MACsec 802.1ae - Media Access Control Security (IEEE 802.1ae)
What is MACsec (802.1AE)?
MACsec is a Layer 2 security protocol that provides point-to-point encryption and integrity for Ethernet links. It ensures that data transmitted over Ethernet is protected from threats like eavesdropping, replay attacks, and data tampering.
How Does MACsec Work?
MACsec secures Ethernet frames by:
* Appending a security tag (MACsec header) and an Integrity Check Value (ICV) to each frame.
* Encrypting the payload (optional).
* Authenticating the source and verifying data integrity.
What is the MACsec Frame Structure?
MACsec Security Tag (16 bytes): Contains metadata such as the Secure Channel Identifier (SCI) and packet number.
ICV (16 bytes): Provides frame-level data integrity.
Optional Encryption: Payload may be encrypted using AES-GCM (128 or 256-bit).
Where is MACsec Used?
Enterprise Networks: Between switches, routers, and endpoint devices.
Data Centers: For securing east-west traffic between servers and appliances.
Carrier Networks: For securing customer traffic over shared Layer 2 infrastructure.
What are the Limitations of MACsec?
MACsec does not encrypt VLAN tags (only payload and optional fields).
Spanning Tree Protocol (STP) frames are not encrypted.
Virtual Chassis Ports (VCPs) and some special-purpose interfaces may not support MACsec.
Version Info
| Version | IEEE Standard | Year | Core Idea / Contribution |
|---|---|---|---|
| MACsec v1 | IEEE 802.1AE | 2006 | Original MACsec standard; introduced Layer 2 encryption, integrity, and authentication. |
| MACsec v1.1 | IEEE 802.1AEbn | 2011 | Added support for the GCM-AES-256 cipher suite for stronger encryption. |
| MACsec v1.2 | IEEE 802.1AEbw | 2013 | Introduced Extended Packet Numbering (XPN) to support more than 2^32 frames per key. |
| MACsec v1.3 | IEEE 802.1AEcg | 2017 | Defined Ethernet Data Encryption (EDE) devices and support for multiple secure channels. |
| MACsec v2 | IEEE 802.1AE | 2018 | Consolidated all previous amendments into a revised base standard. |
| MACsec v2.1 | IEEE 802.1AEdk | 2023 | Added privacy enhancements to reduce correlation of frame size/timing with user identity. |
Setup

Figure: MACsec Ethernet frame packet
Protocol Packet Details

| S.No | Protocol Packets | Description | Size (bytes) |
|---|---|---|---|
| 1 | MACsec Ethernet Frame | The full Ethernet frame secured by MACsec, including encrypted payload and tags. | Variable, up to 1500 (standard MTU) |
| | MACsec SecTAG | Security tag inserted after the Ethernet header; includes TCI, AN, SCI, and PN. | 8-16 |
| | MACsec ICV (Integrity Check Value) | Cryptographic checksum ensuring data integrity and authenticity. | 16 |
| | MACsec SCI (Secure Channel Identifier) (included in SecTAG) | Identifies the source of the secure channel (MAC address + port ID). | 8 |
| | MACsec PN (Packet Number) (included in SecTAG) | Monotonically increasing counter to prevent replay attacks. | 4 |
| | MACsec TCI (Tag Control Information) (included in SecTAG) | Indicates security features used (e.g., confidentiality, SCI presence). | 1 |
| | MACsec Decrypted Data | The original Ethernet payload after decryption. | Variable (depends on payload) |
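The frame layout in the table above (DA, SA, SecTAG with TCI/AN, PN and SCI, secure data, ICV) and the optional payload encryption described under "How Does MACsec Work?" are shown end to end in the following Go example, which is added here and is not code from the page or from any vendor implementation. It assumes the explicit-SCI form of the SecTAG (SC bit set), leaves the short-length byte at 0, and uses a constructed 16-byte SAK in place of one distributed by MKA; the SCI || PN nonce and the AAD construction follow IEEE 802.1AE for GCM-AES-128.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// TCI bits and sizes from IEEE 802.1AE, for a SecTAG that carries the SCI explicitly.
const (
	macsecEtherType           = 0x88E5
	tciSC, tciE, tciC, anMask = 0x20, 0x08, 0x04, 0x03 // SC, E, C bits and the 2-bit AN
	hdrLen                    = 12 + 16                // DA + SA + SecTAG (EtherType, TCI/AN, SL, PN, SCI)
	icvLen                    = 16                     // GCM authentication tag
)

// SecTAG holds the fields the page lists for the security tag.
type SecTAG struct {
	AN        byte    // association number: selects the SA (and so the SAK) in use
	PN        uint32  // packet number; never zero, strictly increasing per SA
	SCI       [8]byte // secure channel identifier: transmitter MAC + 2-byte port id
	Encrypted bool    // true: confidentiality (E=C=1); false: integrity only (E=C=0)
}

// encode serialises the 16-byte SecTAG. SL (byte 3) stays 0; it is only set for user data under 48 bytes.
func (t SecTAG) encode() []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint16(b, macsecEtherType)
	b[2] = tciSC | (t.AN & anMask)
	if t.Encrypted {
		b[2] |= tciE | tciC
	}
	binary.BigEndian.PutUint32(b[4:], t.PN)
	copy(b[8:], t.SCI[:])
	return b
}

// nonce is the 12-byte GCM IV 802.1AE defines as SCI || PN: a repeated PN under one SAK repeats the IV.
func (t SecTAG) nonce() []byte {
	n := make([]byte, 12)
	copy(n, t.SCI[:])
	binary.BigEndian.PutUint32(n[8:], t.PN)
	return n
}

// NewSAK wraps a 16-byte SAK as GCM-AES-128 or a 32-byte SAK as GCM-AES-256.
func NewSAK(sak []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sak)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect builds DA | SA | SecTAG | secure data | ICV for one frame.
func Protect(aead cipher.AEAD, dst, src [6]byte, tag SecTAG, userData []byte) []byte {
	hdr := append(append(append([]byte{}, dst[:]...), src[:]...), tag.encode()...)
	if tag.Encrypted {
		// AAD = DA || SA || SecTAG; Seal returns the ciphertext followed by the 16-byte ICV.
		return append(hdr, aead.Seal(nil, tag.nonce(), userData, hdr)...)
	}
	// Integrity only: the user data travels in clear but is bound to the ICV through the AAD.
	aad := append(hdr, userData...)
	return append(aad, aead.Seal(nil, tag.nonce(), nil, aad)...)
}

// Verify parses a MACsec frame, checks the ICV and returns the SecTAG and the user data.
func Verify(aead cipher.AEAD, frame []byte) (SecTAG, []byte, error) {
	var tag SecTAG
	if len(frame) < hdrLen+icvLen {
		return tag, nil, fmt.Errorf("frame of %d bytes is too short for a SecTAG and ICV", len(frame))
	}
	st := frame[12:hdrLen]
	tag.AN, tag.Encrypted = st[2]&anMask, st[2]&tciE != 0
	tag.PN = binary.BigEndian.Uint32(st[4:])
	copy(tag.SCI[:], st[8:])
	if binary.BigEndian.Uint16(st) != macsecEtherType || st[2]&tciSC == 0 || tag.PN == 0 {
		return tag, nil, fmt.Errorf("not a MACsec frame with an explicit SCI and a non-zero PN")
	}
	if !tag.Encrypted {
		if _, err := aead.Open(nil, tag.nonce(), frame[len(frame)-icvLen:], frame[:len(frame)-icvLen]); err != nil {
			return tag, nil, err
		}
		return tag, append([]byte{}, frame[hdrLen:len(frame)-icvLen]...), nil
	}
	// Open verifies the ICV over DA || SA || SecTAG before releasing any plaintext.
	plain, err := aead.Open(nil, tag.nonce(), frame[hdrLen:], frame[:hdrLen])
	return tag, plain, err
}

func main() {
	aead, _ := NewSAK([]byte("0123456789abcdef")) // constructed 128-bit SAK; real SAKs come from MKA
	tag := SecTAG{AN: 1, PN: 1, SCI: [8]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55, 0, 1}, Encrypted: true}
	frame := Protect(aead, [6]byte{0, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}, [6]byte{0, 0x11, 0x22, 0x33, 0x44, 0x55}, tag, []byte("constructed user data"))
	got, plain, err := Verify(aead, frame)
	fmt.Printf("frame=%x\nAN=%d PN=%d data=%q err=%v\n", frame, got.AN, got.PN, plain, err)
}
```

Flipping any byte of the secure data or ICV makes Verify return an error without releasing plaintext, which is the behaviour the integrity test cases later on the page expect.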
MACsec 802.1AE - Use Cases

| S.No | Use Case | Description |
|---|---|---|
| 1 | Secure LAN Communication | Encrypts Ethernet frames to protect data confidentiality and integrity within local networks. |
| 2 | Data Center Interconnect Security | Secures traffic between switches and servers in data centers without relying on higher-layer encryption. |
| 3 | Enterprise Campus Networks | Ensures secure communication between endpoints and access switches in large enterprise networks. |
| 4 | Carrier Ethernet Services | Provides Layer 2 encryption for service providers offering secure Ethernet-based services. |
| 5 | Industrial and OT Networks | Protects sensitive control and monitoring data in operational technology environments. |
| 6 | Government and Defense Networks | Meets strict security requirements for classified or sensitive data over Ethernet. |
| 7 | BYOD and Guest Access Control | Works with 802.1X to enforce encryption for authenticated users and devices. |
| 8 | VPN Alternative at Layer 2 | Acts as a lightweight alternative to IPsec VPNs for securing internal traffic. |
MACsec 802.1AE - Basic Features

| S.No | Feature | Description |
|---|---|---|
| 1 | Layer 2 Encryption | Encrypts Ethernet frames directly at the data link layer. |
| 2 | Data Integrity and Authentication | Ensures frames are not tampered with and verifies sender authenticity. |
| 3 | AES-GCM Encryption | Uses AES-GCM-128 (or optionally AES-GCM-256) for confidentiality and integrity. |
| 4 | Replay Protection | Uses packet numbers (PN) to detect and prevent replay attacks. |
| 5 | Per-Hop Security | Secures traffic between each pair of connected devices (e.g., switch-to-switch). |
| 6 | No IP Dependency | Works independently of IP, making it suitable for non-IP Ethernet traffic. |
| 7 | Compatibility with 802.1X | Integrates with 802.1X for authentication and key management via MKA. |
| 8 | Minimal Latency Overhead | Adds security with very low impact on network performance. |
Layer 2 Encryption - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Basic Encryption Enable | Enable MACsec on a port | MACsec is enabled and traffic is encrypted |
| 2 | Basic Decryption Enable | Enable MACsec decryption on peer port | Peer decrypts traffic successfully |
| 3 | Invalid Cipher Suite | Configure unsupported cipher suite | Configuration fails with error |
| 4 | Valid Cipher Suite | Configure GCM-AES-128 | Configuration succeeds |
| 5 | Replay Protection Enable | Enable replay protection | Replay attacks are detected and dropped |
| 6 | Replay Protection Disable | Disable replay protection | Replay attacks are not dropped |
| 7 | Replay Window Size | Set replay window to 64 | Packets within window are accepted |
| 8 | Replay Attack Simulation | Send replayed packets | Packets are dropped |
| 9 | Key Exchange Success | Perform MKA key exchange | Keys are exchanged successfully |
| 10 | Key Exchange Failure | Simulate MKA failure | MACsec does not encrypt traffic |
| 11 | SAK Rekeying | Trigger SAK rekey | New SAK is installed and used |
| 12 | SAK Rekey Interval | Set rekey interval to 1 hour | Rekey occurs every hour |
| 13 | SCI Format Validation | Validate SCI format | SCI is correctly formatted |
| 14 | SCI Mismatch | Configure mismatched SCI | Traffic is dropped |
| 15 | VLAN Tagging | Enable MACsec with VLAN | VLAN tags are preserved |
| 16 | Jumbo Frames | Send jumbo frames | Frames are encrypted and decrypted |
| 17 | MTU Check | Check MTU after MACsec overhead | MTU is adjusted correctly |
| 18 | MACsec with LACP | Enable MACsec on LACP port | LACP functions correctly |
| 19 | MACsec with STP | Enable MACsec on STP port | STP functions correctly |
| 20 | MACsec with LLDP | Enable MACsec on LLDP port | LLDP packets are not encrypted |
| 21 | MACsec with CDP | Enable MACsec on CDP port | CDP packets are not encrypted |
| 22 | MACsec with IPv6 | Send IPv6 traffic | Traffic is encrypted and decrypted |
| 23 | MACsec with IPv4 | Send IPv4 traffic | Traffic is encrypted and decrypted |
| 24 | MACsec with Broadcast | Send broadcast traffic | Broadcast is encrypted and decrypted |
| 25 | MACsec with Multicast | Send multicast traffic | Multicast is encrypted and decrypted |
| 26 | MACsec with Unicast | Send unicast traffic | Unicast is encrypted and decrypted |
| 27 | MACsec with QoS | Enable QoS on MACsec port | QoS markings are preserved |
| 28 | MACsec with ACL | Apply ACL on MACsec port | ACLs are enforced correctly |
| 29 | MACsec with Port Security | Enable port security | Port security functions correctly |
| 30 | MACsec with DHCP | Send DHCP packets | DHCP packets are not encrypted |
| 31 | MACsec with ARP | Send ARP packets | ARP packets are not encrypted |
| 32 | MACsec with ICMP | Send ICMP packets | ICMP packets are encrypted and decrypted |
| 33 | MACsec with TCP | Send TCP packets | TCP packets are encrypted and decrypted |
| 34 | MACsec with UDP | Send UDP packets | UDP packets are encrypted and decrypted |
| 35 | MACsec with Fragmented Packets | Send fragmented packets | Packets are encrypted and reassembled |
| 36 | MACsec with High Throughput | Send high throughput traffic | No packet loss, encryption holds |
| 37 | MACsec with Low Latency | Measure latency with MACsec | Latency within acceptable limits |
| 38 | MACsec with Link Flap | Flap MACsec-enabled link | MACsec re-establishes successfully |
| 39 | MACsec with Port Shutdown | Shutdown MACsec port | Encryption stops, traffic drops |
| 40 | MACsec with Port Bounce | Bounce MACsec port | MACsec re-establishes successfully |
| 41 | MACsec with Peer Mismatch | Peer has different key | Traffic is dropped |
| 42 | MACsec with Peer Match | Peer has same key | Traffic is encrypted and decrypted |
| 43 | MACsec with Manual Key | Configure static key | Traffic is encrypted and decrypted |
| 44 | MACsec with Dynamic Key | Use MKA for keying | Traffic is encrypted and decrypted |
| 45 | MACsec with Wrong Key | Configure wrong key | Traffic is dropped |
| 46 | MACsec with Key Expiry | Let key expire | Traffic is dropped until rekey |
| 47 | MACsec with Multiple Peers | Connect multiple peers | Encryption works with all peers |
| 48 | MACsec with Redundant Links | Use redundant links | MACsec works across links |
| 49 | MACsec with Loopback | Enable MACsec on loopback | Configuration fails |
| 50 | MACsec with Monitoring | Monitor MACsec stats | Stats show encrypted/decrypted packets |
Data Integrity and Authentication - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Integrity Check Enable | Enable integrity check on MACsec port | Integrity checks are performed on all frames |
| 2 | Integrity Check Disable | Disable integrity check | Frames are not validated for integrity |
| 3 | Valid ICV | Send frame with valid Integrity Check Value (ICV) | Frame is accepted |
| 4 | Invalid ICV | Send frame with tampered ICV | Frame is dropped |
| 5 | ICV Length Validation | Validate ICV length (16 bytes for AES-GCM) | Correct length is enforced |
| 6 | Tampered Payload | Modify payload after encryption | Frame is dropped due to failed integrity |
| 7 | Tampered Header | Modify MACsec header | Frame is dropped |
| 8 | Authentication Success | Peer authenticates successfully via MKA | Secure channel is established |
| 9 | Authentication Failure | Peer fails MKA authentication | No secure channel is established |
| 10 | Null Authentication | Attempt to bypass authentication | Frame is dropped |
| 11 | Replay Attack Detection | Replay old authenticated frame | Frame is dropped |
| 12 | Sequence Number Validation | Send frame with out-of-order sequence number | Frame is dropped |
| 13 | Sequence Number Wraparound | Test sequence number rollover | New SAK is triggered |
| 14 | Authentication Timeout | Simulate MKA timeout | Secure channel is torn down |
| 15 | Peer Identity Validation | Validate peer MAC address | Only authorized peers are accepted |
| 16 | Key Integrity Check | Validate integrity of SAK | SAK is verified before use |
| 17 | Secure Channel ID Validation | Validate SCI in frame | SCI must match expected peer |
| 18 | Secure Association Validation | Validate SA index | Frame must match active SA |
| 19 | Multiple SA Handling | Use multiple SAs for same SCI | Frames are matched to correct SA |
| 20 | SA Expiry Handling | Expire SA and send frame | Frame is dropped |
| 21 | SA Rekey Authentication | Rekey with new SAK | Authentication continues seamlessly |
| 22 | Authentication with VLAN | Send VLAN-tagged frame | Authentication is successful |
| 23 | Authentication with LACP | Send LACP frames | LACP frames are not authenticated |
| 24 | Authentication with LLDP | Send LLDP frames | LLDP frames are not authenticated |
| 25 | Authentication with ARP | Send ARP frames | ARP frames are not authenticated |
| 26 | Authentication with IPv6 | Send IPv6 traffic | Frames are authenticated |
| 27 | Authentication with IPv4 | Send IPv4 traffic | Frames are authenticated |
| 28 | Authentication with TCP | Send TCP traffic | Frames are authenticated |
| 29 | Authentication with UDP | Send UDP traffic | Frames are authenticated |
| 30 | Authentication with ICMP | Send ICMP traffic | Frames are authenticated |
| 31 | Authentication with Broadcast | Send broadcast traffic | Frames are authenticated |
| 32 | Authentication with Multicast | Send multicast traffic | Frames are authenticated |
| 33 | Authentication with Unicast | Send unicast traffic | Frames are authenticated |
| 34 | Authentication with Fragmented Packets | Send fragmented packets | All fragments are authenticated |
| 35 | Authentication with Jumbo Frames | Send jumbo frames | Frames are authenticated |
| 36 | Authentication with High Load | Send high traffic volume | No authentication failures |
| 37 | Authentication with Link Flap | Flap link during authentication | Authentication re-establishes |
| 38 | Authentication with Port Bounce | Bounce port | Authentication re-establishes |
| 39 | Authentication with Peer Mismatch | Peer uses different credentials | Authentication fails |
| 40 | Authentication with Static Key | Use pre-shared key | Authentication succeeds |
| 41 | Authentication with Dynamic Key | Use MKA for key exchange | Authentication succeeds |
| 42 | Authentication with Wrong Key | Use incorrect key | Authentication fails |
| 43 | Authentication with Expired Key | Use expired key | Authentication fails |
| 44 | Authentication with Key Rotation | Rotate keys periodically | Authentication remains intact |
| 45 | Authentication with Redundant Links | Use redundant links | Authentication works across links |
| 46 | Authentication with Multiple Peers | Authenticate multiple peers | All peers are authenticated |
| 47 | Authentication Logging | Enable logging | Authentication events are logged |
| 48 | Authentication Statistics | Monitor stats | Authenticated frame count increases |
| 49 | Authentication Failure Logging | Log failed attempts | Failures are logged |
| 50 | Authentication with Monitoring Tools | Use SNMP/CLI to monitor | Authentication status is visible |
AES-GCM Encryption - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | AES-GCM Initialization | Initialize AES-GCM with 128-bit key | Initialization succeeds |
| 2 | AES-GCM Key Length Validation | Use invalid key length (e.g., 100 bits) | Initialization fails |
| 3 | AES-GCM with 128-bit Key | Encrypt data with 128-bit key | Data is encrypted successfully |
| 4 | AES-GCM with 256-bit Key | Encrypt data with 256-bit key | Data is encrypted successfully |
| 5 | AES-GCM with Null Key | Attempt encryption with null key | Operation fails |
| 6 | AES-GCM with Reused IV | Encrypt with same IV multiple times | Warning or failure due to IV reuse |
| 7 | AES-GCM with Unique IV | Encrypt with unique IV per packet | Encryption succeeds |
| 8 | AES-GCM Tag Generation | Generate authentication tag | Tag is 16 bytes and valid |
| 9 | AES-GCM Tag Verification | Verify tag during decryption | Tag matches and decryption succeeds |
| 10 | AES-GCM Tag Mismatch | Modify tag before decryption | Decryption fails |
| 11 | AES-GCM with Empty Payload | Encrypt empty payload | Valid ciphertext and tag generated |
| 12 | AES-GCM with Large Payload | Encrypt 9KB payload | Encryption succeeds |
| 13 | AES-GCM with Fragmented Payload | Encrypt fragmented data | All fragments encrypted correctly |
| 14 | AES-GCM with Nonce Reuse | Reuse nonce with same key | Security warning or failure |
| 15 | AES-GCM with Random Nonce | Use random nonce per encryption | Encryption succeeds |
| 16 | AES-GCM with Static Nonce | Use static nonce | Encryption works but insecure |
| 17 | AES-GCM with Additional Authenticated Data (AAD) | Encrypt with AAD | AAD is authenticated |
| 18 | AES-GCM with Modified AAD | Modify AAD before decryption | Decryption fails |
| 19 | AES-GCM with No AAD | Encrypt without AAD | Encryption succeeds |
| 20 | AES-GCM with Replay Attack | Replay encrypted packet | Packet is dropped |
| 21 | AES-GCM with Packet Loss | Drop encrypted packet | No impact on decryption of others |
| 22 | AES-GCM with Packet Reordering | Reorder encrypted packets | Decryption succeeds |
| 23 | AES-GCM with Bit Flipping | Flip bit in ciphertext | Decryption fails |
| 24 | AES-GCM with Bit Flipping in Tag | Flip bit in tag | Decryption fails |
| 25 | AES-GCM with High Throughput | Encrypt 1 Gbps traffic | No packet loss |
| 26 | AES-GCM with Low Latency | Measure encryption latency | Latency within acceptable range |
| 27 | AES-GCM with CPU Load | Measure CPU usage during encryption | CPU usage increases moderately |
| 28 | AES-GCM with Hardware Acceleration | Use AES-NI or similar | Performance improves |
| 29 | AES-GCM with Software Fallback | Disable hardware acceleration | Encryption still works |
| 30 | AES-GCM with Key Rotation | Rotate key periodically | Encryption continues seamlessly |
| 31 | AES-GCM with Key Expiry | Use expired key | Encryption fails |
| 32 | AES-GCM with Key Mismatch | Use wrong key for decryption | Decryption fails |
| 33 | AES-GCM with Key Agreement | Use MKA to derive key | Key is securely derived |
| 34 | AES-GCM with Static Key | Use pre-shared key | Encryption succeeds |
| 35 | AES-GCM with Key Compromise | Simulate key leak | Traffic is vulnerable |
| 36 | AES-GCM with Secure Key Storage | Store key in TPM/HSM | Key is protected |
| 37 | AES-GCM with Logging Enabled | Log encryption events | Logs show key usage and IVs |
| 38 | AES-GCM with Logging Disabled | Disable logging | No encryption logs generated |
| 39 | AES-GCM with VLAN Tags | Encrypt VLAN-tagged frames | Tags preserved, payload encrypted |
| 40 | AES-GCM with Jumbo Frames | Encrypt 9000-byte frame | Encryption succeeds |
| 41 | AES-GCM with Broadcast | Encrypt broadcast frame | Frame is encrypted |
| 42 | AES-GCM with Multicast | Encrypt multicast frame | Frame is encrypted |
| 43 | AES-GCM with Unicast | Encrypt unicast frame | Frame is encrypted |
| 44 | AES-GCM with IPv6 | Encrypt IPv6 traffic | Traffic is encrypted |
| 45 | AES-GCM with IPv4 | Encrypt IPv4 traffic | Traffic is encrypted |
| 46 | AES-GCM with TCP | Encrypt TCP packets | Packets are encrypted |
| 47 | AES-GCM with UDP | Encrypt UDP packets | Packets are encrypted |
| 48 | AES-GCM with ICMP | Encrypt ICMP packets | Packets are encrypted |
| 49 | AES-GCM with ARP | Send ARP packets | ARP not encrypted (bypassed) |
| 50 | AES-GCM with LLDP | Send LLDP packets | LLDP not encrypted (bypassed) |
Replay Protection - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Replay Protection Enable | Enable replay protection on MACsec port | Replay protection is active |
| 2 | Replay Protection Disable | Disable replay protection | Replayed packets are accepted |
| 3 | Default Replay Window | Use default replay window size (e.g., 0 or 64) | Only packets within window are accepted |
| 4 | Custom Replay Window | Set replay window to 128 | Packets within 128-sequence range are accepted |
| 5 | Replay Window Overflow | Send packet with sequence number beyond window | Packet is dropped |
| 6 | Replay Window Underflow | Send packet with sequence number below window | Packet is dropped |
| 7 | Replay Window Edge | Send packet at edge of window | Packet is accepted |
| 8 | Replay Attack Simulation | Replay previously sent packet | Packet is dropped |
| 9 | Out-of-Order Packet | Send packet with lower sequence number | Packet is dropped |
| 10 | In-Order Packet | Send packet with increasing sequence number | Packet is accepted |
| 11 | Duplicate Packet | Send same packet twice | Second packet is dropped |
| 12 | Sequence Number Wraparound | Simulate 32-bit sequence number rollover | Rekey is triggered |
| 13 | Sequence Number Reset | Reset sequence number manually | Replay protection resets window |
| 14 | Replay Protection with VLAN | Send VLAN-tagged replayed packet | Packet is dropped |
| 15 | Replay Protection with IPv6 | Send replayed IPv6 packet | Packet is dropped |
| 16 | Replay Protection with IPv4 | Send replayed IPv4 packet | Packet is dropped |
| 17 | Replay Protection with TCP | Send replayed TCP packet | Packet is dropped |
| 18 | Replay Protection with UDP | Send replayed UDP packet | Packet is dropped |
| 19 | Replay Protection with ICMP | Send replayed ICMP packet | Packet is dropped |
| 20 | Replay Protection with Multicast | Send replayed multicast packet | Packet is dropped |
| 21 | Replay Protection with Broadcast | Send replayed broadcast packet | Packet is dropped |
| 22 | Replay Protection with Unicast | Send replayed unicast packet | Packet is dropped |
| 23 | Replay Protection with Fragmented Packets | Replay fragmented packets | Fragments are dropped |
| 24 | Replay Protection with Jumbo Frames | Replay jumbo frame | Frame is dropped |
| 25 | Replay Protection with High Load | Send high-rate replayed traffic | All replayed packets are dropped |
| 26 | Replay Protection with Low Latency | Measure latency impact | Minimal latency added |
| 27 | Replay Protection with Logging | Enable logging | Replayed packets are logged |
| 28 | Replay Protection with Monitoring | Monitor replay stats | Replay counter increments |
| 29 | Replay Protection with SNMP | Query replay stats via SNMP | Stats are available |
| 30 | Replay Protection with CLI | Show replay protection status | CLI displays window and drops |
| 31 | Replay Protection with Port Flap | Flap port and send replayed packet | Packet is dropped |
| 32 | Replay Protection with Port Bounce | Bounce port and test replay | Replay protection resumes correctly |
| 33 | Replay Protection with Peer Mismatch | Peer has different window size | Replay protection still enforced |
| 34 | Replay Protection with Manual Key | Use static key and test replay | Replay protection works |
| 35 | Replay Protection with Dynamic Key | Use MKA and test replay | Replay protection works |
| 36 | Replay Protection with Key Rotation | Rotate key and test replay | Replay protection resets correctly |
| 37 | Replay Protection with Expired Key | Use expired key and test replay | Packet is dropped |
| 38 | Replay Protection with Wrong Key | Use wrong key and test replay | Packet is dropped |
| 39 | Replay Protection with Secure Channel ID | Replay packet with wrong SCI | Packet is dropped |
| 40 | Replay Protection with Secure Association | Replay packet with wrong SA | Packet is dropped |
| 41 | Replay Protection with Multiple Peers | Replay packet from one peer | Only that peer's packet is dropped |
| 42 | Replay Protection with Redundant Links | Replay packet on backup link | Packet is dropped |
| 43 | Replay Protection with Loopback | Replay packet on loopback | Packet is dropped |
| 44 | Replay Protection with ARP | Replay ARP packet | ARP is not encrypted, not affected |
| 45 | Replay Protection with LLDP | Replay LLDP packet | LLDP is not encrypted, not affected |
| 46 | Replay Protection with LACP | Replay LACP packet | LACP is not encrypted, not affected |
| 47 | Replay Protection with STP | Replay STP packet | STP is not encrypted, not affected |
| 48 | Replay Protection with QoS | Replay packet with QoS tag | Packet is dropped |
| 49 | Replay Protection with ACL | Apply ACL and replay packet | ACL and replay protection both enforced |
| 50 | Replay Protection with Logging Disabled | Disable logging | Replayed packets are dropped silently |
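The window, edge, duplicate, disabled-protection and wraparound rows above (3 to 13) all follow from the 802.1AE receive-side rule that a PN below nextPN minus the replay window is late. The Go model below is an added example, not code from the page or from any vendor, that implements that rule together with the transmit-side refusal to ever wrap the PN. It assumes the 0xC0000000 early-rekey threshold that MKA (IEEE 802.1X) applies to 32-bit PNs; a real receiver runs Check before the ICV is verified and Commit only after it passes.

```go
package main

import (
	"errors"
	"fmt"
)

// Limits of the 32-bit PN used by GCM-AES-128/256 (XPN, 802.1AEbw, widens it to 64 bits).
const (
	maxPN                 = 0xFFFFFFFF
	pnExhaustionThreshold = 0xC0000000 // 802.1X MKA: the key server distributes a new SAK past this
)

// TransmitSA is the transmit side of one secure association under one SAK.
type TransmitSA struct {
	NextPN uint32 // PN stamped on the next frame; starts at 1, PN 0 is never sent
}

// AllocatePN hands out the next PN. It never wraps: a repeated PN under one SAK would
// repeat the GCM IV, so the SA is retired and MKA must install a new SAK. The rekey
// flag fires early so the replacement is ready before the counter runs out.
func (sa *TransmitSA) AllocatePN() (pn uint32, rekey bool, err error) {
	if sa.NextPN == 0 {
		sa.NextPN = 1
	}
	if sa.NextPN == maxPN {
		return 0, true, errors.New("PN exhausted: transmit SA retired until a new SAK is installed")
	}
	pn = sa.NextPN
	sa.NextPN++
	return pn, pn >= pnExhaustionThreshold, nil
}

// ReceiveSA holds the 802.1AE replay-protection state of one receive SA.
type ReceiveSA struct {
	NextPN        uint32 // one past the highest PN accepted so far
	ReplayWindow  uint32 // 0 = strict ordering; N = tolerate N frames of reordering
	ReplayProtect bool   // off: late frames are counted but still accepted
	InPktsLate    uint64 // dropped as replayed or late
	InPktsDelayed uint64 // below the window but accepted because protection is off
	Exhausted     bool   // highest PN reached; the SA must be replaced
}

// LowestPN is the smallest PN the window still accepts.
func (sa *ReceiveSA) LowestPN() uint32 {
	if uint64(sa.NextPN) <= uint64(sa.ReplayWindow)+1 {
		return 1
	}
	return sa.NextPN - sa.ReplayWindow
}

// Check is the pre-ICV replay test. A PN in [LowestPN, NextPN) passes, which is what a
// non-zero window buys: reordered frames get through, but so would a duplicate inside
// the window. Window 0 (strict) rejects every PN already seen or skipped.
func (sa *ReceiveSA) Check(pn uint32) error {
	if pn == 0 || sa.Exhausted {
		return errors.New("PN 0 or exhausted SA: frame discarded")
	}
	if pn < sa.LowestPN() {
		if sa.ReplayProtect {
			sa.InPktsLate++
			return fmt.Errorf("PN %d below window [%d, %d): replayed or too late", pn, sa.LowestPN(), sa.NextPN)
		}
		sa.InPktsDelayed++
	}
	return nil
}

// Commit advances the window only after the frame's ICV verified; committing a frame
// that failed its ICV would let a forged PN slide the window and starve genuine traffic.
func (sa *ReceiveSA) Commit(pn uint32) {
	if pn == maxPN {
		sa.Exhausted = true
	}
	if pn >= sa.NextPN {
		sa.NextPN = pn + 1
	}
}

func main() {
	rx := &ReceiveSA{NextPN: 1, ReplayWindow: 0, ReplayProtect: true}
	for _, pn := range []uint32{1, 2, 2, 1} { // constructed sequence: a duplicate and a replay
		if err := rx.Check(pn); err != nil {
			fmt.Println("drop:", err)
			continue
		}
		rx.Commit(pn) // in a real receiver this follows a successful ICV check
		fmt.Println("accept PN", pn)
	}
	tx := &TransmitSA{NextPN: pnExhaustionThreshold - 1}
	for i := 0; i < 2; i++ {
		pn, rekey, err := tx.AllocatePN()
		fmt.Printf("tx PN=%#x rekey=%v err=%v\n", pn, rekey, err)
	}
}
```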
Per-Hop Security - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Per-Hop Security Enable | Enable MACsec on all intermediate hops | Each hop decrypts and re-encrypts traffic |
| 2 | Per-Hop Security Disable | Disable MACsec on intermediate hops | Traffic is not protected at those hops |
| 3 | Single Hop Encryption | Enable MACsec on one hop | Traffic is encrypted only on that hop |
| 4 | Multi-Hop Encryption | Enable MACsec on multiple hops | Traffic is encrypted/decrypted at each hop |
| 5 | Hop with Mismatched Key | Use different key on one hop | Traffic is dropped at that hop |
| 6 | Hop with No MACsec | Skip MACsec on one hop | Traffic is forwarded unencrypted |
| 7 | Hop with Static Key | Use static key on one hop | Traffic is encrypted/decrypted correctly |
| 8 | Hop with Dynamic Key | Use MKA on one hop | Key exchange and encryption succeed |
| 9 | Hop with Key Rotation | Rotate keys at each hop | Traffic remains encrypted and valid |
| 10 | Hop with Key Expiry | Let key expire on one hop | Traffic is dropped at that hop |
| 11 | Hop with Replay Protection | Enable replay protection | Replayed packets are dropped at each hop |
| 12 | Hop with Replay Attack | Send replayed packet | Packet is dropped at the hop |
| 13 | Hop with VLAN Tag | Send VLAN-tagged traffic | VLAN preserved across hops |
| 14 | Hop with Jumbo Frame | Send jumbo frame | Frame is encrypted/decrypted at each hop |
| 15 | Hop with Fragmented Packet | Send fragmented packet | Fragments are handled correctly |
| 16 | Hop with Broadcast | Send broadcast traffic | Traffic is encrypted/decrypted at each hop |
| 17 | Hop with Multicast | Send multicast traffic | Traffic is encrypted/decrypted at each hop |
| 18 | Hop with Unicast | Send unicast traffic | Traffic is encrypted/decrypted at each hop |
| 19 | Hop with IPv4 | Send IPv4 traffic | Traffic is encrypted/decrypted at each hop |
| 20 | Hop with IPv6 | Send IPv6 traffic | Traffic is encrypted/decrypted at each hop |
| 21 | Hop with TCP | Send TCP traffic | Traffic is encrypted/decrypted at each hop |
| 22 | Hop with UDP | Send UDP traffic | Traffic is encrypted/decrypted at each hop |
| 23 | Hop with ICMP | Send ICMP traffic | Traffic is encrypted/decrypted at each hop |
| 24 | Hop with ARP | Send ARP packet | ARP is not encrypted |
| 25 | Hop with LLDP | Send LLDP packet | LLDP is not encrypted |
| 26 | Hop with LACP | Send LACP packet | LACP is not encrypted |
| 27 | Hop with STP | Send STP packet | STP is not encrypted |
| 28 | Hop with QoS | Apply QoS policy | QoS markings preserved |
| 29 | Hop with ACL | Apply ACL on MACsec port | ACL enforced after decryption |
| 30 | Hop with Port Flap | Flap port at one hop | MACsec re-establishes |
| 31 | Hop with Port Bounce | Bounce port at one hop | MACsec re-establishes |
| 32 | Hop with Logging Enabled | Enable logging | Logs show encryption/decryption events |
| 33 | Hop with Logging Disabled | Disable logging | No logs generated |
| 34 | Hop with Monitoring | Monitor MACsec stats | Stats show per-hop encryption/decryption |
| 35 | Hop with SNMP | Query MACsec via SNMP | Per-hop status visible |
| 36 | Hop with CLI | Show MACsec status via CLI | Per-hop encryption status shown |
| 37 | Hop with High Load | Send high traffic volume | No packet loss, encryption holds |
| 38 | Hop with Low Latency | Measure latency | Latency within acceptable range |
| 39 | Hop with Hardware Acceleration | Use AES-NI or similar | Performance improves |
| 40 | Hop with Software Encryption | Use software fallback | Encryption still works |
| 41 | Hop with SCI Mismatch | Use incorrect SCI | Traffic is dropped |
| 42 | Hop with SA Mismatch | Use incorrect SA | Traffic is dropped |
| 43 | Hop with Secure Channel ID | Validate SCI at each hop | SCI matches expected peer |
| 44 | Hop with Secure Association Index | Validate SA index | SA index matches active SA |
| 45 | Hop with Authentication Failure | Fail MKA authentication | Traffic is dropped |
| 46 | Hop with Authentication Success | Succeed MKA authentication | Traffic is encrypted/decrypted |
| 47 | Hop with Manual Rekey | Trigger manual rekey | Rekey succeeds at each hop |
| 48 | Hop with Automatic Rekey | Wait for rekey interval | Rekey occurs automatically |
| 49 | Hop with Peer Disconnect | Disconnect peer at one hop | Traffic is dropped |
| 50 | Hop with Peer Reconnect | Reconnect peer | MACsec re-establishes and traffic resumes |
No IP Dependency - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | No IP Configuration | Enable MACsec without IP address | MACsec functions correctly |
| 2 | IP Address Removal | Remove IP address after enabling MACsec | MACsec continues to operate |
| 3 | MACsec on L2-only Device | Enable MACsec on switch with no IP stack | MACsec encrypts and decrypts traffic |
| 4 | MACsec with Static MAC | Use static MAC address only | MACsec operates normally |
| 5 | MACsec with Dynamic MAC | Use dynamically learned MAC | MACsec operates normally |
| 6 | MACsec with ARP Disabled | Disable ARP on interface | MACsec still encrypts traffic |
| 7 | MACsec with IPv6 Disabled | Disable IPv6 on interface | MACsec still encrypts traffic |
| 8 | MACsec with No Routing | Disable routing on device | MACsec still functions |
| 9 | MACsec with No Default Gateway | Remove default gateway | MACsec continues to work |
| 10 | MACsec with No DNS | Remove DNS configuration | MACsec unaffected |
| 11 | MACsec with No DHCP | Disable DHCP client | MACsec still encrypts traffic |
| 12 | MACsec with No IP Stack | Strip IP stack from OS | MACsec still encrypts Layer 2 frames |
| 13 | MACsec with IPv4 Only | Use only IPv4 | MACsec encrypts traffic |
| 14 | MACsec with IPv6 Only | Use only IPv6 | MACsec encrypts traffic |
| 15 | MACsec with Non-IP Protocol | Send non-IP protocol (e.g., STP) | MACsec does not encrypt it |
| 16 | MACsec with Ethernet II Frames | Send Ethernet II frames | MACsec encrypts them |
| 17 | MACsec with 802.1Q VLAN | Send VLAN-tagged frames | MACsec encrypts them |
| 18 | MACsec with 802.1ad Q-in-Q | Send double-tagged frames | MACsec encrypts them |
| 19 | MACsec with MPLS | Send MPLS frames | MACsec encrypts them |
| 20 | MACsec with PPPoE | Send PPPoE frames | MACsec encrypts them |
| 21 | MACsec with No IP Reachability | No ping or traceroute possible | MACsec still encrypts traffic |
| 22 | MACsec with MAC-only Authentication | Authenticate using MAC address | MACsec works without IP |
| 23 | MACsec with Static Key | Use static key without IP | MACsec encrypts traffic |
| 24 | MACsec with MKA over L2 | Use MKA without IP | Key exchange succeeds |
| 25 | MACsec with No Hostname | Remove hostname resolution | MACsec unaffected |
| 26 | MACsec with No NTP | Disable NTP | MACsec still encrypts traffic |
| 27 | MACsec with No SNMP | Disable SNMP | MACsec continues to function |
| 28 | MACsec with No Syslog | Disable syslog | MACsec continues to function |
| 29 | MACsec with No SSH | Disable SSH | MACsec continues to function |
| 30 | MACsec with No Telnet | Disable Telnet | MACsec continues to function |
| 31 | MACsec with No Web UI | Disable web interface | MACsec continues to function |
| 32 | MACsec with No IP ACL | No IP-based ACLs | MACsec still enforces encryption |
| 33 | MACsec with MAC ACL | Use MAC-based ACLs | MACsec works with them |
| 34 | MACsec with No IPsec | No IPsec configured | MACsec operates independently |
| 35 | MACsec with No GRE | No GRE tunnels | MACsec unaffected |
| 36 | MACsec with No VXLAN | No VXLAN overlays | MACsec unaffected |
| 37 | MACsec with No BGP | No BGP routing | MACsec unaffected |
| 38 | MACsec with No OSPF | No OSPF routing | MACsec unaffected |
| 39 | MACsec with No Static Routes | No static routes | MACsec unaffected |
| 40 | MACsec with No IP Multicast | No IP multicast routing | MACsec unaffected |
| 41 | MACsec with No IP Broadcast | No IP broadcast | MACsec unaffected |
| 42 | MACsec with Ethernet Broadcast | Send Ethernet broadcast | MACsec encrypts it |
| 43 | MACsec with Ethernet Multicast | Send Ethernet multicast | MACsec encrypts it |
| 44 | MACsec with Ethernet Unicast | Send Ethernet unicast | MACsec encrypts it |
| 45 | MACsec with No IP Logging | No IP-based logs | MACsec logs still available |
| 46 | MACsec with No IP Monitoring | No IP-based monitoring tools | MACsec stats available via L2 tools |
| 47 | MACsec with No IP SLA | No IP SLA configured | MACsec unaffected |
| 48 | MACsec with No IP Address on Peer | Peer has no IP | MACsec still establishes secure channel |
| 49 | MACsec with No IP on Both Ends | Neither end has IP | MACsec still encrypts traffic |
| 50 | MACsec with L2-only Topology | Entire network is L2 | MACsec provides full link-layer security |
Compatibility with 802.1X - Testcases
Compatibility with 802.1X - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | 802.1X Authentication Success | Authenticate using 802.1X | MACsec session is established |
| 2 | 802.1X Authentication Failure | Fail 802.1X authentication | MACsec session is not established |
| 3 | 802.1X with EAP-TLS | Use EAP-TLS for authentication | MACsec keys are derived successfully |
| 4 | 802.1X with EAP-PEAP | Use EAP-PEAP for authentication | MACsec keys are derived successfully |
| 5 | 802.1X with EAP-MSCHAPv2 | Use EAP-MSCHAPv2 | MACsec keys are derived successfully |
| 6 | 802.1X with EAP-TTLS | Use EAP-TTLS | MACsec keys are derived successfully |
| 7 | 802.1X with Invalid Credentials | Use wrong credentials | Authentication fails, MACsec not enabled |
| 8 | 802.1X with Certificate Expiry | Use expired certificate | Authentication fails |
| 9 | 802.1X with Revoked Certificate | Use revoked certificate | Authentication fails |
| 10 | 802.1X with Dynamic VLAN | Assign VLAN post-authentication | MACsec still functions |
| 11 | 802.1X with Guest VLAN | Assign guest VLAN on failure | MACsec not enabled on guest VLAN |
| 12 | 802.1X with MKA | Use MKA for key agreement | MACsec session established |
| 13 | 802.1X with Static Key | Use static key instead of MKA | MACsec works without 802.1X |
| 14 | 802.1X with Supplicant Restart | Restart supplicant | MACsec session re-established |
| 15 | 802.1X with Authenticator Restart | Restart switch authenticator | MACsec session re-established |
| 16 | 802.1X with RADIUS Server Down | Simulate RADIUS failure | Authentication fails, MACsec not enabled |
| 17 | 802.1X with RADIUS Server Recovery | Restore RADIUS server | Authentication and MACsec resume |
| 18 | 802.1X with Multiple Supplicants | Authenticate multiple clients | MACsec sessions established per port |
| 19 | 802.1X with MAC Authentication Bypass | Use MAB fallback | MACsec not enabled |
| 20 | 802.1X with Host Mode Single | Single host per port | MACsec enabled after authentication |
| 21 | 802.1X with Host Mode Multi | Multiple hosts per port | MACsec enabled for authenticated hosts |
| 22 | 802.1X with Re-authentication | Trigger re-authentication | MACsec session rekeyed |
| 23 | 802.1X with Session Timeout | Let session expire | MACsec session ends |
| 24 | 802.1X with Session Renewal | Renew session before timeout | MACsec session continues |
| 25 | 802.1X with VLAN Change | Change VLAN after auth | MACsec session persists |
| 26 | 802.1X with Port Bounce | Bounce port | Re-authentication and MACsec re-initiate |
| 27 | 802.1X with Link Flap | Flap link | MACsec session re-established |
| 28 | 802.1X with Supplicant Delay | Delay supplicant start | MACsec not enabled until auth |
| 29 | 802.1X with Supplicant Timeout | Supplicant times out | MACsec not enabled |
| 30 | 802.1X with Supplicant Logging | Enable logs | Authentication and MACsec events logged |
| 31 | 802.1X with Authenticator Logging | Enable logs | Auth and MACsec events logged |
| 32 | 802.1X with SNMP Monitoring | Monitor via SNMP | Auth and MACsec status visible |
| 33 | 802.1X with CLI Monitoring | Use CLI to check status | Auth and MACsec status shown |
| 34 | 802.1X with High Load | Authenticate under load | MACsec session still established |
| 35 | 802.1X with DoS Attack | Simulate auth flood | MACsec not established for unauthenticated |
| 36 | 802.1X with Supplicant Misconfig | Misconfigure supplicant | Auth fails, MACsec not enabled |
| 37 | 802.1X with Authenticator Misconfig | Misconfigure switch | Auth fails, MACsec not enabled |
| 38 | 802.1X with Supplicant Certificate Rotation | Rotate certs | Auth and MACsec re-established |
| 39 | 802.1X with Authenticator Certificate Rotation | Rotate certs | Auth and MACsec re-established |
| 40 | 802.1X with Supplicant Identity Change | Change username | Re-authentication triggered |
| 41 | 802.1X with Supplicant IP Change | Change IP address | MACsec unaffected |
| 42 | 802.1X with Supplicant MAC Change | Change MAC address | Re-authentication required |
| 43 | 802.1X with Supplicant Disconnect | Disconnect client | MACsec session ends |
| 44 | 802.1X with Supplicant Reconnect | Reconnect client | Auth and MACsec resume |
| 45 | 802.1X with Supplicant Mobility | Move client to another port | Re-authentication and MACsec resume |
| 46 | 802.1X with Supplicant Roaming | Roam across switches | MACsec re-established on new port |
| 47 | 802.1X with Supplicant Upgrade | Upgrade supplicant software | MACsec continues to function |
| 48 | 802.1X with Authenticator Upgrade | Upgrade switch firmware | MACsec resumes after reboot |
| 49 | 802.1X with Supplicant Debugging | Enable debug logs | Auth and MACsec debug info available |
| 50 | 802.1X with Authenticator Debugging | Enable debug logs | Auth and MACsec debug info available |
Minimal Latency Overhead - Testcases
Minimal Latency Overhead - Test Cases

| # | Test Case | Description | Expected Result |
|---|---|---|---|
| 1 | Baseline Latency Measurement | Measure latency without MACsec | Establish baseline latency |
| 2 | Latency with MACsec Enabled | Measure latency with MACsec | Latency increase is minimal |
| 3 | Latency with AES-GCM-128 | Use AES-GCM-128 encryption | Latency within acceptable range |
| 4 | Latency with AES-GCM-256 | Use AES-GCM-256 encryption | Slightly higher but acceptable latency |
| 5 | Latency with Hardware Acceleration | Enable AES-NI or crypto hardware | Latency is minimized |
| 6 | Latency with Software Encryption | Use software-based encryption | Slight increase in latency |
| 7 | Latency with Jumbo Frames | Send 9000-byte frames | Latency remains low |
| 8 | Latency with Small Packets | Send 64-byte packets | Latency remains low |
| 9 | Latency with Mixed Packet Sizes | Send varied packet sizes | Latency remains consistent |
| 10 | Latency with High Throughput | Send 1 Gbps traffic | No significant latency spike |
| 11 | Latency with Low Throughput | Send 10 Mbps traffic | Latency remains minimal |
| 12 | Latency with Replay Protection | Enable replay protection | No significant latency added |
| 13 | Latency with Key Rekeying | Trigger SAK rekey | No packet loss or delay spike |
| 14 | Latency with MKA Key Exchange | Perform MKA exchange | Latency unaffected during steady state |
| 15 | Latency with VLAN Tags | Send VLAN-tagged traffic | Latency remains minimal |
| 16 | Latency with Q-in-Q | Send double-tagged frames | Latency remains minimal |
| 17 | Latency with IPv4 | Send IPv4 traffic | Latency remains minimal |
| 18 | Latency with IPv6 | Send IPv6 traffic | Latency remains minimal |
| 19 | Latency with TCP | Send TCP traffic | Latency remains minimal |
| 20 | Latency with UDP | Send UDP traffic | Latency remains minimal |
| 21 | Latency with ICMP | Send ICMP traffic | Latency remains minimal |
| 22 | Latency with Broadcast | Send broadcast traffic | Latency remains minimal |
| 23 | Latency with Multicast | Send multicast traffic | Latency remains minimal |
| 24 | Latency with Unicast | Send unicast traffic | Latency remains minimal |
| 25 | Latency with Fragmented Packets | Send fragmented packets | Latency remains minimal |
| 26 | Latency with Port Flap | Flap port and measure latency | Latency recovers quickly |
| 27 | Latency with Port Bounce | Bounce port and measure latency | Latency recovers quickly |
| 28 | Latency with Link Aggregation | Use LACP with MACsec | Latency remains minimal |
| 29 | Latency with STP | Enable STP on MACsec port | Latency remains minimal |
| 30 | Latency with LLDP | Send LLDP packets | LLDP unaffected, latency minimal |
| 31 | Latency with ARP | Send ARP packets | ARP not encrypted, no latency impact |
| 32 | Latency with ACLs | Apply ACLs on MACsec port | Latency remains minimal |
| 33 | Latency with QoS | Apply QoS policy | Latency remains within QoS bounds |
| 34 | Latency with Congestion | Simulate network congestion | MACsec adds no extra delay |
| 35 | Latency with CPU Load | High CPU usage on device | Latency remains within limits |
| 36 | Latency with Memory Pressure | Simulate low memory | Latency remains stable |
| 37 | Latency with Logging Enabled | Enable MACsec logging | No significant latency impact |
| 38 | Latency with Logging Disabled | Disable logging | Latency remains minimal |
| 39 | Latency with Monitoring Tools | Use SNMP/CLI monitoring | No latency impact |
| 40 | Latency with Packet Capture | Capture encrypted traffic | Latency remains minimal |
| 41 | Latency with Redundant Links | Use redundant MACsec links | Latency remains minimal |
| 42 | Latency with Peer Mismatch | Peer misconfigured | Traffic dropped, no latency measured |
| 43 | Latency with Authentication Delay | Delay 802.1X auth | MACsec not enabled until auth |
| 44 | Latency with Static Key | Use static key | Latency remains minimal |
| 45 | Latency with Dynamic Key | Use MKA | Latency remains minimal |
| 46 | Latency with Key Expiry | Let key expire | Traffic drops, latency not applicable |
| 47 | Latency with Secure Channel Re-init | Re-initiate secure channel | Latency spike is brief |
| 48 | Latency with Multiple Peers | Encrypt traffic to multiple peers | Latency remains minimal |
| 49 | Latency with Loopback | Enable MACsec on loopback | Not supported, test fails |
| 50 | Latency with End-to-End Test | Measure latency across MACsec path | End-to-end latency within SLA |
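The first two latency test cases (baseline, then MACsec enabled) only give a pass/fail result once the two sample sets are compared against a threshold. The following evaluator is an added example, not part of this page or of any vendor tool: it takes constructed microsecond latency samples, reports the median and p99 deltas, and also computes the unavoidable wire-time cost of the 32 bytes (16-byte SecTAG plus 16-byte ICV) that MACsec adds to every frame, so a tester can tell how much of a measured delta is crypto processing rather than serialization.

```python
"""Evaluate MACsec latency-overhead results (added example, not page code)."""
from statistics import median

# SecTAG (16 bytes) + ICV (16 bytes) appended to every MACsec-protected frame.
MACSEC_OVERHEAD_BYTES = 16 + 16


def percentile(samples, pct):
    """Nearest-rank percentile of a list of numbers (pct in 0..100)."""
    ordered = sorted(samples)
    rank = max(1, int(round(pct / 100.0 * len(ordered))))
    return ordered[rank - 1]


def serialization_overhead_us(line_rate_bps):
    """Extra wire time, in microseconds, that the 32 MACsec bytes add per frame.

    This cost is the same for 64-byte and 9000-byte frames (test cases 7 and 8);
    only its share of the total frame time differs.
    """
    return MACSEC_OVERHEAD_BYTES * 8 / line_rate_bps * 1e6


def latency_overhead(baseline_us, macsec_us, max_added_us):
    """Compare MACsec-enabled samples against the baseline (test cases 1 and 2).

    Returns the median and p99 deltas and a pass flag that is true only when
    both deltas stay within max_added_us.
    """
    med_delta = median(macsec_us) - median(baseline_us)
    p99_delta = percentile(macsec_us, 99) - percentile(baseline_us, 99)
    return {
        "median_delta_us": round(med_delta, 3),
        "p99_delta_us": round(p99_delta, 3),
        "passed": med_delta <= max_added_us and p99_delta <= max_added_us,
    }


# Constructed sample measurements (microseconds), not real captures.
BASELINE_US = [5.1, 5.0, 5.2, 5.1, 5.0, 5.3, 5.1, 5.0, 5.2, 5.1]
MACSEC_US = [6.0, 5.9, 6.1, 6.0, 5.8, 6.2, 6.0, 5.9, 6.1, 6.0]

if __name__ == "__main__":
    print("1 Gbps wire overhead per frame: %.3f us" % serialization_overhead_us(1e9))
    print(latency_overhead(BASELINE_US, MACSEC_US, max_added_us=2.0))
```

The threshold (max_added_us) is an assumed acceptance value; set it from the SLA the last test case refers to.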
Reference links