
Understanding Media Access Control Security (MACsec)


Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.

MACsec is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.

How MACsec Works

When MACsec is enabled on a point-to-point Ethernet link, the link is secured after matching security keys are exchanged and verified between the interfaces at each end of the link. The key can be configured manually, or can be generated dynamically, depending on the security mode used to enable MACsec. For more information on MACsec security modes, see MACsec Security Modes.

MACsec uses a combination of data integrity checks and encryption to secure traffic traversing the link:

  • Data integrity: MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured link. The receiving interface checks the header and tail to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

  • Encryption: Encryption ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable. You can enable MACsec so that the data integrity checks are performed while the data is still sent unencrypted, "in the clear", over the MACsec-secured link, if desired.
Note

When MACsec is enabled on a logical interface, VLAN tags are not encrypted. All the VLAN tags configured on the logical interface enabled for MACsec are sent in clear text.
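To make the header and tail concrete, here is an added example in Python that is not part of this Juniper page. It decodes the MACsec SecTAG and ICV on a constructed Ethernet frame and applies a receive-side replay-window check on the packet number, the check that the replay-protection feature mentioned later in this page performs. The field layout follows IEEE 802.1AE (EtherType 0x88E5, a TCI/AN flags byte, a short-length byte, a 4-byte packet number, an optional 8-byte SCI, and a 16-byte ICV at the tail), which is why the per-frame overhead comes to 24 bytes without the SCI and 32 bytes with it. The MAC addresses, payload and ICV bytes are constructed sample data (no real GCM-AES tag is computed), and the replay window is a simplified model of the standard's lowest-acceptable-PN rule.

```python
"""Decode a MACsec SecTAG/ICV and apply a replay-window check (added example).
Frame bytes are constructed sample data; the 16-byte ICV is a dummy placeholder,
not a real GCM-AES tag. Field layout follows IEEE 802.1AE.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5  # EtherType that announces a SecTAG
SECTAG_BASE_LEN = 8        # EtherType(2) + TCI/AN(1) + SL(1) + PN(4): the 8-byte header
SCI_LEN = 8                # optional Secure Channel Identifier inside the SecTAG
ICV_LEN = 16               # integrity check value: the 16-byte tail
MAC_HDR_LEN = 12           # destination MAC + source MAC precede the SecTAG


@dataclass
class SecTag:
    version: int
    end_station: bool            # ES bit
    sci_present: bool            # SC bit
    single_copy_broadcast: bool  # SCB bit
    encrypted: bool              # E bit: user data is encrypted
    changed_text: bool           # C bit: user data differs from the original
    association_number: int      # AN: which of up to 4 SAs of the channel
    short_length: int            # SL: payload length if < 48 bytes, else 0
    packet_number: int           # PN: monotonically increasing per SA
    sci: Optional[bytes]

    @property
    def header_len(self) -> int:
        return SECTAG_BASE_LEN + (SCI_LEN if self.sci_present else 0)

    @property
    def overhead(self) -> int:
        """Bytes MACsec adds to a frame: 24 without SCI, 32 with SCI."""
        return self.header_len + ICV_LEN


def parse_sectag(frame: bytes) -> SecTag:
    """Parse the SecTAG that follows the destination and source MAC addresses."""
    if len(frame) < MAC_HDR_LEN + SECTAG_BASE_LEN + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    ethertype, tci_an, sl, pn = struct.unpack_from("!HBBI", frame, MAC_HDR_LEN)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04x})")
    sci_present = bool(tci_an & 0x20)
    sci_start = MAC_HDR_LEN + SECTAG_BASE_LEN
    return SecTag(
        version=(tci_an >> 7) & 1,
        end_station=bool(tci_an & 0x40),
        sci_present=sci_present,
        single_copy_broadcast=bool(tci_an & 0x10),
        encrypted=bool(tci_an & 0x08),
        changed_text=bool(tci_an & 0x04),
        association_number=tci_an & 0x03,
        short_length=sl & 0x3F,
        packet_number=pn,
        sci=frame[sci_start:sci_start + SCI_LEN] if sci_present else None,
    )


def split_frame(frame: bytes) -> Tuple[SecTag, bytes, bytes]:
    """Return (sectag, secured payload, icv); the ICV is the last 16 bytes."""
    tag = parse_sectag(frame)
    start = MAC_HDR_LEN + tag.header_len
    return tag, frame[start:-ICV_LEN], frame[-ICV_LEN:]


class ReplayWindow:
    """Receive-side replay protection keyed on the packet number: a frame is
    accepted only if its PN is not more than `window` behind the highest PN
    already accepted on this SA; window=0 means strictly in-order delivery."""

    def __init__(self, window: int = 0) -> None:
        self.window = window
        self.highest_pn = 0

    def accept(self, pn: int) -> bool:
        if pn == 0:
            return False                  # PN 0 is never valid on the wire
        if pn + self.window <= self.highest_pn:
            return False                  # replayed or too far out of order
        self.highest_pn = max(self.highest_pn, pn)
        return True


def build_frame(pn: int, sci: Optional[bytes], payload: bytes) -> bytes:
    """Assemble a constructed sample frame with E and C set and a dummy ICV."""
    tci_an = 0x0C | (0x20 if sci is not None else 0x00)
    sl = len(payload) if len(payload) < 48 else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"")
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
    return dst + src + sectag + payload + b"\xee" * ICV_LEN
```

Calling `split_frame(build_frame(7, None, b"hello macsec"))` yields a tag with `overhead == 24`; supplying an 8-byte SCI gives `overhead == 32`, matching the 24-to-32-byte figure quoted in the router section of this page. Note that a real receiver verifies the ICV with the SAK before consulting the replay window, so a forged frame is rejected by the integrity check regardless of its PN.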

Connectivity Associations

MACsec is configured in connectivity associations. A connectivity association is a set of MACsec attributes that are used by interfaces to create two secure channels, one for inbound traffic and one for outbound traffic. The secure channels are responsible for transmitting and receiving data on the MACsec-secured link.

The connectivity association must be assigned to a MACsec-capable interface on each side of the point-to-point Ethernet link. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each link. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec.

MACsec Security Modes

MACsec can be enabled using one of the following security modes:

  • Static connectivity association key (CAK) mode

  • Static secure association key (SAK) mode

  • Dynamic secure association key (SAK) mode

Best Practice

Static CAK mode is recommended for switch-to-switch, or router-to-router, links. Static CAK mode ensures security by frequently refreshing to a new random security key and by sharing only the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are available only when you enable MACsec using static CAK security mode.

Static CAK Mode (Recommended for Switch-to-Switch Links)

When you enable MACsec using static CAK security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

Note

If the MACsec session is terminated because of a link failure, MKA elects a key server again when the link is restored, and that key server generates a new SAK.

To enable MACsec in static CAK mode, you have to configure a connectivity association on both ends of the link. The secure channels are automatically created. These secure channels do not have any user-configurable parameters; all configuration is done within the connectivity association but outside of the secure channel.

Note

The switches on each end of a MACsec-secured switch-to-switch link must either both be using Junos OS Release 14.1X53-D10 or later, or must both be using an earlier version of Junos, in order to establish a MACsec-secured connection when using static CAK security mode.

Static SAK Security Mode

Static SAK security mode can be used to secure switch-to-switch links. Use this mode only if you have a compelling reason to use it instead of static CAK mode, which is the recommended mode for switch-to-switch links.

In static SAK security mode, one of up to two manually configured SAKs is used to secure data traffic on the point-to-point Ethernet link. All SAK names and values are configured by the user; there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

To enable MACsec in static SAK mode, you must configure a connectivity association, and configure the secure channels within that connectivity association. A typical connectivity association for static SAK mode contains two secure channels that have each been configured with two manually-configured SAKs.

Dynamic SAK Security Mode

Use dynamic SAK security mode to enable MACsec on a switch-to-host link. The endpoint device must support MACsec and must be running software that allows it to enable a MACsec-secured connection.

When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

A connectivity association using dynamic SAK security mode must be configured on the switch's Ethernet interface that connects to the host in order for the switch to create a MACsec-secured connection after receiving the MKA keys from the RADIUS server.

The RADIUS server must be using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in order to support MACsec. RADIUS servers that use other widely-used authentication frameworks, such as password-only or MD5, cannot be used to support MACsec. In order to enable MACsec on a switch to secure a connection to a host, you must be using 802.1X authentication on the RADIUS server, and MACsec must be configured in dynamic SAK mode.

To enable MACsec in dynamic SAK mode, you have to configure a connectivity association on both ends of the link. The secure channels are automatically created. These secure channels do not have any user-configurable parameters; all configuration is done within the connectivity association but outside of the secure channel.

MACsec Software Image Requirements for EX Series and QFX Series Switches

Junos OS Release 16.1 and Later

For Junos OS Release 16.1 and later, you must download the standard Junos image to enable MACsec. MACsec is not supported in the limited image. See the MACsec Hardware and Software Support Summary to determine the correct release for your device.

The standard version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of this Junos OS software is strictly controlled under United States export laws. The export, import, and use of this Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring this version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

Junos OS Releases Prior to 16.1

For releases prior to Junos OS Release 16.1, you must download the controlled version of your Junos OS software to enable MACsec. MACsec support is not available in the domestic version of Junos OS software in releases prior to Junos OS Release 16.1. See the MACsec Hardware and Software Support Summary to determine the correct release for your device.

The controlled version of Junos OS software includes all features and functionality available in the domestic version of Junos OS, while also supporting MACsec. The domestic version of Junos OS software is shipped on all switches that support MACsec, so you must download and install a controlled version of Junos OS software for your switch before you can enable MACsec.

The controlled version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

MACsec Support on MX, ACX, and PTX Series Routers

Table 1 lists the routers that support MACsec.

Table 1: MACsec on MX, PTX, and ACX Series Routers

Router | Line Card / MIC | Support introduced in Junos OS Release
MX240, MX480, and MX960 | MIC-3D-20GE-SFP-E | 14.2 and 15.1
MX240, MX480, MX960, MX2010, and MX2020 | MPC7E-10G | 16.1
MX10003 | JNP-MIC1-MACSEC | 17.3R2
ACX6360 | NA | 18.2R1
PTX10008 | PTX10K-LC1105 | 18.2R1
PTX10008 and PTX10016 | PTX10K-LC1105 | 18.3R1
MX240, MX480, MX960, MX2010, and MX2020 | MPC10E-15C and MPC10E-10C | 19.1R1
ACX5448-M (1GbE/10GbE ports) | NA | 19.3R1
PTX10003 (1GbE/40GbE/100GbE ports) | NA | 19.3R1-EVO
MX2010 and MX2020 | MX2K-MPC11E | 20.1R1

ACX6360 and ACX5448-M routers support MACsec with AES-256 encryption.

MACsec can be configured on supported MX Series routers that are members of a Virtual Chassis. Encryption and decryption are implemented in hardware at line rate. MACsec adds 24 to 32 bytes of overhead per frame, the larger figure applying when the Secure Channel Identifier (SCI) tag is included.

For more information regarding MACsec, refer to the following IEEE specifications:

  • IEEE 802.1AE-2006. Media Access Control (MAC) Security

  • IEEE 802.1X-2010. Port-Based Network Access Control. Defines the MACsec Key Agreement (MKA) protocol

MACsec Software Requirements for MX Series Routers

Following are some of the key software requirements for MACsec on MX Series Routers:

Note

A feature license is not required to configure MACsec on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E).

MACsec is supported on MX Series routers with MACsec-capable interfaces.

MACsec supports 128-bit and 256-bit cipher suites, with and without extended packet numbering (XPN).

MACsec supports MACsec Key Agreement (MKA) protocol with Static-CAK mode using preshared keys.

MACsec supports a single connectivity-association (CA) per physical port or physical interface.

Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also regular interfaces that are not part of an interface bundle.

Starting with Junos OS Release 17.3R2, MACsec supports the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256 on MX10003 routers with the modular MIC (model number JNP-MIC1-MACSEC).

Starting in Junos OS Release 18.4R2, the MIC-MACSEC-20GE MIC provides the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256. The MIC-MACSEC-20GE MIC supports MACsec on both its twenty 1-Gigabit Ethernet SFP ports and its two 10-Gigabit Ethernet SFP+ ports in the following hardware configurations:

  • Installed directly on the MX80 and MX104 routers

  • Installed on MPC1, MPC2, MPC3, MPC2E, MPC3E, MPC2E-NG, and MPC3E-NG line cards on the MX240, MX480, and MX960 routers

Refer to Interface Naming Conventions for MIC-MACSEC-20GE and Understanding Rate Selectability for more information.

MACsec Hardware and Software Support Summary

Table 2 summarizes MACsec hardware and software support for EX Series and QFX Series switches.

See Feature Explorer for a full listing of Junos OS releases and platforms that support MACsec.

Table 2: MACsec Hardware and Software Support Summary for EX Series and QFX Series Switches

Each entry lists, for one switch, the MACsec-capable interfaces, the Junos OS release that introduced switch-to-switch support, the release that introduced switch-to-host support, and the supported encryption.

EX3400

  • MACsec-capable interfaces: 10GbE fiber interfaces and 1GbE copper interfaces.

  • Switch-to-switch support introduction: 15.1X53-D50

  • Switch-to-host support introduction: 15.1X53-D50

  • Encryption: AES-128

  • Note: MACsec is not available on the limited Junos OS image package.

EX4200

  • MACsec-capable interfaces: All uplink port connections on the SFP+ MACsec uplink module.

  • Switch-to-switch support introduction: 13.2X50-D15

  • Switch-to-host support introduction: 14.1X53-D10

  • Encryption: AES-128

EX4300

  • MACsec-capable interfaces: All access and uplink ports. Both QSFP+ interfaces on the EX-UM-2QSFP-MR uplink module for EX4300-48MP switches.

  • Switch-to-switch support introduction: 13.2X50-D15

  • Switch-to-host support introduction: 14.1X53-D10

  • Encryption: AES-128; AES-256 (EX4300-48MP only)

EX4550

  • MACsec-capable interfaces: All EX4550 optical interfaces that use the LC connection type. See Pluggable Transceivers Supported on EX4550 Switches.

  • Switch-to-switch support introduction: 13.2X50-D15

  • Switch-to-host support introduction: 14.1X53-D10

  • Encryption: AES-128

EX4600

  • MACsec-capable interfaces: All twenty-four fixed 1GbE SFP/10GbE SFP+ interfaces and all interfaces that support the copper Gigabit Interface Converter (GBIC). All eight SFP+ interfaces on the EX4600-EM-8F expansion module.

  • Switch-to-switch support introduction: 14.1X53-D15. Note: MACsec is not supported on EX4600 in Junos OS Release 15.1.

  • Switch-to-host support introduction: Not supported

  • Encryption: AES-128

EX9200

  • MACsec-capable interfaces: All forty SFP interfaces on the EX9200-40F-M line card. All twenty SFP interfaces on the EX9200-20F-MIC installed in an EX9200-MPC line card (you can install up to two EX9200-20F-MIC MICs in an EX9200-MPC line card for a maximum of forty MACsec-capable interfaces). All forty SFP+ interfaces on the EX9200-40XS.

  • Switch-to-switch support introduction: 15.1R1

  • Switch-to-host support introduction: 15.1R1

  • Encryption: AES-128. Note: Starting in Junos OS Release 18.2R1, AES-256 is supported on the EX9200-40XS line card.

QFX5100

  • MACsec-capable interfaces: All eight SFP+ interfaces on the EX4600-EM-8F expansion module installed in a QFX5100-24Q switch.

  • Switch-to-switch support introduction: 14.1X53-D15. Note: MACsec is not supported on QFX5100-24Q switches in Junos OS Release 15.1.

  • Switch-to-host support introduction: Not supported

  • Encryption: AES-128

QFX10008 and QFX10016 (QFX10000-6C-DWDM line card)

  • MACsec-capable interfaces: All six interfaces on the QFX10000-6C-DWDM line card.

  • Switch-to-switch support introduction: 17.2R1. Note: Static CAK mode only.

  • Switch-to-host support introduction: Not supported

  • Encryption: AES-128 and AES-256. Note: When enabling MACsec on the QFX10000-6C-DWDM line card, we recommend using a cipher suite with extended packet numbering (XPN). Supported XPN cipher suites are GCM-AES-XPN-128 and GCM-AES-XPN-256.

QFX10008 and QFX10016 (QFX10000-30C-M line card)

  • MACsec-capable interfaces: All 30 interfaces on the QFX10000-30C-M line card.

  • Switch-to-switch support introduction: 17.4R1. Note: Static CAK mode only.

  • Switch-to-host support introduction: Not supported

  • Encryption: AES-128 and AES-256. Note: When enabling MACsec on the QFX10000-30C-M line card, we recommend using a cipher suite with extended packet numbering (XPN). Supported XPN cipher suites are GCM-AES-XPN-128 and GCM-AES-XPN-256.

Understanding MACsec in a Virtual Chassis

MACsec can be configured on supported switch interfaces when those switches are configured in a Virtual Chassis or Virtual Chassis Fabric (VCF), including when MACsec-supported interfaces are on member switches in a mixed Virtual Chassis or VCF that includes switch interfaces that do not support MACsec. MACsec, however, cannot be enabled on Virtual Chassis ports (VCPs) to secure traffic travelling between member switches in a Virtual Chassis or VCF.

Understanding the MACsec Feature License Requirement

A feature license is required to configure MACsec on EX Series and QFX Series switches, with the exception of the QFX10000-6C-DWDM and QFX10000-30C-M line cards. If the MACsec license is not installed, MACsec functionality cannot be activated.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.

The MACsec feature license is an independent feature license; the feature licenses purchased to enable other groups of features on your switches do not enable MACsec. Two MACsec licenses are required per Virtual Chassis Fabric (VCF) and per Virtual Chassis (VC).

MACsec Limitations

  • Spanning Tree Protocol frames of any type cannot currently be encrypted using MACsec.

  • MACsec traffic drops are expected during GRES switchover.

  • On EX4300 switches, MACsec might not work properly on PHY84756 1G SFP ports if auto-negotiation is enabled and MACsec is configured on those ports. As a workaround, configure no-auto-negotiation on PHY84756 1G SFP ports before configuring MACsec on those ports.

Release History Table

Release | Description
18.4R2 | Starting in Junos OS Release 18.4R2, the MIC-MACSEC-20GE MIC provides the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256.
18.2R1 | Starting in Junos OS Release 18.2R1, AES-256 is supported on the EX9200-40XS line card.
15.1 | Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also on regular interfaces that are not part of an interface bundle.