Against: Man In The Middle (MITM)
MITM compromises the confidentiality of the data
Altering the data in transit = compromising data integrity
MACsec: on a point-to-point (P2P) Ethernet link
Encrypts and
Authenticates
Uses the Advanced Encryption Standard (AES) in GCM mode (default)
Works at Layer 2 and protects data and control traffic: LLDP, LACP, DHCP, ARP
Feature license required
AES = Advanced Encryption Standard
Workflow | Notes
---|---
1- Exchange the pre-shared key: CKN + CAK (same on both ends) | CKN = Connectivity Association Name; CAK = Connectivity Association Key
>> A secure channel is created for the exchange of the SAK | Uses the MKA (MACsec Key Agreement) protocol; one side becomes the key server
2- The key server sends the SAK | SAK = Security Association Key
Creates 2 channels: Tx and Rx | Data encryption: the SAK is used to encrypt traffic
3- +8 Byte header + 16 Byte trailer: MTU + 32 Bytes on the MAC frame | 
will cre | 
Check License | Junos command
---|---
Verify the MACsec feature license | `show system license \| match macsec`
Configuration | Junos command
---|---
CKN: enter the CKN (64 bits ??) or Connectivity Association Name | `set security macsec connectivity-association ca1 pre-shared-key ckn <key is a long hex number>`
CAK: static CAK mode | `set security macsec connectivity-association ca1 security-mode static-cak`
CAK: enter the CAK (32 bits) or Connectivity Association Key | `set security macsec connectivity-association ca1 pre-shared-key cak <key is a long hex number>`
Show commands | `show security macsec connections`
>> Default cipher suite: GCM-AES-128 (GCM: Galois/Counter Mode, authentication ?; AES: Advanced Encryption Standard) | 
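Added example (not Juniper code and not from these notes) of what steps 2-3 and the GCM-AES-128 default mean on the wire, written in Go with only the standard library. The SAK, SCI and header bytes are constructed sample values, and the header is a simplified stand-in for the real SecTAG.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed sample SAK (16-byte AES-128 key) and SCI; on a real link MKA hands out the SAK.
var sak = []byte("0123456789abcdef")
var sci = []byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x01}

// gcmNonce follows the 802.1AE rule that the GCM IV is SCI (8 bytes) || PN
// (4 bytes); the incrementing packet number keeps it unique under one SAK.
func gcmNonce(pn uint32) []byte {
	n := make([]byte, 12)
	copy(n, sci)
	binary.BigEndian.PutUint32(n[8:], pn)
	return n
}

func newGCM() cipher.AEAD { // GCM-AES-128, the default suite in the notes
	block, err := aes.NewCipher(sak)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// protect models the Tx channel: the clear header (stand-in for the SecTAG) is
// authenticated only; the payload is encrypted, and Seal appends the 16-byte ICV.
func protect(pn uint32, header, payload []byte) []byte {
	ct := newGCM().Seal(nil, gcmNonce(pn), payload, header)
	return append(append([]byte{}, header...), ct...)
}

// unprotect models Rx: any in-transit change to header, payload or ICV makes Open fail.
func unprotect(pn uint32, frame []byte, hdrLen int) ([]byte, error) {
	return newGCM().Open(nil, gcmNonce(pn), frame[hdrLen:], frame[:hdrLen])
}

func main() {
	hdr, data := []byte{0x88, 0xe5, 0x2c, 0x00}, []byte("LLDP or ARP payload")
	frame := protect(1, hdr, data)
	frame[len(frame)-1] ^= 0x01 // a MITM flips one bit of the ICV trailer
	_, err := unprotect(1, frame, len(hdr))
	fmt.Println("tampered frame rejected:", err != nil)
}
```

The 16 bytes that Seal appends are the ICV trailer from step 3; the header bytes stay readable on the wire but any change to them is caught at the receiver.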