Static and Dynamic Key Distribution

Each MACsec session is built on top of a Connectivity Association (CA), which describes a logical session between peers. The MACsec key agreement (MKA) protocol establishes this connection (Figure 2). However, before encrypted transmission can take place, the required key material must be distributed. MACsec can use both static and dynamic key distribution.

Figure 2: A MACsec session proceeds in a defined order up to the encrypted data transmission.

As the name suggests, the static variant uses preconfigured connectivity association keys (CAKs), which must match the peers involved. For this purpose, symmetric pre-shared keys (the CAKs) and a connectivity association key name (CKN) must be stored on the MACsec peers. This arrangement acts as a framework for the CAK, with peers exchanging CKNs in plain text. They also need to match on both sides of the connection.

However, the CAK is initially only used to secure the control data (control plane) and not to encrypt the user data (data plane). For this function, you need a SAK. The CAK and CKN must match to generate this key. If this is the case, the MKA goes into action. It first discovers neighboring peers and then determines the key server among them. MKAs with lower numerical priority values take priority over those with higher numerical values.

The key server then generates the symmetrical SAKs and distributes them between the opposing switches. Downstream, encrypted data transfer can take place on the data plane. The MKA then periodically generates new SAKs and distributes them in a process known as key rollover. This method is mostly used when coupling two switches with MACsec.

Dynamic Key Distribution

For the dynamic method, MACsec builds on the EAP framework from IEEE 802.1X. After successful authentication and authorization of the supplicant and authenticator, the two exchange the MKA data with a special EAPoL type. As in static key distribution, the MKA first discovers the MACsec peers. With a successful EAP authentication, a RADIUS server distributes a master key from which the CAK is derived. As with the static variant, CAKs also have an associated CKN.

Further keys are then derived from the CAK: The ICK (ICV key) and the KEK (key encryption key). The key server determined by the MKA uses the KEK to transmit the generated SAKs to the peer via the CA. The AES Key Wrap algorithm secures this transfer. These SAKs then protect the user data transmission on the data plane. The SAK has unique identifiers: The key identifier (KI, 128 bits) and the key number (KN, 32 bits), with the peers transmitting the KI in plain text in all MACsec frames.

Practical Configuration Examples

A couple of examples will illustrate the various MACsec encryption scenarios on a switch. The examples are based on Cisco Catalyst 9300 switches [2] [3] with IOS XE version 17.6 as the authenticator, a Windows endpoint with Cisco Secure Client as the supplicant, and a Cisco Identity Services Engine as the authentication server. These are just examples and do not claim to be complete. The configurations are limited to the portion specific to MACsec and 802.1X. Other manufacturers' hardware, hardware models, and software versions may differ.