Against: man-in-the-middle (MITM) attacks on the link

        Reading the data in transit compromises the confidentiality of the data.

        Altering the data in transit compromises the integrity of the data.

MACsec: runs on a point-to-point Ethernet link

            Encrypts and

            authenticates the frames.

            Uses the Advanced Encryption Standard in GCM mode (the default).

            Works at Layer 2 and protects both data and control traffic: LLDP, LACP, DHCP, ARP.

Feature license

AES: Advanced Encryption Standard


Workflow

1- Exchange the pre-shared key: CKN + CAK, identical on both ends.
   CKN: Connectivity Association Name
   CAK: Connectivity Association Key

>> A secure channel is created for the exchange of the SAK.

   One of the two ends becomes the key server.

   The exchange uses MKA, the MACsec Key Agreement protocol.

2- The key server sends the SAK (Security Association Key).

   Two secure channels are created: Tx and Rx.

   Data encryption: the SAK is used to encrypt the traffic.

3- Overhead added to the MAC frame:

   +8 byte header

   +16 byte trailer

   MTU + 32 bytes on the MAC frame
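The "encrypt and authenticate" property and the overhead figures above are easiest to see on a real frame. The Go program below is an added example written for these notes, not code from this page or from Juniper. It wraps constructed Ethernet user data (original EtherType plus payload) in a MACsec-style SecTAG, protects it with GCM-AES-128 under a constructed 16-byte SAK, and then shows that a single bit flipped in transit makes validation fail. Following IEEE 802.1AE, the destination and source addresses and the SecTAG are authenticated but not encrypted (GCM associated data), the user data is encrypted, the 16-byte ICV is the trailer, and the GCM nonce is SCI || PN. The 8-byte SecTAG grows to 16 bytes when the 8-byte SCI is carried in it, which is where the 32-byte total (16 + 16) comes from; without the SCI it is 24. Key, MAC addresses, SCI and payload are all constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macsecEtherType = 0x88E5 // IEEE 802.1AE EtherType carried in the SecTAG
	secTagLenNoSCI  = 8      // EtherType(2) + TCI/AN(1) + SL(1) + PN(4)
	secTagLenSCI    = 16     // the above plus the 8-byte SCI
	icvLen          = 16     // GCM-AES authentication tag appended as the trailer
	tciSC           = 0x20   // TCI bit: SCI is present in the SecTAG
	tciE            = 0x08   // TCI bit: user data is encrypted
	tciC            = 0x04   // TCI bit: user data is changed (not plaintext)
)

// FrameOverhead returns how many bytes MACsec adds to a plain Ethernet frame.
func FrameOverhead(withSCI bool) int {
	if withSCI {
		return secTagLenSCI + icvLen // 32
	}
	return secTagLenNoSCI + icvLen // 24
}

// buildSecTAG assembles the SecTAG for association number an and packet number pn.
func buildSecTAG(an byte, pn uint32, sci [8]byte, withSCI bool) []byte {
	tag := make([]byte, secTagLenNoSCI, secTagLenSCI)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = tciE | tciC | (an & 0x03)
	if withSCI {
		tag[2] |= tciSC
	}
	tag[3] = 0 // SL=0: user data is not a short (<48 byte) frame
	binary.BigEndian.PutUint32(tag[4:8], pn)
	if withSCI {
		tag = append(tag, sci[:]...)
	}
	return tag
}

// Protect builds DA|SA|SecTAG|ciphertext|ICV. DA, SA and the SecTAG stay in the
// clear but are covered by the ICV; the nonce is SCI||PN, which is why a PN must
// never repeat under the same SAK.
func Protect(sak []byte, dst, src [6]byte, sci [8]byte, an byte, pn uint32, withSCI bool, userData []byte) ([]byte, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	secTag := buildSecTAG(an, pn, sci, withSCI)
	aad := append(append(append([]byte{}, dst[:]...), src[:]...), secTag...)
	nonce := append(append([]byte{}, sci[:]...), secTag[4:8]...)
	sealed := gcm.Seal(nil, nonce, userData, aad) // ciphertext || ICV
	return append(aad, sealed...), nil
}

// Validate checks the ICV and decrypts. knownSCI is used when the SecTAG omits
// the SCI, as point-to-point links may. Any change to DA, SA, the SecTAG, the
// ciphertext or the ICV makes Open fail: that is the integrity guarantee.
func Validate(sak []byte, knownSCI [8]byte, frame []byte) ([]byte, error) {
	if len(frame) < 12+secTagLenNoSCI+icvLen {
		return nil, errors.New("frame too short for MACsec")
	}
	if binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType {
		return nil, errors.New("not a MACsec frame")
	}
	tagLen, sci := secTagLenNoSCI, knownSCI
	if frame[14]&tciSC != 0 {
		if len(frame) < 12+secTagLenSCI+icvLen {
			return nil, errors.New("truncated SecTAG")
		}
		tagLen = secTagLenSCI
		copy(sci[:], frame[20:28])
	}
	aad := frame[:12+tagLen]
	nonce := append(append([]byte{}, sci[:]...), frame[16:20]...) // SCI || PN
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, frame[12+tagLen:], aad)
}

// Demo round-trips a constructed frame and shows one flipped bit being detected.
func Demo() (overhead int, tamperDetected bool, err error) {
	sak := bytes.Repeat([]byte{0x11}, 16)                 // constructed SAK, not a real key
	dst := [6]byte{0x01, 0x80, 0xC2, 0x00, 0x00, 0x0E}    // LLDP multicast: control traffic
	src := [6]byte{0x00, 0x05, 0x86, 0x12, 0x34, 0x56}    // constructed source MAC
	sci := [8]byte{0x00, 0x05, 0x86, 0x12, 0x34, 0x56, 0x00, 0x01} // source MAC || port 1
	userData := []byte("\x88\xccLLDP payload (constructed)")       // original EtherType + data
	frame, err := Protect(sak, dst, src, sci, 0, 1, true, userData)
	if err != nil {
		return 0, false, err
	}
	overhead = len(frame) - (12 + len(userData))
	if _, err = Validate(sak, sci, frame); err != nil {
		return 0, false, err
	}
	tampered := append([]byte{}, frame...)
	tampered[12+secTagLenSCI] ^= 0x01 // flip one ciphertext bit "in transit"
	_, err = Validate(sak, sci, tampered)
	return overhead, err != nil, nil
}

func main() {
	overhead, detected, err := Demo()
	fmt.Printf("overhead=%d bytes, tamper detected=%v, err=%v\n", overhead, detected, err)
}
```

Run it as-is and it reports a 32-byte overhead (SecTAG with SCI plus ICV) and that the altered frame is rejected; pass `withSCI=false` to `Protect` to see the 24-byte case, where the receiver must already know the peer's SCI.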

Check License

show system license | match macsec
Configuration

CKN

Enter the CKN (64 bits?) or Connectivity Association Name:

set security macsec ca1 pre-shared-key ckn <key is a long hex number>


CAK

Static CAK:

set security macsec ca1 security-mode static-cak

Enter the CAK (32 bits) or Connectivity Association Key:

set security macsec ca1 pre-shared-key cak <key is a long hex number>
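The CKN and CAK are long hex strings that must be typed identically on both ends, and the open questions above about their lengths are worth settling before a key reaches a production link. The Go program below is an added example for these notes, not Juniper's code. It checks a CKN/CAK pair against the limits from IEEE 802.1X and the Junos static-CAK configuration (CKN: an even-length hex string of up to 64 hex digits, i.e. up to 32 bytes; CAK: 32 hex digits for GCM-AES-128, 64 for GCM-AES-256), rejects values that are an obvious repeating pattern rather than CSPRNG output, and only then renders the `set security macsec ...` commands in the form used on this page. The sample CKN and CAK are constructed for the example (the CAK is the well-known AES test-vector key), and the connectivity association name `ca1` is taken from the page.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Required CAK length in hex digits per cipher suite: the CAK is a raw key,
// so 128 bits = 32 hex digits and 256 bits = 64 hex digits.
var cakHexDigits = map[string]int{
	"gcm-aes-128": 32,
	"gcm-aes-256": 64,
}

// maxCKNHexDigits is the 32-byte CKN limit from IEEE 802.1X, as hex digits.
const maxCKNHexDigits = 64

// isHex accepts only even-length hexadecimal strings.
func isHex(s string) bool {
	_, err := hex.DecodeString(s)
	return err == nil
}

// looksWeak flags values an operator might type by hand: a single repeated
// hex digit or a short pattern (period 2, 4 or 8) repeated across the key.
func looksWeak(s string) bool {
	s = strings.ToLower(s)
	for _, period := range []int{1, 2, 4, 8} {
		if len(s) <= period {
			continue
		}
		repeating := true
		for i := period; i < len(s); i++ {
			if s[i] != s[i-period] {
				repeating = false
				break
			}
		}
		if repeating {
			return true
		}
	}
	return false
}

// ValidateCKN checks the Connectivity Association Name.
func ValidateCKN(ckn string) error {
	switch {
	case ckn == "":
		return errors.New("CKN is empty")
	case !isHex(ckn):
		return errors.New("CKN must be an even-length hexadecimal string")
	case len(ckn) > maxCKNHexDigits:
		return fmt.Errorf("CKN is %d hex digits; maximum is %d", len(ckn), maxCKNHexDigits)
	}
	return nil
}

// ValidateCAK checks the Connectivity Association Key for the given cipher suite.
func ValidateCAK(cak, cipherSuite string) error {
	want, ok := cakHexDigits[strings.ToLower(cipherSuite)]
	if !ok {
		return fmt.Errorf("unknown cipher suite %q", cipherSuite)
	}
	if !isHex(cak) {
		return errors.New("CAK must be an even-length hexadecimal string")
	}
	if len(cak) != want {
		return fmt.Errorf("CAK is %d hex digits; %s needs %d", len(cak), cipherSuite, want)
	}
	if looksWeak(cak) {
		return errors.New("CAK is a repeating pattern; generate it from a CSPRNG")
	}
	return nil
}

// RenderStaticCAK validates both values and returns the set commands in the
// form used on this page; caName is the connectivity association name.
func RenderStaticCAK(caName, ckn, cak, cipherSuite string) ([]string, error) {
	if err := ValidateCKN(ckn); err != nil {
		return nil, err
	}
	if err := ValidateCAK(cak, cipherSuite); err != nil {
		return nil, err
	}
	return []string{
		fmt.Sprintf("set security macsec %s security-mode static-cak", caName),
		fmt.Sprintf("set security macsec %s pre-shared-key ckn %s", caName, ckn),
		fmt.Sprintf("set security macsec %s pre-shared-key cak %s", caName, cak),
	}, nil
}

func main() {
	// Constructed sample values; the CAK is the public AES-128 test-vector key.
	ckn := "f3d1a9c27e4b608d5a7c9e1b3f5d7a9c2e4f6a8c0b1d3f5e7a9c1b3d5f7e9a0c"
	cak := "2b7e151628aed2a6abf7158809cf4f3c"
	cmds, err := RenderStaticCAK("ca1", ckn, cak, "gcm-aes-128")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(strings.Join(cmds, "\n"))
}
```

Run the same pair through both ends' configuration generators and compare the rendered lines: a CKN or CAK that differs on one side is the usual reason the MKA session never comes up and `show security macsec connections` stays empty.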


Show commands

show security macsec connections

>> default cipher suite: GCM-AES-128

GCM: Galois/Counter Mode, which provides authentication as well as encryption

AES: Advanced Encryption Standard