MACsec Overview

Media Access Control Security (MACsec) as defined by IEEE Standard 802.1X-2010 (control plane) and IEEE Standard 802.1AE-2006 (data plane) allows authorized systems that attach to, and interconnect, LANs in a network to maintain confidentiality of transmitted data and to take measures against frames transmitted or modified by unauthorized devices.

MACsec is configured on a per-port basis to protect point-to-point links between switches. Mutual authentication is achieved by provisioning the same set of credentials (a Pre-Shared Key) on each end of a link. Once a secure connection is established, all traffic is encrypted; MACsec Key Agreement (MKA) protocol packets (MKPDUs) are the only exception.

MACsec implements the mandatory Cipher Suite GCM-AES-128 as specified in Table 14-1 of IEEE Standard 802.1AE-2006.

802.1X authentication using EAP (legacy 802.1X) is a one-time authentication, after which the device allows all traffic from the authenticated MAC address. Properly configured, MACsec encrypts all traffic. MACsec operates at Layer 2 and is therefore protocol agnostic: it encrypts everything it passes. Because encryption takes place in hardware, line-rate traffic passes with low latency. MACsec operates on a hop-by-hop basis, so each hop decrypts the frames it receives and can apply deep packet inspection before re-encrypting them on the next link.

Authentication occurs using Pre-Shared Keys (PSKs), each made up of a Secure Connectivity Association Key (CAK) and Secure Connectivity Association Key Name (CKN) combination. PSKs are configured on a per-port basis. Each port supports a single PSK, which is associated with a single MACsec Key Agreement protocol instance. When MACsec is first enabled or reinitialized, all packets are dropped until a secure connection is established. Once a secure connection is established, all packets are encrypted.
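Added example (not from this page or any vendor implementation): the GCM-AES-128 frame protection named above, applied to a single frame with Go's standard library. It assumes a 128-bit Secure Association Key (SAK), which MKA derives from the CAK and distributes in MKPDUs, and a constructed SCI; the SecTAG layout, nonce (SCI||PN) and AAD (DA||SA||SecTAG) follow IEEE 802.1AE-2006, and the receiving side rejects stale packet numbers and any frame whose ICV does not verify.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed values (not from the page): a 128-bit SAK, as MKA derives from the CAK, and the 8-byte SCI (system MAC || port ID) of the sending port.
var sampleSAK, sampleSCI = []byte("0123456789abcdef"), []byte{0, 0x1c, 0x73, 0, 0, 1, 0, 1}

// gcm128 wraps the SAK in AES-GCM; a 16-byte SAK selects AES-128, any other length is a configuration error.
func gcm128(sak []byte) cipher.AEAD {
	block, err := aes.NewCipher(sak)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // 96-bit nonce and 128-bit ICV, as GCM-AES-128 requires
	return g
}

// Protect emits DA||SA||SecTAG||ciphertext||ICV with nonce = SCI||PN and AAD = DA||SA||SecTAG, as 802.1AE specifies.
func Protect(sak, dst, src, sci []byte, an byte, pn uint32, userData []byte) []byte {
	tag := make([]byte, 16) // EtherType(2) TCI/AN(1) SL(1) PN(4) SCI(8)
	binary.BigEndian.PutUint16(tag[0:], 0x88E5) // MACsec EtherType
	tag[2] = 0x2C | (an & 0x03)                 // TCI: V=0, SC=1, E=1, C=1; low 2 bits carry the AN
	if len(userData) < 48 {                     // SL is non-zero only for short frames
		tag[3] = byte(len(userData))
	}
	binary.BigEndian.PutUint32(tag[4:], pn)
	copy(tag[8:], sci)
	hdr := append(append(append([]byte{}, dst...), src...), tag...)
	nonce := append(append([]byte{}, sci...), tag[4:8]...)
	return append(hdr, gcm128(sak).Seal(nil, nonce, userData, hdr)...)
}

// Unprotect checks the SecTAG, rejects PNs below lowestPN (strict replay protection) and verifies the ICV before releasing the user data.
func Unprotect(sak, frame []byte, lowestPN uint32) ([]byte, uint32, error) {
	if len(frame) < 44 || binary.BigEndian.Uint16(frame[12:]) != 0x88E5 || frame[14]&0x20 == 0 {
		return nil, 0, errors.New("not a MACsec frame carrying an explicit SCI")
	}
	pn := binary.BigEndian.Uint32(frame[16:])
	if pn < lowestPN {
		return nil, pn, errors.New("replayed or stale packet number")
	}
	nonce := append(append([]byte{}, frame[20:28]...), frame[16:20]...)
	data, err := gcm128(sak).Open(nil, nonce, frame[28:], frame[:28])
	return data, pn, err // err is set when the ICV fails: tampered frame or mismatched key
}
```

A real receiver tracks the lowest acceptable PN per Secure Association and advances it as frames are accepted; a frame received on a port before MKA has agreed a SAK is dropped, which matches the behaviour described above.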