Ethernet vs. IP at the edge of the Smart Grid

    Tuesday, December 8th, 2009

    In every realm of networking, from backbone transport, to enterprise LAN, to access networks, to even data centers, there are debates about the use of layer 2 (Ethernet) versus layer 3 (IP) transport. The proponents of layer 2 argue that it’s inexpensive, efficient, and supports non-IP protocols while the proponents of layer 3 argue that it’s more secure and scalable than layer 2. There are obviously different answers for different networks, but having personally developed both IP and Ethernet systems for military wireless mesh, fixed wireless access and Wi-Fi clouds, I believe that in the case of last-mile wireless access the benefits of layer 2 (Ethernet) far outweigh the problems that need to be addressed. In order to compare the pros and cons of each transport technology, let’s look at the issues with each since the benefits of one technology are often the converse of the issues with the other.

    Issues with layer 3 (IP):

    • Only IP is transported: no AppleTalk, PPPoE, broadcast device discovery, or legacy Ethernet devices such as serial/Ethernet telemetry…
    • No virtual LAN services: offering layer 2 pipes for virtual LAN services has become an extremely important offering for many service providers. IP networks do not inherently support this service, and additional equipment or protocols need to be layered on top in order to support it.
    • IP demarcation issues: the interface from the wireless access equipment must support whatever dynamic routing protocol the operator has chosen (RIP, OSPF, BGP-4, …). And, the operator may need to run a dynamic IP routing protocol in order to support client mobility (while an Ethernet system would allow learning switches to interconnect gateways for fast, transparent roaming.)
    • IP multicast support (for some types of video streaming) needs to be explicitly supported. IP multicast forwarding is very different from regular IP forwarding and involves different protocols.
    • Slower re-routing: compared to Ethernet table learning, IP dynamic routing is slow.

    Issues with layer 2 (Ethernet):

    • Scalability limitations due to a large broadcast domain and Ethernet learning table size restrictions of external switches.
    • Inter-subscriber security concerns due to layer 2 attacks directly between subscribers (ARP poisoning, rogue DHCP servers, …).
    • Subscriber-to-network security concerns from Ethernet MAC address spoofing and ARP poisoning.

    Since layer 3 is a higher-layer protocol than layer 2, the choice becomes a question of limitations versus problems: is it better to live with the limitations of an IP transport or with the problems of an Ethernet transport?

    To deal with MAC address scalability, switch learning tables have fortunately grown greatly in size. Even if an Ethernet learning table overflows, the standard behavior is to replace the oldest entry, which is often from an inactive device, and frames are still forwarded in any case (a destination no longer in the table is simply flooded), so the total number of devices supported on a network is much larger than the size of the switches’ Ethernet learning tables.

    To deal with both the large broadcast domain and the lack of security between subscribers from potential layer 2 attacks, many switches have a feature called “protected ports” (which Trilliant has implemented as “Peer to Peer Control”). This feature selectively blocks layer 2 forwarding between ports and VLANs of an Ethernet switch, or between subscribers within a virtual LAN in the SecureMesh WAN system, where the users of those ports or VLANs are not from the same administrative domain (for example, not employees of the same company). Since this control can be applied per VLAN, an operator can give some groups of subscribers direct layer 2 access while limiting the layer 2 access of other users, such as home Internet subscribers, to only the router that leads to the Internet. And if users of different protected ports or VLANs do need to communicate at layer 3 (for some cases of VoIP, gaming, file sharing, …), several simple methods allow that communication at layer 3 or above, such as the “local proxy ARP” feature of most routers or /30 IP subnetting at the subscriber level.

    With protected ports and VLANs enforced in both the wireless system and any external network switches, attacks between subscribers (such as ARP poisoning and rogue DHCP servers) can be completely avoided, and the only attacks left are those directed from subscribers at the network itself (such as at the first-hop router). These layer 2 attacks fall into two specific cases: MAC spoofing and ARP poisoning. In both, one user intentionally mimics the Ethernet MAC address of another user, which causes a temporary Denial of Service (DoS). They cannot effectively be used as data-intercept attacks, so data is not compromised. The denials of service are extremely short, especially in the case of MAC address spoofing, where the attack lasts only until the real user sends a single Ethernet frame. And since the attacker is easily identified and their access can simply be disabled, these attacks are not actually very common, and are ineffective.

    An alternative or supplementary tool that an operator can use to address many of these issues is filtering. SecureMesh WAN devices support filters that range from the Ethernet MAC layer up to the IP port level. For example, instead of (or in addition to) disabling peer-to-peer communication using protected ports, an operator can simply configure UDP port filters to block rogue DHCP servers. Having addressed these Ethernet scalability and security concerns, the edge network can take advantage of the benefits of an Ethernet transport, including:

    • Simple IP address management: IP addresses can be handed out in a number of ways (DHCP, static, PPPoE, …) and they can be assigned independently of the point of attachment.
    • Support for any protocol or device that runs over Ethernet, such as IPv4, IPv6, IP multicast, NetBIOS, AppleTalk, and legacy Ethernet devices.
    • Virtual LAN services (private LANs can be configured across the network).
    • Simple layer 2 demarcation at the base-station (no IP routing protocol requirements).
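The two behaviors argued for above, delivery surviving a learning-table overflow and protected ports blocking subscriber-to-subscriber forwarding, in a constructed learning-switch simulation. This is an added example, not Trilliant or SecureMesh code; the port names, table size and MAC addresses are made up.

```python
"""Constructed simulation of an Ethernet learning switch with a bounded
learning table (oldest entry evicted on overflow) and "protected ports"
that may only exchange frames with unprotected ports such as the uplink."""
from collections import OrderedDict

UPLINK = "uplink"  # assumed name of the port toward the first-hop router


class LearningSwitch:
    def __init__(self, table_size, protected_ports):
        self.table_size = table_size
        self.protected = set(protected_ports)
        self.table = OrderedDict()  # mac -> port; insertion order tracks age

    def learn(self, mac, port):
        if mac in self.table:
            self.table.pop(mac)  # refresh: an active device is never "oldest"
        elif len(self.table) >= self.table_size:
            self.table.popitem(last=False)  # overflow: drop the oldest entry
        self.table[mac] = port

    def forward(self, src_mac, dst_mac, in_port, all_ports):
        """Return the set of egress ports for one frame (empty = dropped)."""
        self.learn(src_mac, in_port)
        if dst_mac in self.table:
            egress = {self.table[dst_mac]}            # known: unicast
        else:
            egress = set(all_ports) - {in_port}       # unknown: flood
        if in_port in self.protected:
            egress -= self.protected  # peer-to-peer control between subscribers
        return egress


def run_scenario():
    ports = ["sub1", "sub2", UPLINK]
    sw = LearningSwitch(table_size=2, protected_ports=["sub1", "sub2"])
    A, B, R = "aa:aa", "bb:bb", "rr:rr"  # constructed subscriber/router MACs
    return [
        sw.forward(A, R, "sub1", ports),   # router unknown: flood, uplink only
        sw.forward(B, A, "sub2", ports),   # A known on sub1, but sub->sub blocked
        sw.forward(R, A, UPLINK, ports),   # table full: A evicted, A still reached
        sw.forward(A, R, "sub1", ports),   # A relearned, unicast to the uplink
    ]
```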

    An important aspect of Ethernet is that using it as a transport method does not mean a lack of IP services. IPv4, IPv6 and virtually every layer 3 protocol have an Ethernet convergence function, so if a device talks Ethernet then it can run over an Ethernet transport system without any special support from the network devices. Even if a device such as a wireless mesh node provides only Ethernet transport, it can still include an IP stack for its own communication, such as remote management. And IP-aware filters can be added to devices that are providing only an Ethernet transport service. So, Ethernet transport does not mean “no IP”.
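The IP-aware ingress controls described for an Ethernet transport node, as an added example rather than the SecureMesh implementation: a UDP port filter that stops DHCP server messages arriving from subscriber ports, and a MAC-move check that flags a subscriber MAC appearing on a second port. Port names, MACs and the drop-on-move policy are assumptions.

```python
"""Constructed subscriber-side ingress policy for an Ethernet transport node:
block rogue DHCP servers with a UDP port filter and flag MAC spoofing by
watching for a source MAC that moves between subscriber ports."""
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67  # DHCP servers send replies from UDP source port 67


@dataclass
class Frame:
    in_port: str
    src_mac: str
    udp_sport: Optional[int] = None  # None when the frame is not UDP
    udp_dport: Optional[int] = None


class SubscriberIngress:
    def __init__(self, subscriber_ports):
        self.subscriber_ports = set(subscriber_ports)
        self.owner = {}    # mac -> subscriber port it was first seen on
        self.alerts = []   # what the operator would see in a log

    def permit(self, f: Frame) -> bool:
        if f.in_port not in self.subscriber_ports:
            return True  # network side: the authorised DHCP server lives here
        # Rogue DHCP: a subscriber has no business sending from UDP port 67.
        if f.udp_sport == DHCP_SERVER_PORT:
            self.alerts.append(f"rogue DHCP server on {f.in_port} ({f.src_mac})")
            return False
        port = self.owner.setdefault(f.src_mac, f.in_port)
        if port != f.in_port:
            # Same MAC on a second subscriber port: MAC spoofing candidate.
            # Assumption: policy drops the frame; the operator can then disable
            # the offending port's access, as the post describes.
            self.alerts.append(f"MAC {f.src_mac} moved {port} -> {f.in_port}")
            return False
        return True


def run_sample():
    """Constructed frames: one legitimate client, one rogue server, one spoof."""
    ingress = SubscriberIngress(["sub1", "sub2"])
    decisions = [
        ingress.permit(Frame("sub1", "aa:aa", 68, 67)),    # DHCP DISCOVER: ok
        ingress.permit(Frame("sub2", "bb:bb", 67, 68)),    # DHCP OFFER from sub
        ingress.permit(Frame("uplink", "rr:rr", 67, 68)),  # OFFER from uplink
        ingress.permit(Frame("sub2", "aa:aa")),            # aa:aa now on sub2
    ]
    return decisions, ingress.alerts
```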
