Overview of Media Access Control Security (MACsec) in FIPS mode
Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.
MACsec allows you to secure point to point Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.
MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be seen on the IEEE organization website at IEEE 802.1: BRIDGING & MANAGEMENT.
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests and crypto algorithms validations (CAV). The following cryptographic algorithms are added specifically for MACsec.
-
Advanced Encryption Standard (AES)-Cipher Message Authentication Code (CMAC)
-
Advanced Encryption Standard (AES) Key Wrap
Pre-shared key configurations for both connectivity association key name (CKN) and connectivity association key (CAK):
crypto-officer@hostname:fips# prompt security macsec connectivity-association connectivity-association-name pre-shared-key cak New cak (secret): Retype new cak (secret):
crypto-officer@hostname:fips# set security macsec connectivity-association ca_name pre-shared-key ckn ckn
In the above set security macsec connectivity-association
ca_name pre-shared-key ckn ckn command,
you need to define a user defined name for the ca_name variable option
and a user defined connectivity association key name in hexadecimal format for
ckn variable option.
A pre-shared key is exchanged between directly-connected links to establish a MACsec-secure link. The pre-shared-key includes the CKN and the CAK. The CKN and CAK must match on both ends of a link to create a MACsec-secured link.
If you configure 128 bit cipher suite, then CAK can be 32 digit hexadecimal number. If you configure 256 bit cipher suite, then CAK can be 64 digit hexadecimal number.
To maximize security, we recommend you to configure all 64 digits of a CKN and all 32 digits of a CAK. If you do not configure all 64 digits of a CKN or all 32 digits of a CAK, the system auto-configures all the remaining digits to 0. However, you will receive a warning message when you commit the configuration.
After the successful exchange and verification of the pre-shared keys by both ends of the link, the MACsec Key Agreement (MKA) protocol enables and manages the secure link. The MKA protocol then elects one of the two directly-connected devices as the key server. The key server then shares a random security with the other device over the MACsec-secure point-to-point link. The key server continues to periodically create and share a random security key with the other device over the MACsec-secured point-to-point link as long as MACsec is enabled.
For example, ypu can configure a CKN of
37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311 and CAK of
228ef255aa23ff6729ee664acb66e91f on connectivity association.