Understanding Media Access Control Security And Macsec Key Agreement - Cisco Catalyst 3560-X Software Configuration Manual

Understanding Media Access Control Security and MACsec Key Agreement

Understanding Media Access Control Security and MACsec Key
Agreement
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using
out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the
required session keys and manages the required encryption keys. MKA and MACsec are implemented
after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework.
Only host facing links (links between network access devices and endpoint devices such as a PC or IP
phone) can be secured using MACsec.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy
associated with the client. MACsec frames are encrypted and protected with an integrity check value
(ICV). When the switch receives frames from the client, it decrypts them and calculates the correct ICV
by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If
they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent
over the secured port (the access point used to provide the secure MAC service to a client) using the
current session key.
The MKA Protocol manages the encryption keys used by the underlying MACsec protocol. The basic
requirements of MKA are defined in 802.1x-REV. The MKA Protocol extends 802.1x to allow peer
discovery with confirmation of mutual authentication and sharing of MACsec secret keys to protect data
exchanged by the peers.
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP
authentication produces a master session key (MSK) shared by both partners in the data exchange.
Entering the EAP session ID generates a secure connectivity association key name (CKN). Because the
switch is the authenticator, it is also the key server, generating a random 128-bit secure association key
(SAK), which it sends it to the client partner. The client is never a key server and can only interact with
a single MKA entity, the key server. After key derivation and generation, the switch sends periodic
transports to the partner at a default interval of 2 seconds.
The packet body in an EAPOL Protocol Data Unit (PDU) is referred to as a MACsec Key Agreement
PDU (MKPDU). MKA sessions and participants are deleted when the MKA lifetime (6 seconds) passes
with no MKPDU received from a participant. For example, if a client disconnects, the participant on the
switch continues to operate MKA until 6 seconds have elapsed after the last MKPDU is received from
the client.
These sections provide more details:
•
•
•
•
•
MKA Policies
You apply a defined MKA policy to an interface to enable MKA on the interface. Removing the MKA
policy disables MKA on that interface. You can configure these options:
•
•
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-2
MKA Policies, page 1-2
Virtual Ports, page 1-3
MACsec and Stacking, page 1-3
MACsec, MKA and 802.1x Host Modes, page 1-4
MKA Statistics, page 1-5
Policy name, not to exceed 16 ASCII characters.
Confidentiality (encryption) offset of 0, 30, or 50 bytes for each physical interface.
Chapter 1 Configuring MACsec Encryption
OL-25303-03