- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Digital Certificates
- play_arrow Configuring Digital Certificates
- Public Key Cryptography
- Configuring Digital Certificates
- Configuring Digital Certificates for an ES PIC
- IKE Policy for Digital Certificates on an ES PIC
- Configuring Digital Certificates for Adaptive Services Interfaces
- Configuring Auto-Reenrollment of a Router Certificate
- IPsec Tunnel Traffic Configuration
- Tracing Operations for Security Services
- play_arrow Configuring SSH and SSL Router Access
-
- play_arrow Trusted Platform Module
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow DHCP Protection
- play_arrow DHCPv4 and DHCPv6
- play_arrow DHCP Snooping
- Understanding DHCP Snooping (ELS)
- Understanding DHCP Snooping (non-ELS)
- Understanding DHCP Snooping Trust-All Configuration
- Enabling DHCP Snooping (non-ELS)
- Configuring Static DHCP IP Addresses
- Example: Protecting Against Address Spoofing and Layer 2 DoS Attacks
- Example: Protecting Against DHCP Snooping Database Attacks
- Example: Protecting Against ARP Spoofing Attacks
- Example: Prioritizing Snooped and Inspected Packet
- Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
- play_arrow DHCP Option 82
- play_arrow Dynamic ARP Inspection (DAI)
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
ON THIS PAGE
Configuring Advanced MACsec Features
Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly-connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.
Configure Encryption Options
Assign an Encryption Algorithm
You can encrypt all traffic entering or leaving the interface using any of the following MACsec encryption algorithms:
gcm-aes-128—GCM-AES-128 cipher suite without extended packet numbering (XPN) mode
gcm-aes-256—GCM-AES-256 cipher suite without XPN
gcm-aes-xpn-128—GCM-AES-XPN_128 cipher suite with XPN mode
gcm-aes-xpn-256—GCM-AES-XPN_256 cipher suite with XPN mode
If MACsec encryption is enabled and if no encryption algorithm is specified, the default (gcm-aes-128) encryption algorithm is used without XPN mode.
We strongly recommend using XPN when using MACsec on 40G and 100G links.
The encryption algorithms with XPN mode are not supported on MX-series MPC7E-10G routers.
Only GCM-AES-128 is supported on MIC-3D-20GE-SFP-E and MIC-3D-20GE-SFP-EH.
[edit security macsec connectivity-association <varname>connectivity-association-name</varname>] user@host# set cipher-suite (gcm-aes-128 | gcm-aes-256 | gcm-aes-xpn-128 | gcm-aes-xpn-256)
For example, if you wanted to encrypt using the GCM-AES-XPN-128 algorithm in the
connectivity association named ca1:
[edit security macsec connectivity-association ca1] user@host# set cipher-suite gcm-aes-xpn-128
Disable Encryption
The default behavior for MACsec is to encrypt traffic traversing the link. You can disable encryption if you want to use MACsec only to authenticate an endpoint and guarantee integrity of the link. This is called integrity-only mode. Integrity-only mode is useful if you need the unencrypted payload to be visible when carrying MACsec over multiple hops.
When you disable encryption, traffic is forwarded across the Ethernet link in clear text. You can view unencrypted data in the Ethernet frame traversing the link when you are monitoring it. The MACsec header is still applied to the frame, however, and all MACsec data integrity checks are run on both ends of the link to ensure the traffic sent or received on the link has not been tampered with and does not represent a security threat.
To disable encryption, use the following command:
[edit security macsec connectivity-association connectivity-association-name] user@host# set no-encryption
Configure an Offset
Offset provides an option between full encyption and no encryption. Configue an offset to expose a set number of bytes of the payload and encrypting the rest. This could be used for intermediate load balancing or for load distribution at the host, in the case of switch-to-host links.
The default offset is 0. All traffic in the connectivity association is encrypted when
encryption is enabled and an offset is not set.
When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic. When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.
You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.
