
 
 

Mapping OpenConfig MACsec Model Commands to Junos Configuration

Note:

See the OpenConfig Data Model Version topic for the supported data model versions and the corresponding Junos OS releases for Juniper Networks PTX Series.

The following tables show the mapping of OpenConfig Media Access Control Security (MACsec) commands with the relevant configurations in Junos OS:

  • Table 1: MACsec Key Agreement (MKA) Policies Configuration
  • Table 2: MKA Key Chain Configuration
  • Table 3: MKA Key Chain Key ID Configuration Deviation
  • Table 4: MACsec Interfaces Configuration
Table 1: MACsec Key Agreement (MKA) Policies Configuration

Command Name

OpenConfig Configuration

Junos Configuration

name

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
                 name(leafref)
             }
        }
     }
}
security macsec {
     connectivity-association {
          <ca_name>
      }
}

name

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   name(string)
               }
            }
         }
     }
}
security macsec {
     connectivity-association {
          <name>
      }
}

key-server-priority

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   key-server-priority(uint8)
               }
            }
         }
     }
}
security macsec {
     connectivity-association {
          <name> {
                 mka {
                     key-server-priority < 0..255 >
                 }
           }
      }
}

macsec-cipher-suite

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   macsec-cipher-suite(macsec-types:macsec-cipher-suite)
               }
            }
         }
     }
}
security macsec {
     connectivity-association {
          <name> {
               cipher-suite {
                     <suite-options>
               }
           }
      }
}

confidentiality-offset

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   confidentiality-offset(macsec-types: confidentiality-offset)
               }
            }
         }
     }
}
security macsec {
     connectivity-association {
          <name> {
                   offset {
                        <0 or 30 or 50>
                   }
          }
     }
}

delay-protection

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   delay-protection(boolean)
               }
            }
         }
     }
}
security macsec {
     connectivity-association {
          <name> {
                 mka {
                     bounded-delay
                 }
           }
      }
}

include-icv-indication

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   include-icv-indication(boolean)
               }
            }
         }
     }
}

Configuration unsupported in Junos OS.

sak-rekey-interval

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   sak-rekey-interval(uint32)
               }
            }
         }
     }
}
security macsec {
     connectivity-association {
          <name> {
                 mka {
                     sak-rekey-interval < 60..86400 seconds>
                 }
           }
      }
}

sak-rekey-on-live-peer-loss

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   sak-rekey-on-live-peer-loss(boolean)
               }
            }
         }
     }
}

Configuration unsupported in Junos OS.

use-updated-eth-header

openconfig-macsec: macsec {
      mka {
         policies {
             policy {
               config {
                   use-updated-eth-header(boolean)
               }
            }
         }
     }
}

Configuration unsupported in Junos OS.

Table 2: MKA Key Chain Configuration

Command Name

OpenConfig Configuration

Junos Configuration

key-chain name

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                   name(leafref)
             }
         }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name>
            }
}

key-chain config name

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                 config {
                     name(string)
                 }
             }
         }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name>
            }
}

mka-key id

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                         id(leafref)
                     }
                 }
            }
        }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name> {
                       key <0..63>
                 }
            }
}

mka-key config id

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                       config {
                          id(oc-yang:hex-string)
                       }
                     }
                 }
            }
        }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name> {
                       key <0..63> {
                             key-name <>
                        }
                 }
            }
}

key-clear-text

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                       config {
                          key-clear-text(string)
                       }
                     }
                 }
            }
        }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name> {
                       key <0..63> {
                            secret <secret_key>
                       }
                 }
            }
}

cryptographic-algorithm

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                       config {
                          cryptographic-algorithm(enumeration)
                       }
                     }
                 }
            }
        }
     }
}

Configuration unsupported in Junos OS.

valid-date-time

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                       config {
                          valid-date-time(union)
                       }
                     }
                 }
            }
        }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name> {
                       key <0..63> {
                            start-time {
                                < YYYY-MM-DD.HH:MM>
                            }
                       }
                 }
            }
}

expiration-date-time

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                       config {
                          expiration-date-time(union)
                       }
                     }
                 }
            }
        }
     }
}

Configuration unsupported in Junos OS.

Table 3: MKA Key Chain Key ID Configuration Deviation

Command Name

OpenConfig Configuration

Junos Configuration

MKA Key

openconfig-macsec: macsec {
      mka {
         key-chains {
             key-chain {
                mka-keys {
                    mka-key {
                         id(leafref)
                     }
                 }
            }
        }
     }
}
security authentication-key-chains {
            key-chain {
                 <key-chain-name> {
                       key <0..63>
                 }
            }
}

In OpenConfig configurations, the elements of an mka-key (ID, key, and start time) are referenced by the mka-key id. In Junos OS configurations, they are referenced by the key value, an integer in the range 0 through 63.

To support the OpenConfig configuration, Junos OS applies a deviation to the mka-key id pattern of the OpenConfig model, as follows:

  • The id must start with a two-digit integer from 00 through 63, followed by a hex string; that is, [00..63][hexstring].
  • The first two digits of the OpenConfig mka-key id become the Junos OS key number; in the example below, the remaining hex string becomes the Junos OS key-name.

The following OpenConfig configuration is an example that uses sample values:

set openconfig-macsec:macsec mka key-chains key-chain MACSEC_OC_KEY mka-keys mka-key 00cafe0000 config key-clear-text 1234567890

set openconfig-macsec:macsec mka key-chains key-chain MACSEC_OC_KEY mka-keys mka-key 00cafe0000 config valid-date-time 2021-11-30T00:00:00.0Z

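After the OpenConfig configuration is committed, the resulting Junos OS configuration on a Juniper device looks like the following. The leading 00 of the mka-key id becomes key 0, and the remainder (cafe0000) becomes the key-name. The key-clear-text value is displayed as a `$9$`-encoded secret marked SECRET-DATA; the `$9$` form is an obfuscation of the key rather than a one-way hash, so the configuration output remains sensitive. The valid-date-time value appears as start-time, converted to the device's local time zone (-0800 in this example):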

security {
    authentication-key-chains {
        key-chain MACSEC_OC_KEY {
            key 0 {
                secret "$9$EVBcev8X7Vs2LXikmfzFevMW-VJGDjk."; ## SECRET-DATA
                key-name cafe0000;
                start-time "2021-11-29.16:00:00 -0800";
            }
        }
    }
}
Table 4: MACsec Interfaces Configuration

Command Name

OpenConfig Configuration

Junos Configuration

interface name

openconfig-macsec: macsec {
      interfaces {
          interface {
            name(leafref)
          }
      }
}
security macsec {
     interfaces {
          <name>
     }
}

interface config name

openconfig-macsec: macsec {
      interfaces {
          interface {
             config {
                name(oc-if:base-interface-ref)
              }
          }
      }
}
security macsec {
     interfaces {
          <name>
     }
}

config enable

openconfig-macsec: macsec {
      interfaces {
          interface {
             config {
                enable(boolean)
              }
          }
      }
}

There is no separate enable keyword in Junos OS.

replay-protection

openconfig-macsec: macsec {
      interfaces {
          interface {
             config {
                replay-protection(uint16)
              }
          }
      }
}
security macsec {
     connectivity-association {
          <name> {
               replay-protect {
                     replay-window-size < 0..65535 packets>
               }
           }
      }
}

mka-policy

openconfig-macsec: macsec {
      interfaces {
          interface {
              mka {
                  config {
                     mka-policy(leafref)
                  }
              }
          }
      }
}
security macsec {
     interfaces {
          <name> {
               connectivity-association {
                    <connectivity-association>
               }
           }
     }
}

config key-chain

openconfig-macsec: macsec {
      interfaces {
          interface {
              mka {
                  config {
                     key-chain(leafref)
                  }
              }
          }
      }
}
security macsec {
     connectivity-association {
          <name> {
               pre-shared-key-chain {
                     <pre-shared-key-chain>
               }
           }
      }
}