Re: IEEE MACsec

[Tom Beecher <beecher () beecher cc>]

> Regarding speed, the first few pages I hit made a comment that it was
> slower because of packet overhead. I'm reading more and that is less of
> a concern.

There's certainly a penalty paid for the extra time encrypting and
decrypting , which of course can aggregate over a large number of protected
links.

But unless you're trying to manage latency budgets in the microseconds
range it's not likely to be an issue.

On Mon, Oct 21, 2024 at 3:01 PM John Schiel <jschiel () flowtools net> wrote:

> Thanks.
>
> I threw this out there not knowing how fast someone would respond.
>
> I only heard about this recently and am surprised it as as old as it is.
>
> Regarding speed, the first few pages I hit made a comment that it was
> slower because of packet overhead. I'm reading more and that is less of
> a concern.
>
> --jas
>
> On 10/21/24 12:28 PM, Saku Ytti wrote:
> > On Mon, 21 Oct 2024 at 20:34, John Schiel <jschiel () flowtools net> wrote:
> >
> > >       1) May not work over wireless LAN devices?
> > I guess it depends on wireless technology, but 802.11xyzzy comes with
> > an encryption solution already so isn't really a target of interest.
> >
> > >       2) Needs a centralized key server.
> > Not really, implementation detail.
> >
> > >       3) May not be supportable on all devices?
> > Definitely not supported on all devices, you tend to pay extra, but
> > getting an increasingly small premium to pay. May become essentially
> > free, depending on demand.
> >
> > > Purported to be faster on the LAN than IPsec because MACsec is on layer
> 2.
> > Speed doesn't have anything to do with layer2 or layer3, you may be
> > assuming that ipsec is software and macsec is hardware which may be
> > true, but is implementation detail. For example Juniper Trio can do
> > some forms of IPSEC on the same hardware as MACSEC at the same
> > performance profile.
> >
> >
> > It is not exactly new technology, these devices have existed for +decade
> now?
> >