cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1035
Views
10
Helpful
0
Comments
Timothy Glen
Cisco Employee
Cisco Employee

This document will contain a number of MACsec specific terms,  please see the History & Terminology document I wrote for a detailed understanding. I also encourage you to Click Helpful, if this is helpful or to comment if you have questions or concerns!

 

Summary

When establishing a MACsec session, MACsec Key Agreement (MKA) will exchange EAPoL-MKA frames between switches, the switches will process the frames but will not forward them. Those EAPoL frames contain the CKN of the sender, key server priority, and the MACsec capabilities. MKA occurs in the control plane of the device.  

 

 

Network Diagram

In this example we will be using two Cisco Catalyst 9200 switches, both run IOS XE 17.3(1). Both switches are configured for MKA Pre Shared Key, also known as Static CKN. MAC Addresses shown are the burned-in addresses on the Interface.

 

network-diagram.png

 

Frame Summary

Here is an overview of the frames in the exchange.

Frames 1, 2, 3, 4, 5 are all part of the MACsec Key Agreement Exchange (MKA).   Frames numbered 6, 8 are MACsec keepalives.

 

2.frame-summary.png

 

 

Key Server Election

Key servers are selected based on key server priority. The device with the lowest priority is the one that will become the key server.  If no value is configured IOS XE 17.3 on my Catalyst 9200 uses a priority of zero (0). In the event that both devices have the same priority the device with the lowest SCI will become the key server. The SCI is the MAC Address of the interface concatenated with the virtual port id.

 

 

Keys, Generation, and Usage

If you read my MACsec History and Terminology you see that MACsec uses a lot of keys, CAK, SAK, ICK, KEK etc…. Here I will try and explain how these are used.

 

First, the Connectivity Association Key (CAK) and the Secure Association Key (SAK) have no connection to each other.

 

sw-sw-psk2.png

 

 

Frame 1

Bot-Sw -> Well Known EAP MAC Address

 

The switchport is configured for MACsec and as such the first frame that is sent once the link is up is EAPoL. You will see in all the frames that the destination MAC address is the well-known EAP MAC Address 01:80:C2:00:00:03.  

 

The Key Agreement section includes Key Server Priority, Key Server status, Secure Channel Identifier (SCI), Member Identifier (MI), Member Number (MN) and the Connectivity Association Key Name (CKN). 

 

All MACsec \ MKA frames can include an Integrity Check Value Indicator (ICV). The ICV is validated with the Connectivity Association Key (CAK). ICV in MKPDU us optional.  ICV is required when traffic is encrypted.  

 

A few things to note, with every new EAPoL frame the Member Number is incremented by one, the SCI is just the source MAC address plus the Port Number. 

 

frame1.png

 

 

Frame 2

Top-Sw -> Well Known EAP MAC Address

 

Similar to Frame 1, this is the first frame this switch sends after it detects Link Up.  It contains the same attributes except these are specific to the local switch.

frame2.png

 

Frame 3

Bot-Sw -> Well Known EAP MAC Address

 

At this point both switches know each others Key Server Priority and since Bot-Sw has a lower priority it has become the Key Server. In this Frame we see that Bot-Sw still stating Key Server = True.  

 

We also see the Actor MN incrementing to 2.

 

frame3.png

 

 

 

Frame 4

Top-Sw -> Well Known EAP MAC Address

 

In this frame we see the Top-Sw acknowledging it has lost the Key Server election and therefore it is advertising Key Server = False.

 

Here we see this switch also increment the Actor MN to 2. With each new EAPoL message the switch will increment the MN by 1.

 

frame4.png

Frame 5

Bot-Sw -> Well Known EAP MAC Address

 

In this Frame the Key Server distributes the SAK to the Peer Member. The Key Server performs an AES Key Wrap function on the SAK before distributing it so that the encryption key is not sent in clear text.

 

After this frame the two switches are able to transmit data across a secure link.

 

frame5.png

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking for a $25 gift card