Re: IEEE MACsec

[Brandon Martin <lists.nanog () monmotha net>]

On 10/22/24 00:12, Crist Clark wrote:
> It is definitely deployed out there. I wouldn't worry too much about 
> reading the specs. All of the implementations I've dealt with are only 
> partial implementations. They almost all are limited to "point to point" 
> functionality.
>
> As for comparing to IPsec, IPsec came out of a different time. It is 
> more of framework with a zillion knobs, and lots of room for 
> customization and future changes. The keying isn't even a part of IPsec. 
> ISAKMP, later IKE, are separate protocols. IPsec has transport mode 
> (seldom used) and tunnel mode. It has AH (which no one uses) and ESP.
>
> MACsec is much more narrowly defined. The cryptographic algorithms are 
> standard. There is room for future updates of those algorithms, but for 
> now, the implementers know what they need to do.
>
> For those reasons, I think it is more straightforward to implement 
> MACsec in firmware. I would expect if you trimmed down IPsec, which most 
> NOS implementations already do, you can implement it in the same way.
>
> Vendors have been charging big money for fast IPsec for a long time, 
> they don't want to stop. But the MACsec price-point is so sweet compared 
> to it, you now have people doing things like running MACsec over VXLAN 
> in place of IPsec.

MACsec is also really useful where you need point-to-point protection of 
traffic that isn't easily manipulated at L3 or may not even run over IP 
but that may transit publicly accessible infrastructure.  Utility SCADA 
traffic is an example, and MACsec can be very useful on those networks 
as they often transition from wireless to fiber.