MACsec

Overview

Media Access Control Security (MACsec) provides point-to-point, point-to-multipoint, and in-band security on Ethernet links between directly connected NEs or NEs connected over a Layer 2 cloud. MACsec uses MACsec Key Agreement (MKA) to signal data path encryption keys known as Security Association Keys (SAKs).

To use MACsec, you need to configure a global and a local connectivity association. A connectivity association creates secure channels for inbound and outbound traffic.

MACsec in NFM-P supports the static Connectivity Association Key (CAK) feature, which uses MKA and a Pre-Shared Key (PSK) to discover and authenticate peers. Static CAK uses two security keys to secure the Ethernet link: a CAK that secures control plane traffic, and an SAK that secures data plane traffic. Both keys are regularly exchanged between devices on each end of the Ethernet link to ensure link security. PSK is also used for encrypting SAKs between the key server and other peers in the MACsec connectivity association.

MACsec configuration components

The following need to be configured to use MACsec:

MACsec interfaces

A MACsec port is an Ethernet port on a card that supports MACsec. A MACsec interface is a virtual sub-port, that is, a VLAN, on a MACsec port. MACsec port properties apply to all MACsec interfaces on the port. MACsec interface properties apply only to the interface.

MACsec is activated when MACsec interfaces are added to a connectivity association, and the interfaces, the ports, and the connectivity association are all in an administrative up state. If the port, interface, or connectivity association is down, the MKA session providing encryption will end. A new session will be established when the port, interface, and connectivity association are all back up.

Key updates with offline nodes

A node is in offline mode if the NFM-P has lost connectivity to the node at the time of the action (global PSK creation, manual PSK distribution, scheduled rekey). A node is considered online only if it responds to both SSH and SNMP requests.

By default, the key update process skips offline nodes. When the node is back online, you can manually distribute the new keys to the node or create a global key to be automatically distributed to all sites in the CA.
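The session-state rule from "MACsec interfaces" and the offline-node skip-and-redistribute behaviour described above, as an added model in Python (example code, not part of NFM-P or this page; the Site fields, the "skipped" list and the sample sites are constructed assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Site:
    """One MACsec-capable node in a connectivity association (constructed)."""
    name: str
    ssh_ok: bool
    snmp_ok: bool
    port_up: bool = True
    intf_up: bool = True
    ca_up: bool = True
    psk: Optional[str] = None

    def is_offline(self) -> bool:
        # A node counts as online only if it answers both SSH and SNMP.
        return not (self.ssh_ok and self.snmp_ok)

    def mka_session_active(self) -> bool:
        # The MKA session exists only while port, interface and CA are all up.
        return self.port_up and self.intf_up and self.ca_up


def distribute_psk(sites: List[Site], new_psk: str) -> List[str]:
    """Push a new PSK to every online site; return the names of skipped
    (offline) sites, mirroring the default key-update behaviour."""
    skipped = []
    for s in sites:
        if s.is_offline():
            skipped.append(s.name)
            continue
        s.psk = new_psk
    return skipped


def redistribute_pending(sites: List[Site], skipped: List[str], psk: str) -> List[str]:
    """Manual redistribution to previously skipped sites; returns those still offline."""
    still_pending = []
    for s in sites:
        if s.name in skipped:
            if s.is_offline():
                still_pending.append(s.name)
            else:
                s.psk = psk
    return still_pending


def ca_key_consistent(sites: List[Site]) -> bool:
    """True when every site holds the same PSK; a stale peer cannot authenticate."""
    return len({s.psk for s in sites}) == 1
```

Running a rekey while one site is unreachable leaves the CA inconsistent until that site is redistributed to, which is the condition the operator must check for before relying on the new key.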