MACsec

Media Access Control security (MACsec) provides point-to-point security on Ethernet links

  • At ingress port, frames are decrypted

  • At egress port, frames are encrypted

User Flow of Using CLI to Configure MACsec

To run a MACsec test, you need to perform the following steps:

  1. Create a TX SC on the source port

  2. Configure the TX SC

  3. Configure SAK keys of the TX SC

  4. Create a RX SC on the destination port for the port to decrypt the MACsec frames

  5. Configure the RX SC

  6. Configure SAK keys of the RX SC

  7. Enable MACsec on the RX port

  8. Create and configure a stream on the source port

  9. Assign the TX SC profile to the stream, and enable MACsec on the stream

  10. Check that you have the correct associations between the TX SC, stream TPLD ID, and RX SC

  11. Start traffic on stream

  12. Collect MACsec-specific TX and RX statistics

  13. Collect non-MACsec-specific TX and RX statistics

The following is an example of how to configure MACsec using the CLI.

Note

The assumption is that port 0/0 is the source port and port 0/1 is the destination port.

(1) Create a TX SC on the source port

Use P_MACSEC_TXSC_CREATE or P_MACSEC_TXSC_INDICES.

For example:

0/0 P_MACSEC_TXSC_CREATE [0]
or
0/0 P_MACSEC_TXSC_INDICES 0

A TX SC profile with default values will be created on the source port.

(2) Configure the TX SC

For example:

0/0 P_MACSEC_TXSC_DESCR [0] "TX SC 0"
0/0 P_MACSEC_TXSC_SCI_MODE [0] NO_SCI
0/0 P_MACSEC_TXSC_SCI [0] 0x0102030405060001
0/0 P_MACSEC_TXSC_CONF_OFFSET [0] 0
0/0 P_MACSEC_TXSC_CIPHER [0] GCM_AES_128
0/0 P_MACSEC_TXSC_STARTING_PN [0] 0
0/0 P_MACSEC_TXSC_REKEY_MODE [0] PN_EXHAUSTION
0/0 P_MACSEC_TXSC_ENCRYPT [0] ENCRYPT_INTEGRITY

(3) Configure SAK keys of the TX SC

For example:

0/0 P_MACSEC_TXSC_SAK_VALUE [0,0] 0x0102030405060708090A0B0C0D0E0F
0/0 P_MACSEC_TXSC_SAK_VALUE [0,1] 0x0202030405060708090A0B0C0D0E0F
0/0 P_MACSEC_TXSC_SAK_VALUE [0,2] 0x0302030405060708090A0B0C0D0E0F
0/0 P_MACSEC_TXSC_SAK_VALUE [0,3] 0x0402030405060708090A0B0C0D0E0F

Important

Depending on the cipher suite used for the SC, you have either 4 or 2 SAK keys. Their default values are all-zero. You cannot remove a SAK key from the list.

(4) Create a RX SC on the destination port for the port to decrypt the MACsec frames

For example:

0/1 P_MACSEC_RXSC_CREATE [0]
or
0/1 P_MACSEC_RXSC_INDICES 0

A RX SC profile with default values will be created on the destination port.

(5) Configure the RX SC

For example:

0/1 P_MACSEC_RXSC_DESCR [0] "RX SC 0"
0/1 P_MACSEC_RXSC_SCI [0] 0x0102030405060001
0/1 P_MACSEC_RXSC_CONF_OFFSET [0] 0
0/1 P_MACSEC_RXSC_CIPHER [0] GCM_AES_128
0/1 P_MACSEC_RXSC_TPLDID [0] 10

(6) Configure SAK keys of the RX SC

For example:

0/1 P_MACSEC_RXSC_SAK_VALUE [0,0] 0x0102030405060708090A0B0C0D0E0F
0/1 P_MACSEC_RXSC_SAK_VALUE [0,1] 0x0202030405060708090A0B0C0D0E0F
0/1 P_MACSEC_RXSC_SAK_VALUE [0,2] 0x0302030405060708090A0B0C0D0E0F
0/1 P_MACSEC_RXSC_SAK_VALUE [0,3] 0x0402030405060708090A0B0C0D0E0F

Important

Depending on the cipher suite used for the SC, you have either 4 or 2 SAK keys. Their default values are all-zero. You cannot remove a SAK key from the list.

(7) Enable MACsec on the RX port

Use P_MACSEC_RX_ENABLE to enable MACsec on the RX port. With it ON, the RX port will try to decode the received packets. If it is OFF, the port will not try to decode any received packets.

For example:

0/1 P_MACSEC_RX_ENABLE ON

(8) Create and configure a stream on the source port

Configure the stream, e.g. packet size, packet header, TPLD ID, etc. This is the same as a regular stream. See Stream for more information.

Important

You should not build a MACsec header into the packet header definition, because the MACsec header is inserted by the port itself using the assigned TX SC profile.

Important

The TPLD ID you assign to this stream should be the same as the TPLD ID you associated with the RX SC. This is how the RX port matches received MACsec frames carrying that TPLD ID to the RX SC it uses to decrypt them.

For example:

0/0 PS_CREATE [0]
0/0 PS_TPLDID [0] 10
0/0 PS_RATEFRACTION [0] 1000000
0/0 PS_PACKETLENGTH [0] 1500
0/0 PS_HEADERPROTOCOL [0] ETHERNET VLAN VLAN IPV4
...

(9) Assign the TX SC profile to the stream, and enable MACsec on the stream

For example:

0/0 PS_MACSEC_ASSIGN [0] 0      # Assign the TX SC config 0 to the stream 0
0/0 PS_MACSEC_ASSIGN [0]        # Remove the TX SC assignment from the stream 0
0/0 PS_MACSEC_ASSIGN [0] 0      # Assign the TX SC config 0 to the stream 0
0/0 PS_MACSEC_ENABLE [0] ON

Important

You should only assign one stream to one TX SC, and you should make sure that streams have different TPLD IDs.

If a stream doesn't have a TPLD ID, you won't be able to see latency, jitter, ...

(10) Check that you have the correct associations between the TX SC, stream TPLD ID, and RX SC


Fig. 3.16 Correct associations between the TX SC, stream TPLD ID, and RX SC

For example:

Send:       0/0 PS_MACSEC_ASSIGN [0] ?
Receive:    0/0 PS_MACSEC_ASSIGN [0] 0 (the response 0 is the TX SC index associated with the stream 0)
Send:       0/0 PS_TPLDID [0] ?
Receive:    0/0 PS_TPLDID [0] 10 (the response 10 is the TPLD ID of the stream 0)
Send:       0/1 P_MACSEC_RXSC_TPLDID [0] ?
Receive:    0/1 P_MACSEC_RXSC_TPLDID [0] 10 (the response 10 is the TPLD ID of the RX SC 0)

Apart from the above, you also need to make sure that the parameters of the TX SC and the RX SC are the same. Otherwise, the destination port won't be able to decrypt the MACsec frames sent from the source port.

(11) Start traffic on stream

Use 0/0 P_TRAFFIC ON. The port will generate MACsec frames on stream 0 using the TX SC profile 0 on the port.

Important

The stream traffic rate (fraction, fps, and L2 bps) and packet size are not affected by MACsec. They describe what is actually on the wire. If MACsec is enabled, the clear-text traffic rate will be lower than the configured rate because of the added MACsec overhead. Similarly, the clear-text packet size will be smaller than the configured size because of the added MACsec overhead.

Thus, you need to make sure that the configured packet size is large enough to accommodate the MACsec overhead. The MACsec overhead is 8 bytes for the SecTAG (or 16 bytes when the SCI is in use) and 16 bytes for the ICV. The MACsec overhead is added to the packet size before the packet is sent out on the wire.
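The association check of step 10 and the overhead rule of step 11, as an added Python example that is not part of this page or of the test equipment's own software: it parses query replies in the "port command [index] value" form shown above (the sample replies are constructed from this page's example values), reports every RX SC parameter that differs from the TX SC the stream is assigned to, and computes the clear-text frame size that remains after the MACsec overhead.

```python
import re

# Constructed sample: query replies a setup built from this page's example would give.
SAMPLE = """\
0/0 PS_MACSEC_ASSIGN [0] 0
0/0 PS_TPLDID [0] 10
0/0 PS_PACKETLENGTH [0] 1500
0/0 P_MACSEC_TXSC_SCI_MODE [0] NO_SCI
0/0 P_MACSEC_TXSC_SCI [0] 0x0102030405060001
0/0 P_MACSEC_TXSC_CONF_OFFSET [0] 0
0/0 P_MACSEC_TXSC_CIPHER [0] GCM_AES_128
0/0 P_MACSEC_TXSC_SAK_VALUE [0,0] 0x0102030405060708090A0B0C0D0E0F
0/1 P_MACSEC_RXSC_TPLDID [0] 10
0/1 P_MACSEC_RXSC_SCI [0] 0x0102030405060001
0/1 P_MACSEC_RXSC_CONF_OFFSET [0] 0
0/1 P_MACSEC_RXSC_CIPHER [0] GCM_AES_128
0/1 P_MACSEC_RXSC_SAK_VALUE [0,0] 0x0102030405060708090A0B0C0D0E0F
"""
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+\[([\d,]+)\]\s*(.*?)\s*$")

def parse_responses(text):
    """Index each '<port> <command> [indices] <value>' reply by (port, command, indices)."""
    table = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        port, cmd, idx, val = m.groups()
        table[(port, cmd, idx)] = val
    return table

def macsec_overhead(sci_mode):
    return (8 if sci_mode == "NO_SCI" else 16) + 16  # SecTAG (16 with SCI) + 16-byte ICV

def check_setup(table, tx_port="0/0", rx_port="0/1", stream="0"):
    """Return (problems, clear_text_size); problems is empty when stream, TX SC and RX SC line up."""
    txsc = table.get((tx_port, "PS_MACSEC_ASSIGN", stream), "")
    tpld = table.get((tx_port, "PS_TPLDID", stream))
    rxscs = [i for (p, c, i), v in table.items() if (p, c, v) == (rx_port, "P_MACSEC_RXSC_TPLDID", tpld)]
    if txsc == "" or len(rxscs) != 1:
        return [f"stream {stream}: TX SC '{txsc}', RX SCs with TPLD ID {tpld}: {rxscs}"], None
    rxsc, problems = rxscs[0], []
    # Every RX SC parameter (SCI, CONF_OFFSET, CIPHER, each SAK) must equal its TX SC counterpart.
    for (p, c, i), rv in table.items():
        if p != rx_port or not c.startswith("P_MACSEC_RXSC_") or i.split(",")[0] != rxsc or c.endswith("TPLDID"):
            continue
        tx_idx = ",".join([txsc] + i.split(",")[1:])
        tv = table.get((tx_port, c.replace("RXSC", "TXSC"), tx_idx))
        if tv != rv:
            problems.append(f"{c[14:]} [{i}] differs: TX SC {tv} != RX SC {rv}")
    sci_mode = table.get((tx_port, "P_MACSEC_TXSC_SCI_MODE", txsc), "NO_SCI")
    clear = int(table.get((tx_port, "PS_PACKETLENGTH", stream), "0")) - macsec_overhead(sci_mode)  # step 11
    return problems, clear
```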

(12) Collect MACsec-specific TX and RX statistics

For example:

0/0 P_MACSEC_TX_STATS ?             # TX statistics are read on the source port
0/0 P_MACSEC_TXSC_STATS [0] ?

0/1 P_MACSEC_RX_STATS ?             # RX statistics are read on the destination port
0/1 P_MACSEC_RXSC_STATS [0] ?

0/0 P_MACSEC_TX_CLEAR
0/1 P_MACSEC_RX_CLEAR

(13) Collect non-MACsec-specific TX and RX statistics