MACsec is configured on a per-port basis to protect point-to-point links between switches. Mutual authentication is achieved by provisioning the same set of credentials (pre-shared key) on each end of a link.
Prior to authentication, all port traffic is blocked. After authentication, all port traffic is protected by the GCM-AES-128 cipher suite by default, or optionally, by GCM-AES-256. MACsec operates at Layer 2 and is therefore protocol agnostic, encrypting everything it passes. Because encryption takes place at the hardware level, line-rate traffic passes with low latency, but due to additional MACsec headers, some throughput drop occurs. MACsec operates on a hop-by-hop basis, allowing for deep packet inspection.
Note
The following table lists the switches/ports that support the optional GCM-AES-256 cipher.
Platform | Ports | LRM/MACsec Adapter Required? |
---|---|---|
ExtremeSwitching X450-G2, X460-G2, X670-G2, X440-G2, X590, X620, X690, X695 series switches | SFP/SFP+ ports | Yes |
ExtremeSwitching X465 |
VIM5-4XE: all 4 ports VIM5-4YE in X465-24MU, X465i-48W, X465-24XE, X465-24MU-24W switches: all 4 ports VIM5-4YE in X465-24W, X465-48T, X465-48P, X465-48W: first 2 ports only |
No |
Authentication is provided by pre-shared-keys (PSK), which consist of a public secure connectivity association key name (CKN) and a private secure connectivity association key (CAK). Each PSK is configured against a connectivity-association namespace. Each connectivity-association can be applied to one or more MACsec-capable ports. Each port may belong to only one connectivity-association.
Note
When MACsec is enabled, every protected packet is prefixed with an 8-byte (include-sci disable) or 16-byte (include-sci enable) SecTAG and suffixed with a 16-byte Integrity Check Value (ICV). If the average packet size on a port is small, then these 24 to 32 extra bytes per packet have a non-trivial impact on throughput. This is a function of the protocol, and is not a factor of this implementation.