MACsec is an IEEE 802.1AE standards based Layer 2 hop-by-hop encryption method.
Traffic is encrypted on the wire between two MACsec peers and is unencrypted to process internally on the switch.
It allows the switch to look for objects inside of the packet such as SGT enforcement or Quality of Service priortisation.
MACsec can utilise onboard ASICs to perform encryption and decryption rather than having to offload to a crypto engine.
MACsec is based on the ethernet frame format with an additional 16-byte MACsec Security Tag field (802.1AE header) and a 16-byte Integrity Check Value (ICV) field.
These additional headers mean that all devices within the flow of the MACsec communications must support MACsec for these fields to used and secure traffic.
MACsec provides authentication using Galois Method Authentication Code (GMAC) or authenticated encryption using Galois /Counter Mode Advanced Encryption Standard (AES-GCM)
Fields in MACsec
Set to 0x88e5 to designate the frame type as MACsec
Tag Control / Association Number field, designating the version number, version number, and integrity
Short Length field, designates the length of the encrypted data
Packet number for replay protection and building the initialisation vector
Secure Channel Identifier for classifying the connection to the virtual port
Types of MACsec
There are two types of MACsec.
Security Association Protocol
Proprietary Cisco keyring protocol used between Cisco switches
MACsec Key Agreement Protocol
MACsec Key Agreement Protocol provides required session keys and manages required encryption keys. 802.1AE encryption with MKA is supported between endpoints and switches as well as between switches
MACsec on Downlink
Download MACsec is a term used to describe the encrypted link between an endpoint and a switch.
The encryption between the two devices is handled by MACsec Key Agreement Protocol.
This requires a MACsec-capable switch and a MACsec-capable supplicant on the endpoint.
The encryption on the endpoint may be handled in hardware or in software using the CPU with software like Cisco AnyConnect.
The Cisco switch can force encryption or make it optional. The setting can be configured manually per port or dynamically as an authorisation option from Cisco ISE.
The Cisco ISE policy returned will override any setting set on the switch CLI
MACsec on Uplink
Uplink MACsec is the term for encrypting between switches.
Default uplink MACsec uses Cisco proprietary SAP encryption with AES-GCM-128.
Uplink MACsec may be negotiated manually or dynamically. A dynamic setting will require 802.1x authentication between the switches.