MACsec
MACsec is available on the 6300 Switch Series.
Media Access Control security (MACsec) provides Layer 2 security for wired LANs, protecting network communications against a range of attacks including denial of service, intrusion, man-in-the-middle, and eavesdropping. These attacks exploit Layer 2 vulnerabilities and often go undetected. MACsec appends a header and a tail (the SecTAG and the integrity verification code) to every Ethernet frame and encrypts the data payload within the frame. The receiving device checks the header and tail for integrity: if the check fails, the frame is dropped; if it succeeds, the frame is decrypted.
The Media Access Control security (MACsec) protocol:
- Provides Layer 2 hop-by-hop encryption on point-to-point Ethernet links, enabling a bi-directional secure link after an exchange and verification of security keys between the two connected devices.
- Secures switch-to-switch infrastructure using the MACsec Key Agreement (MKA) protocol and a static Connectivity Association Key (CAK).
- Encrypts all fields after the source/destination MAC addresses except the MACsec SecTAG.
- Uses a pre-shared key (PSK) consisting of a connectivity association key name (CKN) and a connectivity association key (CAK). Both are configured by the administrator and must match on both ends of the link.
- Adds a 32-byte MACsec header that includes the well-known EtherType 0x88E5, while leaving the Ethernet source/destination MAC addresses in the clear so the frame can still be forwarded.
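The frame layout described above can be made concrete with a small parser. The following is an added example, not AOS-CX or HPE Aruba code: it reads the SecTAG fields of an IEEE 802.1AE frame (EtherType 0x88E5, TCI/AN, SL, PN and the optional SCI), strips the integrity check value, and splits the user data into the clear prefix and the encrypted part according to the configured confidentiality offset (0, 30 or 50 bytes). The `SAMPLE_FRAME` bytes, MAC addresses and the ICV are constructed for the demonstration; the ICV is a placeholder and is not cryptographically verified, and all function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example (not AOS-CX code). Sample frame and ICV below are constructed;
# the ICV is a placeholder and is not cryptographically verified here.
MACSEC_ETHERTYPE = 0x88E5    # well-known EtherType carried in the SecTAG
ICV_LEN = 16                 # GCM-AES integrity check value after the secure data
VALID_OFFSETS = (0, 30, 50)  # confidentiality offsets the platform supports


@dataclass
class SecTag:
    end_station: bool            # TCI.ES
    sci_present: bool            # TCI.SC: an explicit 8-byte SCI follows the PN
    single_copy_broadcast: bool  # TCI.SCB
    encrypted: bool              # TCI.E
    changed_text: bool           # TCI.C
    association_number: int      # AN (2 bits), selects the active SA
    short_length: int            # SL, 0 when user data is 48 bytes or longer
    packet_number: int           # PN; with XPN only the low 32 bits are on the wire
    sci: Optional[bytes]


@dataclass
class MacsecFrame:
    dst: bytes
    src: bytes
    sectag: SecTag
    clear_prefix: bytes    # integrity-protected, sent in the clear (offset bytes)
    encrypted_data: bytes  # integrity-protected and encrypted
    icv: bytes


def sectag_overhead(sci_present: bool) -> int:
    """Bytes MACsec adds per frame: 8- or 16-byte SecTAG plus the 16-byte ICV."""
    return (16 if sci_present else 8) + ICV_LEN


def parse_macsec_frame(frame: bytes, confidentiality_offset: int = 0) -> MacsecFrame:
    """Split a MACsec frame into SecTAG, clear prefix, encrypted data and ICV.

    The confidentiality offset is not signalled in the header: both peers must be
    configured with the same value, so the receiver supplies it as an argument.
    """
    if confidentiality_offset not in VALID_OFFSETS:
        raise ValueError("confidentiality offset must be 0, 30 or 50")
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame: EtherType 0x{ethertype:04x}")
    if tci_an & 0x80 or sl & 0xC0:  # TCI.V and the reserved SL bits must be 0
        raise ValueError("reserved SecTAG bits set")
    if pn == 0:
        raise ValueError("packet number 0 is never valid")
    sci_present = bool(tci_an & 0x20)
    header_end = 28 if sci_present else 20
    if len(frame) < header_end + ICV_LEN:
        raise ValueError("frame too short for the SCI")
    tag = SecTag(
        end_station=bool(tci_an & 0x40), sci_present=sci_present,
        single_copy_broadcast=bool(tci_an & 0x10), encrypted=bool(tci_an & 0x08),
        changed_text=bool(tci_an & 0x04), association_number=tci_an & 0x03,
        short_length=sl, packet_number=pn, sci=frame[20:28] if sci_present else None,
    )
    body, icv = frame[header_end:-ICV_LEN], frame[-ICV_LEN:]
    if sl:  # short frame: the body may carry Ethernet padding beyond SL bytes
        if len(body) < sl:
            raise ValueError("SL exceeds the data actually present")
        user_data = body[:sl]
    else:
        if len(body) < 48:
            raise ValueError("SL is 0 but fewer than 48 bytes of user data")
        user_data = body
    if tag.encrypted:  # only the bytes after the offset are ciphertext
        clear_len = min(confidentiality_offset, len(user_data))
        clear_prefix, encrypted = user_data[:clear_len], user_data[clear_len:]
    else:              # integrity-only mode: nothing is encrypted
        clear_prefix, encrypted = user_data, b""
    return MacsecFrame(dst, src, tag, clear_prefix, encrypted, icv)


# Constructed sample: TCI/AN byte 0x2E = SC|E|C set, AN=2; SL=40; PN=7;
# SCI = source MAC + port 1; 40 bytes of user data; 16-byte placeholder ICV.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + struct.pack("!HBBI", MACSEC_ETHERTYPE, 0x2E, 40, 7)
    + bytes.fromhex("66778899aabb0001")
    + bytes(range(40)) + b"\xaa" * ICV_LEN
)

if __name__ == "__main__":
    for off in VALID_OFFSETS:
        f = parse_macsec_frame(SAMPLE_FRAME, off)
        print(f"offset {off:2d}: AN={f.sectag.association_number} PN={f.sectag.packet_number} "
              f"clear={len(f.clear_prefix)}B encrypted={len(f.encrypted_data)}B")
```

Running the same constructed frame through the parser with offsets 0, 30 and 50 shows the operational consequence of the offset being a configuration value rather than a header field: a mismatch between the two ends does not produce a parse error, it produces a receiver that treats ciphertext as cleartext (or the reverse) and fails integrity checks on every frame. `sectag_overhead(True)` returns 32, the per-frame cost quoted for the header when an explicit SCI is carried.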
Figure 1 MACsec Frame Format
MACsec in AOS-CX
| 6300 model | Ports | Speed |
|---|---|---|
| R8S89A, R8S90A | Uplinks: 2x25G MACsec-BCM82399, ports 1/1/51 to 1/1/52 | 25G |
| R8S91A | Uplinks: 2x10G LRM-BCM82759 | 10G |
| R8S92A | Uplinks: 2x25G MACsec-BCM82399 | 25G |
| R8S92A | Downlinks (10G LRM): 24x10G MACsec | 10G |
MACsec provides:
- Connectionless data integrity: Unauthorized changes to data cannot be made without being detected. Each MAC frame carries a separate integrity verification code.
- Replay protection: When enabled, packets are expected to arrive within the configured replay protection window, measured in packets. MAC frames copied from the network by an attacker cannot be resent into the network without being detected.
- Secure Channel Identifier (SCI) tag: Enables inclusion of the SCI in the Security TAG (SecTAG) field of the MACsec header. The SCI is composed of a globally unique MAC address and a port identifier that is unique within the system. An explicitly encoded SCI is not required on point-to-point links if the transmitting link has only one MACsec peer.
- Data origin authenticity: A received MAC frame is guaranteed to have been sent by the authenticated device.
- Confidentiality: The data payload of each MAC frame is encrypted to prevent it from being eavesdropped by unauthorized parties. The start-of-encryption offset is configurable, with available offset options of 0, 30 or 50 bytes. The default offset of 0 causes the entire data payload to be encrypted.
- Bounded receive delay: MAC frames cannot be intercepted by a man-in-the-middle attack and delayed by more than a few seconds without being detected.
- Multiple cipher suites:
  - gcm-aes-128: AES-128 encryption with Galois/Counter mode.
  - gcm-aes-256: AES-256 encryption with Galois/Counter mode.
  - gcm-aes-xpn-128: AES-128 encryption with Galois/Counter mode and extended packet numbering.
  - gcm-aes-xpn-256: AES-256 encryption with Galois/Counter mode and extended packet numbering. (Default)
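The replay protection window and the extended packet numbering (XPN) suites above both revolve around the per-frame packet number (PN). The following added example, which is not AOS-CX code, models the receive-side PN check in the style of the IEEE 802.1AE receive variables (`nextPN`, `lowestPN`, `replayWindow`): a frame whose PN falls below the window is dropped as late, an in-window frame advances the window, and the remaining PN space before the secure association must be rekeyed is compared for 32-bit and 64-bit (XPN) numbering. ICV verification, which a real receiver performs before updating this state, is left out; the arrival sequence and all class and function names are this example's own constructions.

```python
from dataclasses import dataclass
from typing import List

# Added example (not AOS-CX code): a simplified 802.1AE receive-side PN model.
PN_BITS_STANDARD = 32   # gcm-aes-128 / gcm-aes-256
PN_BITS_XPN = 64        # gcm-aes-xpn-128 / gcm-aes-xpn-256


@dataclass
class ReceiveSA:
    """Receive state for one secure association (constructed model)."""
    replay_protect: bool = True
    replay_window: int = 0      # 0 = frames must arrive strictly in order
    pn_bits: int = PN_BITS_STANDARD
    next_pn: int = 1            # PN expected next (highest accepted + 1)
    lowest_pn: int = 1          # oldest PN still accepted

    @property
    def max_pn(self) -> int:
        return (1 << self.pn_bits) - 1

    def check(self, pn: int) -> str:
        """Classify one received PN and advance the window when it is accepted.

        Returns 'invalid' (malformed PN), 'late' (dropped by replay protection)
        or 'ok'. Like the standard's check this is a lower bound on the PN, not
        a per-PN bitmap: a duplicate that lands inside a non-zero window passes.
        """
        if pn < 1 or pn > self.max_pn:
            return "invalid"
        if self.replay_protect and pn < self.lowest_pn:
            return "late"
        if pn >= self.next_pn:
            self.next_pn = pn + 1
            self.lowest_pn = max(1, self.next_pn - self.replay_window)
        return "ok"

    def frames_until_rekey(self) -> int:
        """PNs left before the SA is exhausted: the reason XPN exists on fast links."""
        return self.max_pn - self.next_pn + 1


def run_sequence(pns: List[int], window: int, pn_bits: int = PN_BITS_STANDARD) -> List[str]:
    """Feed a sequence of received PNs through a fresh receive SA and return verdicts."""
    sa = ReceiveSA(replay_window=window, pn_bits=pn_bits)
    return [sa.check(pn) for pn in pns]


# Constructed arrival order: frames 4 and 3 arrive after 5, then an old frame 2
# is replayed once the window has moved past it.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 6, 2]

if __name__ == "__main__":
    for window in (0, 2):
        print(f"window={window}:", list(zip(SAMPLE_ARRIVALS, run_sequence(SAMPLE_ARRIVALS, window))))
    near_end = (1 << 32) - 1000   # constructed: 1000 PNs short of the 32-bit limit
    std = ReceiveSA(pn_bits=PN_BITS_STANDARD, next_pn=near_end)
    xpn = ReceiveSA(pn_bits=PN_BITS_XPN, next_pn=near_end)
    print("frames left before rekey, 32-bit PN:", std.frames_until_rekey())
    print("frames left before rekey, XPN:", xpn.frames_until_rekey())
```

With the window at 0 every out-of-order frame is counted as late, which is the only setting under which a replayed copy is always rejected; a window of 2 lets the reordered frame 4 through while still rejecting the stale frames 3 and 2. The rekey comparison shows why the default suite on this platform is an XPN one: at high link speeds a 32-bit PN space is consumed quickly enough that MKA must rekey often, whereas 64-bit numbering removes that pressure.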