Chapter 5. Using MACsec to encrypt layer-2 traffic in the same physical network
You can use MACsec to secure the communication between two devices (point-to-point). For example, your branch office is connected over a Metro-Ethernet connection with the central office, you can configure MACsec on the two hosts that connect the offices to increase the security.
5.1. How MACsec increases security
Media Access Control security (MACsec) is a layer-2 protocol that secures different traffic types over the Ethernet links, including:
- Dynamic host configuration protocol (DHCP)
- address resolution protocol (ARP)
- IPv4 and IPv6 traffic
- Any traffic over IP such as TCP or UDP
MACsec encrypts and authenticates all traffic in LANs, by default with the GCM-AES-128 algorithm, and uses a pre-shared key to establish the connection between the participant hosts. To change the pre-shared key, you must update the NM configuration on all network hosts that use MACsec.
A MACsec connection uses an Ethernet device, such as an Ethernet network card, VLAN, or tunnel device, as a parent. You can either set an IP configuration only on the MACsec device to communicate with other hosts only by using the encrypted connection, or you can also set an IP configuration on the parent device. In the latter case, you can use the parent device to communicate with other hosts using an unencrypted connection and the MACsec device for encrypted connections.
MACsec does not require any special hardware. For example, you can use any switch, except if you want to encrypt traffic only between a host and a switch. In this scenario, the switch must also support MACsec.
In other words, you can configure MACsec for two common scenarios:
- Host-to-host
- Host-to-switch and switch-to-other-hosts
You can use MACsec only between hosts being in the same physical or virtual LAN.
Additional resources
5.2. Configuring a MACsec connection by using nmcli
You can use the nmcli
utility to configure Ethernet interfaces to use MACsec. For example, you can create a MACsec connection between two hosts that are connected over Ethernet.
Procedure
On the first host on which you configure MACsec:
Create the connectivity association key (CAK) and connectivity-association key name (CKN) for the pre-shared key:
Create a 16-byte hexadecimal CAK:
# dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"' 50b71a8ef0bd5751ea76de6d6c98c03a
Create a 32-byte hexadecimal CKN:
# dd if=/dev/urandom count=32 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"' f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550
- On both hosts you want to connect over a MACsec connection:
Create the MACsec connection:
# nmcli connection add type macsec con-name macsec0 ifname macsec0 connection.autoconnect yes macsec.parent enp1s0 macsec.mode psk macsec.mka-cak 50b71a8ef0bd5751ea76de6d6c98c03a macsec.mka-ckn f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550
Use the CAK and CKN generated in the previous step in the
macsec.mka-cak
andmacsec.mka-ckn
parameters. The values must be the same on every host in the MACsec-protected network.Configure the IP settings on the MACsec connection.
Configure the
IPv4
settings. For example, to set a staticIPv4
address, network mask, default gateway, and DNS server to themacsec0
connection, enter:# nmcli connection modify macsec0 ipv4.method manual ipv4.addresses '192.0.2.1/24' ipv4.gateway '192.0.2.254' ipv4.dns '192.0.2.253'
Configure the
IPv6
settings. For example, to set a staticIPv6
address, network mask, default gateway, and DNS server to themacsec0
connection, enter:# nmcli connection modify macsec0 ipv6.method manual ipv6.addresses '2001:db8:1::1/32' ipv6.gateway '2001:db8:1::fffe' ipv6.dns '2001:db8:1::fffd'
Activate the connection:
# nmcli connection up macsec0
Verification
Verify that the traffic is encrypted:
# tcpdump -nn -i enp1s0
Optional: Display the unencrypted traffic:
# tcpdump -nn -i macsec0
Display MACsec statistics:
# ip macsec show
Display individual counters for each type of protection: integrity-only (encrypt off) and encryption (encrypt on)
# ip -s macsec show
Additional resources
5.3. Configuring a MACsec connection by using nmstatectl
You can configure Ethernet interfaces to use MACsec through the nmstatectl
utility in a declarative way. For example, in a YAML file, you describe the desired state of your network, which is supposed to have a MACsec connection between two hosts connected over Ethernet. The nmstatectl
utility interprets the YAML file and deploys persistent and consistent network configuration across the hosts.
Using the MACsec security standard for securing communication at the link layer, also known as layer 2 of the Open Systems Interconnection (OSI) model provides the following notable benefits:
- Encryption at layer 2 eliminates the need for encrypting individual services at layer 7. This reduces the overhead associated with managing a large number of certificates for each endpoint on each host.
- Point-to-point security between directly connected network devices such as routers and switches.
- No changes needed for applications and higher-layer protocols.
Prerequisites
- A physical or virtual Ethernet Network Interface Controller (NIC) exists in the server configuration.
-
The
nmstate
package is installed.
Procedure
On the first host on which you configure MACsec, create the connectivity association key (CAK) and connectivity-association key name (CKN) for the pre-shared key:
Create a 16-byte hexadecimal CAK:
# dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"' 50b71a8ef0bd5751ea76de6d6c98c03a
Create a 32-byte hexadecimal CKN:
# dd if=/dev/urandom count=32 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"' f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550
On both hosts that you want to connect over a MACsec connection, complete the following steps:
Create a YAML file, for example
create-macsec-connection.yml
, with the following settings:--- routes: config: - destination: 0.0.0.0/0 next-hop-interface: macsec0 next-hop-address: 192.0.2.2 table-id: 254 - destination: 192.0.2.2/32 next-hop-interface: macsec0 next-hop-address: 0.0.0.0 table-id: 254 dns-resolver: config: search: - example.com server: - 192.0.2.200 - 2001:db8:1::ffbb interfaces: - name: macsec0 type: macsec state: up ipv4: enabled: true address: - ip: 192.0.2.1 prefix-length: 32 ipv6: enabled: true address: - ip: 2001:db8:1::1 prefix-length: 64 macsec: encrypt: true base-iface: enp0s1 mka-cak: 50b71a8ef0bd5751ea76de6d6c98c03a mka-ckn: f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550 port: 0 validation: strict send-sci: true
-
Use the CAK and CKN generated in the previous step in the
mka-cak
andmka-ckn
parameters. The values must be the same on every host in the MACsec-protected network. Optional: In the same YAML configuration file, you can also configure the following settings:
-
A static IPv4 address -
192.0.2.1
with the/32
subnet mask -
A static IPv6 address -
2001:db8:1::1
with the/64
subnet mask -
An IPv4 default gateway -
192.0.2.2
-
An IPv4 DNS server -
192.0.2.200
-
An IPv6 DNS server -
2001:db8:1::ffbb
-
A DNS search domain -
example.com
-
A static IPv4 address -
Apply the settings to the system:
# nmstatectl apply create-macsec-connection.yml
Verification
Display the current state in YAML format:
# nmstatectl show macsec0
Verify that the traffic is encrypted:
# tcpdump -nn -i enp0s1
Optional: Display the unencrypted traffic:
# tcpdump -nn -i macsec0
Display MACsec statistics:
# ip macsec show
Display individual counters for each type of protection: integrity-only (encrypt off) and encryption (encrypt on)
# ip -s macsec show
Additional resources