HPE FlexNetwork 5510 HI Series Security Configuration Manual: Configuring MACsec (Overview, Basic Concepts, MACsec Services)

Configuring MACsec

Overview

Media Access Control Security (MACsec) secures data communication on IEEE 802 LANs. MACsec
provides services such as data encryption, frame integrity check, and data origin validation for
frames on the MAC sublayer of the Data Link Layer.

Basic concepts

CA
A connectivity association (CA) is a group of participants that share the same key and key
algorithm. The secret shared by the CA participants is called the connectivity association key
(CAK). The CAK is not applied to traffic directly; it is the long-lived key from which MKA derives
the keys that protect frames (see SA). The following types of CAKs are available:
• Pairwise CAK—Used by CAs that have two participants.
• Group CAK—Used by CAs that have more than two participants.
The pairwise CAK is used most often because MACsec is typically applied to point-to-point links.
A CAK can be a key derived during 802.1X authentication or a user-configured preshared key. If
both exist, the user-configured preshared key takes precedence over the 802.1X-derived key.
SA
A secure association (SA) is an agreement negotiated by the CA participants. The agreement
includes the cipher suite and the key used to protect and verify frames.
A secure channel can contain more than one SA. Each SA uses a unique secure association key
(SAK). The SAK is generated from the CAK and distributed by MKA, and MACsec uses the SAK to
encrypt and integrity-protect the data transmitted along the secure channel.
Every frame carries a packet number (PN) that must never repeat under one SAK, so MKA limits the
number of frames an SAK can protect. Before that limit is reached, the key server distributes a new
SAK and the secure channel switches to it. For example, when minimum-size frames are sent at line
rate on a 10-Gbps link, an SAK rekey occurs about every 300 seconds.
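The 300-second figure above follows from the 32-bit packet number in the MACsec SecTAG. The script below is an added example, not code from the HPE manual; it reproduces that number and extends the same calculation to other link speeds and to the 64-bit extended packet number (XPN) cipher suites. The only assumptions are standard Ethernet wire constants (8-byte preamble and SFD, 64-byte minimum frame, 12-byte inter-frame gap).

```python
# Added example (not HPE's code): why an SAK on a busy 10G link is replaced roughly
# every 300 s, and what the same limit means at other speeds and with XPN.

PREAMBLE_SFD = 8     # bytes sent on the wire before every frame
IFG = 12             # minimum inter-frame gap, in byte times
MIN_FRAME = 64       # minimum Ethernet frame including the FCS, bytes
PN_BITS = 32         # packet number width for GCM-AES-128 / GCM-AES-256
XPN_BITS = 64        # extended packet number width for GCM-AES-XPN-128 / -256


def max_frames_per_second(link_bps: float, frame_bytes: int = MIN_FRAME) -> float:
    """Frames per second a sender can put on a full-duplex link at this frame size."""
    wire_bits_per_frame = (PREAMBLE_SFD + frame_bytes + IFG) * 8
    return link_bps / wire_bits_per_frame


def sak_lifetime_seconds(link_bps: float, frame_bytes: int = MIN_FRAME,
                         pn_bits: int = PN_BITS) -> float:
    """Worst-case time until one SAK has used every PN value and must be replaced.

    A PN may never repeat under the same SAK, so this is the hard upper bound on
    the key's life; MKA has to rekey before it is reached.
    """
    return (2 ** pn_bits - 1) / max_frames_per_second(link_bps, frame_bytes)


def rekey_table(speeds_gbps=(1, 10, 25, 40, 100, 400)) -> dict:
    """Worst-case rekey interval per link speed: (32-bit PN, 64-bit XPN) in seconds."""
    return {
        g: (sak_lifetime_seconds(g * 1e9),
            sak_lifetime_seconds(g * 1e9, pn_bits=XPN_BITS))
        for g in speeds_gbps
    }


if __name__ == "__main__":
    for gbps, (pn_secs, xpn_secs) in rekey_table().items():
        years = xpn_secs / (365 * 86400)
        print(f"{gbps:4d} Gbit/s: 32-bit PN exhausts in {pn_secs:9.1f} s, "
              f"64-bit XPN in about {years:.0f} years")
```

The 10-Gbps row gives about 289 seconds, which is the manual's "about every 300 seconds". At 100 Gbps the same arithmetic gives under 30 seconds, and at 400 Gbps about 7 seconds, which is why the XPN cipher suites exist for high-speed links. Real MACsec frames also carry a SecTAG and a 16-byte ICV, so the true frame rate is a little lower and the bound a little longer; MKA rekeys ahead of the bound, so the observed interval is shorter.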

MACsec services

MACsec provides the following services:
• Data encryption—Enables a port to encrypt outbound frames and decrypt MACsec-protected
inbound frames, so the payload cannot be read on the link between the two ports.
• Integrity check—Verifies every MACsec-protected frame the device receives. The integrity check
uses the following process:
a. Uses the SAK distributed by MKA to calculate an integrity check value (ICV) for the frame.
b. Compares the calculated ICV with the ICV carried in the frame trailer.
− If the ICVs are the same, the device accepts the frame as valid.
− If the ICVs are different, the device decides whether to drop the frame based on the
validation mode.
• MACsec replay protection—When MACsec frames are transmitted over the network, they might
arrive out of order. MACsec replay protection allows the device to accept out-of-order frames whose
packet numbers fall within the replay protection window and to drop other out-of-order frames. A
window size of 0 requires frames to arrive in strict order.
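The receive-side checks described under "Integrity check" and "MACsec replay protection" can be seen together in the added example below. It is not the manual's or the switch's code: it models one receive SA following the 802.1AE receive rules (a PN window check first, so late frames cost no cryptographic work, then ICV verification whose outcome depends on the validation mode). The frames are constructed inline, the SAK is a fixed constructed value, and the ICV is a stand-in (HMAC-SHA256 truncated to 16 bytes) for the GCM-AES ICV real MACsec uses, chosen so the example runs on the standard library alone. The three validation modes are those 802.1AE defines (disabled, check, strict).

```python
# Added example, not HPE code: receive-side MACsec frame validation.
import hmac
import hashlib
from enum import Enum

ICV_LEN = 16           # the ICV is 16 bytes in every 802.1AE cipher suite
SECTAG_LEN = 8         # short SecTAG (no SCI): EtherType 88-E5, TCI/AN, SL, 4-byte PN
HDR_LEN = 12 + SECTAG_LEN   # dst MAC + src MAC + SecTAG


class ValidateFrames(Enum):
    DISABLED = "disabled"   # never run the integrity check
    CHECK = "check"         # run it, count failures, but still deliver the frame
    STRICT = "strict"       # run it, drop frames that fail


def compute_icv(sak: bytes, covered: bytes) -> bytes:
    """Stand-in ICV (assumption): HMAC-SHA256 truncated to 16 bytes.

    It covers what the real GCM-AES ICV covers: both MAC addresses, the SecTAG
    and the payload, so any change to them changes the ICV.
    """
    return hmac.new(sak, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_frame(sak: bytes, pn: int, payload: bytes,
                dst: bytes = b"\x01" * 6, src: bytes = b"\x02" * 6) -> bytes:
    """Constructed integrity-only frame: dst | src | SecTAG | payload | ICV."""
    sl = len(payload) if len(payload) < 48 else 0   # SL field per 802.1AE
    sectag = b"\x88\xe5" + bytes([0x00, sl]) + pn.to_bytes(4, "big")  # TCI: E=0, C=0, AN=0
    covered = dst + src + sectag + payload
    return covered + compute_icv(sak, covered)


class ReceiveSA:
    """One receive secure association: replay window plus ICV validation."""

    def __init__(self, sak: bytes, validate: ValidateFrames = ValidateFrames.STRICT,
                 replay_protect: bool = True, replay_window: int = 0):
        self.sak = sak
        self.validate = validate
        self.replay_protect = replay_protect
        self.replay_window = replay_window
        self.next_pn = 1        # next PN expected on this SA
        self.counters = dict(ok=0, unchecked=0, delayed=0, late=0, invalid=0, not_valid=0)

    def receive(self, frame: bytes) -> str:
        pn = int.from_bytes(frame[12 + 4:12 + 8], "big")
        lowest_pn = max(1, self.next_pn - self.replay_window)
        # 1. Replay protection: a PN below the window is dropped before any crypto work.
        if pn < lowest_pn and self.replay_protect:
            self.counters["late"] += 1
            return "drop"
        # 2. Integrity check: recompute the ICV, compare with the trailer in constant
        #    time, and let the validation mode decide what a mismatch means.
        checked = self.validate is not ValidateFrames.DISABLED
        if checked:
            expected = compute_icv(self.sak, frame[:-ICV_LEN])
            if not hmac.compare_digest(expected, frame[-ICV_LEN:]):
                if self.validate is ValidateFrames.STRICT:
                    self.counters["not_valid"] += 1
                    return "drop"
                self.counters["invalid"] += 1       # check mode: counted, still delivered
                return "deliver"
        # 3. Window bookkeeping. Only a frame that verified (or was not checked) gets
        #    here, so a frame with a forged PN cannot push the window forward.
        if pn < lowest_pn:
            self.counters["delayed"] += 1           # replay protection off: old but delivered
            return "deliver"
        self.counters["ok" if checked else "unchecked"] += 1
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return "deliver"


def demo():
    """Constructed arrival sequence against a strict receiver with a window of 2."""
    sak = bytes(range(16))                                   # constructed 128-bit SAK
    frames = {pn: build_frame(sak, pn, b"payload-%d" % pn) for pn in range(1, 9)}
    rx = ReceiveSA(sak, replay_window=2)
    log = [(pn, rx.receive(frames[pn])) for pn in (1, 2, 3, 2, 6, 4, 5)]
    tampered = bytearray(frames[8])
    tampered[HDR_LEN] ^= 0x01                                # flip one payload bit
    log.append((8, rx.receive(bytes(tampered))))
    lenient = ReceiveSA(sak, validate=ValidateFrames.CHECK)  # same frame, check mode
    check_mode = lenient.receive(bytes(tampered))
    return log, rx.counters, rx.next_pn, check_mode, lenient.counters


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two things worth noticing in the run: PN 2 is accepted a second time because it is still inside the window of 2, since 802.1AE keeps only a lower bound and not a per-PN bitmap, so any window larger than 0 tolerates duplicates of recent frames; and the tampered frame is dropped in strict mode but delivered (and counted) in check mode, which is why check mode is for diagnosis rather than for protection.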