Statement introduced in Junos OS Release 20.3R1.
Configure a timer-based refresh of the secure association key (SAK) on a MACsec-secured link. This ensures that the SAK is frequently updated, making it less vulnerable to attack.
In static CAK mode, the SAK is generated by the key server and is periodically refreshed. By default, the refresh is triggered by packet-counter progression rather than by time. Depending on the amount of traffic and the speed of the interface, it might take a long time for the counter to advance far enough for a new SAK to be generated. This can provide enough time for a successful attack on the key. You can enhance the security of the SAK by configuring a shorter, timer-based refresh interval.
When the MACsec session is live with a primary, preceding, or fallback PSK, or with a key from a key chain, the SAK refresh occurs at the configured interval regardless of key type, and the rollover is hitless: no traffic is dropped when the new SAK takes effect. The PSK is also refreshed periodically, once after every configured SAK refresh interval.
When an XPN cipher suite is configured, the refresh interval configured in the key server takes precedence over the refresh interval configured in the non-key server, even if the interval configured in the non-key server is lower.
The SAK refresh interval is not enabled by default.
Range: 60 through 86,400 seconds
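The following added configuration example (not from the original page) contrasts a connectivity association that relies on the default counter-driven SAK refresh with one that sets a one-hour timer-based refresh. It assumes the `sak-rekey-interval` statement at the `[edit security macsec connectivity-association <name>]` hierarchy, the interface name `xe-0/0/1`, and placeholder CKN/CAK values; replace those with your own.

```text
## Weak: static CAK with no timer-based refresh. The SAK is only rotated
## when the packet counter advances, which on a lightly loaded link can
## leave one SAK in use for a very long time.
set security macsec connectivity-association CA-DEFAULT security-mode static-cak
set security macsec connectivity-association CA-DEFAULT cipher-suite gcm-aes-xpn-256
set security macsec connectivity-association CA-DEFAULT pre-shared-key ckn <CKN-PLACEHOLDER>
set security macsec connectivity-association CA-DEFAULT pre-shared-key cak <CAK-PLACEHOLDER>
set security macsec interfaces xe-0/0/1 connectivity-association CA-DEFAULT

## Hardened: same CA, but the SAK is additionally rotated every 3600 s
## (within the 60-86400 s range). Because the cipher suite is XPN, the
## interval configured on the key server is the one that takes effect,
## so the key-server priority is pinned here and the interval is set on it.
delete security macsec interfaces xe-0/0/1 connectivity-association CA-DEFAULT
set security macsec connectivity-association CA-HARDENED security-mode static-cak
set security macsec connectivity-association CA-HARDENED cipher-suite gcm-aes-xpn-256
set security macsec connectivity-association CA-HARDENED pre-shared-key ckn <CKN-PLACEHOLDER>
set security macsec connectivity-association CA-HARDENED pre-shared-key cak <CAK-PLACEHOLDER>
set security macsec connectivity-association CA-HARDENED mka key-server-priority 1
set security macsec connectivity-association CA-HARDENED sak-rekey-interval 3600
set security macsec interfaces xe-0/0/1 connectivity-association CA-HARDENED
commit
```

To confirm the timer is driving rotation, watch the SAK (AN/PN) change on the interface at the configured interval with `show security macsec connections` after the session is up.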
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.