Abstract
Ethernet and IP form the basis of the vast majority of LAN installations. But these protocols do not provide comprehensive security mechanisms, and thus give way for a plethora of attack scenarios. In this paper, we introduce a layer 2/3 security extension for LANs, the Cryptographic Link Layer (CLL). CLL provides authentication and confidentiality to the hosts in the LAN by safeguarding all layer 2 traffic including ARP and DHCP handshakes. It is transparent to existing protocol implementations, especially to the ARP module and to DHCP clients and servers. Beyond fending off external attackers, CLL also protects from malicious behavior of authenticated clients. We discuss the CLL protocol, motivate the underlying design decisions, and finally present implementations of CLL for both Windows and Linux. Their performance is demonstrated through real-world measurement results.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Altunbasak, H., Krasser, S., Owen, H., Sokol, J., Grimminger, J., Huth, H.-P.: Addressing the Weak Link Between Layer 2 and Layer 3 in the Internet Architecture. In: LCN 2004: Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks, November 2004, pp. 417–418 (2004)
Antidote, http://antidote.sourceforge.net
ArpWatch, http://ee.lbl.gov and http://freequaos.host.sk/arpwatch
Bellare, M., Canetti, R., Krawczyk, H.: Message Authentication Using Hash Functions: the HMAC Construction. RSA CryptoBytes 2(1) (1996)
Bruschi, D., Ornaghi, A., Rosti, E.: S-ARP: a Secure Address Resolution Protocol. In: ACSAC 2003: Proceedings of the 19th Annual Computer Security Applications Conference, December 2003, pp. 66–74 (2003)
Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (April 2006)
Droms, R.: Dynamic Host Configuration Protocol. RFC 2131 (March 1997)
Droms, R., Arbaugh, W.: Authentication for DHCP Messages. RFC 3118 (June 2001)
Ettercap, http://ettercap.sourceforge.net
Gouda, M.G., Huang, C.-T.: A secure address resolution protocol. Computer Networks 41(1), 57–71 (2003)
IEEE 802.1AE: Media Access Control (MAC) Security, http://www.ieee802.org/1/pages/802.1ae.html
Jerschow, Y.I.: The CLL service & toolkit for Windows and Linux, http://www.cn.uni-duesseldorf.de/projects/CLL
Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301 (December 2005)
Krawczyk, H.: The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
Lloyd, J.: Botan Cryptographic Library, http://botan.randombit.net
Lootah, W., Enck, W., McDaniel, P.: TARP: Ticket-based Address Resolution Protocol. Computer Networks 51(15), 4322–4337 (2007)
Mills, D.L.: Network Time Protocol (Version 3) Specification, Implementation and Analysis. RFC 1305 ( March 1992)
Montoro, M.: Cain & Abel, http://www.oxid.it/cain.html
Perrig, A., Canetti, R., Tygar, J.D., Song, D.: The TESLA Broadcast Authentication Protocol. RSA CryptoBytes 5(2), 2–13 (2002)
Plummer, D.C.: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware. RFC 826 (November 1982)
NT Kernel Resources: WinpkFilter, http://www.ntkernel.com
Test TCP (TTCP) - Benchmarking Tool for Measuring TCP and UDP Performance, http://www.pcausa.com/Utilities/pcattcp.htm
Vyncke, E., Paggen, C.: LAN Switch Security. Cisco Press (2007)
Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Protocol Architecture. RFC 4251 (January 2006)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jerschow, Y.I., Lochert, C., Scheuermann, B., Mauve, M. (2008). CLL: A Cryptographic Link Layer for Local Area Networks. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds) Security and Cryptography for Networks. SCN 2008. Lecture Notes in Computer Science, vol 5229. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85855-3_3
Download citation
DOI: https://doi.org/10.1007/978-3-540-85855-3_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85854-6
Online ISBN: 978-3-540-85855-3
eBook Packages: Computer ScienceComputer Science (R0)