MACsec Key Agreement Protocol

MKA protocol performs key server election and generates Secure Association Keys (SAK) . SAKs and other MKA information is distributed in MACsec Key Agreement Protocol Data Units (MKPDU) between peers in the Connectivity Association (CA).

Initially you configure pre-shared keys on both ends of an Ethernet link, including values for the CAK and the connectivity association key name (CKN). The CAK and CKN values must match at both ends of the link.

You enable the MKA process by configuring pre-shared keys. MKA performs peer detection, identifies a live peer, and elects the peer with the highest priority as the key server.

The key server generates and distributes SAKs. After the key server and the peer successfully install the generated SAKs, the link can securely transmit encrypted data. The key server maintains the secure link by periodically generating and distributing SAKs for as long as MACsec is enabled.

The following figure illustrates the deployment of MACsec using MKA protocol.

Click to expand in new window
Switch to switch MACsec deployment scenario

You can create and configure an MKA profile and then apply that profile to a port. After applying the profile to the port and associating the port with a connectivity association, you can enable MKA on the port and optionally assign a value for actor priority.

Note

Note

If you enable MKA MACsec on a port, traffic is not sent or received on that link until the MKA session is active.

You can configure an MKA actor priority value for each MKA participant. You select priority values from the range 0x00 to 0xff, where lower numbers indicate higher priority. Each participant advertises an actor priority value, and the participant advertising the highest priority is elected as the key server. If there is a tie for the highest priority, the participant with the highest priority MAC address is seletcted.

Note

Note

Do not configure both peers in an MKA session with an actor priority value of 0xff. If both peers are configured with an actor priority value of 0xff, key server election fails.

You can enable replay protect and configure a replay window size to protect against out-of-sequence packets. Window size specifies the maximum acceptable difference in packet ID numbers between out of order packets. If a packet ID number differs from the ID number of the previously received packet by more than the specified window size, the packet is dropped.

Confidentiality offset specifies the bytes after the Ethernet header from which data encryption begins. Valid values are 30 and 50. Configuring the offset to 30 allows an IPv4 header and TCP/UDP header to remain unencrypted, while configuring the offset to 50 allows an IPv6 header and TCP/UDP header to remain unencrypted.

MKA Interoperability with EXOS

Switches configured with MKA MACsec in VOSS 8.1, or later, can interoperate with EXOS 30.3 or later switches.

Note

Note

Traffic loss occurs on the EXOS to VSP 8600 Series or VOSS MKA MACsec link when interoperating with EXOS using the VSP 8600 Series or VOSS devices as the keyserver. As a best practice, use EXOS as the keyserver.