MACsec Explained and Configuration Example
MACsec (standard IEEE 802.1AE) is a network security standard that operates at the Layer 2 (MAC layer) and defines connectionless data confidentiality and integrity for media access independent protocols.
MACsec offers the following advantages:
- Provides line rate encryption capabilities.
- Helps to ensure data confidentiality by providing strong encryption at Layer 2.
- Provides integrity checking to help ensure that data cannot be modified in transit.
- Encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and forward traffic according to your existing policies (unlike end-to-end Layer 3 encryption techniques that hide the contents of packets from the network devices they cross).
MACsec frame format
It is similar to the Ethernet frame, but includes additional fields:
- Security Tag, which is an extension of the EtherType (SecTAG)
- Message authentication code (ICV)
The MACsec Ethertype is 2 bytes long, like the normal Ethertype field. It has a value of 0x88e5 to indicate that this frame is a MACsec frame:
- ICV: The ICV provides the integrity check for the frame and is usually 8-16 bytes in length, depending on the cipher suite. Frames that do not match the expected ICV are dropped at the port.
- SecTAG: The security tag is 8-16 bytes in length and identifies the SAK to be used for the frame. With Secure Channel Identifier (SCI) encoding, the security tag is 16 bytes in length, and without the encoding, 8 bytes in length.
- TCI/AN: The third octect is the TAG Control Information (TCI)/Association Number field. The TCI designates the MACsec version number, if confidentiality or integrity are used alone.
- SL: The fourth octet is short length, which is set to the length of the encrypted data.
- PN: Octets 5 through 8 are the packet number and are used for replay protection and the construction of the initialization vector (along with the secure channel identifier [SCI]).
- SCI: Octets 9 through 16 are the secure channel identifier. Each connectivity association (CA) is a virtualport and each virtual port is designated a secure channel identifier that is the concatenation of the MAC address of the physical interface and a 16-bit port ID.
MACsec terminology
- MKA (MACsec Key Agreement): a key agreement protocol for discovering MACsec peers and negotiating keys. It represents the control protocol between MACsec peers.
- CA (Connectivity Association): A security relationship, established and maintained by key agreement protocols (MKA). The encryption key used by the CA participants is called CAK (connectivity association key).
- CAK (Connectivity Association Key): long-lived primary key used to generate all other keys used for MACsec.
After the CAK is generated, two keys are obtained from it:- Key Encryption Key (KEK): used to protect and encrypt the MACsec keys (encrypt the SAK)
- Integrity Connection Key (ICK): used to for integrity check of each MKPDU send between two peers. it is tagged in every data/control frame to prove the frame is from an authorized peer.
- CKN (CAK Key Name): used to configure the key value or CAK. Only even number of HEX characters up to 64 characters allowed. the CKN identifies the CAK.
I- Creating a MACsec Keychain:
A MACsec keychain is a collection of keys used to authenticate peers needing to exchange encrypted information. While creating a keychain, we define the key(s), key string with password, the cryptographic algorithm, and the key lifetime.
| MACsec Keychain Keyword | Description |
|---|---|
| Key (CKN) | The MACsec key or the CKN can be up to 64 characters in length. The key must be of an even number of characters. Entering an odd number of characters will exit the MACsec configuration mode. |
| Key-string (CAK) | The MACsec key-string or the CAK can be either 32 characters or 64 characters in length (32 for AES-128, 64 for AES-256). |
| Lifetime | This field specifies the validity period of a key. It includes a start time, and an expiry time. We recommend you to set the value for expiry time as infinite. |
Configuration Example on NXOS switch:
switch# configure terminal
switch(config)# key chain 1 macsec
switch(config-macseckeychain)# key 1000 <-- Key (CKN)
switch(config-macseckeychain-macseckey)# key-octet-string abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
cryptographic-algorithm AES_256_CMAC <-- Key-string (CAK)
switch(config-macseckeychain-macseckey)# send-lifetime 00:00:00 Oct 04 2016 duration 100000 <-- lifetime
Code language: PHP (php)- MACsec PSK: A pre-shared key includes a connectivity association key name (CKN) and a connectivity association key (CAK). A pre-shared key is exchanged between two devices at each end of a point-to-point link to enable MACsec using static CAK security mode.
