Overview

MACsec is configured on a per-port basis to protect point-to-point links between switches. Mutual authentication is achieved by provisioning the same set of credentials (pre-shared key) on each end of a link.

Prior to authentication, all port traffic is blocked. After authentication, all port traffic is protected by the GCM-AES-128 cipher suite. MACsec operates at Layer 2 and is therefore protocol agnostic: every frame that crosses the link is encrypted, regardless of the higher-layer protocol it carries. Because encryption takes place in hardware, line-rate traffic passes with low latency, but the additional MACsec headers cause some throughput drop. MACsec operates on a hop-by-hop basis: each switch decrypts frames on ingress and re-encrypts them on egress, so traffic is available in the clear inside each hop for deep packet inspection.

Authentication is provided by pre-shared keys (PSKs), each consisting of a public secure connectivity association key name (CKN) and a secret secure connectivity association key (CAK). PSKs are configured on a per-port basis. Each port supports a single PSK, which is associated with a single MACsec Key Agreement (MKA) protocol instance.

Note

When MACsec is enabled, every protected packet is prefixed with an 8-byte (include-sci disable) or 16-byte (include-sci enable) SecTAG and suffixed with a 16-byte Integrity Check Value (ICV). If the average packet size on a port is small, these 24 to 32 extra bytes per packet have a non-trivial impact on throughput. This overhead is inherent to the protocol and is not specific to this implementation.
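To make the SecTAG and ICV overhead described in this note (and the throughput-drop remark in the overview) concrete, the following is an added example, not code from the original page or from the switch vendor. It parses the IEEE 802.1AE SecTAG that follows the destination/source MAC addresses of a protected frame, reports whether the SCI is present (8-byte versus 16-byte tag), and computes the frame-level efficiency for a given frame size. The sample frame, its MAC addresses, the port identifier 0x0001 and the all-zero ICV are constructed placeholders, so no real key material is involved; the ICV is not computed, only sized.

```python
import struct

ETHERTYPE_MACSEC = 0x88E5  # EtherType that introduces the SecTAG
ICV_LEN = 16               # GCM-AES-128 produces a 16-byte Integrity Check Value
SCI_LEN = 8                # Secure Channel Identifier: 6-byte MAC + 2-byte port id


def parse_sectag(frame: bytes) -> dict:
    """Parse the SecTAG of a MACsec frame (bytes after the 12-byte DA/SA).

    Returns the tag fields plus the total per-frame MACsec overhead
    (SecTAG length + ICV), which is what eats into throughput.
    """
    if len(frame) < 12 + 8:
        raise ValueError("frame too short for DA/SA plus the minimal 8-byte SecTAG")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_MACSEC:
        raise ValueError(f"not a MACsec frame: EtherType 0x{ethertype:04x}")

    tci_an = frame[14]          # TCI (6 bits) + AN (2 bits)
    sc = (tci_an >> 5) & 1      # SC bit: explicit SCI follows the PN
    an = tci_an & 0x3           # association number (which SAK is in use)
    sl = frame[15]              # short length, non-zero only for tiny secure data
    pn = struct.unpack("!I", frame[16:20])[0]  # packet number (replay protection)

    sectag_len = 8
    sci = None
    if sc:
        sectag_len = 16
        if len(frame) < 12 + 16:
            raise ValueError("SC bit set but frame too short for the 8-byte SCI")
        sci = frame[20:28]

    return {
        "include_sci": bool(sc),
        "an": an,
        "short_length": sl,
        "pn": pn,
        "sci": sci,
        "sectag_len": sectag_len,
        "overhead": sectag_len + ICV_LEN,  # 24 or 32 bytes, as the note states
    }


def macsec_efficiency(frame_len: int, include_sci: bool) -> float:
    """Fraction of on-wire frame bytes that are the original (unprotected) frame.

    frame_len is the unprotected Ethernet frame size (DA/SA through FCS).
    Preamble and inter-frame gap are ignored; this is frame-level only.
    """
    overhead = (16 if include_sci else 8) + ICV_LEN
    return frame_len / (frame_len + overhead)


def build_sample_frame(include_sci: bool, an: int = 0, pn: int = 1) -> bytes:
    """Constructed sample MACsec frame: DA/SA, SecTAG, 48 bytes secure data, placeholder ICV."""
    da = bytes.fromhex("001122334455")  # constructed destination MAC
    sa = bytes.fromhex("66778899aabb")  # constructed source MAC
    # TCI: V=0, ES=0, SC=include_sci, SCB=0, E=1 (encrypted), C=1 (changed text)
    tci_an = (int(include_sci) << 5) | (1 << 3) | (1 << 2) | (an & 0x3)
    sectag = struct.pack("!HBBI", ETHERTYPE_MACSEC, tci_an, 0, pn)
    if include_sci:
        sectag += sa + bytes.fromhex("0001")  # SCI = source MAC + port id 0x0001
    secure_data = bytes(48)   # 48 bytes so short_length stays 0
    icv = bytes(ICV_LEN)      # placeholder only; a real ICV comes from AES-GCM
    return da + sa + sectag + secure_data + icv


if __name__ == "__main__":
    for with_sci in (False, True):
        tag = parse_sectag(build_sample_frame(with_sci, an=2, pn=7))
        print(f"include-sci={with_sci}: SecTAG {tag['sectag_len']} B, "
              f"overhead {tag['overhead']} B, AN {tag['an']}, PN {tag['pn']}")
        for size in (64, 512, 1518):
            print(f"  {size}-byte frames: {macsec_efficiency(size, with_sci):.1%} efficient")
```

Running the block shows why the note singles out small packets: 64-byte frames drop to roughly 73% (or 67% with the SCI included) frame-level efficiency, while 1518-byte frames stay above 98%. A defender sizing a MACsec link can feed the measured average frame size on a port into macsec_efficiency to estimate the expected throughput drop before enabling the feature.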