A Security Architecture for Protecting LAN Interactions

  • André Zúquete
  • Hugo Marques
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4176)


This paper describes a security architecture for a LAN. The architecture uses the 802.1X access control mechanisms and is supported by a Key Distribution Centre built upon an 802.1X Authentication Server. The KDC is used, together with a new host identification policy and modified DHCP servers, to provide proper resource allocation and message authentication in DHCP transactions. Finally, the KDC is used to authenticate ARP transactions and to distribute session keys to pairs of LAN hosts, allowing them to set up other peer-to-peer secure interactions using such session keys. The new, authenticated DHCP and ARP protocols are fully backward compatible with the original protocols; all security-related data is appended to standard protocol messages.


Security Policy Authentication Protocol Authentication Server Security Architecture Address Resolution Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    IEEE: IEEE Standards for Local and Metropolitan Area Networks: Port based Network Access Control. IEEE Std 802.1X-2001 (2001)Google Scholar
  2. 2.
    Droms, R.: Dynamic Host Configuration Protocol. RFC 2131, IETF (1997)Google Scholar
  3. 3.
    Plummer, D.: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware. RFC 826, IETF (1982)Google Scholar
  4. 4.
    Khoussainov, R., Patel, A.: LAN security: problems and solutions for Ethernet networks. Computer Standards & Interfaces 22, 191–202 (2000)CrossRefGoogle Scholar
  5. 5.
    Hunleth, F.: Secure Link Layer (2001), http://www.hunleth.com/fhunleth/projects/sll/sll_report.pdf
  6. 6.
    Bruschi, D., Ornaghi, A., Rosti, E.: S-ARP: a Secure Address Resolution Protocol. In: 19th Annual Computer Security Applications Conf. (ACSAC 2003), Las Vegas, NV, USA (2003)Google Scholar
  7. 7.
    Gouda, M.G., Huang, C.: A Secure Address Resolution Protocol. Computer Networks 41(1) (2003)Google Scholar
  8. 8.
    Lootah, W., Enck, W., McDaniel, P.: TARP: Ticket-based Address Resolution Protocol. In: 21st Annual Computer Security Applications Conf (ACSAC 2005), Tucson, AZ, USA (2005)Google Scholar
  9. 9.
    Dubrawsky, I.: SAFE Layer 2 Security In-depth Version 2. White Paper (2004), http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf
  10. 10.
    Hedrick, C.: Routing Information Protocol. RFC 1058, IETF (1988)Google Scholar
  11. 11.
    Postel, J.: Internet Control Message Protocol. RFC 792, IETF (1981)Google Scholar
  12. 12.
    Thayer, R., Doraswamy, N., Glenn, R.: IP Security Document Roadmap. RFC 2411, IETF (1998)Google Scholar
  13. 13.
    Harkins, D., Carrel, D.: The Internet Key Exchange (IKE). RFC 2409, IETF (1998)Google Scholar
  14. 14.
    Kohl, J., Neuman, C.: The Kerberos Network Authentication Service (V5). RFC 1510 (1993)Google Scholar
  15. 15.
    Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., Levkowetz, H.: Extensible Authentication Protocol (EAP). RFC 3748, IETF (2004)Google Scholar
  16. 16.
    Droms, R., Arbaugh, W. (eds.): Authentication for DHCP Messages. RFC 3118, IETF (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • André Zúquete
    • 1
  • Hugo Marques
    • 2
  1. 1.IEETA / University of AveiroPortugal
  2. 2.DEE / ESTCBPortugal

Personalised recommendations