Understanding Media Access Control Security (MACsec)
Media Access Control security (MACsec) provides point-to-point security on Ethernet links. MACsec is defined by IEEE standard 802.1AE. You can use MACsec in combination with other security protocols, such as IP Security (IPsec) and Secure Sockets Layer (SSL), to provide end-to-end network security.
MACsec is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec secures an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.
- How MACsec Works
- Connectivity Associations
- MACsec Security Modes
- MACsec in a Virtual Chassis
- MACsec Limitations
- MACsec Platform Support
How MACsec Works
When MACsec is enabled on a point-to-point Ethernet link, the link is secured after matching security keys are exchanged and verified between the interfaces at each end of the link. The key can be configured manually, or can be generated dynamically, depending on the security mode used to enable MACsec. For more information on MACsec security modes, see MACsec Security Modes.
MACsec uses a combination of data integrity checks and encryption to secure traffic traversing the link:
- Data integrity: MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured link. The header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.
- Encryption: Encryption ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable. You can enable MACsec to ensure the data integrity checks are performed while still sending unencrypted data "in the clear" over the MACsec-secured link, if desired.
Note: When MACsec is enabled on a logical interface, VLAN tags are not encrypted. All the VLAN tags configured on the logical interface enabled for MACsec are sent in clear text.
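As an added example (not part of the Juniper documentation), the following Python decodes the clear-text portions of a MACsec frame using the IEEE 802.1AE layout: any 802.1Q tags carried ahead of the SecTAG, the SecTAG fields that make up the 8-byte header (including the E and C bits that record whether the payload is encrypted or only integrity-protected), the 16-byte ICV, and the replay-window check that defeats the playback attacks mentioned above. The frame bytes, function and class names, and the ICV value are constructed for illustration; verifying the ICV requires the SAK and is not performed here.

```python
import struct

ETH_P_8021Q, ETH_P_MACSEC, ICV_LEN = 0x8100, 0x88E5, 16

def parse_macsec_frame(frame: bytes) -> dict:
    """Decode the clear-text parts of a MACsec frame: addresses, VLAN tags
    carried outside the SecTAG, the SecTAG fields, and the 16-byte ICV."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("too short for a SecTAG and ICV")
    off, vlans = 12, []
    # 802.1Q tags ahead of the SecTAG are sent in the clear, so a
    # MACsec-unaware switch can still forward on them (see the Note above).
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vlans.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    if struct.unpack_from("!H", frame, off)[0] != ETH_P_MACSEC:
        raise ValueError("no SecTAG (EtherType 0x88E5)")
    tci_an, sl = frame[off + 2], frame[off + 3]
    if tci_an & 0x80:                      # V bit: only version 0 is defined
        raise ValueError("unknown SecTAG version")
    pn = struct.unpack_from("!I", frame, off + 4)[0]
    off += 8                               # the 8-byte header described above
    sci = None
    if tci_an & 0x20:                      # SC bit: an explicit 8-byte SCI follows
        sci, off = frame[off:off + 8], off + 8
    secure_data = frame[off:-ICV_LEN]
    if sl and len(secure_data) != sl:      # SL is non-zero only for payloads < 48 octets
        raise ValueError("SL disagrees with frame length")
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "clear_vlans": vlans, "an": tci_an & 0x03,
            "encrypted": bool(tci_an & 0x08), "changed": bool(tci_an & 0x04),
            "pn": pn, "sci": None if sci is None else sci.hex(),
            "secure_data_len": len(secure_data), "icv": frame[-ICV_LEN:].hex()}

class ReplayWindow:
    """Per-secure-association replay check as 802.1AE describes it: a frame is
    rejected if its PN is below (highest PN seen + 1 - window). The ICV must be
    verified with the SAK before the PN is trusted; that step is not shown."""
    def __init__(self, window: int = 0):
        self.window, self.next_pn = window, 1
    def accept(self, pn: int) -> bool:
        if pn < max(1, self.next_pn - self.window):
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True

# Constructed sample: VLAN 100 in the clear, then an encrypted SecTAG (E=1, C=1,
# AN=0, PN=42), 48 bytes of placeholder ciphertext and a placeholder ICV.
SAMPLE_FRAME = (bytes.fromhex("020000000001" "020000000002")
                + bytes.fromhex("8100" "0064")
                + bytes.fromhex("88e5" "0c" "00" "0000002a")
                + bytes(range(48)) + b"\xaa" * ICV_LEN)
```

With a window of 0 the check enforces strict ordering; a non-zero window tolerates the reordering that can occur across member links of an aggregated bundle.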
Connectivity Associations
MACsec is configured in connectivity associations. A connectivity association is a set of MACsec attributes that interfaces use to create two secure channels, one for inbound traffic and one for outbound traffic. The secure channels are responsible for transmitting and receiving data on the MACsec-secured link.
The secure channels are automatically created. They do not have any user-configurable parameters. All configuration is done within the connectivity association but outside of the secure channels.
The connectivity association must be assigned to a MACsec-capable interface on each side of the point-to-point Ethernet link. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each link. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec.
MACsec Security Modes
MACsec can be enabled using one of the following security modes:
- Static CAK mode
- Dynamic CAK mode
Static CAK mode is recommended for links connecting switches or routers. Static CAK mode ensures security by frequently refreshing to a new random security key and by sharing only the security key between the two devices on the MACsec-secured point-to-point link.
Static CAK Mode
When you enable MACsec using static CAK mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.
You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own CAK. The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.
Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.
If the MACsec session is terminated because of a link failure, MKA elects a key server again when the link is restored, and that key server generates a new SAK.
The switches on each end of a MACsec-secured switch-to-switch link must either both be using Junos OS Release 14.1X53-D10 or later, or must both be using an earlier version of Junos, in order to establish a MACsec-secured connection when using static CAK security mode.
Dynamic CAK Mode
In dynamic CAK mode, the peer nodes on the MACsec link generate the security keys dynamically as part of the 802.1X authentication process. The peer nodes receive MACsec key attributes from the RADIUS server during authentication and use these attributes to dynamically generate the CAK and the CKN. Then they exchange the keys to create a MACsec-secured connection.
Dynamic CAK mode provides easier administration than static CAK mode, because the keys do not need to be configured manually. Also, the keys can be centrally managed from the RADIUS server.
You can use dynamic CAK mode to secure a switch-to-host link or a link that connects switches or routers. On a switch-to-host link, the switch is the 802.1X authenticator and the host is the supplicant. On a link connecting switches or routers, the devices must act as both authenticator and supplicant so they can authenticate each other.
Dynamic CAK mode relies on certificate-based validation using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The RADIUS server and switching devices must use EAP-TLS and public key infrastructure to support MACsec in dynamic CAK mode.
MACsec in a Virtual Chassis
MACsec can be configured on supported switch interfaces when those switches are configured in a Virtual Chassis or Virtual Chassis Fabric (VCF), including when MACsec-supported interfaces are on member switches in a mixed Virtual Chassis or VCF that includes switch interfaces that do not support MACsec. MACsec, however, cannot be enabled on Virtual Chassis ports (VCPs) to secure traffic travelling between member switches in a Virtual Chassis or VCF.
MACsec Limitations
Spanning Tree Protocol frames of any type cannot currently be encrypted using MACsec.
MACsec traffic drops are expected during GRES switchover.
On EX4300 switches, MACsec might not work properly on PHY84756 1G SFP ports if auto-negotiation is enabled and MACsec is configured on those ports. As a workaround, configure no-auto-negotiation on PHY84756 1G SFP ports before configuring MACsec on those ports.
MACsec Platform Support
For a comprehensive list of platforms that support MACsec, please refer to Feature Explorer.
MACsec Licensing and Software Requirements
- MACsec Feature Licenses
- MACsec Software Requirements for MX Series Routers
- MACsec Software Image Requirements for EX Series and QFX Series Switches
- Acquiring and Downloading the Junos OS Software
MACsec Feature Licenses
A feature license is required to configure MACsec on EX Series and QFX Series switches, with the exception of the QFX10000-6C-DWDM and QFX10000-30C-M line cards. If the MACsec license is not installed, MACsec functionality cannot be activated.
To purchase a feature license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.
The MACsec feature license is an independent feature license. The enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that must be purchased to enable some features on EX Series or QFX Series switches cannot be purchased to enable MACsec.
For a Virtual Chassis deployment, two MACsec license keys are recommended for redundancy—one for the device in the primary role and the other for the device in the backup role. Two MACsec licenses may be required per Virtual Chassis Fabric (VCF) and per Virtual Chassis (VC), depending on model and configuration. See the licensing documents below for platform and feature specific details.
A MACsec feature license is installed and maintained like any other switch license. See Managing Licenses for EX Series Switches (CLI Procedure) or Adding New Licenses (CLI Procedure) for more detailed information on configuring and managing your MACsec software license.
MACsec Software Requirements for MX Series Routers
Following are some of the key software requirements for MACsec on MX Series Routers:
A feature license is not required to configure MACsec on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E).
MACsec is supported on MX Series routers with MACsec-capable interfaces.
MACsec supports 128-bit and 256-bit cipher suites, with and without extended packet numbering (XPN).
MACsec supports MACsec Key Agreement (MKA) protocol with Static-CAK mode using preshared keys.
MACsec supports a single connectivity-association (CA) per physical port or physical interface.
Starting in Junos OS Release 20.3R1, you can configure Media Access Control Security (MACsec) at the logical interface level on the MPC7E-10G line card. This configuration enables multiple MACsec Key Agreement (MKA) sessions on a single physical port. VLAN tags are transmitted in clear text, which allows intermediate switches that are MACsec-unaware to switch the packets based on the VLAN tags.
Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (ae-) interface bundle, and also on regular interfaces that are not part of an interface bundle.
Starting with Junos OS Release 17.3R2, MACsec supports the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256 on MX10003 routers with the modular MIC (model number JNP-MIC1-MACSEC).
Starting in Junos OS Release 18.4R2, the MIC-MACSEC-20GE MIC provides 256-bit cipher-suite GCM-AES-256 and GCM-AES-XPN-256. The MIC-MACSEC-20GE MIC supports MACsec on both twenty 1-Gigabit Ethernet SFP ports and on two 10-Gigabit Ethernet SFP+ ports in the following hardware configurations:
- Installed directly on the MX80 and MX104 routers
- Installed on MPC1, MPC2, MPC3, MPC2E, MPC3E, MPC2E-NG, and MPC3E-NG line cards on the MX240, MX480, and MX960 routers
Refer to Interface Naming Conventions for MIC-MACSEC-20GE and Port Speed for Routing Devices for more information.
MACsec Software Image Requirements for EX Series and QFX Series Switches
Junos OS Release 16.1 and Later
For Junos OS Release 16.1 and later, you must download the standard Junos image to enable MACsec. MACsec is not supported in the limited image.
The standard version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of this Junos OS software is strictly controlled under United States export laws. The export, import, and use of this Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring this version of your Junos OS software, contact Juniper Networks Trade Compliance group at mailto:compliance_helpdesk@juniper.net.
Junos OS Releases Prior to 16.1
For releases prior to Junos OS Release 16.1, you must download the controlled version of your Junos OS software to enable MACsec. MACsec support is not available in the domestic version of Junos OS software in releases prior to Junos OS Release 16.1.
The controlled version of Junos OS software includes all features and functionality available in the domestic version of Junos OS, while also supporting MACsec. The domestic version of Junos OS software is shipped on all switches that support MACsec, so you must download and install a controlled version of Junos OS software for your switch before you can enable MACsec.
The controlled version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact Juniper Networks Trade Compliance group at mailto:compliance_helpdesk@juniper.net.
Acquiring and Downloading the Junos OS Software
You can identify whether a software package is the standard or controlled version of Junos OS by viewing the package name. A software package for a controlled version of Junos OS is named using the following format:
package-name-m.nZx.y-controlled-signed.tgz
A software package for a standard version of Junos OS is named using the following format:
package-name-m.nZx.y-.tgz
To check which version of Junos OS is running on your switch, enter the show version command. If the JUNOS Crypto Software Suite description appears in the output, you are running the controlled version of Junos OS. If you are running a controlled version of Junos OS, enter the show system software command to display the version. The output also shows the version of all loaded software packages.
The process for installing the controlled or standard version of Junos OS software onto your switch is identical to installing any other version of Junos OS software. You must enter the request system software add statement to download the Junos OS image, and the request system reboot statement to reboot the switch to complete the upgrade procedure.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.