offset
Syntax
offset (0 | 30 | 50);
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name]
[edit security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name]
Description
Specifies the number of octets at the start of each Ethernet frame that are sent as unencrypted plain text when encryption is enabled for MACsec. This value is the MACsec confidentiality offset.
Per 802.1AE-2006, the confidentiality offset is intended for switch-to-host connections: it lets a system that cannot terminate the secure association before distributing the load perform load balancing across multiple processors based on the first few bytes of each packet. The confidentiality offset can also be used to expose IPv4 or IPv6 headers to bump-in-the-wire devices, such as transparent firewalls or monitoring devices.
Setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while the remaining traffic is encrypted. Setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while the remaining traffic is encrypted.
You would typically forward traffic with the first 30 or 50 octets unencrypted when a feature needs to see the data in those octets to perform a function but you otherwise prefer to encrypt the rest of the data in the frames traversing the link. Load-balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to distribute traffic properly.
You configure the offset in the [edit security macsec connectivity-association connectivity-association-name] hierarchy when you are enabling MACsec using static connectivity association key (CAK) or dynamic security mode.
You configure the offset in the [edit security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name] hierarchy when you are enabling MACsec using static secure association key (SAK) security mode.
Default
0
Options
0 | Specifies that no octets are unencrypted. When you set the offset to 0, all traffic on the interface where the connectivity association or secure channel is applied is encrypted.
30 | Specifies that the first 30 octets of each Ethernet frame are unencrypted. Note: In IPv4 traffic, setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while the rest of the traffic is encrypted. An offset of 30, therefore, is typically used when a feature needs this information to perform a task on IPv4 traffic.
50 | Specifies that the first 50 octets of each Ethernet frame are unencrypted. Note: In IPv6 traffic, setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while the rest of the traffic is encrypted. An offset of 50, therefore, is typically used when a feature needs this information to perform a task on IPv6 traffic.
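The following is an added example, not code from this Junos documentation page or from Juniper, illustrating the description above and the notes on the 30 and 50 options: it constructs sample IPv4 and IPv6 frames and shows which header fields remain readable in the plaintext region for each offset value. It assumes, as IEEE 802.1AE defines confidentialityOffset, that the offset is counted from the start of the MACsec user data (the EtherType), which is why 30 covers a 20-octet IPv4 header plus the L4 ports and 50 covers a 40-octet IPv6 header plus the L4 ports. The exposed octets are still covered by the MACsec integrity check value; only their confidentiality is dropped. Addresses, ports, payload bytes and helper names are constructed for the example.

```python
"""Added example (not from the Junos documentation page): models which header
fields stay readable when a MACsec confidentiality offset of 0, 30 or 50 is
applied. Assumption: the offset counts octets of the MACsec user data, i.e.
from the EtherType onward, as 802.1AE defines confidentialityOffset. All
frames below are constructed sample data."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
VALID_OFFSETS = (0, 30, 50)  # the only values the offset statement accepts


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    # Minimal 20-octet IPv4 header, no options; checksum left zero (constructed)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst: str, next_header: int = 6) -> bytes:
    # Fixed 40-octet IPv6 header (constructed)
    return struct.pack("!IHBB16s16s", 0x60000000, 20, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def tcp_header(sport: int, dport: int) -> bytes:
    # Minimal 20-octet TCP header: ports, seq, ack, data offset/flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def user_data(ethertype: int, ip_hdr: bytes, l4_hdr: bytes, payload: bytes) -> bytes:
    # MACsec user data: everything after the SecTAG, starting with the EtherType
    return struct.pack("!H", ethertype) + ip_hdr + l4_hdr + payload


def split_at_offset(data: bytes, offset: int) -> tuple:
    """Return (plaintext, encrypted) portions of the user data. Both portions
    are integrity-protected by the ICV; the offset only controls confidentiality."""
    if offset not in VALID_OFFSETS:
        raise ValueError(f"offset must be one of {VALID_OFFSETS}")
    return data[:offset], data[offset:]


def visible_fields(clear: bytes) -> dict:
    """Parse only the headers that fall entirely inside the plaintext region,
    which is all a bump-in-the-wire device or load balancer can rely on."""
    info = {}
    if len(clear) < 2:
        return info
    ethertype = struct.unpack("!H", clear[:2])[0]
    info["ethertype"] = ethertype
    if ethertype == ETHERTYPE_IPV4 and len(clear) >= 22:
        hdr_len = 20
        info["ip_src"] = str(ipaddress.IPv4Address(clear[14:18]))
        info["ip_dst"] = str(ipaddress.IPv4Address(clear[18:22]))
        info["l4_proto"] = clear[11]          # IPv4 protocol field at header octet 9
    elif ethertype == ETHERTYPE_IPV6 and len(clear) >= 42:
        hdr_len = 40
        info["ip_src"] = str(ipaddress.IPv6Address(clear[10:26]))
        info["ip_dst"] = str(ipaddress.IPv6Address(clear[26:42]))
        info["l4_proto"] = clear[8]           # IPv6 next-header field at header octet 6
    else:
        return info  # IP header incomplete or not IP: nothing further is readable
    l4 = clear[2 + hdr_len:]
    if len(l4) >= 4:                          # source and destination ports
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def exposure(ethertype: int, ip_hdr: bytes, offset: int) -> dict:
    """Build a sample TCP frame behind the given IP header and report what the
    chosen confidentiality offset leaves readable."""
    data = user_data(ethertype, ip_hdr, tcp_header(40000, 443), b"constructed payload")
    clear, _encrypted = split_at_offset(data, offset)
    return visible_fields(clear)


if __name__ == "__main__":
    v4 = ipv4_header("192.0.2.10", "198.51.100.20")
    v6 = ipv6_header("2001:db8::10", "2001:db8::20")
    for name, et, hdr in (("IPv4", ETHERTYPE_IPV4, v4), ("IPv6", ETHERTYPE_IPV6, v6)):
        for off in VALID_OFFSETS:
            print(f"{name} offset {off:2d}: {exposure(et, hdr, off)}")
```

Running it shows the reason two non-zero values exist: with offset 30 an IPv4 frame exposes addresses, protocol and ports, but an IPv6 frame exposes only the EtherType because its 40-octet header is cut short, so IPv6 traffic needs offset 50 for the same fields to be usable. Offset 0 exposes nothing, which is the default.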
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X50-D15.
Statement introduced on SRX Series Firewalls in Junos OS Release 15.1X49-D60.