Connectivity associations and secure channels

You configure MACsec in connectivity associations (CAs). You can enable MACsec after you associate a connectivity association with an interface. To enable MACsec in static Connectivity Association Key (CAK) security mode, you must create and configure connectivity associations on both ends of the link.

Tip

Configure the Connectivity Association key name (CKN) in multiples of 4 characters to avoid MKA interoperability issues between VOSS switches and EXOS switches. For example, Macsecma (8 characters) or Macsecmka123 (12 characters) are valid, but Macsec (6 characters) is not valid.

A CA is a logical representation of a MACsec domain within a network. Each connectivity association is associated with one CAK. MACsec links are associated with a CA to establish end-to-end MACsec communication. Every MACsec-enabled interface (switch port) is a member of exactly one CA.

A secure channel (SC) is a unidirectional channel that connects two endpoints of MACsec. A secure channel is a long-term relationship that persists through the sequence of secure associations.

A secure association (SA) is a short-lived relationship within an SC. MACsec identifies each SA by its association number (AN) and its secure association key (SAK), which is derived from the CAK or generated by the MKA key server. Both ends of the MACsec link use the SAK to encrypt and decrypt frames. SAKs are refreshed frequently for security reasons; periodically replacing SAs allows fresh keys to be used without terminating the SC relationship.

For static MACsec, you configure CAs. SCs and SAs are internally created in the hardware.

For MKA MACsec, you configure CAs. SCs and SAs are internally created in the hardware based on the information provided by the MKA key server.
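The CA, SC and SA relationships described above, as an added Python model (not Extreme's code; the SAK derivation is a labelled placeholder, not the MKA KDF): it enforces the CKN length tip, pairs two unidirectional SCs per link, and rotates SAs through AN 0..3 on each rekey while the SCs persist.

```python
# Added model of the CA / SC / SA hierarchy (illustrative, not vendor code).
# The SAK "derivation" is a labelled stand-in, not the IEEE 802.1X MKA KDF.
import hmac
import hashlib
from dataclasses import dataclass, field


def ckn_is_valid(ckn: str) -> bool:
    """Interoperability tip: CKN length must be a non-zero multiple of 4 characters."""
    return len(ckn) > 0 and len(ckn) % 4 == 0


@dataclass
class SecureAssociation:
    an: int      # association number, wraps within 0..3
    sak: bytes   # secure association key in use for this SA


@dataclass
class SecureChannel:
    """Unidirectional: one per transmit direction; outlives the SAs inside it."""
    tx_port: str
    rx_port: str
    sas: list = field(default_factory=list)
    next_an: int = 0

    def install_sa(self, sak: bytes) -> SecureAssociation:
        sa = SecureAssociation(self.next_an, sak)
        self.sas.append(sa)
        self.next_an = (self.next_an + 1) % 4   # AN wraps; the SC itself persists
        return sa


@dataclass
class ConnectivityAssociation:
    ckn: str
    cak: bytes
    channels: list = field(default_factory=list)
    key_number: int = 0

    def __post_init__(self):
        if not ckn_is_valid(self.ckn):
            raise ValueError(f"CKN {self.ckn!r} is not a multiple of 4 characters")

    def link(self, port_a: str, port_b: str) -> None:
        # Two unidirectional SCs make one bidirectional MACsec link.
        self.channels += [SecureChannel(port_a, port_b), SecureChannel(port_b, port_a)]

    def rekey(self) -> bytes:
        """Placeholder SAK derivation (HMAC over CAK and key number); MKA uses its own KDF."""
        self.key_number += 1
        ctx = f"{self.ckn}|{self.key_number}".encode()
        sak = hmac.new(self.cak, ctx, hashlib.sha256).digest()[:16]
        for sc in self.channels:
            sc.install_sa(sak)   # new SA on every SC, no SC teardown
        return sak
```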