MACsec keys
MACsec provides industry-standard security over point-to-point Ethernet links. A
point-to-point link is secured once the security keys at both ends match.
Security keys are of two types:
- Connectivity Association Key (CAK), which is a configured pre-shared key.
Important
The switch supports the configuration of a pre-shared key to enable MACsec using the static connectivity association key (CAK) security mode. The CAK must be identical at both ends of a MACsec link.
- Secure Association Key (SAK):
  - Static SAKs: SAKs are static short-lived keys derived from the CAK or pre-configured for a particular secure channel (SC). MACsec uses a timer to refresh these keys so that the key and the session remain secure.
  - Dynamic SAKs: the MACsec Key Agreement (MKA) protocol generates SAKs. The MKA protocol determines which switch on the point-to-point link becomes the key server. The key server then generates SAKs and distributes them to the switch at the other end of the point-to-point link.
MACsec uses the derived keys to encrypt or decrypt data at each end of the MACsec links.
Integrity Check Verification (ICV)
MACsec ensures data integrity using Integrity Check Verification (ICV). MACsec inserts an 8-byte or 16-byte SecTag after the Ethernet header and appends an 8-byte or 16-byte calculated ICV after the encrypted payload. MACsec computes the ICV over the entire frame, from the Ethernet header and SecTag through to the checksum. The receiving side recalculates the ICV after decrypting the data and checks whether the received ICV and the computed ICV match. If the ICVs do not match, the data was modified in transit and MACsec drops the frame.
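The key hierarchy and the ICV check described above, worked through end to end as an added example that is not part of the original page: a Go program (standard library only) in which both ends derive a SAK from the shared CAK, the sender wraps a payload in a MACsec-style frame (Ethernet header, 16-byte SecTag, encrypted payload, 16-byte ICV), and the receiver recomputes the ICV and drops any frame whose ICV does not match. Assumptions: the SAK derivation uses HMAC-SHA-256 as an illustrative stand-in for the AES-CMAC based KDF that IEEE 802.1X specifies, the cipher suite is GCM-AES-128 with the GCM IV formed as SCI || PN, and all keys, MAC addresses and the SCI are constructed sample values; the function names (DeriveSAK, ProtectFrame, VerifyFrame) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macsecEtherType = 0x88E5 // MACsec EtherType, the first two bytes of the SecTAG
	tciSC           = 0x20   // TCI bit: SCI present, so the SecTAG is 16 bytes rather than 8
	tciE            = 0x08   // TCI bit: user data is encrypted
	tciC            = 0x04   // TCI bit: user data is changed from the original
	icvLen          = 16     // GCM-AES-128 ICV length
)

// Constructed sample values for this example; not real keys or addresses.
var (
	sampleCAK = []byte("cak-sample-16byt")                             // 16-byte pre-shared CAK, same on both ends
	sampleSCI = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x01} // SCI = MAC address || port id
	sampleDA  = []byte{0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0x01}             // destination MAC
	sampleSA  = []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}             // source MAC
)

// DeriveSAK stands in for the CAK-to-SAK derivation. IEEE 802.1X specifies an AES-CMAC
// based KDF for this step; HMAC-SHA-256 is an illustrative substitute used here only to
// show that both ends holding the same CAK and key number obtain the same SAK.
func DeriveSAK(cak []byte, keyNumber uint32) []byte {
	var kn [4]byte
	binary.BigEndian.PutUint32(kn[:], keyNumber)
	h := hmac.New(sha256.New, cak)
	h.Write(append([]byte("SAK"), kn[:]...))
	return h.Sum(nil)[:16] // 128-bit SAK for GCM-AES-128
}

func newGCM(sak []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 12-byte IV, 16-byte ICV
}

// buildSecTAG encodes EtherType || TCI/AN || SL || PN || SCI (16 bytes, since SC is set).
func buildSecTAG(an uint8, pn uint32, sci []byte, payloadLen int) []byte {
	tag := make([]byte, 8, 16)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = byte(tciSC|tciE|tciC) | (an & 0x03)
	if payloadLen < 48 { // SL (short length) is 0 unless the secured data is under 48 bytes
		tag[3] = byte(payloadLen)
	}
	binary.BigEndian.PutUint32(tag[4:8], pn)
	return append(tag, sci...)
}

// ProtectFrame builds DA || SA || SecTAG || encrypted payload || ICV. GCM computes the ICV
// over the Ethernet header and SecTAG (additional authenticated data) and the payload;
// the 12-byte IV is SCI || PN, as in 802.1AE.
func ProtectFrame(sak, da, sa, sci []byte, an uint8, pn uint32, payload []byte) ([]byte, error) {
	gcm, err := newGCM(sak)
	if err != nil {
		return nil, err
	}
	secTAG := buildSecTAG(an, pn, sci, len(payload))
	header := append(append(append([]byte{}, da...), sa...), secTAG...)
	iv := append(append([]byte{}, sci...), secTAG[4:8]...)
	frame := make([]byte, len(header), len(header)+len(payload)+icvLen)
	copy(frame, header)
	return gcm.Seal(frame, iv, payload, header), nil
}

// VerifyFrame recomputes the ICV over the received header and payload and returns the
// plaintext only when it matches the received ICV. A flipped payload byte, an altered
// SecTAG or a different SAK all fail here, and the receiver drops the frame.
func VerifyFrame(sak, frame []byte) ([]byte, error) {
	if len(frame) < 28+icvLen || binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType {
		return nil, errors.New("not a MACsec frame with a 16-byte SecTAG (too short or wrong EtherType)")
	}
	if frame[14]&tciSC == 0 {
		return nil, errors.New("8-byte SecTAG without SCI is not handled in this example")
	}
	header := frame[:28]                                             // DA(6) SA(6) SecTAG(16)
	iv := append(append([]byte{}, frame[20:28]...), frame[16:20]...) // SCI || PN
	gcm, err := newGCM(sak)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, iv, frame[28:], header)
	if err != nil {
		return nil, fmt.Errorf("ICV mismatch, frame dropped: %w", err)
	}
	return plain, nil
}
```

Because the Ethernet header and SecTag are fed to GCM as additional authenticated data, a change to the PN or TCI in the SecTag fails verification just as a change to the encrypted payload does, which is the behaviour the ICV section describes. Replay protection (checking the received PN against an expected window) is a separate receive-side check that this example does not implement.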