
    Understanding Media Access Control Security (MACsec) on MX Series Routers

    Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication on Ethernet links. MACsec provides confidentiality, replay protection, and data integrity on Ethernet links between nodes. MACsec is standardized in IEEE 802.1AE.

    Starting with Junos OS Release 15.1, MACsec enables you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.

    This topic contains the following sections:

    How MACsec Works

    Media Access Control Security (MACsec) provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after security keys are matched at the endpoints of the links. If you enable MACsec by using the static connectivity association key (CAK) security mode, user-configured, preshared keys are matched. If you enable MACsec by using the static secure association key (SAK) security mode, user-configured static security association keys are matched. On MX Series routers, you enable MACsec by using the static CAK security mode. See Configuring Media Access Control Security (MACsec) on MX Series Routers.

    After you enable MACsec on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

    The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

    The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable; you can enable MACsec to ensure the data integrity checks are performed while still sending unencrypted data over the MACsec-secured link.

    Typically, MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. If you want to enable MACsec on multiple Ethernet links, such as aggregated Ethernet interface bundles, you must configure MACsec individually on each point-to-point Ethernet link.

    You can use the set security macsec connectivity-association connectivity-association-name exclude-protocol statement to specify protocols whose packets are not secured by Media Access Control Security (MACsec) when MACsec is enabled on a link using static connectivity association key (CAK) security mode. When this option is configured in a connectivity association that is attached to an interface, packets of the specified protocols that are sent and received on the link bypass MACsec entirely.

    Understanding Connectivity Associations and Secure Channels

    MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface. Secure channels are responsible for transmitting and receiving data on the MACsec-enabled link and also responsible for transmitting SAKs across the link to enable and maintain MACsec.

    When you enable MACsec using static CAK, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically created secure channels do not have any user-configurable parameters; the secure channel configuration is derived from the connectivity association settings.

    Understanding Static Connectivity Association Key Security Mode (Security Mode for Router-to-Router Links)

    When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link.

    You initially establish a MACsec-secured link using a preshared key when you are using static CAK security mode to enable MACsec. A preshared key includes a connectivity association name (CKN) and a connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

    The preshared keys must be configured on the endpoints of the link, and the keys must be in agreement with each other. The MACsec Key Agreement (MKA) protocol is responsible for maintaining MACsec on the link and decides which router on the point-to-point link becomes the key server. The key server then creates an SAK that is shared only with the router at the other end of the point-to-point link, and that SAK is used to secure all data traffic traversing the link. The key server continues to periodically create and share a randomly generated SAK over the point-to-point link for as long as MACsec is enabled.

    See Configuring Media Access Control Security (MACsec) on MX Series Routers for step-by-step instructions on enabling MACsec by using static CAK security mode.

    Understanding MACsec Hardware Requirements for MX Series Routers

    You can configure Media Access Control Security (MACsec) on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E). Starting with Junos OS Release 16.1, you can configure MACsec on MX Series routers with the 40-port 10-Gigabit Ethernet MPC (MPC7E-10G).

    Starting with Junos OS Release 17.3R2, you can configure MACsec on MX 10003 routers with the modular MIC (JNP-MIC1-MACSEC).

    MACsec can also be configured on supported MX Series router interfaces when those routers are configured in a Virtual Chassis configuration. Encryption and decryption are implemented in hardware at line rate. MACsec adds 24 through 32 bytes of overhead to each frame, depending on whether the Secure Channel Identifier (SCI) tag is included. On 20-port Gigabit Ethernet MICs, the SCI tag is always included.
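    As an added illustration of the 8-byte header and 16-byte tail described under How MACsec Works and of the 24-through-32-byte overhead noted above, the following Python example (written for this page, not Juniper code) parses the IEEE 802.1AE SecTAG of a constructed frame, reports the per-frame overhead with and without the SCI, and applies a strict packet-number replay check of the kind a receiving interface performs. The ICV in the constructed frames is a placeholder, because verifying it requires GCM-AES, which this example does not implement.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5  # EtherType that introduces the IEEE 802.1AE SecTAG
ICV_LEN = 16               # 16-byte integrity check value, the "tail" of a frame


@dataclass
class SecTag:
    an: int               # association number: which SAK secured this frame
    pn: int               # packet number, the basis of replay protection
    encrypted: bool       # E bit set: payload encrypted, not only integrity-checked
    sci: Optional[bytes]  # 8-byte Secure Channel Identifier, present when SC bit set

    @property
    def overhead(self) -> int:
        # 8-byte SecTAG (16 bytes with the SCI) plus 16-byte ICV: 24 or 32 bytes
        return 8 + (8 if self.sci else 0) + ICV_LEN


def parse_sectag(frame: bytes) -> SecTag:
    """Parse the SecTAG that follows the 12-byte destination/source MAC header."""
    if struct.unpack_from("!H", frame, 12)[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec-tagged frame")
    tci_an = frame[14]                       # TCI flags in the high 6 bits, AN in low 2
    pn = struct.unpack_from("!I", frame, 16)[0]
    sci = bytes(frame[20:28]) if tci_an & 0x20 else None
    return SecTag(an=tci_an & 0x03, pn=pn, encrypted=bool(tci_an & 0x08), sci=sci)


def build_frame(pn: int, payload: bytes, sci: Optional[bytes] = None,
                an: int = 0, encrypted: bool = True) -> bytes:
    """Constructed sample frame; the ICV is a placeholder, not a real GCM-AES tag."""
    tci_an = (0x0C if encrypted else 0x00) | (0x20 if sci else 0x00) | (an & 0x03)
    sl = len(payload) if len(payload) < 48 else 0     # short-length field
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")  # made up
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"")
    return macs + sectag + payload + b"\x00" * ICV_LEN


class ReplayChecker:
    """Strict replay protection (window 0): PN must rise within each secure channel."""
    def __init__(self) -> None:
        self.next_pn: dict = {}              # (sci, an) -> lowest acceptable PN

    def accept(self, tag: SecTag) -> bool:
        key = (tag.sci, tag.an)
        if tag.pn < self.next_pn.get(key, 1):
            return False                     # replayed or reordered frame: drop it
        self.next_pn[key] = tag.pn + 1
        return True
```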

    For more information regarding MACsec, refer to the following IEEE specifications:

    • IEEE 802.1AE-2006. Media Access Control (MAC) Security

    • IEEE 802.1X-2010. Port-Based Network Access Control. Defines the MACsec Key Agreement (MKA) protocol

    Understanding MACsec Software Requirements for MX Series Routers

    Following are some of the key software requirements for MACsec on MX Series Routers:

    Note: A feature license is not required to configure MACsec on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E).

    MACsec is supported on MX Series routers with MACsec-capable interfaces. The SCI tag is always included on MX Series routers.

    MACsec supports 128 and 256-bit cipher-suite with and without extended packet numbering (XPN).

    MACsec supports MACsec Key Agreement (MKA) protocol with Static-CAK mode using preshared keys.

    MACsec supports a single connectivity-association (CA) per physical port or physical interface.

    Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also regular interfaces that are not part of an interface bundle.

    Starting with Junos OS Release 17.3R2, MACsec supports the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256 on MX 10003 routers with the modular MIC (model number JNP-MIC1-MACSEC).

    Release History Table

    Release    Description
    17.3R2     Starting with Junos OS Release 17.3R2, you can configure MACsec on MX 10003 routers with the modular MIC (JNP-MIC1-MACSEC).
    16.1       Starting with Junos OS Release 16.1, you can configure MACsec on MX Series routers with the 40-port 10-Gigabit Ethernet MPC (MPC7E-10G).
    15.1       Starting with Junos OS Release 15.1, MACsec enables you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.
    15.1       Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also regular interfaces that are not part of an interface bundle.

    Modified: 2018-06-19