MACsec
The MACsec protocol secures communication among the trusted components of an IEEE 802.1 LAN.
The MACsec standards consist of two main components:
- MAC security (MACsec)
- MACsec Key Agreement (MKA) protocol
The MKA protocol, defined as part of the IEEE 802.1X-2010 standard, is responsible for generating the Secure Association Keys (SAKs) that MACsec uses for symmetric cryptography. This protocol runs on the management card in the control plane.
When MACsec secures the communication between endpoints on a LAN, each packet is encrypted in the PHY, in the data plane, using symmetric-key cryptography, so that traffic on the wire cannot be monitored or altered.
MACsec critical security parameters
The following parameters make up the MACsec critical security parameters (CSPs):
- MKA Connectivity Association Key (CAK): Either configured manually by the user or derived from the Master Session Key (MSK) obtained from the authentication server.
- MKA Connectivity Key Name (CKN): Either configured manually by the user or derived from the EAP session ID obtained from the authentication server.
- MKA Secure Association Key (SAK): Derived from the CAK and used for encryption and decryption of the traffic.
- MKA Integrity Checksum Key (ICK): Derived with the SP800-108 KDF.
- MKA Key Encryption Key (KEK): Derived with the SP800-108 KDF.
- MKA SP800-108 KDF state
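As an added example (not code from this page or from any vendor's MKA implementation), the derivation of the KEK and ICK listed above as IEEE 802.1X-2010 specifies it: the SP800-108 counter-mode KDF with AES-CMAC as the PRF, keyed with the CAK and using Keyid, the first 16 octets of the CKN, as context. It assumes the `cryptography` Python package is installed, a 16-octet CKN, and constructed sample CAK/CKN values that do not come from any deployment.

```python
"""IEEE 802.1X-2010 MKA key hierarchy: derive the KEK and ICK from the CAK.

KDF(Key, Label, Context, Length) is NIST SP800-108 in counter mode with AES-CMAC
as the PRF; each PRF input is
    i (1 octet) || Label || 0x00 || Context || Length in bits (2 octets, big-endian)
Requires the `cryptography` package for AES-CMAC.
"""
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.cmac import CMAC


def aes_cmac(key: bytes, data: bytes) -> bytes:
    """AES-CMAC (RFC 4493), the PRF used by the 802.1X KDF; key is 16 or 32 bytes."""
    mac = CMAC(algorithms.AES(key))
    mac.update(data)
    return mac.finalize()


def mka_kdf(key: bytes, label: str, context: bytes, length_bits: int) -> bytes:
    """SP800-108 counter-mode KDF as used by IEEE 802.1X-2010 (clause 6.2.1)."""
    if length_bits <= 0 or length_bits % 8 or length_bits > 0xFFFF:
        raise ValueError("length must be a whole number of octets below 2^16 bits")
    n = (length_bits + 127) // 128  # number of 128-bit PRF outputs needed
    if n > 0xFF:
        raise ValueError("the counter is a single octet; requested length too long")
    # Length is bound into every PRF input, so a 128-bit and a 256-bit request differ.
    fixed = label.encode("ascii") + b"\x00" + context + length_bits.to_bytes(2, "big")
    out = b"".join(aes_cmac(key, bytes([i]) + fixed) for i in range(1, n + 1))
    return out[: length_bits // 8]


def derive_kek_ick(cak: bytes, ckn: bytes) -> tuple[bytes, bytes]:
    """KEK = KDF(CAK, "IEEE8021 KEK", Keyid, len(CAK)); ICK uses label "IEEE8021 ICK".
    Keyid is the first 16 octets of the CKN (assumed here to be exactly 16 octets)."""
    if len(cak) not in (16, 32):
        raise ValueError("CAK must be 128 or 256 bits")
    keyid = ckn[:16]
    bits = len(cak) * 8  # KEK and ICK have the same length as the CAK
    kek = mka_kdf(cak, "IEEE8021 KEK", keyid, bits)
    ick = mka_kdf(cak, "IEEE8021 ICK", keyid, bits)
    return kek, ick


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device or from the standard.
    CAK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    CKN = bytes.fromhex("11111111111111111111111111111111")
    kek, ick = derive_kek_ick(CAK, CKN)
    print("KEK:", kek.hex(), "ICK:", ick.hex())
```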