To configure an offset, use the following command:
[edit security macsec connectivity-association connectivity-association-name] user@host# set offset (0 | 30 | 50)
For example, if you wanted to set the offset to 30 in the connectivity association
named ca1:
[edit security macsec connectivity-association ca1] user@host# set offset 30
Configuring MACsec Key Agreement Protocol in Fail Open Mode
You can configure fail open mode for MACsec to prevent traffic from being dropped when the MKA session is inactive. This is recommended for service providers that prioritize network availability over information security.
MACsec maintains data integrity by appending a MACsec header to Ethernet frames transmitted on a MACsec-secured link. When the MKA session is active, traffic is allowed on the link only for frames with a MACsec header. When the MKA session is inactive, frames do not receive a MACsec header. All traffic, both ingress and egress, is dropped. The only exception is EAPoL traffic.
You can configure fail open mode using the should-secure CLI statement.
This allows traffic on the MACsec-secured link even when the MKA session is inactive.
Traffic is transmitted as cleartext, without MACsec headers.
To configure the MKA Protocol in Fail Open Mode:
[edit security macsec connectivity-association connectivity-association-name] user@host# set mka should-secure;
Configuring Replay Protection
MACsec assigns an ID number to each packet on a MACsec-secured link. When replay protection is enabled, the receiving interface checks the ID number of all packets that traversed the MACsec-secured link. If a packet arrives out of sequence and the difference between the packet numbers exceeds the replay protection window size, the receiving interface drops the packet.
For example, if the replay protection window size is set to five and a packet assigned the ID of 1006 arrives on the receiving link immediately after the packet assigned the ID of 1000, the packet with ID 1006 is dropped because it falls outside of the replay protection window.
Replay protection is useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network.
You can require that all packets arrive in order by setting the replay window size to 0. Replay protection should not be enabled in cases where packets are expected to arrive out of order.
To enable replay protection use the following command:
[edit security macsec connectivity-association connectivity-association-name] user@host# set replay-protect replay-window-size number-of-packets
For example, to enable replay protection with a window size of five on connectivity
association ca1:
[edit security macsec connectivity-association ca1] user@host# set replay-protect replay-window-size 5
Configuring Bounded Delay Protection
You can configure bounded delay protection to ensure that a Media Access Control Security (MACsec) frame will not be delivered after a delay of two seconds or more. This ensures that a delay of MACsec frames resulting from a man-in-the-middle attack will not go undetected.
When you configure bounded delay protection, you must also configure replay protection. This is the window during which duplicate and replay packets are allowed. Bounded delay takes precedence over replay protection. You can increase the effectiveness of bounded delay protection by configuring a lower value for the window size.
Before you configure bounded delay protection, you must configure replay protection. See Configuring Replay Protection.
To configure bounded delay protection, use the following command:
[edit security macsec connectivity-association connectivity-association-name mka] user@host# set bounded-delay
Bounded delay impacts CPU utilization which can degrade performance. We recommend only configuring bounded delay on interfaces on which it is absolutely required.
Configuring MACsec with Fallback PSK
When you enable MACsec using static CAK security mode, a preshared key (PSK) is exchanged between the devices on each end of the point-to-point Ethernet link. The PSK is includes a connectivity association name (CKN) and a connectivity association key (CAK). The PSK must match across devices for a MACsec session to be established. If there is a mismatch, the session will not be established and all packets will be dropped.
You can configure a fallback PSK to prevent traffic loss in case the primary PSK fails to establish a connection. The fallback PSK is used when primary keys do not match for the initial MACsec negotiation.
If a MACsec session has already been established, and the primary PSK is changed on one device but not the other, the resulting mismatch is resolved by using the older primary PSK. The older primary PSK is a temporary key known as the preceding PSK.
With fallback PSK configured, a MACsec session can be secured with one of the following keys:
Primary PSK (configurable)—The preferred key.
Fallback PSK (configurable)—Used when the primary PSK fails to establish a MACsec session.