The MACsec Key Agreement (MKA) protocol is enabled after the pre-shared keys are successfully verified and exchanged. The pre-shared keys, the CKN and CAK, must match on both ends of a link.
- MACsec Keychain: A MACsec keychain can have multiple pre-shared keys (PSKs), each configured with a key ID and an optional lifetime. A key lifetime specifies at which time the key activates and expires. In the absence of a lifetime configuration, the default lifetime is unlimited. When a lifetime is configured, MKA rolls over to the next configured pre-shared key in the keychain after the lifetime is expired.
II- MKA Authentication Process:
MACsec provides the secure MAC Service on a frame-by-frame basis. MACsec uses the MACsec Key Agreement protocol (MKA) to exchange session keys, and manage encryption keys:
Step 1: When a link is first established between two routers, they become peers. Mutual peer authentication takes place by configuring a Pre-shared Key (PSK) (also known as CAK).
Step 2: On successful peer authentication, a connectivity association is formed between the peers, and a secure Connectivity Association Key Name (CKN) is exchanged. After the exchange, the MKA ICV is validated with a Connectivity Association Key (CAK), which is effectively a secret key.
Step 3: A key server is selected between the routers, based on the configured key server priority.
Lower the priority value, higher the preference for the router to become the key server.
Step 4: A security association is formed between the peers. The key server generates and distributes the Secure Association Key (SAK) to the key client (peer).
- SAK (Secure Association Key): derived by the elected Key Server from the CAK and is the key used by the switch/end devices to encrypt Data traffic for a given session.
Step 5: Encrypted data is exchanged between the peers:
MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped.
SA and SC:
Secure association (SA) is an agreement negotiated by CA participants. The agreement includes a cipher suite and keys for integrity check.
A Secure Channel (SC) can contains more than one SA. Each SA uses a unique secure association key (SAK). The SAK is generated from the CAK, and MACsec uses the SAK to encrypt data transmitted along the secure channel.
In the case of 2 SAs per SC, each with a different SAK, each SC comprises a succession of SAs. Each SA has an SC identifier (SCI).
MACsec Policy
You can create multiple MACsec policies with different parameters. However, only one policy can be active on an interface.
switch# configure terminal
switch(config)# macsec policy learnduty
switch(config-macsec-policy)# window-size 512
switch(config-macsec-policy)# key-server-priority 0
switch(config-macsec-policy)# cipher-suite GCM-AES-256
switch(config-macsec-policy)# security-policy should-secureCode language: PHP (php)key server priority: it is needed to break the tie between peers during a key exchange. The range is from 0 (highest priority) and 255 (lowest), and the default value is 16.
Replay protection and window size: When MACsec frames are transmitted over the network, frame disorder might occur. MACsec replay protection allows the device to accept the out-of-order packets within the replay protection window size and drop other out-of-order packets.
With replay protection, the sequence of the ID number (PN) of received packets is checked. If a packet arrives out of sequence and the difference between the packet IDs exceeds the replay protection window size, the packet is counted by the receiving port and discarded
For example if the replay protection window size is configured to 512 and a packet with an ID (PN) equal to 1513 arrives on the receiving link immediately following the packet assigned an ID (PN) of 1000, the packet with ID 1513 is counted and discarded because it is outside the parameter of the window size.
A window size of 0 enforces strict order of packet reception, discarding all packets not received in perfect sequence (if packet with ID 1000 received, next packet ID should be 1001 otherwise discarded).
Security policy mode: it defines the handling of data and control packets:
- must-secure: Packets not carrying MACsec headers will be dropped.
Must-Secure imposes only MACsec encrypted traffic to flow. Hence, until MKA session is not secured, traffic will be dropped.
- should-secure: Packets not carrying MACsec headers will be permitted.
Should-Secure allows unencrypted traffic to flow until MKA session is secured. After the MKA session is secured, Should-Secure policy imposes only encrypted traffic to flow.
Apply MACsec on the interface level
After configuring a user-defined MACsec policy (optional), we can then apply the policy to interface:
interface Ethernet1/10
macsec keychain 1 policy learndutyCode language: PHP (php)
Reference:
Cisco.com
Nokia
H3C
