MACsec static CAK
MACsec uses SAs to encrypt packets. An SA is a security relationship that provides security guarantees for frames transmitted from one member of a CA to the other members. Each SA contains a single SAK with the cryptographic operations used to encrypt the datapath PDUs.
An SAK is the secret key used by an SA to encrypt the channel.
When enabled, MACsec uses a static CAK security mode. Two security keys, a CAK that secures control plane traffic and a randomly generated SAK that secures data plane traffic, are used to secure the point-to-point or point-to-multipoint Ethernet link. Both keys are regularly exchanged between both devices at each end of the Ethernet link to ensure link security.
The following figure shows MACsec generating the CAK.
The node initially needs to secure the control plane communication to distribute the SAKs between two or more members of a CA domain.
The CAK is used to secure the control plane. There are two main methods to generate the CAK:
- using EAPOL (the 7705 SAR does not support this method)
- using a pre-shared key, where CAK and connectivity association key name (CKN) values are configured manually using the CLI. The following CAK and CKN rules apply:
  - The CAK has 32 hexadecimal characters for a 128-bit key and 64 hexadecimal characters for a 256-bit key depending on which algorithm is used for control plane encryption (for example, aes-128-cmac or aes-256-cmac).
  - The CKN has 32 octets (64 hexadecimal characters) and is the connectivity association key name that identifies the CAK. This allows each of the MKA participants to select which CAK to use to process a received MKPDU. The MKA places no restrictions on the format of the CKN, except that it must comprise an integral number of octets between 1 and 32 (inclusive) and all potential members of the CA must use the same CKN.
  - The CKN and CAK must match on peers to create a MACsec secure CA.
The following figure shows the MACsec control plane authentication and encryption.
The following additional keys are derived from the CAK:
- a key encryption key (KEK), used to wrap and encrypt the SAKs
- an integrity check value (ICV) key (ICK), used for an integrity check of each MKPDU sent between two CAs
The key server then creates a SAK, which is shared with the CAs of the security domain, and that SAK secures all data traffic traversing the link. The key server continues to periodically create and share a randomly created SAK over the point-to-point link for as long as MACsec is enabled.
The SAK is encrypted using the KEK as the encryption key, and the MKPDU carrying it is integrity-protected by AES-CMAC using the ICK as the integrity key.