MACsec 802.1ae - Media Access Control Security (IEEE 802.1ae)
===============================================================

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is MACsec (802.1AE)?**

   MACsec is a Layer 2 security protocol that provides point-to-point encryption and integrity for Ethernet links. It ensures that data transmitted over Ethernet is protected from threats like eavesdropping, replay attacks, and data tampering.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How Does MACsec Work?**

   MACsec secures Ethernet frames by:

   * Appending a security tag (MACsec header) and an Integrity Check Value (ICV) to each frame.
   * Encrypting the payload (optional).
   * Authenticating the source and verifying data integrity.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is MACsec Frame Structure?**

   * **MACsec Security Tag (16 bytes):** Contains metadata such as the Secure Channel Identifier (SCI) and packet number.
   * **ICV (16 bytes):** Provides frame-level data integrity.
   * **Optional Encryption:** Payload may be encrypted using AES-GCM (128 or 256-bit).

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is MACsec Used?**

   * **Enterprise Networks:** Between switches, routers, and endpoint devices.
   * **Data Centers:** For securing east-west traffic between servers and appliances.
   * **Carrier Networks:** For securing customer traffic over shared Layer 2 infrastructure.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the Limitations of MACsec?**

   * MACsec does **not encrypt VLAN tags** (only payload and optional fields).
   * **Spanning Tree Protocol (STP)** frames are not encrypted.
   * **Virtual Chassis Ports (VCPs)** and some special-purpose interfaces may not support MACsec.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   Topics in this section,

   * :ref:`Learnings in this section <MACsec_802_1ae_step1>`
   * :ref:`Terminology <MACsec_802_1ae_step2>`
   * :ref:`Version Info <MACsec_802_1ae_step3>`
   * :ref:`MACsec_802_1ae Version&RFC Details <MACsec_802_1ae_step5>`
   * :ref:`MACsec_802_1ae Basic Setup on Ubuntu using IPv4 <MACsec_802_1ae_step18>`
   * :ref:`MACsec_802_1ae Basic Setup on Ubuntu using IPv6 <MACsec_802_1ae_step19>`
   * :ref:`MACsec_802_1ae Protocol Packet Details <MACsec_802_1ae_step6>`
   * :ref:`MACsec_802_1ae Usecases <MACsec_802_1ae_step7>`
   * :ref:`MACsec_802_1ae Basic Features <MACsec_802_1ae_step8>`
   * :ref:`MACsec_802_1ae Feature : Layer 2 Encryption <MACsec_802_1ae_step9>`
   * :ref:`MACsec_802_1ae Feature : Data Integrity and Authentication <MACsec_802_1ae_step10>`
   * :ref:`MACsec_802_1ae Feature : AES-GCM Encryption <MACsec_802_1ae_step11>`
   * :ref:`MACsec_802_1ae Feature : Replay Protection <MACsec_802_1ae_step12>`
   * :ref:`MACsec_802_1ae Feature : Per-Hop Security <MACsec_802_1ae_step13>`
   * :ref:`MACsec_802_1ae Feature : No IP Dependency <MACsec_802_1ae_step14>`
   * :ref:`MACsec_802_1ae Feature : Compatibility with 802.1X <MACsec_802_1ae_step15>`
   * :ref:`MACsec_802_1ae Feature : Minimal Latency Overhead <MACsec_802_1ae_step16>`
   * :ref:`Reference links <MACsec_802_1ae_step17>`

.. _MACsec_802_1ae_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _MACsec_802_1ae_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _MACsec_802_1ae_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _MACsec_802_1ae_step5:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Version&RFC Details

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Version_RFC_details.csv
         :widths: 10,10,10,30
         :header-rows: 1

.. _MACsec_802_1ae_step18:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Basic Setup on Ubuntu using IPv4

      * Setup

.. _MACsec_802_1ae_step19:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Basic Setup on Ubuntu using IPv6

      * Setup

.. _MACsec_802_1ae_step6:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Protocol Packet Details

      **MACsec_802_1ae MACsec Ethernet Frame Packet**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Packetdetails1.csv
         :widths: 10,20,30,10
         :header-rows: 1

.. _MACsec_802_1ae_step7:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Usecases

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Use_Cases.csv
         :widths: 10,20,30
         :header-rows: 1

.. _MACsec_802_1ae_step8:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Basic Features

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Basic_Features.csv
         :widths: 10,10,30
         :header-rows: 1

.. _MACsec_802_1ae_step9:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : Layer 2 Encryption

      **Layer 2 Encryption - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature1_Layer_2_Encryption_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step10:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : Data Integrity and Authentication

      **Data Integrity and Authentication - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature2_Data_Integrity_and_Authentication_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step11:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : AES-GCM Encryption

      **AES-GCM Encryption - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature3_AES_GCM_Encryption_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step12:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : Replay Protection

      **Replay Protection - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature4_Replay_Protection_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step13:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : Per-Hop Security

      **Per-Hop Security - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature5_Per_Hop_Security_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step14:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : No IP Dependency

      **No IP Dependency - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature6_No_IP_Dependency_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step15:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : Compatibility with 802.1X

      **Compatibility with 802.1X - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature7_Compatibility_with_802_1X_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step16:

.. tab-set::

   .. tab-item:: MACsec_802_1ae Feature : Minimal Latency Overhead

      **Minimal Latency Overhead - Testcases**

      .. csv-table::
         :file: ./MACsec_802_1ae/MACsec_802_1ae_Feature8_Minimal_Latency_Overhead_TestCases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _MACsec_802_1ae_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links
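
The frame structure described under "What is MACsec Frame Structure?" (security tag with SCI and packet number, payload, 16-byte ICV) can be checked on a raw frame with a small parser; this is an added example, not code from this documentation project. The names ``parse_macsec``, ``MacsecFrame``, ``replay_ok`` and ``SAMPLE`` are hypothetical, the TCI bit positions follow IEEE 802.1AE rather than this page, and the parser also accepts the shorter tag sent when no explicit SCI is carried. The replay check is a simplified model of the receiver's packet-number window.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5   # EtherType that opens the security tag
ICV_LEN = 16                # ICV size stated on this page

@dataclass
class MacsecFrame:
    dst: bytes
    src: bytes
    encrypted: bool          # TCI E bit: secure data is ciphertext
    an: int                  # association number (0-3)
    pn: int                  # packet number, used for replay protection
    sci: Optional[bytes]     # 8-byte Secure Channel Identifier, if carried
    secure_data: bytes
    icv: bytes

def parse_macsec(frame: bytes) -> MacsecFrame:
    """Split a raw Ethernet frame into tag fields, secure data and ICV."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("too short for a security tag and ICV")
    ethertype, tci_an, _sl, pn = struct.unpack_from("!HBBI", frame, 12)
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci_an & 0x80:
        raise ValueError("unknown security tag version")
    off, sci = 20, None
    if tci_an & 0x20:        # SC bit set: explicit SCI follows the PN
        if len(frame) < off + 8 + ICV_LEN:
            raise ValueError("truncated SCI")
        sci, off = frame[off:off + 8], off + 8
    return MacsecFrame(frame[:6], frame[6:12], bool(tci_an & 0x08),
                       tci_an & 0x03, pn, sci,
                       frame[off:-ICV_LEN], frame[-ICV_LEN:])

def replay_ok(pn: int, next_pn: int, window: int = 0) -> bool:
    """Simplified receiver check: drop PNs below the lowest acceptable PN."""
    return pn >= max(1, next_pn - window)

# Constructed sample frame (not a capture): SC+E+C bits set, AN 0, PN 5.
SRC = bytes.fromhex("020000000001")
SAMPLE = (bytes.fromhex("020000000002") + SRC
          + struct.pack("!HBBI", MACSEC_ETHERTYPE, 0x2C, 0, 5)
          + SRC + b"\x00\x01"            # SCI = source MAC + port id
          + bytes(range(32))             # stand-in for encrypted payload
          + b"\xAA" * ICV_LEN)           # stand-in ICV, not a real tag

if __name__ == "__main__":
    f = parse_macsec(SAMPLE)
    print(f.pn, f.sci.hex(), f.encrypted, len(f.secure_data))
    print(replay_ok(f.pn, next_pn=6), replay_ok(f.pn, next_pn=6, window=2))
```

With the receiver already expecting packet number 6, the sample frame (PN 5) is rejected under strict ordering and accepted only when a replay window of at least 1 is configured.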