The MKA protocol performs key server election and generates Secure Association Keys (SAKs). SAKs and other MKA information are distributed in MACsec Key Agreement Protocol Data Units (MKPDUs) between peers in the Connectivity Association (CA).
Initially you configure pre-shared keys on both ends of an Ethernet link, including values for the CAK and the connectivity association key name (CKN). The CAK and CKN values must match at both ends of the link.
You enable the MKA process by configuring pre-shared keys. MKA performs peer detection, identifies a live peer, and elects the peer with the highest priority as the key server.
The key server generates and distributes SAKs. After the key server and the peer successfully install the generated SAKs, the link can securely transmit encrypted data. The key server maintains the secure link by periodically generating and distributing SAKs for as long as MACsec is enabled.
The following figure illustrates the deployment of MACsec using MKA protocol.
You can create and configure an MKA profile and then apply that profile to a port. After applying the profile to the port and associating the port with a connectivity association, you can enable MKA on the port and optionally assign a value for actor priority.
Note
If you enable MKA MACsec on a port, traffic is not sent or received on that link until the MKA session is active.
You can configure an MKA actor priority value for each MKA participant. You select priority values from the range 0x00 to 0xff, where lower numbers indicate higher priority. Each participant advertises an actor priority value, and the participant advertising the highest priority is elected as the key server. If there is a tie for the highest priority, the participant with the highest priority MAC address is selected.
Note
Do not configure both peers in an MKA session with an actor priority value of 0xff. If both peers are configured with an actor priority value of 0xff, key server election fails.
You can enable replay protect and configure a replay window size to protect against out-of-sequence packets. Window size specifies the maximum acceptable difference in packet ID numbers between out-of-order packets. If a packet ID number differs from the ID number of the previously received packet by more than the specified window size, the packet is dropped.
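The following is an added illustration, not code from the VOSS documentation or the switch software: a small model of the two rules described above, key server election by actor priority (with the 0xff failure case) and the replay window check. The participant names, MAC addresses and packet numbers are constructed; tie-breaking on the numerically lowest MAC address and treating an exact duplicate packet number as a replay are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Participant:
    name: str
    mac: str             # e.g. "00:04:96:00:00:02" (constructed sample value)
    actor_priority: int  # 0x00 = highest priority ... 0xff = never key server


def elect_key_server(peers: List[Participant]) -> Optional[Participant]:
    """Return the key server: lowest actor priority value wins.

    Participants advertising 0xff are not candidates, so if every peer is 0xff
    the election fails and None is returned (the note above warns of this).
    """
    candidates = [p for p in peers if 0 <= p.actor_priority < 0xFF]
    if not candidates:
        return None
    # Tie-break on the MAC address; lowest numeric value is assumed here.
    return min(candidates,
               key=lambda p: (p.actor_priority, int(p.mac.replace(":", ""), 16)))


@dataclass
class ReplayChecker:
    """Replay protect modeled on the description above."""
    window: int          # max accepted gap for out-of-order packets (0 = strict)
    enabled: bool = True
    highest_pn: int = 0  # highest packet number accepted so far

    def accept(self, pn: int) -> bool:
        if not self.enabled:
            return True                       # replay protect off: accept all
        if pn > self.highest_pn:              # in order: accept and advance
            self.highest_pn = pn
            return True
        if pn == self.highest_pn:             # exact duplicate: replay, drop
            return False
        # out of order: accept only if within the window of the newest packet
        return self.highest_pn - pn <= self.window


if __name__ == "__main__":
    a = Participant("switch-a", "00:04:96:00:00:02", 0x10)
    b = Participant("switch-b", "00:04:96:00:00:01", 0x20)
    print("key server:", elect_key_server([a, b]).name)      # switch-a
    rc = ReplayChecker(window=5)
    print([rc.accept(pn) for pn in (10, 7, 4, 10, 11)])      # [True, True, False, False, True]
```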
Confidentiality offset specifies the bytes after the Ethernet header from which data encryption begins. Valid values are 30 and 50. Configuring the offset to 30 allows an IPv4 header and TCP/UDP header to remain unencrypted, while configuring the offset to 50 allows an IPv6 header and TCP/UDP header to remain unencrypted.
Switches configured with MKA MACsec in VOSS 8.1, or later, can interoperate with EXOS 30.3, or later, and Switch Engine 31.6, or later, switches.
Note
Traffic loss occurs on the EXOS or Switch Engine to VOSS MKA MACsec link when interoperating with EXOS and Switch Engine, using the VOSS devices as the key server. As a best practice, use EXOS or Switch Engine as the key server.