Preceding PSK (non-configurable)—When a new primary PSK is configured, the old primary PSK becomes the preceding PSK.
The status of the CAK for each key can be either live, active or in-progress. See Table 1 for a description of each status.
| CAK Status | Description |
|---|---|
Live |
|
Active |
|
In-progress |
|
A mismatch of keys occurs when a new PSK is configured on one side of the MACsec link and the other side is either misconfigured or not configured with the new key. The fallback behavior depends on which components of the PSK are changed (CAK, CKN, or both). Each mismatch scenario is described below:
If the CAK is changed, and the CKN remains the same, the existing MACsec session will be disconnected. A new session will be initiated with the old CKN and new CAK value.
If the CKN is changed, and the CAK remains the same, the old CKN paired with the existing CAK becomes the preceding PSK, and the session will be live with preceding PSK. A new session is initiated with the newly-created CKN and the CAK, which will be in-progress until the peer node is also configured with the same CKN.
If both the CAK and the CKN are changed, the old CAK+CKN pair becomes the preceding PSK, and the session will be live with the preceding PSK. A new session is initiated with the new CAK+CKN pair, which will be in-progress until the peer node is also configured with the same CAK+CKN.
The preceding PSK takes priority over the fallback PSK,
so if the session is live with the preceding PSK, the fallback PSK
will not take effect. If you want the session to be live with the
fallback PSK, you must configure the disable-preceding-key statement.
Fallback PSK is supported for preshared keychains. You can configure a fallback PSK along with a preshared key, or with a preshared keychain. The preshared key and preshared keychain are mutually exclusive.
If only a fallback PSK is configured, and there is no primary PSK, both devices attempt to establish a session with the fallback PSK. If the session comes up, the SAK derived from the fallback PSK is used for data traffic encryption. If the established session is broken, the devices continue attempting to reestablish the session and traffic will be dropped until the session is reestablished.
The fallback PSK is configured as part of the connectivity association (CA). The CA can be configured globally for all interfaces or on a per-interface basis, allowing different fallback keys for different interfaces.
To configure the fallback PSK, configure the CAK and the CKN as part of the CA:
[edit security macsec connectivity-association ca-name] user@switch# set fallback-key cak key user@switch# set fallback-key ckn key-name
The following restrictions apply to fallback PSK configuration:
Fallback CAK and CKN should not match the preshared key CKN and CAK or any key configured in the keychain under the same CA.
Security mode configuration must be present to configure the fallback key.
Key length restrictions for the configured cipher suite apply to the fallback CAK and CKN.
Configuring MACsec with GRES
The graceful switchover (GRES) feature enables a switch or router with redundant routing engines to continue forwarding packets, even if one routing engine (RE) fails. You can configure MACsec to provide uninterrupted service during RE switchover.
The MACsec Key Agreement (MKA) protocol maintains the MACsec session between two nodes on a point-to-point MACsec link. The MKA protocol works at the control plane level between the two nodes. One node acts as the key server and generates a secure association key (SAK) to secure the link.
When the local nodes initiates an RE switchover, it sends a request to the remote peer node to suspend the MACsec session at the control plane. At the data plane, traffic continues to traverse the point-to-point link during suspension. The SAK that was programmed prior to suspension remains in use until the switchover is complete. After the switchover, the key server generates a new SAK to secure the link. The key server will continue to periodically create and share a SAK over the link for as long as MACsec is enabled.
To enable GRES for MACsec, you must configure the suspend-for statement
on the local node so that it sends a suspension request in the event of an RE switchover.
You must also configure the node acting as key server to accept suspension requests using
the suspend-on-request statement. Otherwise, the key server rejects any
suspension requests, resulting in termination of the MACsec session.
When you configure the suspend-for and
suspend-on-request statements, you must also configure GRES and nonstop
routing.
During GRES, the following MACsec features are disabled:
Primary, fallback, or preceding key switch.
Keychain key switch.
SAK rekey timer.
To enable GRES for MACsec, use the following configuration on the local node:
