No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Understanding MACsec

Understanding MACsec

MACsec Concepts

The MACsec Key Agreement (MKA) protocol is responsible for MACsec session establishment and management as well as key negotiation. The following are concepts related to MKA:

  • A Secure Connectivity Association (CA) is established and maintained during key negotiation. It is a group of two or more MACsec-capable devices (CA members) using the same key and cipher suite on a LAN. The key used by CA members is called Secure Connectivity Association Key (CAK). MACsec supports only point-to-point connections. That is, a MACsec session is set up between two devices. Therefore, both ends of a MACsec session must use the same CAK.

  • A Secure Association (SA) ensures secure transmission of data frames between CA members. Each SA has one Secure Association Key (SAK) or a group of SAKs to encrypt frames. The SAK, calculated based on CAK, is used for frame encryption and decryption.

Security Mechanism

MACsec provides the following functions to ensure user service security within a LAN:
  • Identity authentication: Huawei switches do not support this function.
  • Data encryption: MACsec uses AES-CMAC to encrypt data. The sender encrypts data packets and transmits the encrypted packets on the LAN. The receiver decrypts packets and processes the decrypted packets.
  • Integrity check: The receiver checks integrity of the received packets, determining whether the packets have suffered tampering. Before sending a data packet, the sender calculates an Integrity Check Value (ICV) for the packet using the specified algorithm and suffixes the ICV to the packet. The receiver removes the ICV from the packet and calculates a new ICV for the packet using the same algorithm. Then the receiver compares the new ICV with that carried in the received packet. If they are the same, the packet passes the check; otherwise, the packet is dropped.
  • Replay protection: Huawei switches do not support this function.

Working Mechanism

The establishment of a point-to-point MACsec session includes three stages: negotiation, secure communication, and session keepalive.

Figure 12-1 MACsec session establishment process

The three stages in session establishment are as follows:

  1. Negotiation

    1. When MACsec is run on the interfaces of both switches, the interface with a higher priority is selected as the key server. The priorities are manually set. A smaller value indicates a higher priority. If the two interfaces have the same priority, the interface with a smaller Secure Channel Identifier (SCI) is selected as the key server. An SCI consists of an interface MAC address and the last two bytes of an interface index.

    2. The key server calculates an SAK based on the static CAK, which is the same on both switches, and issues the SAK to the peer.

  2. Secure communication

    The sender uses the SAK to encrypt data packets, and the receiver uses the SAK to decrypt data packets. The bidirectional data packets exchanged between two switches are protected by MACsec.

  3. Session keepalive

    The MKA protocol defines an MKA session keepalive timer. When MKA session negotiation is successful, the two switches exchange MKA protocol packets to ensure that the session is alive. When receiving MKA protocol packets from the peer, the local switch starts the timer:
    • If the local switch receives MKA protocol packets within the timeout interval, the local switch resets the timer.
    • If the local switch does not receive MKA protocol packets within the timeout interval, the local switch considers the connection insecure. Then the local switch disassociates from the peer and performs MKA session negotiation again.
Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 28132

Downloads: 97

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next