Macsec over spiky links
Dear experts
A customer of mine would like to run encryption over the entire core
network to encrypt traffic passing WAN links.
Currently, plain IP traffic (BGP, OSPF, PIM) passes over those links.

The links are 10 Gb/s point-to-point links and are used to transport unicast
and multicast (trading) traffic; bursts are usual, but encryption is
considered the only way forward due to auditing reasons.

I'd like to propose inserting an EX4300 MACsec device at the two link end
points in order to run MACsec in hardware and transport Ethernet traffic
without any active action.

Does anybody have experience in this kind of design? Is bursty multicast an
issue?
I am not able to find any tests on the www.

Is there any other way to reach the target without rebuilding the entire
network?

Thanks in advance for any hints/recommendation.

James
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Macsec over spiky links
No advice on the bursty/spikey aspect, but I do have a successful design with MACsec running over an MPLS service provider using EX3400s at each end. I'm doing IP and MPLS/L3VPN on top between MX480s and MX150s. This is for a remote office with your typical enterprisey traffic: VoIP phones, wireless access points connecting to the central office controller, etc.

The other interesting bit is that I'm doing CCC on the MX480s between one vlan on the service provider interface and an access port where the EX3400 is connected to transport the MACsec traffic over the service provider's VLAN. The service provider is doing a similar thing (MPLS LDP VPWS) on their equipment at the far end where my other EX3400 connects.


MX480 connected to service provider:

mx480> show configuration protocols connections
interface-switch MACSEC {
    interface xe-0/0/1.0;
    interface xe-1/0/4.763;
}

mx480> show configuration interfaces xe-1/0/4
description "tagged port to service provider";
flexible-vlan-tagging;
mtu 9192;
encapsulation flexible-ethernet-services;
unit 763 {
    description "VLAN for transporting MACsec traffic";
    encapsulation vlan-ccc;
    vlan-id 763;
    family ccc;
}
unit xxx {
    description "other VLANs for unencrypted Internet traffic";
    vlan-id xxx;
    family inet {
        mtu 9000;
        address a.b.c.d/30;
    }
    family inet6 {
        mtu 9000;
        address aaaa:bbbb:cccc:dddd::2/126;
    }
}

mx480> show configuration interfaces xe-0/0/1
description "untagged port to MACsec switch port xe-0/2/0";
mtu 9192;
encapsulation ethernet-ccc;
unit 0 {
    input-vlan-map {
        push;
        vlan-id 763;
    }
    output-vlan-map pop;
    family ccc;
}

mx480> show configuration interfaces xe-0/1/0
description "tagged IP/MPLS trunk to MACsec switch port xe-0/2/1";
flexible-vlan-tagging;
mtu 9192;
encapsulation flexible-ethernet-services;
unit 3 {
    vlan-id 3;
    family inet {
        mtu 8900;
        address 10.0.0.1/30;
    }
    family inet6 {
        mtu 8900;
    }
    family mpls;
}


EX3400 running MACsec:

ex3400> show configuration interfaces xe-0/2/0
description "MACsec encrypted to mx480 xe-0/0/1";
mtu 9192;
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members INNER;
        }
    }
}

ex3400> show configuration interfaces xe-0/2/1
description "unencrypted to mx480 xe-0/1/0";
mtu 9192;
unit 0 {
    family ethernet-switching {
        interface-mode trunk;
        vlan {
            members INNER;
        }
    }
}

ex3400> show configuration vlans
INNER {
    vlan-id 3;
    l3-interface irb.3;
}

Manager@sw-gp1-macsec-1> show configuration security
macsec {
    connectivity-association MACSEC {
        security-mode static-cak;
        include-sci;
        pre-shared-key {
            ckn xxx;
            cak xxx;
        }
    }
    interfaces {
        xe-0/2/0 {
            connectivity-association MACSEC;
        }
    }
}


On Thu, May 23, 2019 at 10:28:46PM +0200, james list wrote:
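The reply stacks three encapsulations on the inner frame (the 802.1Q tag for VLAN 3, the MACsec SecTAG plus ICV on the EX3400 link, and the outer VLAN 763 pushed by CCC), and every one of them eats into the 9192-byte interface MTUs shown above; an oversized frame is dropped silently, which an operator chasing bursty multicast loss would want to rule out first. The following is an added illustration, not configuration or tooling from either post: it walks the frame through the three wire segments named after the ports in the reply and reports the remaining headroom. It assumes that a Junos interface `mtu` is the maximum L2 frame size excluding the 4-byte FCS (1514 untagged, 1518 with VLAN tagging by default); the framing constants come from IEEE 802.1Q and 802.1AE, and the `labels` parameter for L3VPN traffic is a hypothetical knob, not something the reply discusses.

```python
"""Frame-size budget for a MACsec-inside-CCC design.

Added illustration, not configuration or tooling from the mailing-list posts.
Assumption: a Junos interface `mtu` value is the largest L2 frame size
excluding the 4-byte FCS (default 1514 untagged, 1518 with VLAN tagging).
Framing constants are taken from IEEE 802.1Q / 802.1AE.
"""
from dataclasses import dataclass
from typing import List, Tuple

ETH_HDR = 14           # dst MAC + src MAC + EtherType
DOT1Q_TAG = 4          # one 802.1Q tag
MPLS_LABEL = 4         # one MPLS label stack entry
SECTAG_NO_SCI = 8      # 802.1AE SecTAG without the SCI
SECTAG_WITH_SCI = 16   # include-sci adds the 8-byte Secure Channel Identifier
MACSEC_ICV = 16        # GCM-AES integrity check value appended to every frame


@dataclass(frozen=True)
class Segment:
    name: str    # wire segment, named after the ports in the reply
    mtu: int     # configured interface mtu on that segment
    added: int   # bytes this segment adds to the frame it receives


def design_segments(mtu: int = 9192, include_sci: bool = True) -> List[Segment]:
    """The three wire segments a packet crosses from the MX480 core side to the provider."""
    sectag = SECTAG_WITH_SCI if include_sci else SECTAG_NO_SCI
    return [
        # mx480 xe-0/1/0 -> ex3400 xe-0/2/1: plain tagged trunk carrying VLAN 3
        Segment("trunk vlan 3", mtu, ETH_HDR + DOT1Q_TAG),
        # ex3400 xe-0/2/0 -> mx480 xe-0/0/1: MACsec protects the whole tagged frame
        Segment("macsec link", mtu, sectag + MACSEC_ICV),
        # mx480 xe-1/0/4.763 -> provider: CCC input-vlan-map pushes outer VLAN 763
        Segment("ccc to provider vlan 763", mtu, DOT1Q_TAG),
    ]


def frame_budget(l3_mtu: int, segments: List[Segment],
                 labels: int = 0) -> List[Tuple[str, int, int]]:
    """Return (segment name, frame size on the wire, headroom) per segment.

    l3_mtu is the family inet mtu on the inner trunk (8900 in the reply).
    labels is a hypothetical MPLS label stack depth for L3VPN traffic
    (0 for plain IP, 2 for a typical transport+VPN stack).
    Negative headroom means the frame exceeds that segment's mtu and is dropped.
    """
    size = l3_mtu + labels * MPLS_LABEL
    rows = []
    for seg in segments:
        size += seg.added
        rows.append((seg.name, size, seg.mtu - size))
    return rows


def fits(rows: List[Tuple[str, int, int]]) -> bool:
    """True when every segment has non-negative headroom."""
    return all(headroom >= 0 for _, _, headroom in rows)


if __name__ == "__main__":
    scenarios = {
        "as configured (inet mtu 8900, mtu 9192)": frame_budget(8900, design_segments()),
        "same, L3VPN traffic with two labels": frame_budget(8900, design_segments(), labels=2),
        "default MTUs left in place (1500 / 1518)": frame_budget(1500, design_segments(mtu=1518)),
    }
    for title, rows in scenarios.items():
        print(title)
        for name, size, headroom in rows:
            print(f"  {name:26s} {size:5d} bytes  headroom {headroom:+d}")
        print("  ->", "fits" if fits(rows) else "DROPPED", "\n")
```

The third scenario is the one to remember: with factory MTUs, the plain trunk frame just fits and the MACsec segment is already 32 bytes over, so the design only works because every interface in the path was raised to 9192. Dropping `include-sci` saves 8 bytes per frame but, on a point-to-point link like this one, changes nothing else about the budget.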