  • What is MACsec

    10,000+ reads, 2017-03-31 13:31:18

    Understanding Media Access Control Security (MACsec)

    Media Access Control Security (MACsec) is an 802.1AE IEEE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

    MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

    MACsec is standardized in IEEE 802.1AE. The IEEE 802.1AE standard can be seen on the IEEE organization website at IEEE 802.1: BRIDGING & MANAGEMENT.


    How MACsec Works

    MACsec provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys—a user-configured pre-shared key when you enable MACsec using static connectivity association key (CAK) security mode, a user-configured static secure association key when you enable MACsec using static secure association key (SAK) security mode, or a dynamic key included as part of the AAA handshake with the RADIUS server when you enable MACsec using dynamic security mode—are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec. See Configuring Media Access Control Security (MACsec).

    Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

    The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

    MACsec can also be used to encrypt all traffic on the Ethernet link. The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable; you can enable MACsec to ensure the data integrity checks are performed while still sending unencrypted data “in the clear” over the MACsec-secured link, if desired.

    MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each point-to-point Ethernet link.
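    As an added illustration of the framing described above (not code from the original page or from Juniper), the following Python decodes the 8-byte SecTAG that MACsec prepends (and its 16-byte form when SCI tagging is on), splits off the 16-byte ICV tail, and applies the receive-side replay check that the optional replay-protection feature relies on. The frame bytes, MAC addresses and ICV values are constructed samples; computing or verifying the ICV needs the SAK and AES-GCM and is deliberately out of scope here.

```python
"""Parse a MACsec (IEEE 802.1AE) frame and apply the receive-side replay check."""
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5   # EtherType of a MACsec-tagged frame
ICV_LEN = 16                # the 16-byte integrity check value appended to the frame
SHORT_LEN_LIMIT = 48        # SL is non-zero only when the secure data is shorter than this


@dataclass
class MacsecFrame:
    end_station: bool        # TCI ES bit
    sci_present: bool        # TCI SC bit: an explicit 8-byte SCI follows the PN
    scb: bool                # TCI SCB bit (single copy broadcast)
    encrypted: bool          # TCI E bit: user data is encrypted
    changed_text: bool       # TCI C bit: secure data differs from user data
    an: int                  # association number selecting the SAK (0..3)
    pn: int                  # packet number, the basis of replay protection
    sci: Optional[bytes]     # secure channel identifier when SC is set, else None
    secure_data: bytes
    icv: bytes


def parse_macsec_frame(frame: bytes) -> MacsecFrame:
    """Decode dst/src MAC + SecTAG + secure data + ICV; raise ValueError if malformed."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and an ICV")
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("EtherType 0x%04x is not MACsec" % ethertype)
    if tci_an & 0x80:
        raise ValueError("SecTAG version bit must be zero")
    es, sc, scb = bool(tci_an & 0x40), bool(tci_an & 0x20), bool(tci_an & 0x10)
    e, c, an = bool(tci_an & 0x08), bool(tci_an & 0x04), tci_an & 0x03
    if sc and (es or scb):
        raise ValueError("SC must be clear when ES or SCB is set")
    if sl & 0xC0:
        raise ValueError("reserved SL bits set")
    if pn == 0:
        raise ValueError("PN 0 is never transmitted")
    offset, sci = 20, None
    if sc:                               # 16-byte SecTAG variant used with SCI tagging
        sci, offset = frame[20:28], 28
    if len(frame) < offset + ICV_LEN:
        raise ValueError("frame too short for the SCI and an ICV")
    secure_data, icv = frame[offset:-ICV_LEN], frame[-ICV_LEN:]
    short_len = sl & 0x3F
    if short_len:
        if short_len >= SHORT_LEN_LIMIT or len(secure_data) != short_len:
            raise ValueError("SL disagrees with the secure data length")
    elif len(secure_data) < SHORT_LEN_LIMIT:
        raise ValueError("SL must carry the length of secure data shorter than 48 octets")
    return MacsecFrame(es, sc, scb, e, c, an, pn, sci, secure_data, icv)


def build_macsec_frame(dst: bytes, src: bytes, an: int, pn: int, secure_data: bytes,
                       icv: bytes, sci: Optional[bytes] = None,
                       encrypted: bool = True) -> bytes:
    """Assemble a test frame; the ICV is supplied, not computed (no SAK is involved here)."""
    tci_an = (0x20 if sci else 0) | (0x0C if encrypted else 0) | (an & 0x03)
    sl = len(secure_data) if len(secure_data) < SHORT_LEN_LIMIT else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)
    return dst + src + sectag + (sci or b"") + secure_data + icv


class ReceiveSA:
    """Replay state of one receive secure association.

    802.1AE keeps only nextPN and a window size per receive SA: a frame whose PN is
    below lowestPN = nextPN - window is discarded before ICV verification. Nothing
    records individual PNs inside the window, so a window larger than 0 tolerates
    reordering at the cost of accepting a replayed frame that still lies inside the
    window; only a window of 0 rejects every duplicate or out-of-order frame.
    """

    def __init__(self, replay_window: int = 0):
        self.replay_window = replay_window
        self.next_pn = 1

    @property
    def lowest_pn(self) -> int:
        return max(self.next_pn - self.replay_window, 1)

    def accept(self, pn: int) -> bool:
        """Replay check for a frame whose ICV is assumed to verify; updates nextPN."""
        if pn < self.lowest_pn:
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True
```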

    Understanding Connectivity Associations and Secure Channels

    MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.

    When you are configuring MACsec using static secure association key (SAK) security mode, you must configure secure channels within a connectivity association. The secure channels are responsible for transmitting and receiving data on the MACsec-enabled link, and also responsible for transmitting SAKs across the link to enable and maintain MACsec. A single secure channel is unidirectional—it can be used to apply MACsec only to either inbound or outbound traffic. A typical connectivity association when MACsec is enabled using SAK security mode contains two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic.

    When you enable MACsec using static CAK or dynamic security mode, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically-created secure channels do not have any user-configurable parameters; all configuration is done in the connectivity association outside of the secure channels.

    Understanding MACsec Security Modes

    Understanding Static Connectivity Association Key Security Mode (Recommended Security Mode for Switch-to-Switch Links)

    When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

    When MACsec is enabled in CAK mode, two keys are needed to secure the point-to-point link: 1. the CAK, which secures control-plane traffic; 2. the SAK, which secures data traffic.

    You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

    Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

    You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters that cannot already be configured in the connectivity association.

    We recommend enabling MACsec on switch-to-switch links using static CAK security mode. Static CAK security mode ensures security by frequently refreshing to a new random security key and by sharing only the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are available only when you enable MACsec using static CAK security mode.

    See Configuring Media Access Control Security (MACsec) for step-by-step instructions on enabling MACsec using static CAK security mode.

    Understanding Dynamic Secure Association Key Security Mode (Switch-to-Host Links)

    Dynamic secure association key security mode is used to enable MACsec on a switch-to-host link.

    To enable MACsec on a link connecting an endpoint device—such as a server, phone, or personal computer—to a switch, the endpoint device must support MACsec and must be running software that allows it to enable a MACsec-secured connection. When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

    A secure association using dynamic secure association security mode must be configured on the switch’s Ethernet interface that connects to the host in order for the switch to create a MACsec-secured connection after receiving the MKA keys from the RADIUS server.

    The RADIUS server must be using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in order to support MACsec. The RADIUS servers that support other widely-used authentication frameworks, such as password-only or md5, cannot be used to support MACsec. In order to enable MACsec on a switch to secure a connection to a host, you must be using 802.1X authentication on the RADIUS server. MACsec must be configured into dynamic mode. MACsec is still enabled using connectivity associations when enabled on a switch-to-host link, as it is on a switch-to-switch link.

    Understanding Static Secure Association Key Security Mode (Supported for Switch-to-Switch Links)

    When you enable MACsec using static secure association key (SAK) security mode, one of up to two manually configured SAKs is used to secure data traffic on the point-to-point Ethernet link. All SAK names and values are configured by the user; there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

    You configure SAKs within secure channels when you enable MACsec using static SAK security mode. You configure secure channels within connectivity associations. A typical connectivity association for MACsec using static SAK security mode contains two secure channels—one for inbound traffic and one for outbound traffic—that have each been configured with two manually-configured SAKs. You must attach the connectivity association with the secure channel configurations to an interface to enable MACsec using static SAK security mode.

    We recommend enabling MACsec using static CAK security mode. Use static SAK security mode only if you have a compelling reason to use it instead of static CAK security mode.

    See Configuring Media Access Control Security (MACsec) for step-by-step instructions on enabling MACsec using SAKs.

    Understanding the Requirements to Enable MACsec on a Switch-to-Host Link

    When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

    The following requirements must be met in order to enable MACsec on a link connecting a host device to a switch.

    The host device:

    • must support MACsec and must be running software that allows it to enable a MACsec-secured connection with the switch.

    The switch:

    • must be an EX4200, EX4300, or EX4550 switch running Junos OS Release 14.1X53-D10 or later, or an EX9200 switch running Junos OS Release 15.1R1 or later.
    • must be configured into dynamic secure association key security mode.
    • must be using 802.1X authentication to communicate with the RADIUS server.

    The RADIUS server:

    • must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.

      Note: RADIUS servers that support other widely-used authentication frameworks, such as password-only or md5, cannot be used to support MACsec.

    • must be using 802.1X authentication.
    • can be multiple hops from the switch and the host device.

    MACsec Hardware and Software Support Summary

    Table 1 summarizes MACsec hardware and software support for EX Series and QFX Series switches.

    MACsec hardware and software support is discussed in greater detail in the remaining sections.

    Table 1: MACsec Hardware and Software Support Summary for EX Series and QFX Series Switches

    Switch  | MACsec-capable Interfaces | Switch-to-Switch Support Introduction | Switch-to-Host Support Introduction | Required Software Package
    --------|---------------------------|---------------------------------------|-------------------------------------|--------------------------
    EX4200  | All uplink port connections on the SFP+ MACsec uplink module. | 13.2X50-D15 | 14.1X53-D10 | controlled
    EX4300  | All access and uplink ports. | 13.2X50-D15 | 14.1X53-D10 | controlled
    EX4550  | All EX4550 optical interfaces that use the LC connection type. | 13.2X50-D15 | 14.1X53-D10 | controlled
    EX4600  | All twenty-four fixed 1GbE SFP/10GbE SFP+ interfaces and all interfaces that support the copper Gigabit Interface Converter (GBIC); all eight SFP+ interfaces on the EX4600-EM-8F expansion module. | 14.1X53-D15 | Not supported | controlled
    EX9200  | All forty SFP interfaces on the EX9200-40F-M line card; all twenty SFP interfaces on the EX9200-20F-MIC installed in an EX9200-MPC line card (see Note 1); all forty SFP+ interfaces on the EX9200-40XS. | 15.1R1 | 15.1R1 | Junos image (see Note 2)
    QFX5100 | All eight SFP+ interfaces on the EX4600-EM-8F expansion module. | 14.1X53-D15 | Not supported | controlled

    Note 1: You can install up to two EX9200-20F-MIC MICs in an EX9200-MPC line card for a maximum of forty MACsec-capable interfaces.

    Note 2: MACsec is available on the Junos OS image in EX9200 switches only. MACsec is not available on the limited Junos OS image package.

    Understanding MACsec Hardware Requirements for EX Series and QFX Series Switches

    MACsec is currently supported on the following EX Series and QFX Series switch interfaces:

    • The uplink port connections on the SFP+ MACsec uplink module that can be installed on EX4200 series switches.
    • All access and uplink ports on EX4300 switches.
    • All EX4550 optical interfaces that use the LC connection type. See Pluggable Transceivers Supported on EX4550 Switches.
    • All twenty-four fixed 1GbE SFP/10GbE SFP+ interfaces on an EX4600 switch and all interfaces that support the copper Gigabit Interface Converter (GBIC).
    • All eight SFP+ interfaces on the EX4600-EM-8F expansion module, when installed in an EX4600 or QFX5100-24Q switch.

      Note: MACsec is not supported on EX4600 or QFX5100-24Q switches in Junos OS Release 15.1.

      See Feature Explorer for a full listing of Junos OS releases that support MACsec.

    • All forty SFP interfaces on the EX9200-40F-M line card, when the line card is installed in an EX9200 series switch.
    • All twenty SFP interfaces on the EX9200-20F-MIC, when this modular interface card is installed in the EX9200-MPC line card of an EX9200 switch. You can install up to two EX9200-20F-MIC MICs in an EX9200-MPC line card, for a maximum of forty MACsec-capable interfaces.
    • All forty SFP+ interfaces on the EX9200-40XS, when the line card is installed in an EX9200 switch.

    MACsec can be configured on supported switch interfaces when those switches are configured in a Virtual Chassis or Virtual Chassis Fabric (VCF), including when MACsec-supported interfaces are on member switches in a mixed Virtual Chassis or VCF that includes switch interfaces that do not support MACsec. MACsec, however, cannot be enabled on Virtual Chassis ports (VCPs) to secure traffic travelling between member switches in a Virtual Chassis or VCF.

    Understanding MACsec Software Requirements for EX Series and QFX Series Switches

    See Feature Explorer for a full listing of Junos OS releases and platforms that support MACsec.

    MACsec was initially released on EX4200, EX4300, and EX4550 switches in Junos OS Release 13.2X50-D15.

    MACsec support for dynamic security mode, which allows MACsec to be configured on switch-to-host links, for EX4200, EX4300, and EX4550 switches was introduced in Junos OS Release 14.1X53-D10.

    The switches on each end of a MACsec-secured switch-to-switch link must either both be using Junos OS Release 14.1X53-D10 or later, or must both be using an earlier version of Junos, in order to establish a MACsec-secured connection when using static CAK security mode.

    MACsec support for EX4600 switches and QFX5100-24Q switches was introduced in Junos OS Release 14.1X53-D15. The EX4600 and QFX5100-24Q switches support MACsec on switch-to-switch links only.

    Note: MACsec is not supported on EX4600 or QFX5100-24Q switches in Junos OS Release 15.1.


    MACsec support for EX9200 switches for both switch-to-switch links and for switch-to-host links was introduced in Junos OS Release 15.1R1. The EX9200-40F-M line card, EX9200-20F-MIC installed in an EX9200-MPC line card, and the EX9200-40XS line card support MACsec with AES-128 bit encryption, providing support for link-layer data confidentiality, data integrity, and data origin authentication. You must apply a single license—EX9200-SFL—to enable MACsec.

    You must download the controlled version of your Junos OS software to enable MACsec on EX4200, EX4300, EX4550, EX4600, or QFX5100-24Q switches. MACsec support is not available in the domestic version of your Junos OS software on these platforms.

    You must download the standard Junos image to enable MACsec on EX9200 switches. MACsec is not supported on the limited image.

    The controlled version of Junos OS software for EX4200, EX4300, EX4550, EX4600, or QFX5100-24Q switches includes all features and functionality available in the domestic version of Junos OS, while also supporting MACsec. The domestic version of Junos OS software is shipped on all switches that support MACsec, so you must download and install a controlled version of Junos OS software for your switch before you can enable MACsec.

    The controlled version of Junos OS software for EX4200, EX4300, EX4550, EX4600, or QFX5100-24Q switches contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

    The standard version of Junos OS software for EX9200 switches contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of this Junos OS software is strictly controlled under United States export laws. The export, import, and use of this Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring this version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

    Understanding the MACsec Feature License Requirement

    A feature license is required to configure MACsec on a switch.

    To purchase a feature license for MACsec, contact your Juniper Networks sales representative (http://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.

    The MACsec feature license is an independent feature license; the feature licenses that must be purchased to enable other groups of features on your switches cannot be purchased to enable MACsec.

    MACsec Limitations

    All types of Spanning Tree Protocol frames cannot currently be encrypted using MACsec.

    Release History Table

    Release     | Description
    ------------|------------
    15.1R1      | MACsec is supported on EX9200 switches running Junos OS Release 15.1R1 or later.
    14.1X53-D15 | MACsec support for EX4600 switches and QFX5100-24Q switches was introduced in Junos OS Release 14.1X53-D15.
    14.1X53-D10 | MACsec is supported on EX4200, EX4300, or EX4550 switches running Junos OS Release 14.1X53-D10 or later.
    14.1X53-D10 | MACsec support for dynamic security mode, which allows MACsec to be configured on switch-to-host links, for EX4200, EX4300, and EX4550 switches was introduced in Junos OS Release 14.1X53-D10.
    13.2X50-D15 | MACsec was initially released on EX4200, EX4300, and EX4550 switches in Junos OS Release 13.2X50-D15.

    Modified: 2017-01-24

  • To meet the need for secure media access control (MAC) layer communication across switches, an improved MACsec security association scheme is proposed. The scheme establishes a secure association key (SAK) between a newly joined switch and non-adjacent switches, used to protect MAC-layer data communication between them. To make the scheme...
  • Marvell (NASDAQ: MRVL) recently announced a dual-port 400GbE MACsec PHY transceiver that integrates 256-bit encryption and Class C Precision Time Protocol (PTP) timestamping, bringing advanced performance, higher security and faster transmission to next-generation network infrastructure. The transceiver is based on hardware...
  • SONiC System Management 14: MACsec Management. SONiC added MACsec support in 2020. ... SONiC supports two modes: MACsec built into the switch ASIC, and a separate MACsec-capable Ethernet PHY. Because a different chip implements MACsec in each mode, the two modes correspond to different table entries in the ASIC DB. ...

    SONiC System Management 14

    MACsec Management

    SONiC added support for MACsec in 2020.
    MACsec is an encryption mechanism at the Ethernet MAC layer: the two interconnected MAC entities exchange key information with each other, and a hardware-based cipher encrypts and decrypts the MAC frames in transit. Its hardware-based cipher is easier to implement in hardware than IPsec.
    SONiC supports the GCM-AES-128 and GCM-AES-256 cipher suites.
    SONiC supports two modes: MACsec built into the switch ASIC, and a separate MACsec-capable Ethernet PHY. Because a different chip implements MACsec in each mode, the two modes correspond to different table entries in the ASIC DB.
    SONiC supports MACsec through a dedicated MACsec container, which performs MACsec session negotiation and key exchange; the interaction between the components is shown in the figure.


  • Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on ...

    Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.

    MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.


    How MACsec Works

    MACsec provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys—a user-configured pre-shared key when you enable MACsec using static connectivity association key (CAK) security mode or a user-configured static secure association key when you enable MACsec using static secure association key (SAK) security mode—are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec. See Configuring Media Access Control Security (MACsec).

    Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

    The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

    MACsec can also be used to encrypt all traffic on the Ethernet link. The encryption used by MACsec ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable; you can enable MACsec to ensure the data integrity checks are performed while still sending unencrypted data “in the clear” over the MACsec-secured link, if desired.

    The current implementation of MACsec on EX Series switches is configured on point-to-point Ethernet links between MACsec-capable interfaces on EX Series switches. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each point-to-point Ethernet link.

    Understanding Connectivity Associations and Secure Channels

    MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.

    When you are configuring MACsec using static secure association key (SAK) security mode, you must configure secure channels within a connectivity association. The secure channels are responsible for transmitting and receiving data on the MACsec-enabled link, and also responsible for transmitting SAKs across the link to enable and maintain MACsec. A single secure channel is uni-directional—it can only be used to apply MACsec to inbound or outbound traffic. A typical connectivity association when MACsec is enabled using SAK security mode contains two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic.

    When you enable MACsec using static CAK security mode, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically-created secure channels do not have any user-configurable parameters; all configuration is done in the connectivity association outside of the secure channels.

    Understanding Static Connectivity Association Key Security Mode

    When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link. Both keys are regularly exchanged between both devices on each end of the point-to-point Ethernet link to ensure link security.

    You initially establish a MACsec-secured link using a pre-shared key when you are using static CAK security mode to enable MACsec. A pre-shared key includes a connectivity association name (CKN) and its own connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

    Once matching pre-shared keys are successfully exchanged, the MACsec Key Agreement (MKA) protocol is enabled. The MKA protocol is responsible for maintaining MACsec on the link, and decides which switch on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the switch at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server will continue to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

    You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters that cannot already be configured in the connectivity association.

    We recommend enabling MACsec using static CAK security mode. Static CAK security mode ensures security by frequently refreshing to a new random security key and by only sharing the security key between the two devices on the MACsec-secured point-to-point link. Additionally, some optional MACsec features—replay protection, SCI tagging, and the ability to exclude traffic from MACsec—are only available when you enable MACsec using static CAK security mode.

    See Configuring Media Access Control Security (MACsec) for step-by-step instructions on enabling MACsec using static CAK security mode.

    Understanding Static Secure Association Key Security Mode

    When you enable MACsec using static secure association key (SAK) security mode, one of up to two manually configured SAKs is used to secure data traffic on the point-to-point Ethernet link. All SAK names and values are configured by the user; there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

    You configure SAKs within secure channels when you enable MACsec using static SAK security mode. You configure secure channels within connectivity associations. A typical connectivity association for MACsec using static SAK security mode contains two secure channels—one for inbound traffic and one for outbound traffic—that have each been configured with two manually-configured SAKs. You must attach the connectivity association with the secure channel configurations to an interface to enable MACsec using static SAK security mode.

    We recommend enabling MACsec using static CAK security mode. You should only use static SAK security mode if you have a compelling reason to use it instead of static CAK security mode.

    See Configuring Media Access Control Security (MACsec) for step-by-step instructions on enabling MACsec using SAKs.

    Understanding MACsec Hardware Requirements on EX Series Switches

    MACsec is currently supported on the following EX Series switch interfaces:

    • The uplink port connections on the SFP+ MACsec uplink module that can be installed on EX4200 series switches.
    • All access and uplink ports on EX4300 switches.
    • All EX4550 optical interfaces that use the LC connection type. See Pluggable Transceivers Supported on EX4550 Switches.

    MACsec can be configured on supported EX4200, EX4300, and EX4550 member switch interfaces when those switches are configured in a Virtual Chassis, including when MACsec-supported interfaces are on member switches in a mixed Virtual Chassis that includes EX4500 switches. MACsec, however, cannot be enabled on Virtual Chassis ports (VCPs) to secure traffic travelling between Virtual Chassis member switches.

    Understanding MACsec Software Requirements

    MACsec was initially released on EX Series switches in Junos OS Release 13.2X50-D15.

    You must download the controlled version of your Junos OS software to enable MACsec. MACsec software support is not available in the domestic version of your Junos OS software. The controlled version of Junos OS software includes all features and functionality available in the domestic version of Junos OS, while also supporting MACsec. The domestic version of Junos OS software is shipped on all EX Series switches, so you must download and install a controlled version of Junos OS software on your EX series switch before you can enable MACsec.

    The controlled version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

    The process for installing a controlled version of Junos OS software on your EX series switch is identical to installing the domestic version. See Downloading Software Packages from Juniper Networks.

    Understanding the MACsec Feature License Requirement

    A feature license is required to configure MACsec on an EX Series switch.

    To purchase a feature license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch; you can obtain the serial number by running the show chassis hardware command.

    The MACsec feature license is an independent feature license; the enhanced feature licenses (EFLs) or advanced feature licenses (AFLs) that must be purchased to enable some features on EX Series switches cannot be purchased to enable MACsec.

    MACsec Limitations

    Spanning Tree Protocol frames of any type cannot currently be encrypted using MACsec.

    Reposted from: https://www.juniper.net/documentation/en_US/junos13.2/topics/concept/macsec.html

  • To address the man-in-the-middle attack and the overly complex deployment found in the Ethernet media access control security (MACsec) mechanism, an authentication protocol based on the three-element peer authentication (TePA) framework is proposed...

    SONiC System Management 15

    Gearbox management

    SONiC supports both MACsec integrated into the switch ASIC and standalone MACsec-capable Ethernet PHYs; a standalone MACsec PHY is managed in the same way as a Gearbox.
    In the early stages of 40G/100G Ethernet, the high-speed interface electrical signalling of switch ASICs only reached 10 Gbps per lane. To let such ASICs support Ethernet with 25 Gbps lanes, an external Gearbox chip had to be added to convert the 10 × 10G signals coming out of the ASIC into the 4 × 25 Gbps format required by the optical module interface. SONiC supports management of Gearbox chips.

  • Media Access Control Security (MACsec) Key Agreement (MKA) protocol data elements and procedures provide additional security and manageability features, including the ability to maintain secure communication while MKA operation is suspended, when used in conjunction with supported MACsec cipher suites. This amendment adds extended packet numbering.
  • MACsec: "includes an additional 16-byte MACsec security tag, or SecTAG, and a 16-byte integrity check value (ICV) at the end of the frame" ( ) LISP: EoIP: ://help.mikrotik.com/docs/pages/viewpage.action pageId 24805521 Tip: :...
  • 802.1AE protects LAN security

    2021-03-12 10:46:45
    Misconfiguration, faulty cabling and malicious attacks disrupt the operations of enterprises and service providers. Because networks are vulnerable to these problems, enterprises must adopt... MACsec integrates security protection into wired Ethernet, protecting the LAN from passive wiretapping, impersonation, man-in-the-middle and certain denial-of-service...
  • Quoting the Cisco document "Cisco Data Center Interconnect Design and Implementation Guide": In 2006 the IEEE ratified the 802.1AE standard, also known as MAC security standard (MACsec). MACsec e.....
  • Forwarding feature ... e.g. vxlan/vlan/PTP/802.3Qbb... asic MAC asic PCS asic PMA asic serdes ... MACsec phy 1588 PTP phy MAC phy PCS phy PMA phy
  • These switches deliver uninterrupted connectivity, scalability, security, energy efficiency and ease of operation through innovative features such as Cisco StackPower, IEEE 802.3at Power over Ethernet Plus (PoE+) configurations, optional network modules, redundant power supplies and Media Access Control Security (MACsec)....
  • https://www.router-switch.com/media/upload/product-pdf/cisco-nexus-9300-ex-and-9300-fx-platform-datasheet.pdf The hardware hardly matters; the main differences are superficial... The FX can also run MACsec, so the EX is the weaker one. As for software features, there is basically no difference in the commonly used ones...
  • "Inline" encryption in carrier networks (part 2)

    2015-10-16 15:15:39
    The three most common ways of implementing "inline" network encryption are: 1. IPsec, or Layer 3 (L3) encryption 2. MACsec, or Layer 2 (L2) encryption 3. OTN, or Layer 1 (L1) encryption
  • The other role is hostapd, i.e. the authenticator; typically combined with a third-party authentication server, it carries out the 802.1X authentication process of the IEEE 802.1X protocol and the encryption that follows it. IEEE 802.1X-2010 names the encryption that follows 802.1X authentication MACsec, i.e. Ethernet...
  • Yeslab's current instructor Mingjiao Jiaozhu, Identity Service Engine (ISE) tutorial (in Chinese): 1. ISE product introduction 2. Installing ISE 3. Basic configuration 4. AD integration 5. Certificate management 6. Configuring the network access device (NAD) ... 16. Introduction to MACsec configuration 17. ISE deployment and high availability
  • CTC7132h.pdf

    2020-05-24 21:07:06
    Package: FCPBGA 1143; process: 28 nm low-power; typical power: 30 W (est.) ... per-port MACsec support; CloudSec with AES-256 encryption; CPU traffic protection; clock features: IEEE 1588v2 and Synchronous Ethernet
  • The new version supports a new distributed file system, OrangeFS, adopts more robust handling of out-of-memory conditions, supports 802.1AE MACsec (MAC-level encryption) and supports Intel Memory Protection Keys. "A lot was fixed and optimized over the weekend; nothing very strange happened...
  • As one of the greatest inventions of the 20th century, the Internet has a history of more than 30 years. Networks are generally classified by transmission medium into... At present there are two technical standards addressing Ethernet link-layer security. One is ISO/IEC 8802.1ae, developed by the international standards organization, i.e. MACsec, which...
  • DPDK-VPP study notes 01

    2020-08-13 19:22:33
    vlan-strip ipv4-cksum udp-cksum tcp-cksum tcp-lro macsec-strip vlan-filter vlan-extend jumbo-frame scatter security keep-crc rss-hash rx offload active: ipv4-cksum tx offload avail: vlan-insert ipv4-...
  • Database Vault, abbreviated DBV, was released in 2005. HISTORY OF PRIVILEGED ACCOUNTS: the SYS user in an Oracle database is the equivalent of the root user on Linux. Another user with DBA privileges is SYSTEM. Separation of duty (SoD): holding every privilege makes it possible to do harm...
  • IEEE Std 802.1AEbw-2013

    2017-11-24 15:39:03
    IEEE Std 802.1AEbw-2013 Media Access Control (MAC) Security Amendment 2: Extended Packet Numbering
  • MACsec provides mutual authentication between the terminal and the server, while the network access device has no identity, which leaves an opening for network attacks. 2. The TLSec protocol is complete, comprising both an identity authentication mechanism and confidential communication; MACsec chiefly defines confidential communication, and its identity authentication relies on the Extensible Authentication...
