Re: IEEE MACsec

[John Schiel <jschiel () flowtools net>]

What a community!!!

Thanks for all the responses.

--jas

On 10/23/24 9:27 AM, Bertilsson, Björn via NANOG wrote:
> The biggest pitfall for telecom with MACSEC, is that PTP/SyncE and 
> MACSEC on the same physical interface simultaneously is mostly not 
> supported. Many claims that you can do both, but they don’t mention 
> that it can’t be done at the same time. There are some newer models of 
> Juniper ACX coming with that, one model of Cisco NCS (but not 
> officially supported) and maybe others. But with the PHY and NPU 
> separated it has been hard for them to implement. Probably the newest 
> generation of NPU like Jericho3 will do this on the NPU and will 
> handle it ok. But then again, the other end must also be of newer 
> generation to interop properly.
>
> It is possible to configure MACSEC and PTP/SyncE on several models and 
> interfaces and get them phase aligned. But in most cases, they will 
> start to drift quite badly until they go out of spec.
>
> /Björn
>
> *From:*NANOG <nanog-bounces+bjorn.bertilsson=telia.no () nanog org> *On 
> Behalf Of *Dave Cohen
> *Sent:* Tuesday, October 22, 2024 8:39 PM
> *To:* Mark Tinka <mark@tinka.africa>
> *Cc:* nanog () nanog org
> *Subject:* Re: IEEE MACsec
>
> I would caution anyone running MACsec on a link leveraging a provider 
> circuit between them to quadruple check that the provider link 
> supports customer use of MACsec. In theory MACsec will operate just 
> fine over a Layer 2 link but carriers tend to not like unanticipated 
> bits get appended or inserted into frame headers. In my carrier days, 
> $dayjob's L2 products tended to be highly interoperable relative to 
> the industry norm, and we still forced customers into a L1 service if 
> they need MACsec. My understanding is that said carrier did start 
> supporting it on its L2 services off of certain devices a couple of 
> years ago, but I don't believe this is common for most providers.
>
> On Tue, Oct 22, 2024 at 2:27 PM Mark Tinka <mark@tinka.africa> wrote:
>
>
>
>
>     On 10/22/24 16:56, Tarko Tikan wrote:
>
>     > What we are seeing now is MACsec getting integrated into latest
>     NPUs
>     > directly. So far it has been mostly implemented by separate
>     chips or
>     > in PHYs (or combination). This has, in some cases, limited you
>     to what
>     > ports you can use MACsec on. It also had challenges with sync/PTP,
>     > per-vlan MACsec etc.
>     >
>     > So while it is proven technology and works well we are still seeing
>     > innovation/improvements.
>
>     It is also now shipping in coherent pluggables as a native feature.
>
>     Mark.
>
>
> --
>
> - Dave Cohen
> craetdave () gmail com
> @dCoSays
>
> www.venicesunlight.com <http://www.venicesunlight.com>