Configure MACsec in FIPS Mode

Learn to configure MACsec in FIPS mode.

Configure MACsec on Your Device in FIPS Mode

You can configure MACsec to secure point-to-point Ethernet links on a device equipped with MACsec-capable Modular Interface Cards (MICs). You must separately configure each point-to-point Ethernet link that you want to secure with MACsec. You can enable MACsec on device-to-device links using static connectivity association key (CAK) security mode.

In port mode you can configure different interface rates, such as 10Gbps, 40Gbps, and 100Gbps. In PIC mode you can configure only one of these interface rates at a time.

To configure MACsec on your device with Junos OS:

  1. Customize the time; see Customize Time in FIPS Mode.

    We do not claim NTP as part of the FPT_STM_EXT.1 SFR. However, this documentation provides the steps to activate or deactivate NTP services so that you can validate the MACsec tolerance and the MACsec keychain.

  2. Configure the MACsec security mode for the connectivity association.

    Based on your requirement, you can configure the offset offset-number value at the set security macsec connectivity-association connectivity-association-name hierarchy level to 0, 30, or 50.

  3. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).

    Based on your requirement, you can configure the number-of-packets value at the set security macsec connectivity-association connectivity-association-name replay-protect replay-window-size hierarchy level to a value in the range of 0 through 65535.

  4. Set the MACsec Key Agreement (MKA) secure channel details.
  5. Set the MKA secure channel to security mode.

    Here, CA1 is an example of a configured connectivity-association-name.

  6. Assign a specified MACsec interface to the configured connectivity association.

Configure Static MACsec for Layer 3 Traffic

To configure static MACsec for Layer 3 traffic between two devices R0 and R1:

In R0:

  1. Create the preshared key by configuring the connectivity association key name (CKN) and connectivity association key (CAK).
  2. Set the trace option values.
  3. Assign the trace to an interface.
  4. Configure the MACsec security mode as static-cak for the connectivity association.
  5. Set the MKA key server priority.
  6. Set the MKA transmit interval.
  7. Enable the MKA secure channel.
  8. Assign the connectivity association to an interface.

In R1:

  1. Create the preshared key by configuring the CKN and the CAK.

  2. Set the trace option values.

  3. Assign the trace to an interface.

  4. Configure the MACsec security mode as static-cak for the connectivity association.

  5. Set the MKA transmit interval.

  6. Enable the MKA secure channel.

  7. Assign the connectivity association to an interface.
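The static-CAK procedure for R0 and R1 above, together with the offset and replay-window limits stated in the FIPS-mode procedure at the top of the page, can be checked before anything is committed. The following Python is an added example and not code from the Juniper page or from Junos OS: it validates one connectivity association against the values the page states, compares the two ends of a link for the settings that must match, and renders the corresponding set statements. The StaticCak, validate, set_commands and check_peers names, the per-cipher CAK lengths, the 64-hex-character CKN limit, the use of the xe-/et- interface prefix to infer the rate, and the sample CKN are assumptions; the 64-character CAK is the example value the page gives.

```python
import re
from dataclasses import dataclass

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
NON_XPN_CIPHERS = {"gcm-aes-128", "gcm-aes-256"}
XPN_CIPHERS = {"gcm-aes-xpn-128", "gcm-aes-xpn-256"}
# Assumption (IEEE 802.1AE key sizes): 128-bit ciphers take a 16-byte CAK
# (32 hex characters), 256-bit ciphers a 32-byte CAK (64 hex characters).
CAK_HEX_LEN = {"gcm-aes-128": 32, "gcm-aes-xpn-128": 32,
               "gcm-aes-256": 64, "gcm-aes-xpn-256": 64}
MAX_CKN_HEX = 64              # assumption: CKN is at most 32 bytes
VALID_OFFSETS = (0, 30, 50)   # page: allowed offset values
REPLAY_WINDOW_MAX = 65535     # page: replay-window-size range 0..65535


@dataclass(frozen=True)
class StaticCak:
    ca_name: str
    interface: str            # "xe-..." is 10Gbps, "et-..." is 40/100Gbps (Junos naming)
    ckn: str
    cak: str
    cipher: str = "gcm-aes-xpn-256"
    offset: int = 0
    replay_window: int = 0
    key_server_priority: int = 1
    transmit_interval_ms: int = 2000


def validate(cfg):
    """Return a list of problems; an empty list means the CA obeys the page's rules."""
    errors = []
    if not HEX_RE.fullmatch(cfg.ckn) or len(cfg.ckn) > MAX_CKN_HEX:
        errors.append("ckn must be 1..64 hexadecimal characters")
    if not HEX_RE.fullmatch(cfg.cak):
        errors.append("cak must be hexadecimal")
    if cfg.cipher not in NON_XPN_CIPHERS | XPN_CIPHERS:
        errors.append(f"unknown cipher-suite {cfg.cipher}")
    else:
        if len(cfg.cak) != CAK_HEX_LEN[cfg.cipher]:
            errors.append(f"{cfg.cipher} needs a {CAK_HEX_LEN[cfg.cipher]}-hex-character cak")
        # Page rule: non-XPN ciphers are for 10Gbps (xe) interfaces only.
        if cfg.cipher in NON_XPN_CIPHERS and not cfg.interface.startswith("xe-"):
            errors.append(f"{cfg.cipher} is non-XPN; use it only on 10Gbps (xe) interfaces, not {cfg.interface}")
    if cfg.offset not in VALID_OFFSETS:
        errors.append(f"offset must be one of {VALID_OFFSETS}, got {cfg.offset}")
    if not 0 <= cfg.replay_window <= REPLAY_WINDOW_MAX:
        errors.append(f"replay-window-size must be 0..{REPLAY_WINDOW_MAX}, got {cfg.replay_window}")
    return errors


def set_commands(cfg):
    """Render the Junos set statements for the CA; refuses to render an invalid one."""
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    ca = f"set security macsec connectivity-association {cfg.ca_name}"
    return [
        f"{ca} security-mode static-cak",
        f"{ca} pre-shared-key ckn {cfg.ckn}",
        f"{ca} pre-shared-key cak {cfg.cak}",
        f"{ca} cipher-suite {cfg.cipher}",
        f"{ca} offset {cfg.offset}",
        f"{ca} replay-protect replay-window-size {cfg.replay_window}",
        f"{ca} mka key-server-priority {cfg.key_server_priority}",
        f"{ca} mka transmit-interval {cfg.transmit_interval_ms}",
        f"set security macsec interfaces {cfg.interface} connectivity-association {cfg.ca_name}",
    ]


def check_peers(r0, r1):
    """Findings for a link: both ends must agree on everything that is not per-device."""
    findings = []
    for attr in ("ckn", "cak", "cipher", "offset", "replay_window"):
        if getattr(r0, attr) != getattr(r1, attr):
            findings.append(f"{attr} differs between {r0.ca_name} and {r1.ca_name}")
    # Lower priority value wins the key-server election; equal values leave it to a tie-break.
    if r0.key_server_priority == r1.key_server_priority:
        findings.append("key-server-priority is equal on both ends; give one side the lower value")
    return findings


# Constructed sample CA for each end of the link (the CAK is the page's example value).
_CAK = "2345678922334455667788992223334123456789223344556677889922233341"
R0 = StaticCak("CA1", "et-0/0/0", ckn="0011223344556677", cak=_CAK,
               cipher="gcm-aes-xpn-256", key_server_priority=1)
R1 = StaticCak("CA1", "et-0/0/0", ckn="0011223344556677", cak=_CAK,
               cipher="gcm-aes-xpn-256", key_server_priority=16)

if __name__ == "__main__":
    for cmd in set_commands(R0):
        print(cmd)
    print(check_peers(R0, R1) or "peers consistent")
```

Run it as a script to print the R0 statements; the validate and check_peers functions are the part worth wiring into a pre-commit check, because a CA that commits cleanly on one box can still fail MKA if the other box holds a different CKN, cipher or offset.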

Configure MACsec with Keychain for Layer 3 Traffic

Synchronize both MACsec endpoint devices to NTP, because the time set for the key start-time trigger must be the same on both devices. To configure MACsec with a keychain for Layer 3 traffic between devices R0 and R1:

In R0:

  1. Assign a tolerance value to the authentication keychain.
  2. Create a secret password. It is a string of hexadecimal digits with up to 64 characters. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.

    You can configure up to 64 secret keys. Use the prompt command to enter a secret key value. For example, the secret key value can be set as 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.

    Note: The cipher value can also be set as cipher-suite gcm-aes-128.

  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable the MKA secure channel.
  10. Assign the connectivity association to an interface.

In R1:

  1. Assign a tolerance value to the authentication keychain.

  2. Create a secret password. It is a string of hexadecimal digits with up to 64 characters. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.

    You can configure up to 64 secret keys. Use the prompt command to enter a secret key value. For example, the secret key value is 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.

    Note:
    • You can use the non-XPN ciphers AES-GCM-128 and AES-GCM-256 only for MACsec configuration on 10Gbps (xe) interfaces.
    • You can use the XPN ciphers AES-GCM-XPN-128 and AES-GCM-XPN-256 for MACsec configuration on 40Gbps and 100Gbps interfaces. You can also use the XPN ciphers AES-GCM-XPN-128 and AES-GCM-XPN-256 on 10Gbps (xe) interfaces, if the interface supports them.

  4. Set the trace option values.

  5. Assign the trace to an interface.

  6. Configure the MACsec security mode as static-cak for the connectivity association.

  7. Set the MKA key server priority.

  8. Set the MKA transmit interval.

  9. Enable the MKA secure channel.

  10. Assign the connectivity association to an interface.
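The keychain procedure for R0 and R1 above depends on three things the page states: at most 64 keys per keychain, each secret a hexadecimal string of at most 64 characters (spaces allowed when the string is quoted), and key start-times that are the same instant on both devices, which is why both ends are synchronized to NTP. The following Python is an added example and not code from the Juniper page or from Junos OS: it validates a keychain against those limits, renders the set statements that create it and bind it to a connectivity association, works out which key is in force at a given time, and compares the two endpoints including their clock skew against the configured tolerance. The KeychainKey, MacsecKeychain, validate_keychain, keychain_set_commands, active_key and check_peers names, the exact start-time string format, the sample CKNs, tolerance and times are assumptions; the first CAK is the example value the page gives.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
MAX_KEYS = 64        # page: up to 64 keys per keychain
MAX_SECRET_HEX = 64  # page: secret is a hexadecimal string of up to 64 characters


@dataclass(frozen=True)
class KeychainKey:
    key_id: int
    key_name: str         # used as the CKN
    secret: str           # used as the CAK; may contain spaces when quoted
    start_time: datetime  # timezone-aware instant at which this key takes over


@dataclass(frozen=True)
class MacsecKeychain:
    name: str
    tolerance_seconds: int   # clock-skew tolerance applied at rollover
    keys: tuple


def _hex(s):
    return s.replace(" ", "")


def validate_keychain(kc):
    """Return a list of problems; an empty list means the keychain is within the page's limits."""
    errors = []
    if len(kc.keys) > MAX_KEYS:
        errors.append(f"{len(kc.keys)} keys configured; maximum is {MAX_KEYS}")
    seen_starts = set()
    for k in kc.keys:
        secret = _hex(k.secret)
        if not HEX_RE.fullmatch(secret):
            errors.append(f"key {k.key_id}: secret must be hexadecimal")
        if len(secret) > MAX_SECRET_HEX:
            errors.append(f"key {k.key_id}: secret longer than {MAX_SECRET_HEX} hex characters")
        if not HEX_RE.fullmatch(k.key_name):
            errors.append(f"key {k.key_id}: key-name (CKN) must be hexadecimal")
        if k.start_time.tzinfo is None:
            errors.append(f"key {k.key_id}: start-time must carry a time zone")
            continue
        if k.start_time in seen_starts:   # two keys cannot take over at the same instant
            errors.append(f"key {k.key_id}: start-time collides with another key")
        seen_starts.add(k.start_time)
    return errors


def keychain_set_commands(kc, ca_name):
    """Render the Junos set statements for the keychain and bind it to the CA."""
    errors = validate_keychain(kc)
    if errors:
        raise ValueError("; ".join(errors))
    base = f"set security authentication-key-chains key-chain {kc.name}"
    cmds = [f"{base} tolerance {kc.tolerance_seconds}"]
    for k in sorted(kc.keys, key=lambda k: k.start_time):
        # Assumed start-time format "YYYY-MM-DD.HH:MM:SS +0000"; always rendered in UTC
        # so both peers receive the same instant. The secret is quoted because it may hold spaces.
        start = k.start_time.astimezone(timezone.utc).strftime("%Y-%m-%d.%H:%M:%S +0000")
        cmds += [f"{base} key {k.key_id} key-name {k.key_name}",
                 f'{base} key {k.key_id} secret "{k.secret}"',
                 f'{base} key {k.key_id} start-time "{start}"']
    cmds.append(f"set security macsec connectivity-association {ca_name} pre-shared-key-chain {kc.name}")
    return cmds


def active_key(kc, now):
    """Key in force at `now`: the latest start-time that is not in the future, or None."""
    started = [k for k in kc.keys if k.start_time <= now]
    return max(started, key=lambda k: k.start_time) if started else None


def check_peers(r0, r1, clock_skew_seconds):
    """Rollover only works if both ends hold the same keys and their clocks agree."""
    def fingerprint(kc):
        return sorted((k.key_id, k.key_name.lower(), _hex(k.secret).lower(),
                       k.start_time.astimezone(timezone.utc)) for k in kc.keys)
    errors = []
    if fingerprint(r0) != fingerprint(r1):
        errors.append("key ids, CKNs, CAKs or start-times differ between the two endpoints")
    tolerance = min(r0.tolerance_seconds, r1.tolerance_seconds)
    if abs(clock_skew_seconds) > tolerance:
        errors.append(f"clock skew of {clock_skew_seconds}s exceeds the {tolerance}s tolerance; "
                      "synchronize both devices to NTP before the first start-time")
    return errors


# Constructed sample keychains (not from the page). R1 states key 2 in UTC+1 and without
# spaces in the secret; both still describe the same key taking over at the same instant.
_UTC = timezone.utc
_CAK_A = "2345678922334455667788992223334123456789223344556677889922233341"
_CAK_B = "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567 89ab cdef"
R0_KEYCHAIN = MacsecKeychain("macsec-kc1", 20, (
    KeychainKey(1, "0011223344556677", _CAK_A, datetime(2024, 1, 1, 0, 0, tzinfo=_UTC)),
    KeychainKey(2, "8899aabbccddeeff", _CAK_B, datetime(2024, 1, 1, 6, 0, tzinfo=_UTC)),
))
R1_KEYCHAIN = MacsecKeychain("macsec-kc1", 20, (
    KeychainKey(1, "0011223344556677", _CAK_A, datetime(2024, 1, 1, 0, 0, tzinfo=_UTC)),
    KeychainKey(2, "8899aabbccddeeff", _hex(_CAK_B),
                datetime(2024, 1, 1, 7, 0, tzinfo=timezone(timedelta(hours=1)))),
))

if __name__ == "__main__":
    for cmd in keychain_set_commands(R0_KEYCHAIN, "CA2"):
        print(cmd)
    print(check_peers(R0_KEYCHAIN, R1_KEYCHAIN, clock_skew_seconds=45))
```

The clock-skew check is the point of the page's NTP requirement: if the two devices disagree on the time by more than the keychain tolerance, they roll to the next CAK at different moments and MKA on the link drops until both are on the same key again.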

Configure Static MACsec for Layer 2 Traffic

To configure static MACsec for Layer 2 traffic between the devices R0 and R1:

In R0:

  1. Set the MKA key server priority.
  2. Create a secret password. It is a string of hexadecimal digits with up to 64 characters. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    For example, the secret key value can be set as 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable the MKA secure channel.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure a bridge domain.

    The interface-name1 and interface-name2 options at the set bridge-domains BD-110 interface hierarchy level are user-defined interfaces that are part of the bridge domain.

In R1:

  1. Create the secret password to use. It is a string of hexadecimal digits with up to 64 characters. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.

    For example, the secret key value can be set as 2345678922334455667788992223334123456789223344556677889922233341.

  2. Associate the preshared keychain name with the connectivity association.

  3. Set the trace option values.

  4. Assign the trace to an interface.

  5. Configure the MACsec security mode as static-cak for the connectivity association.

  6. Set the MKA key server priority.

  7. Set the MKA transmit interval.

  8. Enable the MKA secure channel.

  9. Assign the connectivity association to an interface.

  10. Configure VLAN tagging.

  11. Configure a bridge domain.

Configure MACsec with Keychain for Layer 2 Traffic

Synchronize both MACsec endpoint devices to NTP, because the time set for the key start-time trigger must be the same on both devices. To configure MACsec with a keychain for Layer 2 traffic between the devices R0 and R1:

In R0:

  1. Assign a tolerance value to the authentication keychain.
  2. Create the secret password to use. It is a string of hexadecimal digits up to 64 characters long. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret data is used as a CAK.

    You can configure up to 64 secret keys. Use the prompt command to enter a secret key value. For example, the secret key value can be set as 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.
  4. Set the trace option values.
  5. Assign the trace to an interface.
  6. Configure the MACsec security mode as static-cak for the connectivity association.
  7. Set the MKA key server priority.
  8. Set the MKA transmit interval.
  9. Enable the MKA secure channel.
  10. Assign the connectivity association to an interface.
  11. Configure VLAN tagging.
  12. Configure a bridge domain.

In R1:

  1. Assign a tolerance value to the authentication keychain.

  2. Create a secret password. It is a string of hexadecimal digits with up to 64 characters. The password can include spaces if the character string is enclosed in quotation marks. The keychain's secret-data is used as a CAK.

    You can configure up to 64 secret keys. Use the prompt command to enter a secret key value. For example, the secret key value can be set as 2345678922334455667788992223334123456789223344556677889922233341.

  3. Associate the preshared keychain name with the connectivity association.

  4. Set the trace option values.

  5. Assign the trace to an interface.

  6. Configure the MACsec security mode as static-cak for the connectivity association.

  7. Set the MKA key server priority.

  8. Set the MKA transmit interval.

  9. Enable the MKA secure channel.

  10. Assign the connectivity association to an interface.

  11. Configure VLAN tagging.

  12. Configure a bridge domain.