Understanding Media Access Control Security (MACsec)

Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.

MACsec is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.

  • At the top of the OSI networking model, there is application-layer communication security with TLS. TLS is an improved version of SSL (Secure Sockets Layer) and stands for Transport Layer Security. TLS protects web browsers, client applications, and all the applications’ communications to cloud services.
  • Lower down the stack at layer 3 there is IP security or IPsec. IPsec is typically used to protect networks, so if you’re connecting to your corporate network via a VPN, security is provided by IPsec.
  • Finally, at Layer 2 there is MACsec which is used to protect network-to-network or device-to-network connections.

How MACsec Works

When MACsec is enabled on a point-to-point Ethernet link, the link is secured after matching security keys are exchanged and verified between the interfaces at each end of the link. The key can be configured manually, or can be generated dynamically, depending on the security mode used to enable MACsec.

MACsec uses a combination of data integrity checks and encryption to secure traffic traversing the link:

  • Data integrity—MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured link. The header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.
  • Encryption—Encryption ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable. You can enable MACsec to ensure the data integrity checks are performed while still sending unencrypted data “in the clear” over the MACsec-secured link, if desired.

When MACsec is enabled on a logical interface, VLAN tags are not encrypted. All the VLAN tags configured on the logical interface enabled for MACsec are sent in clear text.

Connectivity Associations

MACsec is configured in connectivity associations. A connectivity association is a set of MACsec attributes that are used by interfaces to create two secure channels, one for inbound traffic and one for outbound traffic. The secure channels are responsible for transmitting and receiving data on the MACsec-secured link.

The connectivity association must be assigned to a MACsec-capable interface on each side of the point-to-point Ethernet link. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each link. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec.

MACsec Security Modes

MACsec can be enabled using one of the following security modes:

  • Static connectivity association key (CAK) mode
  • Static secure association key (SAK) mode
  • Dynamic secure association key (SAK) mode

BEST PRACTICE

Static CAK mode is recommended for switch-to-switch, or router-to-router, links. Static CAK mode ensures security by frequently refreshing to a new random security key and by sharing only the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are available only when you enable MACsec using static CAK security mode.

Static CAK Mode (Recommended for Switch-to-Switch Links)

When you enable MACsec using static CAK security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared only with the switch at the other end of the point-to-point link, and that SAK is used to secure all data traffic traversing the link. The key server continues to periodically create and share a new randomly-generated SAK over the point-to-point link for as long as MACsec is enabled.

NOTE

If the MACsec session is terminated due to a link failure, MKA elects a key server again when the link is restored, and that key server generates a new SAK.

To enable MACsec in static CAK mode, you have to configure a connectivity association on both ends of the link. The secure channels are automatically created. These secure channels do not have any user-configurable parameters; all configuration is done within the connectivity association but outside of the secure channel.

Static SAK Security Mode

Static SAK security mode can be used to secure switch-to-switch links. Use this mode only if you have a compelling reason to use it instead of static CAK mode, which is the recommended mode for switch-to-switch links.

In static SAK security mode, one of up to two manually configured SAKs is used to secure data traffic on the point-to-point Ethernet link. All SAK names and values are configured by the user; there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

To enable MACsec in static SAK mode, you must configure a connectivity association, and configure the secure channels within that connectivity association. A typical connectivity association for static SAK mode contains two secure channels that have each been configured with two manually-configured SAKs.
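The following is an added example, not code from the page, Juniper, or Rambus. It simulates one connectivity association with an outbound and an inbound secure channel, so that the mechanics described above become concrete: the 8-byte SecTAG header and 16-byte ICV tail on every frame, the receiver dropping a frame whose integrity check fails, strict packet-number replay protection, and static-SAK-style rotation between two manually configured keys selected by the association number (AN) carried in the SecTAG. Assumptions: the standard computes the ICV with GCM-AES-128, which the Python standard library lacks, so HMAC-SHA256 truncated to 16 bytes stands in as the integrity primitive; encryption (the E and C bits) is left off, which is the integrity-only configuration the page describes; the keys, MAC addresses and payloads are constructed, and the class and function names are hypothetical.

```python
# Added example: MACsec SecTAG/ICV handling, replay check and two-key rotation.
# Stand-in: HMAC-SHA256[:16] replaces GCM-AES-128 as the ICV primitive (stdlib only).
import hmac
import hashlib
import struct

MACSEC_ETHERTYPE = 0x88E5
SECTAG_LEN = 8        # EtherType(2) + TCI/AN(1) + short length(1) + PN(4); no explicit SCI
ICV_LEN = 16
SHORT_LEN_LIMIT = 48  # SL is only set when the secured payload is shorter than this


class MacsecError(Exception):
    pass


def build_sectag(an: int, pn: int, payload_len: int) -> bytes:
    """8-byte SecTAG: EtherType 0x88E5, TCI/AN byte, SL byte, 32-bit packet number."""
    if not 0 <= an <= 3:
        raise ValueError("AN is a 2-bit field")
    if not 1 <= pn <= 0xFFFFFFFF:
        raise ValueError("PN must be non-zero and fit in 32 bits")
    tci_an = an & 0x03            # V=ES=SC=SCB=E=C=0: integrity only, no SCI carried
    sl = payload_len if payload_len < SHORT_LEN_LIMIT else 0
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)


def compute_icv(sak: bytes, dst: bytes, src: bytes, sectag: bytes, payload: bytes) -> bytes:
    """The ICV covers destination/source MAC, the SecTAG and the (clear) payload."""
    return hmac.new(sak, dst + src + sectag + payload, hashlib.sha256).digest()[:ICV_LEN]


class TxSecureChannel:
    """Outbound channel: the configured SAKs keyed by AN, plus the next packet number."""

    def __init__(self, src_mac: bytes, saks: dict):
        self.src = src_mac
        self.saks = dict(saks)   # {an: key}; two entries for static SAK mode
        self.an = min(saks)
        self.next_pn = 1

    def rotate(self, an: int) -> None:
        """Switch to the other configured key; a fresh SA restarts the PN at 1."""
        if an not in self.saks:
            raise MacsecError(f"no SAK configured for AN {an}")
        self.an = an
        self.next_pn = 1

    def protect(self, dst: bytes, payload: bytes) -> bytes:
        sectag = build_sectag(self.an, self.next_pn, len(payload))
        icv = compute_icv(self.saks[self.an], dst, self.src, sectag, payload)
        self.next_pn += 1
        return dst + self.src + sectag + payload + icv


class RxSecureChannel:
    """Inbound channel: verifies the ICV, then enforces replay protection (window 0)."""

    def __init__(self, saks: dict):
        self.saks = dict(saks)
        self.lowest_pn = {an: 1 for an in saks}   # next acceptable PN per AN

    def verify(self, frame: bytes) -> bytes:
        if len(frame) < 12 + SECTAG_LEN + ICV_LEN:
            raise MacsecError("frame too short to carry a SecTAG and ICV")
        dst, src = frame[:6], frame[6:12]
        sectag = frame[12:12 + SECTAG_LEN]
        ethertype, tci_an, sl, pn = struct.unpack("!HBBI", sectag)
        if ethertype != MACSEC_ETHERTYPE:
            raise MacsecError("not a MACsec frame")
        if tci_an & 0x0C:
            raise MacsecError("encrypted frames are outside this integrity-only example")
        an = tci_an & 0x03
        if an not in self.saks:
            raise MacsecError(f"no SAK for AN {an}")
        payload, icv = frame[12 + SECTAG_LEN:-ICV_LEN], frame[-ICV_LEN:]
        if sl and sl != len(payload):
            raise MacsecError("short length field does not match payload")
        expected = compute_icv(self.saks[an], dst, src, sectag, payload)
        if not hmac.compare_digest(expected, icv):
            raise MacsecError("ICV mismatch: frame modified or wrong key")
        if pn < self.lowest_pn[an]:                 # integrity passed; now reject replays
            raise MacsecError(f"replayed frame: PN {pn} below {self.lowest_pn[an]}")
        self.lowest_pn[an] = pn + 1
        return payload


def demo() -> dict:
    """Constructed keys and traffic; returns True/False per check."""
    saks = {0: bytes.fromhex("00" * 15 + "01"), 1: bytes.fromhex("00" * 15 + "02")}  # constructed
    switch_a, switch_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    tx, rx = TxSecureChannel(switch_a, saks), RxSecureChannel(saks)
    results = {}
    frame = tx.protect(switch_b, b"ARP-request-in-the-clear")
    results["accepted"] = rx.verify(frame) == b"ARP-request-in-the-clear"
    results["tag_len"] = len(frame) - 12 - len(b"ARP-request-in-the-clear") == SECTAG_LEN + ICV_LEN
    try:                                  # the same frame delivered a second time
        rx.verify(frame)
        results["replay_rejected"] = False
    except MacsecError:
        results["replay_rejected"] = True
    tampered = bytearray(tx.protect(switch_b, b"payload"))
    tampered[12 + SECTAG_LEN] ^= 0x01     # flip one bit of the first payload byte
    try:
        rx.verify(bytes(tampered))
        results["tamper_rejected"] = False
    except MacsecError:
        results["tamper_rejected"] = True
    tx.rotate(1)                          # static SAK mode: move to the second configured key
    results["rotated_accepted"] = rx.verify(tx.protect(switch_b, b"after-rotation")) == b"after-rotation"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Both sides hold the same two keys and agree on which AN is current, which is exactly the "matching name and value on the interface at the other end" requirement of static SAK mode; with a real key server (static CAK mode) the keys in `saks` would instead be distributed by MKA, and the receiver logic would not change.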

Dynamic SAK Security Mode

Use dynamic SAK security mode to enable MACsec on a switch-to-host link. The endpoint device must support MACsec and must be running software that allows it to enable a MACsec-secured connection.

When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

A secure association using dynamic SAK security mode must be configured on the switch’s Ethernet interface that connects to the host in order for the switch to create a MACsec-secured connection after receiving the MKA keys from the RADIUS server.

The RADIUS server must be using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in order to support MACsec. RADIUS servers that support only other widely-used authentication frameworks, such as password-only or MD5, cannot be used to support MACsec. In order to enable MACsec on a switch to secure a connection to a host, you must be using 802.1X authentication on the RADIUS server, and MACsec must be configured in dynamic SAK mode.

To enable MACsec in dynamic SAK mode, you have to configure a connectivity association on both ends of the link. The secure channels are automatically created. These secure channels do not have any user-configurable parameters; all configuration is done within the connectivity association but outside of the secure channel.

Ref:

https://www.rambus.com/blogs/macsec/

https://www.juniper.net/documentation/en_US/junos/topics/concept/macsec.html