MACSec – Media Access Control Security

UPDATE on 11 Jul 2019:
I wrote a fresh article describing how to implement MACSec on Cisco devices in the simplest way possible. I think that one is maybe what most of you are searching for.. get it here

Media Access Control Security or MACSec is the Layer 2 hop to hop network traffic protection.

Just like IPsec protects network layer, and SSL protects application data, MACSec protects traffic at data link layer (Layer 2).

MACSec is standardized IEEE 802.1AE hop-by-hop encryption that enables confidentiality and integrity of data at layer 2.

It encrypts entire Ethernet packet except Source and Destination MAC addresses on any device-to-device, switch-to-switch, router-to-switch, host-to-switch directly connected wired L2 connection.

MacSec

If we compare MACSec with, for example, IPsec, MACsec provides same security but on layer 2 for each hop separately. On each hop, packets are received and decrypted enabling other features like QoS and load balancing to function. Same data is again encrypted before being sent out to next device on the way towards the destination. MACsec works on host-to-switch connection and on switch-to-switch connection enabling line-rate up to 10 GigabitEthernet fast encryption.

It uses, especially for that occasion developed and optimised Galois/Counter Mode Advanced Encryption Standard 128 (GCM-AES-128) which makes line-rate encryption/decryption possible.

There is some difference in MACSec on the connection between host and switch, and MACSec on the connection from switch to switch

MACsec uses MACsec Key Agreement (MKA) which is standardized protocol to provide the required session keys and manages the required encryption keys on a MACSec connection between hosts (PC, server, etc.) and switch.

Cisco has its own proprietary Security Association Protocol (SAP) which it uses for a switch to switch MACSec on trunk connections.

In the non-cisco network, you would use MKA for a switch to switch MACSec in dynamic crypto configuration as well as for host to switch connection.

MACSec is sometimes refered to as LinkSEC. Cisco implementation with their proprietary parts is called Cisco TrustSec.

MACSec between switch and hosts

Often called Downlink MACsec.

If host NIC is supporting it, MACSec between that host and switch can be enabled in host NIC hardware at line rate. If it is not, Cisco enables hosts to run MACSec using Cisco AnyConnect software, but this time it will make the connection a little slower getting all the MACSec data through host CPU.

In host to switch connection, MACsec needs the host to first go through 802.1x authentication process using an EAP method which is able to create EAP-TLS encryption keys.

As mentioned in above, MACsec key distribution between switch and host is done by MACsec Key Agreement (MKA) protocol.

 

CONFIGURATION

This below is an example of MACSec configuration from Cisco switch for port Gi1/0/1 to which a PC supporting MACSec will be connected.

aaa new-model
!
dot1x system-auth-control 
!
aaa group server radius MyRADIUS
 server-private 10.10.10.10 key RADIUSPRESHAREKEY
 ip radius source-interface Loopback0
!
aaa authentication dot1x default group MyRADIUS
aaa authorization network default group MyRADIUS
!
interface GigabitEthernet1/0/1
 authentication host-mode single-host
 authentication port-control auto
 dot1x pae authenticator
 macsec
 mka default-policy
 authentication linksec policy must-not-secure 
 authentication event linksec fail action authorize vlan 999
!

CONFIGURATION EXPLANATION

First, we enable AAA and 802.1x on the switch.

Then we define the RADIUS/ACS/ISE server object MyRADIUS in my example.

Next is the configuration of authentication/authorization with RADIUS or even better with Cisco ISE or Cisco ACS which have MACSec policies prepared (or you will need to configure those too but that is not explained here).

Then you configure authentication and dot1x on port level.

Next, is enabling MACsec at the port level.

And next step is to specify the MKA policy used, this is also done at the port level. In this example, we are using default policy but you can define some other policy with other name and apply it here. We have an example of such policy below in the article.

MKA policy, when created, enables you to define three MACSec security level options:

must-secure – a host traffic will be dropped unless it successfully negotiates MACsec.
should-secure – this is for troubleshooting and if you are configuring the remote site MACSec. It gives you the option to check if MACSec has successfully negotiated but it will not cut you off if it didn’t.
must-not-secure – This is basically switch port default MACSec off mode.

This port-level command for MACSec security level can be overridden by Cisco ISE if you configure MKA policy on ISE in that way, and of course, if you actually have Cisco ISE. You see here that we configured on port gi 1/0/1 the command authentication linksec policy must-not-secure but if the switch receives must-secure MKA policy option from ISE, MACSec will change the way it secures the layer 2 hop.

Fallback for MACSec exist and it is configured in the last line of the example above.

If the local MACsec policy or the one received from ISE is “must-secure”, and in the case when client is not MACsec enabled, you are able to authorize the host with dot1x and connect him to fallback VLAN (VLAN999) which for example gives this client the ability to get to the Internet directly while being unable to access corporate network.

MACsec always forwards CDP, LLDP, EAP and LACP in clear-text.

MACSec between switches

Often called Uplink MACsec, it is the MACSec applied to the link between two switches.

MACSec can be configured manually with all config and crypto keys placed directly on the switch. The other option is to configure dynamic crypto key distribution and with MACsec policy on remote RADIUS/ISE server. In the case of latter, the key distribution would be done by Cisco proprietary SAP protocol.

If it is not Cisco devices that you are enabling MACSec on, protocol for key distribution will be MKA which is a standard and defined by IEEE 802.1af

 

CONFIGURATION

SW1:
interface GigabitEthernet1/0/10
switchport mode trunk
cts manual
sap pmk 101 mode-list gcm-encrypt

SW2:
interface GigabitEthernet1/0/10
switchport mode trunk
cts manual
sap pmk 101 mode-list gcm-encrypt

CONFIGURATION EXPLANATION

In the example above, we configured the simplest, static, all config directly on the switch, Cisco TrustSEC MACSec connection on trunk ports between two switches.

