
BFD timer Recommendations for MACsec Encryption

hardeepkumar
Level 1

Hello All

In the Cisco documentation, Topic: Recommendations for MACsec Encryption

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/macsec_encryption.html

I was looking for BFD recommended values for ASR1K and ASR9K routers using the MACsec feature, but I only came across the above document, which recommends BFD timer values of 750 milliseconds for 10Gbps ports and 1.25 seconds for any port with speed above 10Gbps in IOS-XE.

Please share what the recommended values are for ASR1K (16.9.x) and ASR9K (XR 6.0.x). If the above are applicable to these as well, then I have the questions below:

My query is:

- Why are such high values recommended? Don't these impact the convergence time?

- If I use lower values, for example 100ms multiplier 3, then what could be the difference in behavior?

2 Replies

Giuseppe Larosa
Hall of Fame

Hello @hardeepkumar,

When you enable MACsec encryption between two directly connected devices, all traffic is encrypted at OSI layer 2, including the BFD messages.

So the suggested values look high, but they take into account the encryption / decryption activity on the link itself that involves BFD messages.

For sure you don't want to build an unstable network using low timers that are a challenge for the devices.

There is always a price to pay: if you want the security given by encryption, you need to accept a higher convergence time.

It is a trade-off between performance, stability and security.

Hope to help

Giuseppe

Hello, thank you for your response.

Delay is 100ms between both of them. I've used TE-FRR to protect this link, but I still notice a micro cut whenever this link takes a hit, although FRR is correctly triggered.

Is this something that could be related to the BFD timers used here to detect failure, and causing the impact?

What are the advisable BFD timers I should use?