MACsec
Overview
Media Access Control Security (MACsec) provides point-to-point, point-to-multipoint, and in-band security on Ethernet links between directly connected NEs or NEs connected over a Layer 2 cloud. MACsec uses MACsec Key Agreement (MKA) to signal data path encryption keys known as Security Association Keys (SAKs).
To use MACsec, you need to configure a global and a local connectivity association. A connectivity association creates secure channels for inbound and outbound traffic.
MACsec in NFM-P supports the static Connectivity Association Key (CAK) feature, which uses MKA and a Pre-Shared Key (PSK) to discover and authenticate peers. Static CAK uses two security keys to secure the Ethernet link: a CAK that secures control plane traffic, and an SAK that secures data plane traffic. Both keys are regularly exchanged between devices on each end of the Ethernet link to ensure link security. PSK is also used for encrypting SAKs between the key server and other peers in the MACsec connectivity association.
MACsec configuration components
The following need to be configured to use MACsec:
- Connectivity association: a global connectivity association configuration. The global configuration contains the static CAK.
- Connectivity association site: a local connectivity association configuration. The site contains parameters that must be synchronized to the global configuration, and parameters that can be changed on a local basis.
- Static CAK: the CAK contains the PSK and related information. A maximum of two PSKs can be configured at one time, and only one can be active at a time.
- PSKs: the PSKs contain the connectivity association name and CAK.
  - The global PSK is created under the global static CAK object.
  - The local PSK is created as part of the global PSK creation if the connectivity association site exists under the global connectivity association, or as part of distributing PSKs to sites.
The NFM-P manages PSK generation and rekeying operations. PSK distribution uses SSH2.
MACsec interfaces
A MACsec port is an Ethernet port on a card that supports MACsec. A MACsec interface is a virtual sub-port, that is, a VLAN, on a MACsec port. MACsec port properties apply to all MACsec interfaces on the port. MACsec interface properties apply only to the interface.
MACsec is activated when MACsec interfaces are added to a connectivity association, and the interfaces, the ports, and the connectivity association are all in an administrative up state. If the port, interface, or connectivity association is down, the MKA session providing encryption will end. A new session will be established when the port, interface, and connectivity association are all back up.
Key updates with offline nodes
A node is in offline mode if the NFM-P has lost connectivity to the node at the time of the action (global PSK creation, manual PSK distribution, scheduled rekey). A node is not in offline mode if it responds to SSH and SNMP requests.
By default, the key update process skips offline nodes. When the node is back online, you can manually distribute the new keys to the node or create a global key to be automatically distributed to all sites in the CA.