Cisco MACsec Solution Design and Deployment for a Secure Enterprise


2 Cisco MACsec Solution Design and Deployment for a Secure Enterprise
Technical Marketing Engineer
BRKCRS-2892
kural@cisco.com

3 Agenda
- MACsec Overview
- Need for a Layer 2 Encryption Technology
- Part 1: MACsec Encryption in the Campus & Data Center
  - Deployment Use Cases
  - Config Examples
- Part 2: MACsec Encryption over the Metro-E WAN
  - WAN Deployment Use Cases
  - Config Examples
- Best Practices

4 Encryption
What is Encryption?
Encryption is defined as cryptographically modifying plaintext and generating ciphertext, using an encryption algorithm, that can only be read if decrypted.
Why do I need Encryption?
- Privacy & data confidentiality
- Regulatory / compliance requirements

5 Regulatory / Compliance Requirements
- Refer to PCI DSS v3.0 sections 4.1 &
- Refer to HIPAA section 4

6 Authentication vs Encryption
(Figure: authenticated user, 802.1X, WAN, servers; an eavesdropper on the path: "I can see everything")
What happens if I have Authentication but not Encryption?
- 802.1X only ensures user authentication
- Without encryption, data confidentiality is compromised
- A rogue AP can extend the attack outside the physical perimeter
- Rogue users with physical access can monitor and spoof

7 Sample Packet Capture (without Encryption)

8 Network Security Today for LAN
(Figure: end-to-end encryption, encrypted at the sender and decrypted at the receiver; the switches in between have no visibility)
- End-to-end encryption technologies, e.g. IPsec
- Network devices have no visibility: cannot enforce policies, QoS etc.
- Typically done by software, not scalable
- Goal is to encrypt data on the wire

9 Network Security Today for WAN
(Figure: VPN encryption at one site, encrypted data across the WAN, decryption at the other site)
- Encrypted Virtual Private Network (VPN) technologies over public cloud, e.g. DMVPN
- Higher scalability: 1000s of branches
- Typically done by software / crypto engine: lower performance / throughput
- Goal is to encrypt data on the public cloud

10 What is MACsec?
- Layer 2 encryption technology
- IEEE 802.1AE standard
- Connectionless data confidentiality and integrity for media access independent protocols

11 Benefits of MACsec
- IEEE 802.1AE standards based
- Line rate Layer 2 encryption
- Hardware PHY encryption
- Deployment flexibility (hop-by-hop encryption)

12 Where do I Need MACsec?
End-to-end MACsec:
1. Host-to-Switch
2. Wireless AP to Switch
3. Switch-to-Switch
4. Wireless Controller-to-Switch
5. Router-to-Switch
6. Router-to-Router over WAN
7. Router-to-Switch in a Branch
8. Router-to-Router in a DCI
9. Server-to-Switch in Data Center
(Figure: Campus with Cisco AnyConnect hosts, Cat3Kx, Cat3850/3650, Cat4K (Sup7E/8E, 4500X), Cat6K, WLC 5760 and WLC 2500*; ASR1K across a Metro Ethernet network; Branch with ISR SM-X Eth and Cat3850/Cat3650; Data Center with UCS servers. * Roadmap)

13 MACsec Campus Use Cases Summary
#1 - Host-to-Switch
#2 - Between Sites or Buildings
#3 - Between Floors in a Multi-tenancy Enterprise Network
(Figure: Main Building 1 with Floors 1-3 and a LAN, connected to Buildings 2, 3 and 4)

14 MACsec Data Center Use Cases Summary
#1 - Data Center Interconnect
#2 - Server-to-Switch
(Figure: DC1 and DC2 connected over a Metro E-LINE)

15 MACsec WAN Use Cases Summary
#1 - Data Center Interconnect
#2 - Campus Interconnect
#3 - Hub-Spoke
(Figure: DC1 to DC2 over a Metro E-LINE; Main Building 1 / Head Office to Buildings 2, 3 and 4 over Metro E-LAN / E-Line; Head Office to Branches 1, 2 and 3 over Metro E-LINE / E-LAN. * Roadmap)

