Media Access Control Security (MACsec) in FIPS Mode Overview
Media Access Control Security (MACsec) is an IEEE 802.1AE industry-standard security technology that provides secure communication for all traffic on Ethernet links. See IEEE 802.1AE standard details on the IEEE organization website at IEEE 802.1: BRIDGING & MANAGEMENT. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle attacks, masquerading, passive wiretapping, and playback attacks.
With MACsec you can secure point-to-point Ethernet links for almost all traffic, including frames from the following protocols:
- Link Layer Discovery Protocol (LLDP)
- Link Aggregation Control Protocol (LACP)
- Dynamic Host Configuration Protocol (DHCP)
- Address Resolution Protocol (ARP)
- Other protocols that are not typically secured on an Ethernet link because of limitations with other related security solutions.
You can use MACsec in combination with other security protocols such as IPsec and Secure Sockets Layer (SSL) to provide end-to-end network security.
A series of known-answer test (KAT) self-tests and cryptographic algorithm validations (CAV) validate each implementation of an algorithm. The following cryptographic algorithms are added specifically for MACsec:
- Advanced Encryption Standard (AES) Cipher Message Authentication Code (CMAC)
- Advanced Encryption Standard (AES) Key Wrap
A connectivity association (CA) is a set of devices that are authorized to communicate securely with each other using MACsec. Within a specific CA the connectivity association key (CAK), a cryptographic key, secures the communication. Within a network the connectivity association key name (CKN), a unique identifier, is used to distinguish different CAs. Configure a preshared key (PSK) on both ends of the communication link before the secure communication begins. This key is used to establish and authenticate the secure connection between devices.
Use the following PSK configurations for both connectivity association key name (CKN) and connectivity association key (CAK):
[edit]
security-administrator@host:fips# prompt security macsec connectivity-association connectivity-association-name pre-shared-key cak
New cak (secret):
Retype new cak (secret):
[edit]
security-administrator@host:fips# set security macsec connectivity-association ca_name pre-shared-key ckn ckn
In the set security macsec connectivity-association ca_name pre-shared-key ckn ckn command above, replace ca_name with a user-defined name for the connectivity association and replace ckn with a user-defined value in hexadecimal format for the CKN. The CAK is entered through the prompt command so that the secret is not recorded in the command line.
The system exchanges a preshared key between directly connected links to establish a MACsec-secure link. The preshared key includes the CKN and the CAK. The CKN is a 64-digit hexadecimal number and the CAK is a 32-digit hexadecimal number. The CKN and CAK must match on both ends of a link to create a MACsec-secure link.
To maximize security, we recommend that you configure all 64 digits of a CKN and all 32 digits of a CAK. If you do not configure all the digits for these keys, the system automatically sets all the remaining digits to 0, which shortens the effective key, and you receive a warning message when you attempt to commit the configuration.
After the successful exchange and verification of the preshared keys by both ends of the link, the MACsec Key Agreement (MKA) protocol establishes and manages the secure link. The MKA protocol then elects one of the two directly connected switches as the key server. The key server then shares a random security key with the other device over the MACsec-secure point-to-point link. The key server continues to periodically perform this action as long as MACsec is enabled.
For example, you can configure a CKN of 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311 and a CAK of 228ef255aa23ff6729ee664acb66e91f on a connectivity association.
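The following added example (not part of the Junos documentation or Juniper's own tooling) is a small pre-commit lint for a MACsec pre-shared key, applying the rules stated above: the CKN is 64 hexadecimal digits, the CAK is 32 hexadecimal digits, unconfigured digits are filled with 0 and should produce a warning, and the CKN and CAK must match on both ends of the link. The functions `normalize_key`, `check_psk`, `peers_match` and `set_commands` are constructed for this example; the assumption that the system fills the missing digits in the trailing positions is labelled in the code. The CKN and CAK values from this page are used only as sample input.

```python
"""Pre-commit lint for a MACsec CKN/CAK pair (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Key sizes as stated on this page: the CKN is a 64-digit hexadecimal
# number and the CAK is a 32-digit hexadecimal number.
CKN_HEX_DIGITS = 64
CAK_HEX_DIGITS = 32

# Example values from this page, reused here as sample input.
PAGE_CKN = "37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311"
PAGE_CAK = "228ef255aa23ff6729ee664acb66e91f"

_HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class PskCheck:
    """Normalized CKN/CAK pair plus the warnings a commit would raise."""
    ckn: str
    cak: str
    warnings: List[str] = field(default_factory=list)


def normalize_key(value: str, full_len: int, name: str) -> Tuple[str, Optional[str]]:
    """Validate that `value` is hexadecimal and at most `full_len` digits.

    A shorter value is right-padded with '0'. Assumption: the system fills
    the unconfigured digits with zeros in the trailing positions; only the
    fact that the rest becomes 0 is stated on the page. A warning is
    returned for a short key because padding weakens it.
    """
    if not value or not _HEX.match(value):
        raise ValueError(f"{name} must be a non-empty hexadecimal string")
    if len(value) > full_len:
        raise ValueError(f"{name} must be at most {full_len} hex digits, got {len(value)}")
    warning = None
    if len(value) < full_len:
        warning = (f"{name} has {len(value)} of {full_len} digits; "
                   f"the remaining digits will be set to 0 (weakened key)")
    return value.lower().ljust(full_len, "0"), warning


def check_psk(ckn: str, cak: str) -> PskCheck:
    """Normalize both halves of the pre-shared key and collect warnings."""
    ckn_norm, w_ckn = normalize_key(ckn, CKN_HEX_DIGITS, "CKN")
    cak_norm, w_cak = normalize_key(cak, CAK_HEX_DIGITS, "CAK")
    return PskCheck(ckn_norm, cak_norm, [w for w in (w_ckn, w_cak) if w])


def peers_match(local: Tuple[str, str], remote: Tuple[str, str]) -> bool:
    """Both ends of the link must carry the same CKN and CAK (case-insensitive)."""
    a, b = check_psk(*local), check_psk(*remote)
    return a.ckn == b.ckn and a.cak == b.cak


def set_commands(ca_name: str, ckn: str) -> List[str]:
    """Render the Junos `set` command for the CKN shown on this page.

    The CAK is deliberately not rendered as a `set` line: on the page it is
    entered through `prompt`, so the secret never lands in a script or a
    shell history.
    """
    ckn_norm, _ = normalize_key(ckn, CKN_HEX_DIGITS, "CKN")
    return [f"set security macsec connectivity-association {ca_name} "
            f"pre-shared-key ckn {ckn_norm}"]


if __name__ == "__main__":
    # Full-length key from the page: no warnings.
    print(check_psk(PAGE_CKN, PAGE_CAK).warnings)
    # Constructed short key: both halves are padded and warned about.
    for line in check_psk("abcd", "1234").warnings:
        print("WARNING:", line)
    print(set_commands("ca1", PAGE_CKN)[0])
```

Run the lint on the local and remote configuration before committing; a non-empty `warnings` list means a key was entered with fewer digits than recommended, and a `False` from `peers_match` means the link will not come up as MACsec-secure because the CKN or CAK differs between the two ends.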