
Configuring MACsec

Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly-connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

You can configure MACsec to secure point-to-point Ethernet links connecting switches, or on Ethernet links connecting a switch to a host device such as a PC, phone, or server. Each point-to-point Ethernet link that you want to secure using MACsec must be configured independently. You can enable MACsec on switch-to-switch links using dynamic or static connectivity association key (CAK) security mode. Both processes are provided in this document.

For information on configuring MACsec on control and fabric ports of supported SRX Series Firewalls in chassis cluster setup, see Media Access Control Security (MACsec) on Chassis Cluster.

Best Practice:

When enabling MACsec, we recommend that you examine your interface MTU, adjusting it for MACsec overhead, which is 32 bytes.

Note:

On SRX Series Firewalls, you can configure MACsec in routed mode; MACsec is not supported in transparent mode.

Configuring MACsec in Static CAK Mode

You can enable MACsec using static connectivity association key (CAK) security mode on a point-to-point Ethernet link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router link.

Best Practice:

We recommend enabling MACsec using static CAK security mode on links connecting switches or routers. Static CAK security mode ensures security by frequently refreshing to a new random secure association key (SAK) and by only sharing the SAK between the two devices on the MACsec-secured point-to-point link.

When you enable MACsec using static CAK security mode, a preshared key is exchanged between the devices on each end of the point-to-point Ethernet link. The preshared key includes a connectivity association name (CKN) and a connectivity association key (CAK). The CKN and CAK must be manually configured in the connectivity association and must match on both ends of the link to initially enable MACsec.

After the preshared keys are exchanged and verified, the MACsec Key Agreement (MKA) protocol enables MACsec on the link. The MKA is responsible for selecting one of the two devices on the point-to-point link as the key server. The key server then creates a randomized security key that it shares only with the peer device over the MACsec-secured link. The randomized security key enables and maintains MACsec on the point-to-point link. The key server will continue to periodically create and share a randomly-created security key over the point-to-point link for the duration of the MACsec session.

Note:

If the MACsec session terminates due to a link failure, the MKA protocol elects a key server again when the link is restored, and that key server generates a new SAK.

You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters. All configuration is done in the connectivity association.

To configure MACsec using static CAK security mode:

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.

    For example, to create a connectivity association named ca1, enter:

  2. Configure the MACsec security mode as static-cak for the connectivity association:

    For example, to configure the MACsec security mode to static-cak on connectivity association ca1:

  3. Create the preshared key by configuring the CKN and CAK:

    The directly-connected peers exchange a preshared key to establish a MACsec-secure link. The pre-shared-key includes the CKN and the CAK. The CKN is a 64-digit hexadecimal number and the CAK is a 32-digit hexadecimal number. The CKN and the CAK must match on both ends of a link to create a MACsec-secured link.

    Note:

    To maximize security, we recommend configuring all 64 digits of a CKN and all 32 digits of a CAK.

    If you do not configure all 64 digits of a CKN or all 32 digits of a CAK, the remaining digits default to 0, and you receive a warning message when you commit the configuration.

    After the preshared keys are exchanged and verified by both peers on the link, the MACsec Key Agreement (MKA) protocol enables MACsec. The MKA protocol then elects one of the two directly-connected switches as the key server. The key server then shares a random security key with the other device over the MACsec-secured point-to-point link. The key server continues to periodically create and share a new random security key with the other device over the MACsec-secured point-to-point link as long as MACsec is enabled.

    To configure a CKN of 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311 and CAK of 228ef255aa23ff6729ee664acb66e91f on connectivity association ca1:

    Note:

    MACsec is not enabled until you attach a connectivity association to an interface. See the final step of this procedure to attach a connectivity association to an interface.

    Note:

    In FIPS mode, instead of using set connectivity-association ca1 pre-shared-key cak command, you must use the following command:

    user@host# prompt connectivity-association ca1 pre-shared-key cak

  4. (Required on non-EX4300 switches when connecting to EX4300 switches only) Enable SCI tagging:

    You must enable SCI tagging on a switch that is enabling MACsec on an Ethernet link connecting to an EX4300 or EX4600 switch.

    SCI tags are automatically appended to packets leaving a MACsec-enabled interface on an EX4300 or EX4600 switch, so this option is not available on these switches.

    You should only use this option when connecting a switch to an EX4300 or EX4600 switch, or to a host device that requires SCI tagging. SCI tags are eight octets long, so appending an SCI tag to all traffic on the link adds a significant amount of unneeded overhead.

  5. (Optional) Set the MKA key server priority:

    Specifies the key server priority used by the MKA protocol to select the key server. The switch with the lower priority-number is selected as the key server.

    The default priority-number is 16.

    If the key-server-priority is identical on both sides of the link, the MKA protocol selects the interface with the lower MAC address as the key server. Therefore, if this statement is not configured at each end of a MACsec-secured link, the interface with the lower MAC address becomes the key server.

    To change the key server priority to 0 to increase the likelihood that the current device is selected as the key server when MACsec is enabled on the interface using connectivity association ca1:

    To change the key server priority to 255 to decrease the likelihood that the current device is selected as the key server in connectivity association ca1:

  6. (Optional) Set the MKA transmit interval:

    The MKA transmit interval setting is the frequency for how often the MACsec Key Agreement protocol data unit (PDU) is sent to the connected device to maintain connectivity on the link. A lower interval increases bandwidth overhead on the link; a higher interval optimizes MKA protocol communication.

    The default interval is 2000 ms. We recommend increasing the interval to 6000 ms in high-traffic load environments. The transmit interval settings must be identical on both ends of the link when MACsec using static CAK security mode is enabled.

    For example, if you wanted to increase the MKA transmit interval to 6000 ms when connectivity association ca1 is attached to an interface:

  7. (Optional) Exclude a protocol from MACsec:

    When this option is enabled, MACsec is disabled for all packets of the specified protocol that are sent or received on the link. You can use this option to allow control traffic for some protocols to pass through the MACsec-secured connection without MACsec tags, which provides interoperability with devices, such as IP phones, that do not support MACsec.

    For example, if you did not want Link Level Discovery Protocol (LLDP) to be secured using MACsec:

  8. Assign the connectivity association to an interface:

    For example, to assign connectivity association ca1 to interface xe-0/0/1:

    To assign a connectivity association to a logical interface, use the following command:

    Note:

    When assigning a CA to a logical interface, the following limitations apply:

    • Configuring a CA on a physical interface and a logical interface is mutually exclusive.

    • Logical interfaces with a native VLAN configuration do not support MACsec.

    • Logical aggregated interfaces do not support MACsec.

    Note:

    On an EX4300 uplink module, the first transceiver plugged into the uplink module determines the PIC mode, as the PIC recognizes the SFP type and programs all of the ports to be either ge- or xe-. Make sure the MACsec configuration on the interface matches the link speed for the uplink module ports.

    Assigning the connectivity association to an interface is the final configuration step to enabling MACsec on an interface.

MACsec using static CAK security mode is enabled when a connectivity association on the opposite end of the link is also configured. The connectivity association must contain preshared keys that match on both ends of the link.
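The static CAK procedure above, collected into one worked configuration for both ends of the link; this is an added example, not the page's own command listing. It assumes the [edit security macsec] hierarchy implied by the FIPS note's set connectivity-association command, interface xe-0/0/1 on both devices, and reuses the CKN and CAK from step 3 as sample values.

```junos
# Device A (intended key server)
# Steps 1-3: create ca1 in static CAK mode with the preshared key;
# the CKN (64 hex digits) and CAK (32 hex digits) must match on both ends
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311
set security macsec connectivity-association ca1 pre-shared-key cak 228ef255aa23ff6729ee664acb66e91f
# Step 4 (conditional): only when the peer is an EX4300/EX4600 or a host
# that requires SCI tagging; otherwise omit, it adds 8 octets per frame
set security macsec connectivity-association ca1 include-sci
# Step 5: priority 0 makes this end the preferred key server (default 16)
set security macsec connectivity-association ca1 mka key-server-priority 0
# Step 6: 6000 ms for high-traffic links; must be identical on both ends
set security macsec connectivity-association ca1 mka transmit-interval 6000
# Step 7: let LLDP cross the link untagged for neighbours without MACsec
set security macsec connectivity-association ca1 exclude-protocol lldp
# Step 8: attaching the CA to the physical interface is what enables MACsec
set security macsec interfaces xe-0/0/1 connectivity-association ca1

# Device B (peer): identical CA contents except a higher priority,
# so that Device A wins the key server election
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311
set security macsec connectivity-association ca1 pre-shared-key cak 228ef255aa23ff6729ee664acb66e91f
set security macsec connectivity-association ca1 mka key-server-priority 255
set security macsec connectivity-association ca1 mka transmit-interval 6000
set security macsec connectivity-association ca1 exclude-protocol lldp
set security macsec interfaces xe-0/0/1 connectivity-association ca1
```

After committing on both ends, show security macsec connections and show security mka sessions confirm that the inbound and outbound secure channels are up and which end was elected key server.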

Configuring MACsec in Dynamic CAK Mode

In dynamic CAK mode, the peer nodes on the MACsec link generate the security keys dynamically as part of the 802.1X authentication process. You can use dynamic CAK mode to secure a point-to-point link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router connection. The devices must act as both authenticator and supplicant for 802.1X authentication so they can authenticate each other.

Dynamic CAK mode provides easier administration than static CAK mode, because the keys do not need to be configured manually. Also, the keys can be centrally managed from the RADIUS server. However, static CAK mode provides more functionality.

Note:

Dynamic CAK mode is not supported on logical interfaces.

The following procedure is for configuring dynamic CAK mode on links between switches or routers. To configure dynamic CAK mode on switch-to-host links, see Configuring MACsec to Secure a Switch-to-Host Link.

Before you begin to enable MACsec in dynamic CAK mode, you must configure a RADIUS server. The RADIUS server:

  • Must be configured with a server-side certificate.

  • Must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.

For information on configuring the RADIUS server, see RADIUS Server Configuration for Authentication.

Configure the Connectivity Association

  1. Create a connectivity association. You can skip this step if you are configuring an existing connectivity association.

    For example, to create a connectivity association named ca1, enter:

  2. Configure the MACsec security mode as dynamic for the connectivity association:

    For example, to configure the MACsec security mode to dynamic on connectivity association ca1:

  3. Assign the connectivity association to an interface:

    For example, to assign connectivity association ca1 to interface xe-0/0/1:

Configure Certificates

You must assign a local certificate and a certificate authority (CA) certificate to each supplicant interface. The supplicant and RADIUS server authenticate each other by exchanging certificate credentials. The local certificate and the server certificate must be signed by the same CA. You can generate the certificates locally using public key infrastructure (PKI), or load certificates that were generated remotely.

Generating Certificates Locally

To generate a CA certificate:

  1. Configure the CA profile:
  2. Disable revocation check:
  3. Enroll the certificate with the CA:

To generate a local certificate:

  1. Generate a public-private key pair:
  2. Generate and enroll the local certificate using the Simple Certificate Enrollment Protocol (SCEP):

Loading Remotely-Generated Certificates

To load remotely-generated certificates:

  1. Load the CA profile:
  2. Load the local certificate:

Configure 802.1X Authentication

Configure 802.1X authentication with EAP-TLS on the interfaces at each end of the point-to-point link. The interfaces must act as both authenticators and supplicants so that the devices can authenticate each other.

  1. Configure the interface as an authenticator with the no-reauthentication option:
  2. Configure the interface as a supplicant.
  3. Configure the authentication method as EAP-TLS:
  4. Assign a local certificate to the interface:

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release  Description
16.1R2   Starting in Junos OS Release 16.1R2, when Media Access Control Security (MACsec) is enabled on an interface, the interface flow control capability is enabled by default, regardless of the configuration that you set using the (flow-control | no-flow-control) statement at the [edit interfaces interface-name gigether-options] hierarchy level. When MACsec is enabled, additional header bytes are added to the packet by the MACsec PHY. With line rate traffic, when MACsec is enabled and flow control is disabled, the pause frames sent by the MACsec PHY are terminated by the MIC's MAC (enhanced 20-port Gigabit Ethernet MICs on MX Series routers) and not transferred to the Packet Forwarding Engine, causing framing errors. Therefore, when MACsec is enabled on an interface, flow control is also automatically enabled on such an interface.
15.1     Starting with Junos OS Release 15.1, you can configure MACsec to secure point-to-point Ethernet links connecting MX Series routers with MACsec-capable MICs, or on Ethernet links connecting a switch to a host device such as a PC, phone, or server.