We enabled CTS in manual mode on the interface level and then we defined PMK hex code which needs to be same on both switches because they will use this number to generate crypto keys.

We configured SAP to do gcm-encrypt which enables authentication and encryption. Another option is to enable gmac which would only enable authentication.

For dynamic switch to switch configuration or Cisco TrustSEC in this case, configuration can be found on two last pages of official Cisco config guide for MACSec

 

Frame format

macsec

MACsec adds additional layer2 header and trailer and changes the Ethertype value to 0x88e5

Why We Need Link Layer Security?

Layer 2 attacks can affect control plane protocols, such as STP or ARP and also data-traffic.

Media Access Control Security (MACsec) is a technology that enables secure communication for traffic on Ethernet links. MACsec secures directly connected nodes Ethernet links and it is able to  identify and prevent most intrusions, denial of service attacks, man in the middle snooping, passive wiretapping, playback attacks and masquerading.

MACSec secures almost all traffic, including LLDP, LACP, DHCP, ARP and other that are not typically secured. They are still sent in plain-text, as mentioned previously, but they are checked for integrity so that we are sure nobody changed them while transmitted from one hop to another.

Upper layer security technologies like SSL and IPsec, cannot prevent or detect security breach on Layer 2 but all implemented together can enable end to end network security.

 

Performance and Scalability

802.1AE uses AES-GCM as the encryption algorithm. It is a highly optimized encryption crypto that is specifically created by Cisco labs to be easily implemented in hardware or software. The key advantage of AES-GCM is the parallelism and pipelining with which it achieves high data rates of more than 10 GBps.

MKPDU

Ok, like we mentioned at the beginning, in order for MACsec to be enabled between host and switch, host needs to be successfully authenticated via 802.1x Extensible Authentication Protocol (EAP).

EAP was extended with support for MKA protocol and it resulted in newly defined EAP-over-LAN (EAPOL) packet. Similar EAPOL packet is used for standard dot1x port security implementation.

MACsec Key Agreement PDU (MKPDU) are the PDU packets that every MACSec enables interface is sending to its peer. When MKPDU is not received after 3 hearbeats, and each hearbeat is 2 seconds, peers are considered to be disconnected.

OFFSET

The MKA can be configured with confidentiality-offset like in the example below in order to send information such as VLAN tag  in the clear so that other side can use it for multiplexing or load balancing. One example is when multiple point to point services can co-exist on physical interface and then those can be differentiated based on the now visible VLAN ID.

VLAN tag in the clear in service provider environment enables quality of service (QoS) across the SP network using 802.1P (CoS) field that is part of the 802.1Q tag. If 802.1Q is encrypted, then provider will be unable to use the information on it for QoS decisions.

CONFIGURATION EXAMPLE OF MKA POLICY

configure terminal
  mka policy MYOWNMKAPOLICY
  key-server priority key-server-priority
  macsec-cipher-suite {gcm-aes-128 [gcm-aes-256] | gcm-aes-256 [gcm-aes-128]}
  confidentiality-offset 30

Outro

MACSec is unique way to enable Layer 2 Ethernet security by enabling confidentiality and integrity without performance degradation.

Corporations are today using MACSec more and more. Layer 2 links need to have MACSec enabled in order to pass strict regulative in banking and other businesses. There are two cases, protecting corporate network from internal threads like man in the middle snooping, passive wiretapping etc, where some insider is able to connect directly on L2 between two speaking hosts. The other case where MACSec is mostly used today is dark fiber L2 connections encryption. MACSec enables line-rate encryption of complete L2 traffic going through the interconnection of two datacenters.

Without MACSec enabled devices on both sides, those datacenter connections, in order to be protected, needed to be reconfigured in L3 routed mode and then protected by IPSec or similar L3 data security method. This was usually not possible because the need for L2 between sites. It is unfortunately still needed, for some older web applications to work across multiple sites, to have L2 stretched VLAN through both datacenters.

MACSec is getting significant traction and it will probably, and very shortly, become a standard for most layer 2 connections mentioned above.

From Books

This part is cited fromLAN Switch Security: What Hackers Know About Your Switches” by Eric Vyncke and Christopher Paggen

Thanks to the extensive research and analysis performed by Dr. David McGrew, Cisco Fellow, who manages the Advanced Crypto Development group in the Cisco Security Technologies Group, and John Viega, current VP, chief security architect, and McAfee. They led the codeveloped Galois/Counter Mode [GCM]3, which is a symmetric key cryptographic block cipher capable of Gb speeds.) The IEEE 802.1 MAC Security Task Group adopted GCM as 802.1AE Media Access Control Security, often referred to as MACSec. MACSec was ratified in June 2006, and officially became the IEEE 802.1AE standard.

Post Scriptum

There’s a workaround if you need MACSec type of protection somewhere but still not having the devices who support it. To secure, for example, intra-VLAN traffic among two data centers, there is one crazy combination of Layer 2 Tunnel Protocol (L2TP) and IPsec that can bridge VLAN traffic inside an IPsec tunnel.

This should work fine but it is not a solution that you want to use on all your links. It is more like a temporary workaround till you get to your equipment refresh year. It doesn’t scale and has a huge overhead.

 

One Response

  1. Nando February 5, 2021

Leave a Reply