Against: Man In The Middle or MITM
compromising the confidentiality of the data
Altering the data in the transit = compromising data integrity
MACsec: on P2P ethernet link
Encrypt and
Authenticate
Use the advance encryption standard: gcm mode ( default)
work at Layer 2 and protect: Data and control traffic : LLDP, LACP, DHCP, ARP
Feature License
AES or Advanced Encryption Standard
| Workflow | |
|---|---|
| 1- Exchange pre-shared key: CKN + CAK | CKN or Connectivity Association Name |
| (same bot end) | CAK or Connectivity Association Key |
| >> Secure channel created for exchange of the SAK | |
| One will become the Key-server | use the MKA Macsec Key Agreement Protocol |
| 2- key-server will send the SAK | SAK or Security Association key |
| Data encryption | using the SAK to encrypt traffic |
3- +8 Byte Header +16 Byte trail MTU + 32 Bytes to the Mac frame | |
| Check License | |
|---|---|
| show system license | match macsec | |
| Configuration | |
| CKN | Link |
Enter the CKN ( 64bits ?? ) or Connectivity Association Name | set security macsec ca1 pre-shared-key ckn <key is a long hex number> |
| CAK | Link |
Static CAK | set security macsec ca1 security-mode static-cak |
Enter the CAK ( 32 bits ) or Connectivity Association Key | set security macsec ca1 pre-shared-key cak <key is a long hex number> |
| Show commands | |
| show security macsec connections | |
>> default: GCM-AES-128 GCM: Galois/Counter Mode Authentication ? AES: Adv Encryption Standard | |