What Is Xsec?
In Xsec, "X" indicates unknown, and "sec" indicates security. Xsec is a new point-to-multipoint adaptive encryption technology proposed by Huawei based on IPsec and BGP extensions. It offers multiple technical advantages such as high reliability and easy deployment, effectively supporting service encryption in SRv6 scenarios.
Why Do We Need Xsec?
Traditional network encryption solutions cannot keep pace with the growing scale of service networks, stricter requirements for network reliability, and advances in cryptographic attack methods.
Taking the financial industry as an example, financial enterprises typically use the hub-spoke networking mode to connect the headquarters to multiple branch networks, thereby enhancing enterprise communication security and achieving unified management. Traditionally, technologies such as IPsec and GRE over IPsec are used to construct a VPN network. But because IPsec requires point-to-point tunnel establishment, branches cannot directly communicate with each other. As a result, data has to be forwarded by the headquarters (through a hub node). This leads to the following issues:
- Large-scale networks are not supported. As a point-to-point encryption technology, IPsec requires the configuration and negotiation between every two points. Consequently, as the network expands in scale, the numbers of encryption tunnels, encryption protocol sessions, and session states increase exponentially, the negotiation efficiency is reduced, and configuration and O&M grow in complexity.
- SRv6 encryption requirements cannot be met. IPsec supports only tunnel-based negotiation and cannot perform encryption based on routes or services. In SRv6 scenarios, both service bearer tunnels and IPsec tunnels need to be deployed, which complicates the state of the data transmission network. If an IPsec tunnel fails, another available tunnel needs to be selected to continue service forwarding. Service recovery then takes several seconds, which does not meet the requirements for high network reliability.
To address the preceding issues, the Xsec technology is introduced. Xsec inherits the security features of IPsec and provides security services for IP packets through encryption and authentication. As an innovative key negotiation solution based on BGP extensions, Xsec expands the application scope of IPsec and offers the following benefits:
- Encryption can be performed by simply configuring an Xsec router ID list, making configuration and O&M much simpler. The point-to-multipoint advertisement mode of BGP avoids complex, point-to-point encryption tunnel deployment, which is required in traditional encryption. Xsec effectively supports the deployment of large-scale encryption networks.
- In-line encryption improves network reliability. With the in-line encryption technology, service tunnels are directly encrypted, eliminating the need for dedicated encryption tunnels and completely decoupling encryption and tunnels. This is simpler than configuring both service bearer tunnels and IPsec tunnels. It also simplifies network reliability design and eliminates the need to configure policy-based traffic steering actions during troubleshooting. By inheriting the original reliability assurance capability of services, Xsec implements high-reliability protection and disaster recovery for nodes, boards, and links.
How Does Xsec Work?
Xsec is a set of protocols and services — rather than an independent protocol — used to provide security for IP networks. It includes Xsec security associations (SAs), packet encapsulation, encryption and authentication algorithms, and encryption attribute transmission methods.
Xsec SA
Xsec provides secure data transmission only when Xsec SAs are successfully established between communicating parties. An SA defines conventions for certain elements of negotiation between communicating parties. It is uniquely identified by a 3-tuple, which consists of the security parameters index (SPI), destination IP address, and Encapsulating Security Payload (ESP) protocol. The SPI is a 32-bit value generated to identify an SA, and is encapsulated in an ESP header. Xsec SAs provide unidirectional logical connections, requiring one SA to process incoming IP packets and another to process outgoing IP packets. As such, two Xsec SAs must be established on a single node: one for incoming IP packets and the other for outgoing IP packets.
Xsec Packet Encapsulation
Figure: Xsec packet encapsulation
Xsec Encryption and Authentication Algorithms
The security functions provided by the ESP protocol depend on which encryption and authentication algorithms are adopted.
- Xsec uses symmetric encryption algorithms to encrypt and decrypt data. These algorithms require that the sender and receiver use the same key (a symmetric key) to encrypt and decrypt data. The symmetric key used for encryption is generated through the Diffie-Hellman (DH) algorithm and shared by both devices. Xsec supports the AES algorithm in cipher block chaining (CBC) mode or Galois/Counter Mode (GCM).
- Xsec uses the hash-based message authentication code (HMAC) algorithm to compute and compare the integrity check value (ICV) and thereby authenticate forwarding-plane data. HMAC combines a hash function with a message authentication code (MAC). With a symmetric key and a data packet as input, HMAC uses the hash function to generate a fixed-length ICV. The symmetric key used for authentication is generated through the DH algorithm and shared by both devices. Xsec supports SHA2 (256 bits or more) authentication algorithms.
