nanog mailing list archives

RE: IEEE MACsec


From: Bertilsson, Björn via NANOG <nanog () nanog org>
Date: Wed, 23 Oct 2024 15:27:53 +0000

The biggest pitfall for telecom with MACSEC is that PTP/SyncE and MACSEC on the same physical interface simultaneously 
is mostly not supported. Many claim that you can do both, but they don’t mention that it can’t be done at the same 
time. There are some newer models of Juniper ACX coming with that, one model of Cisco NCS (but not officially 
supported) and maybe others. But with the PHY and NPU separated it has been hard for them to implement. Probably the 
newest generation of NPU like Jericho3 will do this on the NPU and will handle it ok. But then again, the other end 
must also be of newer generation to interop properly.

 

It is possible to configure MACSEC and PTP/SyncE on several models and interfaces and get them phase aligned. But in 
most cases, they will start to drift quite badly until they go out of spec.

 

/Björn

 

From: NANOG <nanog-bounces+bjorn.bertilsson=telia.no () nanog org> On Behalf Of Dave Cohen
Sent: Tuesday, October 22, 2024 8:39 PM
To: Mark Tinka <mark@tinka.africa>
Cc: nanog () nanog org
Subject: Re: IEEE MACsec

 

I would caution anyone running MACsec on a link leveraging a provider circuit between them to quadruple check that the 
provider link supports customer use of MACsec. In theory MACsec will operate just fine over a Layer 2 link but carriers 
tend to not like unanticipated bits getting appended or inserted into frame headers. In my carrier days, $dayjob's L2 
products tended to be highly interoperable relative to the industry norm, and we still forced customers into a L1 
service if they need MACsec. My understanding is that said carrier did start supporting it on its L2 services off of 
certain devices a couple of years ago, but I don't believe this is common for most providers.

 

On Tue, Oct 22, 2024 at 2:27 PM Mark Tinka <mark@tinka.africa> wrote:




On 10/22/24 16:56, Tarko Tikan wrote:

What we are seeing now is MACsec getting integrated into latest NPUs 
directly. So far it has been mostly implemented by separate chips or 
in PHYs (or combination). This has, in some cases, limited you to what 
ports you can use MACsec on. It also had challenges with sync/PTP, 
per-vlan MACsec etc.

So while it is proven technology and works well we are still seeing 
innovation/improvements.

It is also now shipping in coherent pluggables as a native feature.

Mark.




 

-- 

- Dave Cohen
craetdave () gmail com
@dCoSays

www.venicesunlight.com
