MACsec security modes

The static Connectivity Association Key (CAK) security mode is the only supported MACsec security mode on the platform, and is also the most common mode to enable MACsec.

When you use the static CAK security mode to enable MACsec, you configure a connectivity association on both ends of the link. Secure Association Keys (SAK) establish the MACsec relationship between the switches on each end of the Ethernet link. The SAKs include a connectivity association key name (CKN) and its own CAK. The MACsec CKN and CAK are configured in a connectivity association, and the CAK must match on both ends of the link to initially enable MACsec.

To ensure link security, the system periodically refreshes keys based on traffic volume and link speed.

To enable MACsec at the port level, you must first associate the port to the connectivity association. You complete the configuration within the connectivity association, but outside of the secure channel.

Note

Note

If you use MKA, you must apply MKA profile to a port before you associate it with a Connectivity Association (CA). After you associate the port with a CA, you cannot enable MKA on the port.

When you use the static CAK security mode, the system automatically creates two secure channels, one for inbound traffic and another for outbound traffic. You cannot configure any parameters in the automatically created secure channels.

The CAK security mode ensures security by frequently refreshing to a new random security key, and by only sharing the security key between the two devices on the MACsec-secured point-to-point link.

MACsec provides options to encrypt all data, or configure a confidentiality offset, which specifies the number of unencrypted bytes in a frame that precede MACsec encryption.

You can configure the following optional features:
  • Data encryption — If you disable encryption, MACsec forwards traffic in clear text. You can view that data that is not encrypted in the Ethernet frame that travels across the link. Even if you disable encryption the MACsec header applies to the frame and integrity checks make sure that traffic has not been tampered with.

  • Confidentiality offset — If encryption is enabled, and an offset is not configured, all traffic in the connectivity is encrypted. The confidentiality offset specifies the bytes after the Ethernet header from which data encryption begins. Valid values are 30 bytes and 50 bytes. The confidentiality offset facilitates traffic flow inspection and classification on intermediate devices by not encrypting the Network Layer header for IPv4 or IPv6. For instance, if you configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header and the TCP/UDP header are not encrypted.