MACsec

  • MACsec bounded delay protection (PTX10002-36QDD)—Starting in Junos OS Evolved Release 23.4R2-S1, you can enable Media Access Control Security (MACsec) bounded delay protection to protect your network against man-in-the-middle attacks. MACsec is an industry-standard security technology capable of identifying and preventing most security threats. During a man-in-the-middle attack, an attacker intercepts packets and might redirect or modify them. This attack can cause an unexpected delay in how long a packet or frame takes to arrive at its intended destination.

    When you enable MACsec bounded delay protection, the device guarantees that a frame will not be delivered after a delay of two seconds or more. MACsec periodically compares the number of frames transmitted to the number received. If a frame is sent but not received within two seconds, MACsec drops the frame. This ensures that a delay of MACsec frames resulting from a man-in-the-middle attack does not go undetected.

    To enable bounded delay protection, configure the following options at the [edit security macsec connectivity-association connectivity-association-name] hierarchy level:

    • mka bounded-delay

    • replay-protect replay-window-size 0

    [See Configuring Bounded Delay Protection.]
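
The following audit script is an added example, not Juniper code: it checks that every connectivity association in an exported configuration carries both options listed above. It assumes the configuration has been exported in set-command form (for example with `show configuration | display set`); the connectivity association names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in set-command form; CA names are placeholders.
SAMPLE_CONFIG = """\
set security macsec connectivity-association ca-core mka bounded-delay
set security macsec connectivity-association ca-core replay-protect replay-window-size 0
set security macsec connectivity-association ca-edge mka bounded-delay
set security macsec connectivity-association ca-edge replay-protect replay-window-size 5
set security macsec connectivity-association ca-lab mka bounded-delay
set security macsec connectivity-association ca-old replay-protect replay-window-size 0
"""

CA_LINE = re.compile(r"^set security macsec connectivity-association (\S+) (.+)$")

def audit_bounded_delay(config_text):
    """Return {ca_name: [findings]}; an empty list means both options are set."""
    state = defaultdict(lambda: {"bounded_delay": False, "window": None})
    for line in config_text.splitlines():
        m = CA_LINE.match(line.strip())
        if not m:
            continue
        s = state[m.group(1)]          # register the CA even if no option matches
        rest = m.group(2).split()
        if rest == ["mka", "bounded-delay"]:
            s["bounded_delay"] = True
        elif (len(rest) == 3 and rest[:2] == ["replay-protect", "replay-window-size"]
              and rest[2].isdigit()):
            s["window"] = int(rest[2])
    report = {}
    for name, s in state.items():
        findings = []
        if not s["bounded_delay"]:
            findings.append("mka bounded-delay not configured")
        if s["window"] is None:
            findings.append("replay-protect replay-window-size not configured")
        elif s["window"] != 0:
            findings.append(f"replay-window-size is {s['window']}, expected 0")
        report[name] = findings
    return report

if __name__ == "__main__":
    for ca, findings in sorted(audit_bounded_delay(SAMPLE_CONFIG).items()):
        print(ca, "OK" if not findings else "; ".join(findings))
```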