd specify some 'host =
to SFP'
> high level protocol, perhaps in much the same way as DHCP 'option' =
handling?
The SFF Committee specifies GBIC registers. They=92d be the appropriate =
group to add registers for features such as MACsec, Ethernet OAM and the =
like. I=92d also encourage a common SFF Committee feature to query and =
update GBIC firmware and encourage SFP vendors to make firmware freely =
redistributable so that SFPs can be updated by the operating system as =
needed to avoid security exposures (and such a feature is problematic, =
as it would have to be written in such a way as to prevent it being used =
as another mechanism resellers can use to =91lock=92 SFP sales to their =
equipment sales). The Committee have already specified registers for =
tuneable SFPs.
After the SFF Committee specifies the registers the operating system =
vendors or vendors of devices would then add commands to support to =
toggle the I2C needed to program those registers with MACsec keys, etc.
You should not be able to set the MACsec key from the optical side. That =
feature is not only cryptographically dubious but it also requires that =
the 'forwarding plane' (which might otherwise be entirely hardware) be =
connected to the SFP=92s management plane. That=92s not desirable from a =
design or security point of view. Note carefully that I=92m not =
discouraging a self-keying mode where GBICs don=92t verify their =
partners but are proof against receive-only optical taps (and in that =
case I=92d encourage the SFF Committee to specify that implementations =
print their fingerprint and the fingerprint of the partner GBIC, so that =
people can verify after the fact that the partner expected is the one =
encountered).
--=20
Glen Turner <http://www.gdt.id.au/~gdt/>
