MACsec has three major components:
Security entity (SecY)
The SecY is the entity that operates the MACsec protocol within a system. You configure a secure connectivity association (CA) to provide MACsec-protected connectivity between the stations attached to an individual LAN. Each CA is supported by unidirectional secure channels (SCs); each SC carries frames, protected with symmetric-key cryptography, from one of the systems to all of the others in the CA.
Each SecY transmits frames conveying secure MACsec service requests on a single SC, and receives frames conveying secure service indications on separate SCs, one for each of the other SecYs that participate in the secure CA.
A connectivity association (CA) is the logical representation of a MACsec domain within a network. Each CA has a connectivity association key (CAK), and MACsec links join a CA to establish end-to-end MACsec communication. Every MACsec-enabled interface (switch port) belongs to exactly one CA.
A secure channel (SC) is a unidirectional channel from one transmitting SecY to the other SecYs in the CA: point-to-point on a two-station link, point-to-multipoint in general. An SC is a long-term relationship that persists across Secure Association Key (SAK) changes. A sequence of Secure Associations (SAs) supports each SC and allows fresh keys to be used periodically without terminating the relationship. Each SA is supported by a single secret key, or by a single set of keys where the cryptographic operations that protect one frame require more than one key. A Secure Channel Identifier (SCI) identifies each SC. The SCI is a 48-bit universally administered MAC address, identifying the system to which the transmitting SecY belongs, concatenated with a 16-bit port number, identifying the SecY within that system.
Each SA is identified by the SCI concatenated with a 2-bit Association Number (AN). This Secure Association Identifier (SAI) lets the receiving SecY identify the SA, and hence the SAK used to decrypt and authenticate the received frame. Because the AN is only two bits wide, the AN, and hence the SAI, is unique only among the SAs that participating SecYs can use or have recorded at any given instant; AN values are reused as SAKs are rotated.
Key agreement entity (KaY)
The KaY is responsible for CAK and SAK computation, distribution and maintenance. The CAK is a long-lived key that persists for as long as the CA exists. When you configure the CAK, ensure that it is identical on every member of the CA (on both ends of a point-to-point MACsec link).
In static SAK mode, SAKs are short-lived keys derived from the CAK or pre-configured for a particular SC. MACsec refreshes SAKs on a timer to limit how long any one key, and the session it protects, is exposed.
In dynamic SAK mode, the MKA key server generates the SAKs. The key server maintains the protected Ethernet link by periodically generating and distributing fresh SAKs across the point-to-point link for as long as MACsec is enabled, and in any case before the packet-number space of the current SAK is exhausted.
Integrity check value verification or Cryptographic entity
The Cryptographic entity provides integrity protection and validation for frames transmitted or received through the SecY layer. The Integrity Check Value (ICV) is calculated over the frame's destination and source MAC addresses, the SecTAG, and the user data. The Ethernet CRC (FCS) is not an input to the ICV; it is recalculated over the protected frame, so the transmitted frame carries the ICV after the user data and the FCS after the ICV. The receiver recalculates the ICV over the received frame and compares it with the received value. Frames that pass the integrity check are processed further; the system drops frames that fail it.
MACsec configuration also provides an option to encrypt the user data. In addition, a confidentiality offset can leave the first N octets of the user data (the octets immediately following the SecTAG) unencrypted but still integrity-protected; 802.1AE allows offsets of 0, 30 or 50 octets, chosen so that the start of the payload, such as an IP header, can remain readable to devices that need it.
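The SCI and SAI layout described under the SecY, and the ICV coverage and confidentiality offset described in this section, as an added worked example in Python (not part of the original page and not any vendor's implementation). It dissects a constructed MACsec frame (not a capture), recovers the SecTAG fields, derives the SCI either from the explicit field or, for an end station, from the source address with port identifier 00-01, forms the SAI, and shows which octets the ICV covers versus which octets a given confidentiality offset encrypts. No AES-GCM is run; the sample ICV is a placeholder, and only the explicit-SCI and end-station (ES) cases are modelled; other implicit-SCI cases need receiver state and raise.

```python
from dataclasses import dataclass

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16                              # GCM-AES ICV is 16 octets
VALID_CONFIDENTIALITY_OFFSETS = (0, 30, 50)


@dataclass
class SecTag:
    an: int          # 2-bit Association Number
    es: bool         # End Station: SCI derived from SA, not carried
    sc: bool         # explicit 8-octet SCI follows the PN
    scb: bool        # Single Copy Broadcast
    encrypt: bool    # E bit: Secure Data is encrypted
    changed: bool    # C bit: Secure Data differs from User Data
    sl: int          # Short Length (0 when User Data is 48 octets or more)
    pn: int          # 32-bit Packet Number carried in the tag
    sci: bytes       # 8 octets: 48-bit system MAC || 16-bit port identifier
    length: int      # SecTAG length: 8 (implicit SCI) or 16 (explicit SCI)


@dataclass
class MacsecFrame:
    dst: bytes
    src: bytes
    tag: SecTag
    secure_data: bytes
    icv: bytes


def parse_macsec_frame(frame: bytes) -> MacsecFrame:
    """Split DA | SA | SecTAG | Secure Data | ICV (FCS already removed by the MAC)."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    dst, src = frame[0:6], frame[6:12]
    if int.from_bytes(frame[12:14], "big") != MACSEC_ETHERTYPE:
        raise ValueError("EtherType is not 0x88E5")
    tci_an = frame[14]
    if tci_an & 0x80:
        raise ValueError("unknown SecTAG version")
    es, sc, scb = bool(tci_an & 0x40), bool(tci_an & 0x20), bool(tci_an & 0x10)
    e, c, an = bool(tci_an & 0x08), bool(tci_an & 0x04), tci_an & 0x03
    if es and sc:
        raise ValueError("ES and SC cannot both be set")
    sl = frame[15]
    pn = int.from_bytes(frame[16:20], "big")
    if sc:
        sci, tag_len = frame[20:28], 16
    elif es and not scb:
        sci, tag_len = src + b"\x00\x01", 8   # implicit SCI: SA || port 00-01
    else:
        raise ValueError("SCI must come from receiver state; not modelled here")
    body = frame[12 + tag_len:]
    if len(body) < ICV_LEN:
        raise ValueError("no room for ICV")
    secure_data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    if sl and len(secure_data) != sl:
        raise ValueError(f"SL={sl} but Secure Data is {len(secure_data)} octets")
    return MacsecFrame(dst, src, SecTag(an, es, sc, scb, e, c, sl, pn, sci, tag_len),
                       secure_data, icv)


def sai(tag: SecTag) -> str:
    """Secure Association Identifier: the SCI concatenated with the 2-bit AN."""
    return f"{tag.sci.hex()}/AN{tag.an}"


def gcm_inputs(frame: bytes, confidentiality_offset: int):
    """Return (aad, protected, icv) as GCM-AES sees them.

    DA, SA and the SecTAG are always authenticated-only (AAD). With the E bit set,
    the first `confidentiality_offset` octets of the data stay in the clear but are
    still part of the AAD; the rest is ciphertext. Without E, all data is AAD.
    """
    if confidentiality_offset not in VALID_CONFIDENTIALITY_OFFSETS:
        raise ValueError("802.1AE allows confidentiality offsets 0, 30 or 50")
    f = parse_macsec_frame(frame)
    header = f.dst + f.src + frame[12:12 + f.tag.length]
    if not f.tag.encrypt:
        return header + f.secure_data, b"", f.icv
    clear = f.secure_data[:confidentiality_offset]
    return header + clear, f.secure_data[confidentiality_offset:], f.icv


def build_sample_frame(explicit_sci: bool = True) -> bytes:
    """Constructed sample, not a capture: E=1, C=1, AN=2, PN=42, 60 data octets.
    The 16-octet ICV is a placeholder because no cipher is run here."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("00aabbccddee")
    tci_an = 0x08 | 0x04 | 0x02                   # E | C | AN=2
    if explicit_sci:
        tci_an |= 0x20                            # SC: explicit SCI follows PN
        tail = src + b"\x00\x01"
    else:
        tci_an |= 0x40                            # ES: SCI implied by SA
        tail = b""
    sectag = MACSEC_ETHERTYPE.to_bytes(2, "big") + bytes([tci_an, 0]) \
        + (42).to_bytes(4, "big") + tail
    secure_data = bytes(range(60))                # 60 octets, so SL = 0
    return dst + src + sectag + secure_data + b"\xaa" * ICV_LEN


if __name__ == "__main__":
    f = parse_macsec_frame(build_sample_frame())
    print("SAI:", sai(f.tag), "PN:", f.tag.pn)
    aad, ct, _ = gcm_inputs(build_sample_frame(), 30)
    print("authenticated-only octets:", len(aad), "encrypted octets:", len(ct))
```

Running the module prints the SAI and the split between authenticated-only and encrypted octets for a 30-octet offset; the same functions can be pointed at a real frame once the FCS has been stripped, which is the form in which packet captures normally present Ethernet frames.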
In the following figure, a CA connects switches A, B, and C, each with its own SC and the shared SAK. Switch D cannot participate in the secure communication between A, B, and C because it does not know the SAK.