apiglobal.blogg.se

Crypt tool for mac

MACsec is an IEEE standard for security in wired ethernet LANs. This blog will give an overview of what MACsec is, how it differs from other security standards, and present some ideas about how it can be used.

- MACsec is a Layer 2 protocol that relies on GCM-AES-128 to offer integrity and confidentiality, and operates over ethernet.
- It can secure all traffic within a LAN, including DHCP and ARP, as well as traffic from higher layer protocols.
- An extension to 802.1X provides secure key exchange and mutual authentication for MACsec nodes.
- IPsec (a Layer 3 security protocol) and TLS (a Layer 4 security protocol) offer different guarantees and can be a better fit, depending on the use case.

The current landscape of cryptographic network protocols is rather narrow. By default, TCP/IP doesn't offer any security guarantee. Besides TLS and IPsec, most other protocols in use today are proprietary. MACsec hasn't gained much traction yet, but now with an open source implementation available in the Linux kernel, this will very likely change.

As a layer 2 specification, MACsec can protect not only IP traffic, but also ARP, neighbour discovery, and DHCP. It relies on GCM-AES to ensure the confidentiality and integrity of all the network traffic. MACsec was standardized in 2006 by IEEE (standard IEEE 802.1AE-2006), but support was only recently added to the mainline Linux kernel (as of 4.6).

In MACsec, packets flow over "secure channels", which are supported by "secure associations". The secure associations each use a separate, randomly generated key. IEEE 802.1X-2010 defines a companion protocol, MACsec Key Agreement (MKA), which provides key exchange and allows mutual authentication of nodes that want to take part in a MACsec connectivity association.

On Linux machines, this is implemented in wpa_supplicant. wpa_supplicant uses some authentication token (a pre-shared key, or a username/password pair, similarly to the authentication mechanisms used in WiFi) to establish a session with the authentication server, which can be a switch or a Linux host running hostapd. After authentication, keys are generated and exchanged (over an encrypted channel), and are used to configure the MACsec secured link.

On the wire, a MACsec packet starts with an Ethernet header with EtherType 88E5. This is followed by the MACsec SecTAG, which contains information that helps the receiver identify the decryption key, as well as a packet number (for replay protection). After the SecTAG comes the payload, which can be encrypted, and the ICV (Integrity Check Value), which is generated by GCM-AES, and guarantees that the packet was indeed created by a node which was in possession of the key, and hasn't been modified on the way.

Figure: An Ethernet frame, before (above) and after (below) MACsec processing and encryption

Architecture of a MACsec network

In a MACsec-protected network, each node has at least one transmit secure channel.
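The frame layout described above (Ethernet header with EtherType 88E5, SecTAG, payload, ICV) can be made concrete with a small parser. This is an added example, not code from the original post or from the Linux kernel; the SecTAG bit positions follow IEEE 802.1AE, the 16-byte ICV length and the simplified replay rule are assumptions, and the sample frame is constructed filler rather than real GCM-AES output.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType named in the text
ICV_LEN = 16                # assumption: default 16-byte GCM-AES ICV

def parse_macsec(frame: bytes) -> dict:
    """Split a MACsec frame into Ethernet header, SecTAG, payload and ICV."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("too short for a MACsec frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("EtherType is not 88E5")
    tci_an, sl, pn = struct.unpack("!BBI", frame[14:20])
    if tci_an & 0x80:                      # V bit must be 0
        raise ValueError("unknown SecTAG version")
    off, sci = 20, None
    if tci_an & 0x20:                      # SC bit: explicit 8-byte SCI follows
        if len(frame) < 28 + ICV_LEN:
            raise ValueError("truncated SCI")
        sci, off = frame[20:28], 28
    return {
        "dst": dst, "src": src,
        "an": tci_an & 0x03,               # selects the secure association (key)
        "encrypted": bool(tci_an & 0x08),  # E bit
        "short_len": sl & 0x3F,
        "pn": pn, "sci": sci,
        "payload": frame[off:-ICV_LEN],
        "icv": frame[-ICV_LEN:],           # not verified here: that needs the SA key
    }

def replay_ok(pn: int, next_pn: int, window: int = 0) -> bool:
    """Simplified receive check: reject PN 0 and anything below the window."""
    return pn != 0 and pn >= max(next_pn - window, 1)

def sample_frame(pn: int = 5) -> bytes:
    """Constructed frame: payload and ICV are filler bytes, not real GCM output."""
    src = bytes.fromhex("020000000001")
    sectag = struct.pack("!BBI", 0x2C, 0, pn) + src + b"\x00\x01"
    return (b"\xff" * 6 + src + struct.pack("!H", MACSEC_ETHERTYPE)
            + sectag + b"\xaa" * 48 + b"\xbb" * ICV_LEN)

if __name__ == "__main__":
    f = parse_macsec(sample_frame())
    print(f["an"], f["pn"], f["sci"].hex(), len(f["payload"]), replay_ok(f["pn"], 5))
```

The parser only separates the fields; accepting a frame still requires checking the ICV with the key of the secure association selected by the SCI and AN.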