Understanding Media Access Control Security (MACsec) in FIPS mode
Media Access Control Security (MACsec) is an IEEE 802.1AE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
MACsec allows you to secure a point-to-point Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.
MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be seen on the IEEE organization website at IEEE 802.1: BRIDGING & MANAGEMENT.
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests and cryptographic algorithm validations (CAV). The following cryptographic algorithms are added specifically for MACsec.
Advanced Encryption Standard (AES)-Cipher Message Authentication Code (CMAC)
Advanced Encryption Standard (AES) Key Wrap
For MACsec, in configuration mode, use the prompt command to enter a secret key value of 64 hexadecimal characters for authentication.
[edit]
crypto-officer@hostname:fips# prompt security macsec connectivity-association pre-shared-key cak
New cak (secret):
Retype new cak (secret):
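As an added example (not Junos code and not part of the original page), the following Python helper generates a CAK in the form the prompt command expects, 64 hexadecimal characters for a 256-bit key, and checks a candidate value before it is typed in. The length and character-set rules come from the requirement above; the weak-key heuristics (identical bytes, few distinct byte values, repeated short blocks) are this example's own assumptions, meant to catch placeholder or pattern keys rather than anything the standard mandates.

```python
import re
import secrets
from typing import List

# MACsec in FIPS mode takes the CAK as 64 hexadecimal characters,
# i.e. a 256-bit key: 32 bytes * 2 hex digits per byte = 64.
CAK_HEX_LEN = 64
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def generate_cak() -> str:
    """Return a fresh 256-bit CAK as 64 lowercase hex characters from the OS CSPRNG."""
    return secrets.token_hex(CAK_HEX_LEN // 2)


def validate_cak(cak: str) -> List[str]:
    """Return the problems found with a candidate CAK; an empty list means it is acceptable.

    Length and hex-only checks reflect the configuration requirement. The
    weak-key heuristics below are this example's own (hypothetical) checks.
    """
    problems: List[str] = []
    value = cak.strip()
    if len(value) != CAK_HEX_LEN:
        problems.append(f"length is {len(value)}, expected {CAK_HEX_LEN} hex characters")
    if not _HEX_RE.fullmatch(value):
        problems.append("contains non-hexadecimal characters")
        return problems  # the remaining checks need a valid hex string
    raw = bytes.fromhex(value) if len(value) % 2 == 0 else b""
    if raw and len(set(raw)) == 1:
        problems.append("every byte is identical (e.g. all zeros)")
    if raw and len(set(raw)) < 8:
        problems.append("fewer than 8 distinct byte values; looks like a pattern, not random")
    # A key built by repeating a short block (e.g. 'deadbeef' * 8) is also rejected.
    for block in (2, 4, 8, 16):
        if raw and raw == raw[:block] * (len(raw) // block):
            problems.append(f"is a {block}-byte block repeated; not random")
            break
    return problems
```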