Thinking Outside the Box: Extending 802.1x Authentication to Remote "Splitter" Ports by Combining Physical and Data Link Layer Techniques

We present a novel switched full-duplex LAN architecture which can greatly simplify the cabling requirements in areas that must support high port densities and/or are subject to frequent changes. Instead of providing a separate cable to connect each host to a dedicated port on a monolithic switch behind the wall, we emulate the shared bus topology from the early days of Ethernet by daisy-chaining a series of small network-powered “slave” bridge modules called Ethernet Splitters from a single port on the “master” switch. Our partitioned switch architecture enforces network privacy throughout the entire splitter chain, so no host can view any traffic belonging to another host. The splitters also authenticate the point of origin for every frame, independent of the value contained in its source address field thus providing the same level of security as a monolithic switch under the 802.1x Port Based Access Control protocol. 1 Why Switched LANs? In recent years, Ethernet-based Local Area Networks have been transformed. The old shared half-duplex network paradigm — in which multiple hosts must take turns transmitting frames over a common medium known as a “collision domain”, according to the well-known CSMA/CD medium access control protocol — has been replaced by a new full-duplex switched network paradigm — in which each host is connected to a separate port on an IEEE 802.1d Transparent Bridge (commonly referred to as a LAN “switch”) via a dedicated, collision free, full-duplex link segment (see Fig 1). Switching was originally conceived as a means for substantially increasing the overall capacity of a network, using filtering to avoid transmitting frames to those network segments known not to contain the destination address. We will not consider this performance advantage any further in this paper. Instead, we will focus our attention on privacy and authentications issues, and how this migration to full-duplex switched networks has enabled dramatic improvements in these areas compared to earlier half-duplex shared Ethernet systems. Switch