Typically, encryption and authentication algorithms are used together. As shown in the following figure, the Xsec sender uses an encryption algorithm and symmetric key to encrypt the packet, thereby encapsulating the original data. Then, both the sender and receiver use the same authentication algorithm and symmetric key to process the encrypted packet in order to obtain ICVs. If the ICVs obtained at both ends are the same, the packet has not been tampered with during transmission, and the receiver decrypts it. If the ICVs differ, the receiver discards the packet.
Figure: Xsec encryption and authentication
Xsec Key Exchange
It is important that devices share a symmetric key for encryption and authentication in a secure manner. This can be achieved by using the DH algorithm to generate key materials and generating a dynamic key through automatic negotiation between Xsec communicating parties. Xsec uses BGP to transmit encryption information between the sender and receiver. The information includes key materials generated using the DH algorithm, security protocol used by Xsec, data encapsulation modes, and encryption and authentication algorithms. To ensure the transmission security of BGP packets carrying encryption attributes, BGP requires SSL/TLS authentication to be configured. During the transmission of encryption attributes, BGP mainly interacts with the Xsec component, which is responsible for generating key materials, calculating dynamic keys, and negotiating SAs. The transmission process is as follows:
- On the sender, BGP subscribes to encryption information from the Xsec component.
- After receiving a reply from the Xsec component, BGP generates an EVPN ES-AD route carrying Xsec encryption attributes and sends the route to peers (such as the receiver in the figure).
- On the receiver, BGP delivers the received EVPN ES-AD route carrying Xsec encryption attributes to the Xsec component.
- The Xsec component performs key calculation and Xsec SA negotiation.
The process for the receiver to transmit encryption attributes to the sender is similar.
Figure: Xsec encryption attribute transmission through BGP
Xsec Implementation
Xsec is implemented as follows:
- An Xsec policy is determined for the communicating parties.
Before SA establishment, an Xsec policy needs to be determined for the communicating parties. The Xsec policy defines multiple items, such as the security protocol used by Xsec, data encapsulation mode, encryption and authentication algorithms, and DH key exchange algorithm used for initiating negotiation.
- The communicating parties negotiate an Xsec SA.
To achieve this, both communicating parties use BGP to transmit encryption information based on the Xsec policy and then advertise ES-AD routes carrying Xsec attributes to the specified BGP EVPN peer or peer group. In addition, SSL/TLS authentication needs to be configured for BGP to ensure the transmission security of BGP packets carrying encryption attributes.
- The communicating parties encrypt the data to be transmitted and authenticate the received data.
The two parties can transmit data after establishing the Xsec SA. A network entity supports multiple pairs of SAs, which need to be stored in the SA database for management. The following figure shows how Xsec processes packets during data transmission between the sender and receiver. Before forwarding a packet, the sender checks whether an Xsec policy is configured. If yes, it searches the SA database for the SA corresponding to the SPI, and then encrypts and encapsulates the packet. Similarly, after receiving a packet, the receiver checks whether an Xsec policy is configured. If yes, it checks whether the packet is encapsulated using ESP. For an ESP-encapsulated packet, the receiver determines which SA in the SA database should be used for security authentication based on the SPI encapsulated in the ESP header. Then, the receiver decrypts the packet.
Figure: Xsec-based packet processing
What Are the Application Scenarios of Xsec?
Leveraging the point-to-multipoint adaptive encryption technology, Xsec uses BGP to perform in-line encryption on service data, simplifying deployment and improving network reliability. It applies to large-scale SRv6 networking scenarios, such as those involving cross-domain cloud backbone private lines and communication between a bank's head office and branches.
Cross-Domain Cloud Backbone Private Line Scenarios
The following figure provides an example of Xsec application in cross-domain cloud backbone private line scenarios. In this example, SRv6 VPN is deployed across the backbone network between City A and City B, with intermediate nodes supporting IPv6. Xsec provides in-line encryption, meaning that services only need to be deployed at the two ends. This is simpler than configuring both service bearer tunnels and IPsec tunnels, and also simplifies network reliability design.
Figure: Xsec application in cross-domain cloud backbone private line scenarios
Financial Scenarios
In financial scenarios, SRv6 is used to connect each access point and the cloud center, thereby enabling the communication between a bank's head office and branches and between the branches and outlets. The financial industry has high requirements on data transmission security. If devices on the live network use IPsec to encrypt service data, tunnels need to be deployed one by one between the head office and branches and between the branches and outlets, making configuration and management far more complex. Using Xsec to encrypt the traffic, you can add or delete encryption nodes by simply configuring an Xsec router ID list. This significantly simplifies configuration and O&M.
Figure: Xsec application in the financial scenario
- Author: Qian Lili
- Updated on: 2024-10-23