16 LAN MACsec

17 What is LAN MAC Security (MACsec)?
(Figure: data encrypted on every hop, downlink, uplink, downlink; the switches have visibility)
- Encryption mitigates packet eavesdropping, tampering, and injection
- Supports 802.1AE-based strong encryption technology: 128-bit AES-GCM, NIST-approved, 10Gb line-rate encryption
- Hop-by-hop encryption supports data and packet inspection
- Works in shared media environments (IP Phones, Desktops)

18 When do I absolutely need LAN MACsec? Host to Switch MACsec
- Physical security and end user awareness can also mitigate threats.
- Customer conference rooms, or remote offices/branches
- Customer, partner or industry events

19 When do I absolutely need LAN MACsec? Switch-to-Switch MACsec
- Financial institutions
- Between buildings
- Multi-tenant buildings
- Between two sites over dark fiber (Location A to Location B)

20 How does LAN MACsec Work?
MACsec frame: DMAC | SMAC | 802.1AE Header | 802.1Q | CMD | ETYPE | PAYLOAD | ICV | CRC
(Authenticated: DMAC through PAYLOAD; Encrypted: everything after the 802.1AE header through PAYLOAD)
MACsec tag format: MACsec EtherType 0x88e5 | TCI/AN | SL | Packet Number | SCI (optional)
- Frames are encrypted and protected with an integrity check value (ICV)
- MACsec EtherType is 0x88e5
- No impact to IP MTU/fragmentation
- L2 frame MTU impact*: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552-byte MTU)

21 MACsec Jargon
- MKA: MACsec Key Agreement, defined in IEEE 802.1XREV-2010, is a key agreement protocol for discovering MACsec peers and negotiating keys.
- SAP: Security Association Protocol is a pre-standard key agreement protocol similar to MKA.
- MSK: Master Session Key, generated during the EAP exchange. Supplicant and authentication server use the MSK to generate the CAK.
- CAK: Connectivity Association Key, derived from the MSK. The CAK is a long-lived master key used to generate all other keys used for MACsec.
- SAK: Secure Association Key, derived from the CAK; the key used by supplicant and switch to encrypt traffic for a given session.

22 LAN MACsec (Host-to-Switch)

23 Host-to-Switch MACsec
(Figure: encrypt/decrypt on each hop; downlink, uplink, downlink)
- Encryption between end station and switch
- Frame is tagged at egress & untagged at ingress

24 What is Host-to-Switch MACsec? a.k.a. Downlink MACsec
(Figure: a supplicant without MACsec sends data in the clear after 802.1X authentication; a supplicant with MACsec has a MACsec link to a MACsec-capable device)
- Encryption between end station and switch
- Frame is tagged at egress & untagged at ingress

25 What do I Need to Enable Host-to-Switch MACsec?
Roles: Supplicant (AnyConnect 3.0), Authenticator, Authenticating Server
- Supplicant: authentication, key exchange, encryption
- Authenticator: access control, key exchange, encryption
- Authenticating Server: authentication, master key distribution, policy management
Supplicant: a client that runs on the endpoint and manages MACsec key negotiation and encrypts packets. Encryption may be done in software or hardware (if the NIC supports it).
Authenticator: the switch that relays the Supplicant's credentials to the Authentication Server and enforces the network access policy. Must be capable of MACsec key negotiation and packet encryption. Requires special hardware to support MACsec at line rate.
Authenticating Server: a RADIUS server that validates the Supplicant's credentials and determines what network access the Supplicant should receive. Distributes master keying material to the supplicant and switch. Optionally defines the MACsec policy to be applied to a particular endpoint.

