Configuring MACsec
Configuration Overview
Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly-connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.
You can configure MACsec to secure point-to-point Ethernet links connecting switches, or on Ethernet links connecting a switch to a host device such as a PC, phone, or server. Each point-to-point Ethernet link that you want to secure using MACsec must be configured independently. You can enable MACsec on switch-to-switch links using dynamic or static connectivity association key (CAK) security mode. Both processes are provided in this document.
For information on configuring MACsec on control and fabric ports of supported SRX Series Firewalls in chassis cluster setup, see Media Access Control Security (MACsec) on Chassis Cluster.
On SRX Series Firewalls, you can configure MACsec in routed mode; MACsec is not supported in transparent mode.
Before You Begin
Before enabling MACsec, you must ensure the difference between your interface media maximum transmission unit (MTU) and protocol MTU is large enough to accommodate the additional 32 bytes of MACsec overhead.
For how to configure the interface MTU and protocol MTU, see No link title.
Configuring MACsec in Static CAK Mode
You can enable MACsec using static connectivity association key (CAK) security mode on a point-to-point Ethernet link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router link.
We recommend enabling MACsec using static CAK security mode on links connecting switches or routers. Static CAK security mode ensures security by frequently refreshing to a new random secure association key (SAK) and by only sharing the SAK between the two devices on the MACsec-secured point-to-point link.
When you enable MACsec using static CAK security mode, a preshared key is exchanged between the devices on each end of the point-to-point Ethernet link. The preshared key includes a connectivity association name (CKN) and a connectivity association key (CAK). The CKN and CAK must be manually configured in the connectivity association and must match on both ends of the link to initially enable MACsec.
After the preshared keys are exchanged and verified, the MACsec Key Agreement (MKA) protocol enables MACsec on the link. The MKA is responsible for selecting one of the two devices on the point-to-point link as the key server. The key server then creates a randomized security key that it shares only with the peer device over the MACsec-secured link. The randomized security key enables and maintains MACsec on the point-to-point link. The key server will continue to periodically create and share a randomly-created security key over the point-to-point link for the duration of the MACsec session.
If the MACsec session terminates due to a link failure, the MKA key server elects a key server when the link is restored and generates a new SAK.
You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters. All configuration is done in the connectivity association.
To configure MACsec using static CAK security mode:
MACsec using static CAK security mode is enabled when a connectivity association on the opposite end of the link is also configured. The connectivity association must contain preshared keys that match on both ends of the link.
See Also
Configuring MACsec in Dynamic CAK Mode
In dynamic CAK mode, the peer nodes on the MACsec link generate the security keys dynamically as part of the 802.1X authentication process. You can use dynamic CAK mode to secure a point-to-point link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router connection. The devices must act as both authenticator and supplicant for 802.1X authentication so they can authenticate each other.
Dynamic CAK mode provides easier administration than static CAK mode, because the keys do not need to be configured manually. Also, the keys can be centrally-managed from the RADIUS server. However, static CAK mode provides more functionality.
Dynamic CAK mode is not supported on logical interfaces.
The following procedure is for configuring dynamic CAK mode on links between switches or routers. To configure dynamic CAK mode on switch-to-host links, see Configuring MACsec to Secure a Switch-to-Host Link.
Before you begin to enable MACsec in dynamic CAK mode, you must configure a RADIUS server. The RADIUS server:
-
Must be configured with a server-side certificate.
-
Must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.
For information on configuring the RADIUS server, see RADIUS Server Configuration for Authentication.
Configure the Connectivity Association
Configure Certificates
You must assign a local certificate and a certificate authority (CA) certificate to each supplicant interface. The supplicant and RADIUS server authenticate each other by exchanging certificate credentials. The local certificate and the server certificate must be signed by the same CA. You can generate the certificates locally using public key infrastructure (PKI), or load certificates that were generated remotely.
Generating Certificates Locally
To generate a CA certificate:
- Configure the CA profile:
[edit] user@host# set security pki ca-profile ca_profile ca-identity ca_id
- Disable revocation check:
[edit] user@host# set security pki ca-profile ca_profile revocation-check disable
- Enroll the certificate with the CA:
[edit] user@host> request security pki ca-certificate enroll ca-profile ca-profile-name
To generate a local certificate:
- Generate a public-private key pair:
[edit] user@host> request security pki generate-key-pair certificate-id cert-id
- Generate and enroll the local certificate using the Simple Certificate
Enrollment Protocol (SCEP):
[edit] user@host> request security pki local-certificate enroll ca-profile ca-profile-name certificate-id cert-id challenge-password password domain-name domain-name subject subject-distinguished-name
Loading Remotely-Generated Certificates
To load remotely-generated certificates:
- Load the CA profile:
[edit] user@host# run request security pki ca-certificate load filename ca_cert ca-profile ca_prof
- Load the local certificate:
[edit] user@host# run request security pki local-certificate load certificate-id cert-id filename path key client-key passphrase string
Configure 802.1X Authentication
Configure 802.1X authentication with EAP-TLS on the interfaces at each end of the point-to-point link. The interfaces must act as both authenticators and supplicants so that the devices can authenticate each other.
Configuring MACsec to Secure a Switch-to-Host Link
When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A primary key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The primary key is then passed between the switch and the host to create a MACsec-secured connection.
The following requirements must be met in order to enable MACsec on a link connecting a host device to a switch.
The host device:
-
must support MACsec and must be running software that allows it to enable a MACsec-secured connection with the switch.
The switch:
-
Must support MACsec.
-
Must be configured into dynamic connectivity association key (CAK) security mode.
-
Must be using 802.1X authentication to communicate with the RADIUS server.
Before you begin to enable MACsec on a switch-to-host link:
-
Configure a RADIUS server. The RADIUS server:
-
Must be configured as the user database for 802.1X authentication.
-
Must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.
-
Must have connectivity to the switch and to the host. The RADIUS server can be multiple hops from the switch or the host.
See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
-
-
Enable MACsec on the host device.
The procedures for enabling MACsec on the host device varies by host device, and is beyond the scope of this document.
To configure MACsec using dynamic CAK security mode to secure a switch-to-host Ethernet link:
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
(flow-control | no-flow-control)
statement at the
[edit interfaces interface- name
gigether-options]
hierarchy level. When MACsec is enabled,
additional header bytes are added to the packet by the MACsec PHY. With line
rate traffic, when MACsec is enabled and flow control is disabled, the pause
frames sent by the MACsec PHY are terminated by the MIC’s MAC (enhanced 20-port
Gigabit Ethernet MICs on MX Series routers) and not transferred to the Packet
Forwarding Engine, causing framing errors. Therefore, when MACsec is enabled on
an interface, flow control is also automatically enabled on such an interface.