Media Access Control Security (MACsec) on Chassis Cluster

 

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. For more information, see the following topics:

Understanding Media Access Control Security (MACsec)

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

Starting in Junos OS Release 15.1X49-D60, Media Access Control Security (MACsec) is supported on control and fabric ports of SRX340 and SRX345 devices in chassis cluster mode.

Starting in Junos OS Release 17.4R1, MACsec is supported on HA control and fabric ports of SRX4600 devices in chassis cluster mode.

This topic contains the following sections:

How MACsec Works

To determine if a feature is supported by a specific platform or Junos OS release, refer to Feature Explorer.

MACsec provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys. When you enable MACsec using static connectivity association key (CAK) security mode, user-configured pre-shared keys are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link.

Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

MACsec can also be used to encrypt all traffic on the Ethernet link. The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link.

Encryption is enabled for all traffic entering or leaving the interface when MACsec is enabled using static CAK security mode, by default.

MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each point-to-point Ethernet link.

Understanding Connectivity Associations and Secure Channels

MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.

When you enable MACsec using static CAK or dynamic security mode, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically-created secure channels do not have any user-configurable parameters; all configuration is done in the connectivity association outside of the secure channels.

Understanding Static Connectivity Association Key Security Mode

When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters that cannot already be configured in the connectivity association.

We recommend enabling MACsec using static CAK security mode. Static CAK security mode ensures security by frequently refreshing to a new random security key and by only sharing the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are only available when you enable MACsec using static CAK security mode.

Note

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, the 802.1x protocol process (daemon) does not support restart on SRX340 and SRX345 devices.

MACsec Considerations

Spanning Tree Protocol frames of any type cannot currently be encrypted using MACsec.

The connectivity association can be defined anywhere, either global or node specific or any other configuration group as long as it is visible to the MACsec interface configuration.

Note

For MACsec configurations, identical configurations must exist at both ends. That is, each node must contain the same configuration as the other node. If MACsec is not configured, or is improperly configured, on the other node, the port is disabled and stops forwarding traffic.

Warning

Prior to 15.1X49-D100, SRX340 and SRX345 devices did not support MACsec for host-to-host or switch-to-host connections.

Note

SRX4600 devices currently do not support MACsec for host-to-host connections.

Note

On SRX340 and SRX345 devices, fabric interfaces must be configured such that the Media Access Control Security (MACsec) configurations are local to the nodes. Otherwise, the fabric link will not be reachable.

Configuring Media Access Control Security (MACsec)

Starting in Junos OS Release 15.1X49-D60, Media Access Control Security (MACsec) is supported on control and fabric ports of SRX340 and SRX345 devices in chassis cluster mode.

Starting in Junos OS Release 17.4R1, MACsec is supported on control and fabric ports of SRX4600 devices in chassis cluster mode.

This topic shows how to configure MACsec on the control and fabric ports of supported SRX Series devices in a chassis cluster to secure the point-to-point Ethernet links between the peer devices in the cluster. Each point-to-point Ethernet link that you want to secure using MACsec must be configured independently. You can enable MACsec encryption on device-to-device links using static connectivity association key (CAK) security mode.

The configuration steps for both processes are provided in this document.

Configuration Considerations When Configuring MACsec on Chassis Cluster Setup

Before you begin, follow these steps to configure MACsec on control ports:

  1. If the chassis cluster is already up, disable it by using the set chassis cluster disable command and reboot both nodes.
  2. Configure MACsec on the control port with its attributes as described in the section Configuring Static CAK on the Chassis Cluster Control Port. Both nodes must be configured independently with identical configurations.
  3. Enable the chassis cluster by using set chassis cluster cluster-id id on both of the nodes. Reboot both nodes.

Control port states affect the integrity of a chassis cluster. Consider the following when configuring MACsec on control ports:

  • Any new MACsec chassis cluster port configurations or modifications to existing MACsec chassis cluster port configurations will require the chassis cluster to be disabled. Once disabled, you can apply the preceding configurations and reenable the chassis cluster.

  • By default, chassis clusters synchronize all configurations. You must therefore check that synchronization does not cause the loss of any MACsec configuration; otherwise, the chassis cluster will break. For example, for nonsymmetric, node-specific MACsec configurations, identical configurations must still exist on both ends. That is, each node should contain the same configuration as the other node.

Note

The ineligible timer is 300 seconds when MACsec on the chassis cluster control port is enabled on SRX340 and SRX345 devices.

Note

If both control links fail, Junos OS changes the operating state of the secondary node to ineligible for 180 seconds. When MACsec is enabled on the control port, the ineligibility duration is 200 seconds for SRX4600 devices.

Note

Starting with Junos OS Release 15.1X49-D60 and Junos OS Release 17.3R1, the initial hold timer is extended from 30 seconds to 120 seconds in chassis clusters on SRX340 and SRX345 devices.

Note

For any change in the MACsec configurations of control ports, the steps mentioned above must be repeated.

Consider the following when configuring MACsec on fabric ports:

Configuring MACsec leads to link state changes that can affect traffic capability of the link. When you configure fabric ports, keep the effective link state in mind. Incorrect MACsec configuration on both ends of the fabric links can move the link to an ineligible state. Note the following key points about configuring fabric links:

  • Both ends of the links must be configured simultaneously when the chassis cluster is formed.

  • Incorrect configuration can lead to fabric failures and errors in fabric recovery logic.

    Note

    Because of potential link failure scenarios, we recommend that fabric links be configured during formation of the chassis cluster.

Configuring MACsec Using Static Connectivity Association Key Security Mode

You can enable MACsec encryption by using static connectivity association key (CAK) security mode on a point-to-point Ethernet link connecting devices. This procedure shows you how to configure MACsec using static CAK security mode.

Note

For SRX340 and SRX345 devices, ge-0/0/0 is a fabric port and ge-0/0/1 is a control port for the chassis cluster and assigned as cluster-control-port 0.

Note

For SRX4600 devices, dedicated control ports are available. Dedicated chassis cluster fabric ports are not available; instead, any 40G or 10G traffic port can be used as a chassis cluster fabric port. You can configure MACsec on control port 0 [em0] and control port 1 [em1], and on fabric port 0 [fab0] and fabric port 1 [fab1], on SRX4600 devices.

To configure MACsec by using static CAK security mode to secure a device-to-device Ethernet link:

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.

    For instance, to create a connectivity association named ca1, enter:

  2. Configure the MACsec security mode as static-cak for the connectivity association.

    For instance, to configure the MACsec security mode to static-cak on connectivity association ca1:

  3. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).

    A preshared key is exchanged between directly-connected links to establish a MACsec-secure link. The pre-shared-key includes the CKN and the CAK. The CKN is a 64-digit hexadecimal number and the CAK is a 32-digit hexadecimal number. The CKN and the CAK must match on both ends of a link to create a MACsec-secured link.

    Note

    To maximize security, we recommend configuring all 64 digits of a CKN and all 32 digits of a CAK.

    After the preshared keys are successfully exchanged and verified by both ends of the link, the MACsec Key Agreement (MKA) protocol is enabled and manages the secure link. The MKA protocol then elects one of the two directly-connected devices as the key server. The key server then shares a random security key with the other device over the MACsec-secured point-to-point link. The key server will continue to periodically create and share a random security key with the other device over the MACsec-secured point-to-point link as long as MACsec is enabled.

    To configure a CKN of 11c1c1c11xxx012xx5xx8ef284aa23ff6729xx2e4xxx66e91fe34ba2cd9fe311 and CAK of 228xx255aa23xx6729xx664xxx66e91f on connectivity association ca1:

    Note

    MACsec is not enabled until a connectivity association is attached to an interface. See the final step of this procedure to attach a connectivity association to an interface.

  4. (Optional) Set the MKA key server priority.

    Specifies the key server priority used by the MKA protocol to select the key server. The device with the lower priority-number is selected as the key server.

    The default priority-number is 16.

    If the key-server-priority is identical on both sides of the point-to-point link, the MKA protocol selects the interface with the lower MAC address as the key server. Therefore, if this statement is not configured in the connectivity associations at each end of a MACsec-secured point-to-point link, the interface with the lower MAC address becomes the key server.

    To change the key server priority to 0 to increase the likelihood that the current device is selected as the key server when MACsec is enabled on the interface using connectivity association ca1:

    To change the key server priority to 255 to decrease the likelihood that the current device is selected as the key server in connectivity association ca1:

  5. (Optional) Set the MKA transmit interval.

    The MKA transmit interval setting sets the frequency for how often the MKA protocol data unit (PDU) is sent to the directly connected device to maintain MACsec connectivity on the link. A lower interval increases bandwidth overhead on the link; a higher interval optimizes MKA protocol communication.

    The default interval is 2000 ms. We recommend increasing the interval to 6000 ms in high-traffic load environments. The transmit interval settings must be identical on both ends of the link when MACsec using static CAK security mode is enabled.

    Note

    Starting from Junos OS Release 17.4, for SRX340, SRX345, and SRX4600, the default MKA transmit interval is 10000 ms on HA links.

    For instance, if you wanted to increase the MKA transmit interval to 6000 milliseconds when connectivity association ca1 is attached to an interface:

  6. (Optional) Disable MACsec encryption.

    Encryption is enabled for all traffic entering or leaving the interface when MACsec is enabled using static CAK security mode, by default.

    When encryption is disabled, traffic is forwarded across the Ethernet link in clear text. You are able to view unencrypted data in the Ethernet frame traversing the link when you are monitoring it. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure the traffic sent or received on the link has not been tampered with and does not represent a security threat.

  7. (Optional) Set an offset for all packets traversing the link.

    For instance, if you wanted to set the offset to 30 in the connectivity association named ca1:

    The default offset is 0. All traffic in the connectivity association is encrypted when encryption is enabled and an offset is not set.

    When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic. When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.

    You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

  8. (Optional) Enable replay protection.

    When MACsec is enabled on a link, an ID number is assigned to each packet on the MACsec-secured link.

    When replay protection is enabled, the receiving interface checks the ID number of all packets that have traversed the MACsec-secured link. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the packet is dropped by the receiving interface. For instance, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet that is assigned the ID of 1006 is dropped because it falls outside the parameters of the replay protection window.

    Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.

    Replay protection should not be enabled in cases where packets are expected to arrive out of order.

    You can require that all packets arrive in order by setting the replay window size to 0.

    To enable replay protection with a window size of five on connectivity association ca1:

  9. (Optional) Exclude a protocol from MACsec.

    For instance, if you did not want Link Layer Discovery Protocol (LLDP) to be secured using MACsec:

    When this option is enabled, MACsec is disabled for all packets of the specified protocol—in this case, LLDP—that are sent or received on the link.

  10. Assign the connectivity association to a chassis cluster control interface.

    Assigning the connectivity association to an interface is the final configuration step for enabling MACsec on an interface.

    For instance, to assign connectivity association ca1 to interface ge-0/0/1 (for SRX340/SRX345):

  11. Assign a connectivity association for enabling MACsec on a chassis cluster fabric interface.
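The following is an added example that pulls steps 1 through 11 together into one configuration for an SRX340/SRX345 chassis cluster; it is the editor's example, not configuration taken from the Juniper page. The connectivity association name ca1, the control and fabric port numbers (ge-0/0/1 as cluster-control-port 0 and ge-0/0/0 as the fabric port, as stated in the note above), and the CKN and CAK values are constructed placeholders; the cluster-control-port binding statement, the node-group syntax for the node-local fabric binding, and the node1 fabric interface name are assumptions to verify against the CLI of your Junos release before committing. The same connectivity association must be entered on the peer node with the same CKN and CAK.

```junos
# Added example: static-CAK connectivity association for chassis cluster links.
# Values marked "placeholder" are constructed for this example.

# Steps 1-3: create ca1, select static-cak, and set the pre-shared key.
# CKN: 64 hexadecimal digits (placeholder). CAK: 32 hexadecimal digits (placeholder).
# Both must match exactly on the peer node or MKA never comes up and the port is disabled.
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 pre-shared-key cak 00112233445566778899aabbccddeeff

# Step 4: lower priority wins the key-server election (default 16);
# 0 makes this node the preferred key server.
set security macsec connectivity-association ca1 mka key-server-priority 0

# Step 5: MKA PDU interval in milliseconds; must be identical on both ends.
set security macsec connectivity-association ca1 mka transmit-interval 6000

# Step 6 (optional, not applied here): disabling encryption keeps only the
# integrity check, so frames cross the link in clear text.
# set security macsec connectivity-association ca1 no-encryption

# Step 7: leave the first 30 octets (IPv4 + TCP/UDP headers) unencrypted
# so load-balancing features can still read them; use 50 for IPv6.
set security macsec connectivity-association ca1 offset 30

# Step 8: replay protection with a window of 5 packet numbers;
# a window of 0 requires strictly in-order delivery.
set security macsec connectivity-association ca1 replay-protect replay-window-size 5

# Step 9: leave LLDP frames outside MACsec on this link.
set security macsec connectivity-association ca1 exclude-protocol lldp

# Step 10: bind ca1 to chassis cluster control port 0 (ge-0/0/1 on SRX340/SRX345).
# Assumed statement; the cluster must be disabled while this is changed.
set security macsec cluster-control-port 0 connectivity-association ca1

# Step 11: fabric port binding, kept node-local via node groups as the
# note above requires. The node1 interface name is an assumption.
set groups node0 security macsec interfaces ge-0/0/0 connectivity-association ca1
set groups node1 security macsec interfaces ge-5/0/0 connectivity-association ca1
set apply-groups "${node}"
```

Because the control port binding only takes effect after the cluster is disabled, configured, and re-enabled with a reboot of both nodes (see Configuration Considerations above), apply the control-port lines before running set chassis cluster cluster-id, and configure the fabric lines while the cluster is being formed rather than afterwards.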

MACsec using static CAK security mode is not enabled until a connectivity association on the opposite end of the link is also configured, and contains preshared keys that match on both ends of the link.

Configuring Static CAK on the Chassis Cluster Control Port

To establish a connectivity association (CA) over a chassis cluster control link on two SRX345 devices:

  1. Configure the MACsec security mode as static-cak for the connectivity association:
  2. Create the preshared key by configuring the connectivity association key name (CKN).

    The CKN must contain 32 hexadecimal characters.

  3. Create the pre-shared key by configuring the connectivity association key (CAK).

    The CAK must contain 64 hexadecimal characters.

  4. Specify chassis cluster control ports for the connectivity association.

Configuring Static CAK on the Chassis Cluster Fabric Port

To establish a connectivity association over a chassis cluster fabric link on two SRX345 devices:

  1. Configure the MACsec security mode as static-cak for the connectivity association.
  2. Create the preshared key by configuring the connectivity association key name (CKN).

    The CKN must contain 32 hexadecimal characters.

  3. Create the preshared key by configuring the connectivity association key (CAK).

    The CAK must contain 64 hexadecimal characters.

  4. Specify the chassis cluster fabric port for the connectivity association.

Configuring Static CAK on the Control Port of SRX4600 Device in Chassis Cluster

Use this procedure to establish a CA over a chassis cluster control link on two SRX4600 devices.

  1. Configure the MACsec security mode as static-cak for the connectivity association:
  2. Create the preshared key by configuring the connectivity association key name (CKN).

    The CKN must contain 32 hexadecimal characters.

  3. Create the preshared key by configuring the connectivity association key (CAK).

    The CAK must contain 64 hexadecimal characters.

  4. Specify a chassis cluster control port for the connectivity association.

Verifying MACsec Configuration

To confirm that the configuration provided in Configuring Static CAK on the Control Port of SRX4600 Device in Chassis Cluster is working properly, perform these tasks:

Display the Status of Active MACsec Connections on the Device

Purpose

Verify that MACsec is operational on the chassis cluster setup.

Action

From the operational mode, enter the show security macsec connections interface interface-name command on one or both of the nodes of the chassis cluster setup.

{primary:node0}
user@host> show security macsec connections

Meaning

The Interface name and CA name outputs show that the MACsec connectivity association is operational on the interface em0. The output does not appear when the connectivity association is not operational on the interface.

Display MACsec Key Agreement (MKA) Session Information

Purpose

Display MACsec Key Agreement (MKA) session information for all interfaces.

Action

From the operational mode, enter the show security mka sessions command.

user@host> show security mka sessions

Meaning

The outputs show the status of MKA sessions.

Verifying That MACsec-Secured Traffic Is Traversing Through the Interface

Purpose

Verify that traffic traversing through the interface is MACsec-secured.

Action

From the operational mode, enter the show security macsec statistics command.

user@host> show security macsec statistics interface em0 detail

Meaning

The Encrypted packets line under the Secure Channel transmitted field is the value incremented each time a packet that is secured and encrypted by MACsec is sent from the interface.

The Accepted packets line under the Secure Association received field is the value incremented each time a packet that has passed the MACsec integrity check is received on the interface. The Decrypted bytes line under the Secure Association received output is incremented each time an encrypted packet is received and decrypted.

Verifying Chassis Cluster Ports Are Secured with MACsec Configuration

Purpose

Verify that MACsec is configured on chassis cluster ports.

Action

From operational mode, enter the show chassis cluster interfaces command.

user@host> show chassis cluster interfaces

Meaning

The Security line under the Control interfaces output for the em0 interface, shown as Secured, means that the traffic sent from the em0 interface is secured and encrypted by MACsec.

You can also use the show chassis cluster status command to display the current status of the chassis cluster.

Release History Table

Release       Description
17.4R1        Starting in Junos OS Release 17.4R1, MACsec is supported on HA control and fabric ports of SRX4600 devices in chassis cluster mode.
15.1X49-D60   Starting in Junos OS Release 15.1X49-D60, Media Access Control Security (MACsec) is supported on control and fabric ports of SRX340 and SRX345 devices in chassis cluster mode.