CLL: A Cryptographic Link Layer for Local Area Networks

  • Yves Igor Jerschow
  • Christian Lochert
  • Björn Scheuermann
  • Martin Mauve
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5229)


Ethernet and IP form the basis of the vast majority of LAN installations. But these protocols do not provide comprehensive security mechanisms, and thus give way for a plethora of attack scenarios. In this paper, we introduce a layer 2/3 security extension for LANs, the Cryptographic Link Layer (CLL). CLL provides authentication and confidentiality to the hosts in the LAN by safeguarding all layer 2 traffic including ARP and DHCP handshakes. It is transparent to existing protocol implementations, especially to the ARP module and to DHCP clients and servers. Beyond fending off external attackers, CLL also protects from malicious behavior of authenticated clients. We discuss the CLL protocol, motivate the underlying design decisions, and finally present implementations of CLL for both Windows and Linux. Their performance is demonstrated through real-world measurement results.


Medium Access Control Block Cipher Internet Protocol Address Medium Access Control Address Address Resolution Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Altunbasak, H., Krasser, S., Owen, H., Sokol, J., Grimminger, J., Huth, H.-P.: Addressing the Weak Link Between Layer 2 and Layer 3 in the Internet Architecture. In: LCN 2004: Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks, November 2004, pp. 417–418 (2004)Google Scholar
  2. 2.
  3. 3.
  4. 4.
    Bellare, M., Canetti, R., Krawczyk, H.: Message Authentication Using Hash Functions: the HMAC Construction. RSA CryptoBytes 2(1) (1996)Google Scholar
  5. 5.
    Bruschi, D., Ornaghi, A., Rosti, E.: S-ARP: a Secure Address Resolution Protocol. In: ACSAC 2003: Proceedings of the 19th Annual Computer Security Applications Conference, December 2003, pp. 66–74 (2003)Google Scholar
  6. 6.
    Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (April 2006)Google Scholar
  7. 7.
    Droms, R.: Dynamic Host Configuration Protocol. RFC 2131 (March 1997)Google Scholar
  8. 8.
    Droms, R., Arbaugh, W.: Authentication for DHCP Messages. RFC 3118 (June 2001)Google Scholar
  9. 9.
  10. 10.
    Gouda, M.G., Huang, C.-T.: A secure address resolution protocol. Computer Networks 41(1), 57–71 (2003)zbMATHCrossRefGoogle Scholar
  11. 11.
    IEEE 802.1AE: Media Access Control (MAC) Security,
  12. 12.
    Jerschow, Y.I.: The CLL service & toolkit for Windows and Linux,
  13. 13.
    Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301 (December 2005)Google Scholar
  14. 14.
    Krawczyk, H.: The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  15. 15.
    Lloyd, J.: Botan Cryptographic Library,
  16. 16.
    Lootah, W., Enck, W., McDaniel, P.: TARP: Ticket-based Address Resolution Protocol. Computer Networks 51(15), 4322–4337 (2007)CrossRefGoogle Scholar
  17. 17.
    Mills, D.L.: Network Time Protocol (Version 3) Specification, Implementation and Analysis. RFC 1305 ( March 1992)Google Scholar
  18. 18.
    Montoro, M.: Cain & Abel,
  19. 19.
    Perrig, A., Canetti, R., Tygar, J.D., Song, D.: The TESLA Broadcast Authentication Protocol. RSA CryptoBytes 5(2), 2–13 (2002)Google Scholar
  20. 20.
    Plummer, D.C.: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware. RFC 826 (November 1982)Google Scholar
  21. 21.
    NT Kernel Resources: WinpkFilter,
  22. 22.
    Test TCP (TTCP) - Benchmarking Tool for Measuring TCP and UDP Performance,
  23. 23.
    Vyncke, E., Paggen, C.: LAN Switch Security. Cisco Press (2007)Google Scholar
  24. 24.
    Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Protocol Architecture. RFC 4251 (January 2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Yves Igor Jerschow
    • 1
  • Christian Lochert
    • 1
  • Björn Scheuermann
    • 1
  • Martin Mauve
    • 1
  1. 1.Institute of Computer ScienceHeinrich Heine UniversityDüsseldorfGermany

Personalised recommendations