- 4.17.0F - MACSec EAP-FAST (key server)
- 4.21.1F - MACSec Proxy
- Arista MACsec white paper (includes a list of supported hardware)
- Cisco MACsec white paper (IPsec vs. MACsec)
- Purpose: to protect data traffic from various types of attacks:
- passive: snooping
- active: replay, man-in-the-middle
- vs IPSec
- Level: IPsec operates at the IP level, MACsec at the MAC/data-link level.
- End-to-end or per-hop: IPsec provides end-to-end protection, while MACsec secures each hop. (TLS, like IPsec, is end-to-end.)
- HW: IPsec does not depend on hardware (although it is often hardware-accelerated), whereas MACsec is implemented at the PHY level and needs MACsec-capable hardware. For example,
- 7500E-6CFPX-LC
- 7280SRAM-48C6
- 7280CR2M-30
- 7500R2M-36CQ-LC
- Throughput: IPsec throughput has a ceiling, while MACsec runs at line rate, e.g. 100G.
- Key components:
- CAK - Connectivity Association Key, the master key. Either configured manually or distributed by a key server.
- CAN - the name of the CAK
- SAK - Secure Association Key, derived from the CAK, used for data encryption.
- Point-to-point vs. clear 802.1Q
- Clear 802.1Q means the VLAN tag is moved ahead of the MACsec tag (so it stays in clear text), which is a must for hub-and-spoke topologies. Cisco ASR supports it.
- Arista EOS only supports point-to-point.
- Packet format:
- A 16-byte SecTAG is added after the source MAC and VLAN tag
- A 16-byte ICV is added at the end of the Ethernet frame
- EtherType = 0x88e5 (why not use 0x85ec?, hahaha)
- MACsec proxy:
- Provides MACsec for VXLAN traffic
- Traffic is looped back to a MACsec-capable front-panel port for processing.
- MISC:
- fallback key, used if MACsec fails or during a configuration change
- L2-protocol pass-through, e.g. skipping LLDP packets
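The packet format and the replay attack mentioned above, as an added example (not from the original post or from Arista): a small Python parser and builder for both layouts (point-to-point, and clear 802.1Q with the VLAN tag ahead of the SecTAG), plus a strict per-SCI packet-number replay check. The frame bytes are constructed here and the ICV is a placeholder, since the point is the field layout rather than the AES-GCM processing that real MACsec hardware performs.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # SecTAG EtherType from the notes above
DOT1Q_ETHERTYPE = 0x8100
ICV_LEN = 16                # ICV appended at the end of the frame

def parse_macsec_frame(frame: bytes) -> dict:
    """Split a MACsec frame into fields; handles point-to-point and clear 802.1Q layouts."""
    if len(frame) < 12 + 2 + 6 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    dst, src, off = frame[0:6], frame[6:12], 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    clear_vlan = None
    if ethertype == DOT1Q_ETHERTYPE:            # clear 802.1Q: VLAN tag precedes SecTAG
        clear_vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04x})")
    # SecTAG: TCI/AN (1 byte), SL (1 byte), PN (4 bytes), optional SCI (8 bytes)
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, off + 2)
    off += 8
    sci = None
    if tci_an & 0x20:                           # SC bit set: 16-byte SecTAG with SCI
        sci, off = frame[off:off + 8], off + 8
    return {
        "dst": dst, "src": src, "clear_vlan": clear_vlan,
        "an": tci_an & 0x03, "encrypted": bool(tci_an & 0x08), "pn": pn,
        "sci": sci, "short_length": sl & 0x3F,
        "payload": frame[off:-ICV_LEN], "icv": frame[-ICV_LEN:],
    }

def build_macsec_frame(dst, src, sci, pn, payload, an=0, vlan=None) -> bytes:
    """Assemble the framing only (constructed example): payload is assumed already
    encrypted, SL=0 assumes at least 48 payload bytes, and the ICV is a placeholder."""
    hdr = dst + src
    if vlan is not None:                        # clear 802.1Q layout
        hdr += struct.pack("!HH", DOT1Q_ETHERTYPE, vlan)
    tci_an = 0x20 | 0x08 | 0x04 | (an & 0x03)   # SC, E, C bits + association number
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn) + sci
    return hdr + sectag + payload + b"\x00" * ICV_LEN

def replay_check(highest_pn: dict, sci: bytes, pn: int) -> bool:
    """Strict replay protection: accept only a PN above the highest seen for this SCI."""
    if pn <= highest_pn.get(sci, 0):
        return False                            # replayed or reordered frame: drop
    highest_pn[sci] = pn
    return True
```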
```
mac security
   license DCI1 <license>
   profile toISP1
      ! key <CAN> <type: 0 = clear text> <key>
      key a1 0 a123456
!
interface Ethernet4/1/1
   mac security profile toISP1
!
show mac security counters
!
show mac security interface
```