Chapter 13. Using MACsec to encrypt layer-2 traffic in the same physical network

You can use MACsec to secure the communication between two devices (point-to-point). For example, your branch office is connected over a Metro-Ethernet connection with the central office, you can configure MACsec on the two hosts that connect the offices to increase the security.

Media Access Control security (MACsec) is a layer 2 protocol that secures different traffic types over the Ethernet links including:

  • dynamic host configuration protocol (DHCP)
  • address resolution protocol (ARP)
  • Internet Protocol version 4 / 6 (IPv4 / IPv6) and
  • any traffic over IP such as TCP or UDP

MACsec encrypts and authenticates all traffic in LANs, by default with the GCM-AES-128 algorithm, and uses a pre-shared key to establish the connection between the participant hosts. If you want to change the pre-shared key, you need to update the NM configuration on all hosts in the network that uses MACsec.

A MACsec connection uses an Ethernet device, such as an Ethernet network card, VLAN, or tunnel device, as parent. You can either set an IP configuration only on the MACsec device to communicate with other hosts only using the encrypted connection, or you can also set an IP configuration on the parent device. In the latter case, you can use the parent device to communicate with other hosts using an unencrypted connection and the MACsec device for encrypted connections.

MACsec does not require any special hardware. For example, you can use any switch, except if you want to encrypt traffic only between a host and a switch. In this scenario, the switch must also support MACsec.

In other words, there are 2 common methods to configure MACsec;

  • host to host and
  • host to switch then switch to other host(s)
Important

You can use MACsec only between hosts that are in the same (physical or virtual) LAN.

13.1. Configuring a MACsec connection using nmcli

You can configure Ethernet interfaces to use MACsec using the nmcli utility. For example, you can create a MACsec connection between two hosts that are connected over Ethernet.

Procedure

  1. On the first host on which you configure MACsec:

    • Create the connectivity association key (CAK) and connectivity-association key name (CKN) for the pre-shared key:

      1. Create a 16-byte hexadecimal CAK: 

        # dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"'
50b71a8ef0bd5751ea76de6d6c98c03a

      2. Create a 32-byte hexadecimal CKN: 

        # dd if=/dev/urandom count=32 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"'
f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550
  2. On both hosts you want to connect over a MACsec connection:

  3. Create the MACsec connection: 

    # nmcli connection add type macsec con-name macsec0 ifname macsec0 connection.autoconnect yes macsec.parent enp1s0 macsec.mode psk macsec.mka-cak 50b71a8ef0bd5751ea76de6d6c98c03a macsec.mka-ckn f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550

    Use the CAK and CKN generated in the previous step in the macsec.mka-cak and macsec.mka-ckn parameters. The values must be the same on every host in the MACsec-protected network.

  4. Configure the IP settings on the MACsec connection.

    1. Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server to the macsec0 connection, enter: 

      # nmcli connection modify macsec0 ipv4.method manual ipv4.addresses '192.0.2.1/24' ipv4.gateway '192.0.2.254' ipv4.dns '192.0.2.253'

    2. Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server to the macsec0 connection, enter: 

      # nmcli connection modify macsec0 ipv6.method manual ipv6.addresses '2001:db8:1::1/32' ipv6.gateway '2001:db8:1::fffe' ipv6.dns '2001:db8:1::fffd'

  5. Activate the connection: 

    # nmcli connection up macsec0

Verification

  1. Verify that the traffic is encrypted: 

    # tcpdump -nn -i enp1s0

  2. Optional: Display the unencrypted traffic: 

    # tcpdump -nn -i macsec0

  3. Display MACsec statistics: 

    # ip macsec show

  4. Display individual counters for each type of protection: integrity-only (encrypt off) and encryption (encrypt on) 

    # ip -s macsec show

13.2. Configuring a MACsec connection using nmstatectl

You can configure Ethernet interfaces to use MACsec through the nmstatectl utility in a declarative way. For example, in a YAML file, you describe the desired state of your network, which is supposed to have a MACsec connection between two hosts connected over Ethernet. The nmstatectl utility interprets the YAML file and deploys persistent and consistent network configuration across the hosts.

Using the MACsec security standard for securing communication at the link layer, also known as layer 2 of the Open Systems Interconnection (OSI) model provides the following notable benefits:

  • Encryption at layer 2 eliminates the need for encrypting individual services at layer 7. This reduces the overhead associated with managing a large number of certificates for each endpoint on each host.
  • Point-to-point security between directly connected network devices such as routers and switches.
  • No changes needed for applications and higher-layer protocols.

Prerequisites

  • A physical or virtual Ethernet Network Interface Controller (NIC) exists in the server configuration.
  • The nmstate package is installed.

Procedure

  1. On the first host on which you configure MACsec, create the connectivity association key (CAK) and connectivity-association key name (CKN) for the pre-shared key:

    1. Create a 16-byte hexadecimal CAK: 

      # dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"'
50b71a8ef0bd5751ea76de6d6c98c03a

    2. Create a 32-byte hexadecimal CKN: 

      # dd if=/dev/urandom count=32 bs=1 2> /dev/null | hexdump -e '1/2 "%04x"'
f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550

  2. On both hosts that you want to connect over a MACsec connection, complete the following steps:

    1. Create a YAML file, for example create-macsec-connection.yml, with the following settings: 

      ---
routes:
  config:
  - destination: 0.0.0.0/0
    next-hop-interface: macsec0
    next-hop-address: 192.0.2.2
    table-id: 254
  - destination: 192.0.2.2/32
    next-hop-interface: macsec0
    next-hop-address: 0.0.0.0
    table-id: 254
dns-resolver:
  config:
    search:
    - example.com
    server:
    - 192.0.2.200
    - 2001:db8:1::ffbb
interfaces:
- name: macsec0
  type: macsec
  state: up
  ipv4:
    enabled: true
    address:
    - ip: 192.0.2.1
      prefix-length: 32
  ipv6:
    enabled: true
    address:
    - ip: 2001:db8:1::1
      prefix-length: 64
  macsec:
    encrypt: true
    base-iface: enp0s1
    mka-cak: 50b71a8ef0bd5751ea76de6d6c98c03a
    mka-ckn: f2b4297d39da7330910a74abc0449feb45b5c0b9fc23df1430e1898fcf1c4550
    port: 0
    validation: strict
    send-sci: true
    2. Use the CAK and CKN generated in the previous step in the mka-cak and mka-ckn parameters. The values must be the same on every host in the MACsec-protected network.

    3. Optional: In the same YAML configuration file, you can also configure the following settings:

      • A static IPv4 address - 192.0.2.1 with the /32 subnet mask
      • A static IPv6 address - 2001:db8:1::1 with the /64 subnet mask
      • An IPv4 default gateway - 192.0.2.2
      • An IPv4 DNS server - 192.0.2.200
      • An IPv6 DNS server - 2001:db8:1::ffbb
      • A DNS search domain - example.com

  3. Apply the settings to the system: 

    # nmstatectl apply create-macsec-connection.yml

Verification

  1. Display the current state in YAML format: 

    # **nmstatectl show macsec0

  2. Verify that the traffic is encrypted: 

    # tcpdump -nn -i enp0s1

  3. Optional: Display the unencrypted traffic: 

    # tcpdump -nn -i macsec0

  4. Display MACsec statistics: 

    # ip macsec show

  5. Display individual counters for each type of protection: integrity-only (encrypt off) and encryption (encrypt on) 

    # ip -s macsec show

Additional resources

13.3. Additional resources