Using the 802.1x standard to secure nextgen multimedia VoIP phones
By Sebastien Brun
Embedded.com
(10/07/08, 12:15:00 AM EDT)
Foiling attempts to plug an unauthorized device directly into a local area network (LAN) has been the purview of the IEEE's 802.1x standard since it was introduced in 2001. Without the protection of 802.1x, hackers and other security risks might be able to wreak havoc not only on the LAN itself but also on wider Internet Protocol (IP) networks.

Of course, this becomes increasingly critical as more and more devices such as IP phones connect to LANs and access the Internet through applications like Voice over IP (VoIP).

Plug-In Authentication
The main tenet behind 802.1x is that any device that is plugged into a network must be authenticated before any regular data traffic occurs. As soon as the network cable from a device like a laptop computer or an IP phone is physically plugged into a network or as soon as a device attempts to gain access to a wireless Wi-Fi network, 802.1x must determine the identity of the device and whether it is authorized to access that network.

802.1x is limited to authenticating physical connections at the Data Link layer (Layer 2 of the OSI model). Built on the Extensible Authentication Protocol (EAP), 802.1x offers no security for any of the data communications once it has authorized the connection.

Three entities come into play in every 802.1x authentication process. The standard calls any device that plugs into a network a supplicant because it must first seek and be granted authorization to access the network.

The entity that is responsible for the 802.1x authentication process is called the authenticator; in many cases this is an Ethernet switch on the LAN. The process is completed by an authenticating server, which determines whether the supplicant's traffic over the network can be authorized.

How it Works
Typically, all traffic on an unoccupied network access point, such as a port on a wired or wireless Ethernet switch, is blocked until the 802.1x authentication process has completed. The blocked traffic includes all configuration mechanisms, such as the Dynamic Host Configuration Protocol (DHCP), as well as any other traffic such as HTTP data. When a device is plugged into the network and detected, the port on the switch is set to "unauthorized" and only 802.1x traffic is allowed.

As a first step in the 802.1x process, the authenticator requests the identity of the supplicant. When the supplicant responds with a packet containing its identity, the authenticator forwards this information to the authenticating server, where the request for authentication and authorization for access to the network is either accepted or rejected. The authenticating server applies its authentication rules to make this determination.

When a request for authentication is accepted by the authenticating server, the authenticator sets the access port to 'authorized' and normal network traffic can begin. Should the supplicant log off or simply unplug its network cable from the network, the authenticator is notified and the status of the port is returned to an unauthorized state where only 802.1x traffic is allowed until another 802.1x authorization process has been completed. (Figure 1 below)

Figure 1. 802.1x sets up connected devices for authentication

The messages that comprise the authorization process conform to EAP, which was developed by the Internet Engineering Task Force (IETF) in 1998 as RFC2284 and updated in 2004 as RFC3748. The messages between the supplicant device and the authenticator are carried in a certain EAP packet format known as EAP over LAN (EAPoL).

The messages between the authenticator and the authenticating server are formulated into a format that is understood by the authenticating server. For example, these messages are often encapsulated into EAP over RADIUS (EAPoR) packets if the authenticating server is a RADIUS server, a popular type of 802.1x authenticating server.

Generally, the supplicant software for initiating 802.1x authentication is embedded in the operating system (OS) on practically all PCs. For example, 802.1x supplicant software is contained in the most popular OSs, including Windows XP, Windows Vista, Windows 2000 (Service Pack 3), and Linux.

If this software is not included in the version of Linux present on the device, it can be added (wpa_supplicant). Other types of Ethernet devices also include 802.1x supplicant software and practically all Ethernet switches have authenticator software.

Some Limitations
It should be remembered that the security offered by 802.1x is limited to some degree. For example, there is a gap in 802.1x protection if an Ethernet hub is inserted between an authenticated supplicant and the network. When this occurs, other devices connected to the hub can access the network.

Ethernet switch suppliers have taken steps to fill this gap in the standard by blocking traffic on a port if the media access control (MAC) address of the supplicant changes. It is worthwhile noting that 802.1x is under revision to facilitate secure communication over publicly accessible LANs/MANs, as well as allow its use in additional applications.
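The port behaviour described under "How it Works" and the MAC-change mitigation just mentioned, modelled as an added example (not code from the article or from any switch vendor): a minimal authenticator port that parses EAPoL frames, keeps the port unauthorized until the authenticating server accepts the identity, and re-blocks it on EAPOL-Logoff or when the source MAC changes. The allowed-identity set stands in for the RADIUS server and is a constructed assumption.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")  # EAPoL destination MAC

# Constructed stand-in for the authenticating (e.g. RADIUS) server's rule base.
ALLOWED_IDENTITIES = {"ipphone-0042", "alice@example.com"}

def auth_server_accepts(identity: str) -> bool:
    return identity in ALLOWED_IDENTITIES

class Port:
    def __init__(self):
        self.authorized = False      # authenticator-side state of one switch port
        self.supplicant_mac = None

    def handle_frame(self, frame: bytes) -> str:
        """Return what the authenticator does with one Ethernet frame on this port."""
        src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
        if ethertype != ETHERTYPE_EAPOL:
            if not self.authorized:
                return "drop: port unauthorized"  # DHCP, HTTP, ... all blocked
            if src != self.supplicant_mac:
                self.authorized = False  # hub behind the port: re-block on MAC change
                return "drop: MAC changed, port re-blocked"
            return "forward"
        _version, ptype, length = struct.unpack("!BBH", frame[14:18])
        body = frame[18:18 + length]
        if ptype == EAPOL_START:
            return "send EAP-Request/Identity"
        if ptype == EAPOL_LOGOFF:
            self.authorized = False
            return "port unauthorized (logoff)"
        if ptype == EAPOL_EAP_PACKET and len(body) >= 5:
            code, _id, eap_len, eap_type = struct.unpack("!BBHB", body[:5])
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                identity = body[5:eap_len].decode()
                if auth_server_accepts(identity):  # relayed as EAPoR in practice
                    self.authorized, self.supplicant_mac = True, src
                    return f"EAP-Success: {identity} authorized"
                return f"EAP-Failure: {identity} rejected"
        return "drop: unsupported EAPoL"

def eapol_frame(src: bytes, ptype: int, body: bytes = b"") -> bytes:
    # EAPoL (version 1) frame addressed to the PAE group address
    return PAE_GROUP_ADDRESS + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, 1, ptype, len(body)) + body

def identity_response(identity: str, eap_id: int = 1) -> bytes:
    data = identity.encode()  # EAP length covers code, id, length, type and data
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
```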

The 802.1x standard was never truly intended to offer security beyond authenticating and authorizing physical connections to a network. As a result, once a device has been authenticated and communication commences, 802.1x does not offer security on any of the ensuing data traffic.

It is imperative that the security supported by 802.1x be supplemented by other measures such as the IP Security (IPSec) standard for authenticating and/or encrypting packets. 802.1AE (Media Access Control Security) together with 802.1af (Authenticated Key Agreement for MACSec) can also be used for data encapsulation, encryption and authenticity with key management.

Authenticating IP Phones
An IP phone is essentially an Ethernet device with all of the capabilities needed for VoIP as well as other functionality. Some IP phones have been enhanced significantly with processing power and other resources for additional applications above and beyond voice.

Most IP phones plug directly into the LAN, but they include another LAN port to which another device may be daisy-chained. IP phone manufacturers reason that most offices have only one Ethernet plug in the wall. The IP phone can be plugged directly into the office's LAN via this plug and then the user's PC can access the LAN via the IP phone's second network port.

Most IP phones feature an internal Ethernet switching device to support two connections to the LAN. Within the context of 802.1x, both the IP phone and the PC must be authenticated before they are able to send regular traffic over the LAN. This means that they both must have 802.1x supplicant capabilities and the internal Ethernet switch of the IP phone has to be able to pass 802.1x traffic to the PC (Figure 2, below).

Figure 2. Both devices must have 802.1X capability for full security

In some cases, to enable the authentication of a PC or any other device connected to the IP phone's LAN port, the Ethernet switch in the IP phone must be configured to allow the forwarding of reserved multicast packets.
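Why that configuration is needed, as an added example (not code from the article or from any phone vendor): 802.1D reserves the group addresses 01-80-C2-00-00-00 through 0F and a bridge normally never forwards them, while EAPoL is sent to 01-80-C2-00-00-03 (the PAE group address). The two-port model below shows the exception the phone's internal switch must make for exactly that address and Ethertype so a daisy-chained PC can authenticate; the port names are assumptions.

```python
ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")
RESERVED_PREFIX = bytes.fromhex("0180c20000")  # 802.1D reserved range: last byte 00..0F
UPLINK, PC_PORT, PHONE_PAE = "uplink", "pc_port", "phone_pae"  # assumed names

def is_reserved_group_address(dst: bytes) -> bool:
    return dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F

def phone_switch_egress(ingress: str, frame: bytes, eapol_passthrough: bool) -> set:
    """Where the phone's internal switch delivers a frame that entered on `ingress`."""
    dst = frame[:6]
    ethertype = int.from_bytes(frame[12:14], "big")
    other_port = PC_PORT if ingress == UPLINK else UPLINK
    if not is_reserved_group_address(dst):
        return {other_port}          # ordinary traffic: plain two-port bridging
    if dst != PAE_GROUP_ADDRESS or ethertype != ETHERTYPE_EAPOL:
        return set()                 # any other reserved multicast is never forwarded
    # the phone's own supplicant only listens to EAPoL arriving from the authenticator
    egress = {PHONE_PAE} if ingress == UPLINK else set()
    if eapol_passthrough:
        egress.add(other_port)       # relay EAPoL between authenticator and the PC
    return egress
```

Without pass-through the PC's EAPoL frames never reach the authenticator, so the PC stays on an unauthorized port even though the phone itself authenticated.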

At the very least, the IP phone itself must support 802.1x supplicant software. The two most dominant embedded operating systems (OS) in IP phones include supplicant capabilities for both the IP phone and devices plugged into the phone's second Ethernet port.

In its Platform for Customer Device (PCD) 3.2, VxWorks from Wind River includes 802.1x LAN supplicant software, which performs 802.1x authentication for both the IP phone and any network devices connected to its LAN port.

Under Linux, a supplicant module (wpa_supplicant, GPLv2/BSD license) can be added to the IP phone's OS; this module handles the 802.1x authentication process for the IP phone and relays the 802.1x packets to the network device plugged into the second network port, which allows that device to be 802.1x authenticated as well.

The Workhorse
The flashy story that catches the headlines regarding 802.1x focuses on the spec as a gateway to next-generation multimedia applications. In fact, the 802.1x standard's greatest and often overlooked value is in authenticating and authorizing physical connections to a network.

As a growing number of devices that consumers and businesses depend on access the Internet through advanced applications like VoIP, security remains an essential component of effective communication.

Since its introduction, the IEEE's 802.1x standard has provided advanced protection against prospective hackers, because any device that is plugged into a network must be authenticated before any regular data traffic occurs. Protecting both the LAN and the wider IP network, 802.1x is the always-on gatekeeper for users' network connections.

Sébastien Brun is a Software Application expert for VoIP (Voice over Internet Protocol) at Texas Instruments. He has worked in several positions supporting and training customers to bring their VoIP systems to market, making them successful in their business. Sébastien earned his degree from the Ecole Polytechnique Universitaire de Nice Sophia-Antipolis. Sébastien is currently working in the Communications Infrastructure and Voice teams within the DSP Systems Group at Texas Instruments Inc.