Mike Fratto's article New Protocols Secure Layer 2 caught my attention:
[T]wo protocols -- IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV -- will help secure Layer 2 traffic on the wire... 802.1AE ensures the integrity and privacy of data between peers at Layer 2. The enhancements in 802.1X-REV automate the authentication and key management requirements for 802.1AE.
802.1AE protects data in transit on a hop-by-hop basis... ensuring that the frames are not altered between Layer 2 devices such as switches, routers, and hosts.
I think the diagram explains 802.1AE well, and Mike notes the problems with this approach:
The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards...
[A]ny products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.
That's a significant problem in my opinion. Already I hear from network administrators who complain about IPSec because it renders the same tools and techniques useless.
The diagram shows that a network analyzer attached to a SPAN port avoids the blind spots introduced by 802.1AE. Another approach would be to introduce a 802.1AE-aware network tap. I do not believe anything like that exists yet, but I would like to see vendors offer this feature.
It appears 802.1AE might defeat the old school layer 2 hacking that continues to surface on modern networks. We'll see how it performs in real life.
The encryption mechanics deserve some attention:
802.1AE is only half the story, however, because it deals only with encryption and integrity -- both of which require keys. 802.1X-REV provides key management--creation, distribution, deletion, and renewal of encryption keys...
Many organizations' physical wiring has one physical LAN port per desk or cubicle, and 802.1X on a wired network was originally designed to be deployed on a one-host-per-port basis. However, it's now common for sites to have multiple hosts per port...
802.1X-REV addresses these issues by allowing multiple hosts to authenticate on a port.
But authenticating multiple hosts isn't enough. If a workstation is connected to a VoIP phone and was properly authenticated, someone could simply clone the workstation's MAC address and connect to the network through that VoIP phone. The bogus workstation would have network access until 802.1X required a reauthentication.
Pairing 802.1X-REV with a workstation NIC that supports 802.1AE enables multiple hosts to be authenticated simultaneously, and each host can have its own encrypted session. More important, bogus workstations can't simply plug in, because the impersonators won't have the encryption keys and therefore can't communicate with the switch.
That last point is significant. I have not personally configured port-based security in production, but I do wonder how people using port-based security handle situations like this. A related issue involves virtual machines sharing a NIC, connected to one physical switch port. Is it acceptable to manually configure the right number of MAC addresses for that port?