26 How do I Enable Host-to-Switch MACsec? Switch Configuration Example
Global configuration commands (802.1X global config):
  aaa new-model
  !
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius
  !
  aaa session-id common
  !
  dot1x system-auth-control
  !
  radius-server host key cisco123
  radius-server vsa send authentication

27 How do I Enable Host-to-Switch MACsec? Switch Configuration Example
Interface configuration commands:
  interface GigabitEthernet4/1
   description AnyConnect Interface to MACsec XP 1
   switchport access vlan 903
   switchport mode access
   authentication priority dot1x
   authentication port-control auto
   dot1x pae authenticator
   mka default-policy
   spanning-tree portfast
   authentication linksec policy should-secure
The default is should-secure; the other options are must-not-secure and must-secure.

28 How do I Enable Host-to-Switch MACsec? AnyConnect 3.0 Client Configuration Example
- AnyConnect is a software based MACsec client for PCs
- Note: Intel NIC hardware based MACsec is available
For Should-Secure:
- Set Key Management to MKA
- Set Encryption to MACsec
- Set Port Authentication Exception Policy to "Prior to Authentication Initiation"

29 How do I Enable Host-to-Switch MACsec? ISE Server Configuration Example
Policy > Policy Elements > Results

30 How do I Verify MACsec is Enabled? Before: Just Dot1X
RAFALE#show authentication session interface gigabitethernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  c.0008
           IP Address:
            User-Name:  cisco
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A B0ADAA4C0
      Acct Session ID:  0x D
               Handle:  0xC800000C
        MACsec status:  Port is unsecured.
Runnable methods list:
       Method   State
       dot1x    Authc Success

31 How do I Verify MACsec is Enabled? After the Fact
RAFALE#show authentication session interface gigabitethernet 4/1
            Interface:  GigabitEthernet4/1
          MAC Address:  c.0008
           IP Address:
            User-Name:  blackbird
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Must Secure
      Security Status:  Secured
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A CE18
      Acct Session ID:  0x
               Handle:  0x
        MACsec status:  Port is secured.
Runnable methods list:
       Method   State
       dot1x    Authc Success

32 Troubleshooting
Problem 1: Session is unsecured
- Typical cause: end points do not support MACsec
Problem 2: Unable to establish a session
- Typical cause: endpoint with invalid credentials while the MACsec policy is Must-Secure

33 LAN MACsec Under the covers

34 Downlink MACsec: Under the Covers
Participants: AnyConnect 3.0 (supplicant), Authenticator (switch), ISE (RADIUS server)
Authentication and master key distribution (IEEE 802.1X):
1. EAP start: EAPoL EAP Request-Identity; EAPoL EAP-Response: blackbird
2. EAP negotiation: RADIUS Access-Request [AVP: EAP-Response: blackbird]; RADIUS Access-Challenge [AVP: EAP-Request: PEAP]
3. EAP success: RADIUS Access-Accept [AVP: EAP Success] [AVP: EAP Key Name] [AVP: CAK]
4. EAP Success forwarded to the supplicant
Session key agreement (MACsec MKA SAK exchange):
5. MKA negotiation: EAPoL-MKA: Key Server; EAPoL-MKA: MACsec Capable; EAPoL-MKA: Key Name, SAK; EAPoL-MKA: SAK Installed
6. Session secure: AES-GCM-128 encrypted data

35 Downlink MACsec: Under the Covers
1. Supplicant (AnyConnect 3.0) and ACS derive the CAK from the EAP MSK (EAP -> MSK -> derive CAK from MSK)
2. ACS sends the CAK to the switch: RADIUS Access-Accept [AVP: EAP Key Name] [AVP: CAK]
3. Switch generates the SAK from the CAK (derive SAK from CAK)

36 Downlink MACsec: Under the Covers
4. The SAK is encrypted with the CAK and sent to the supplicant over EAPoL-MKA (encrypted SAK)
5. The supplicant decrypts and derives the SAK. The SAK is used to encrypt traffic on the wire.
The intent is to derive the same SAK on the switch port and on the supplicant.

37 Policy Recommendations
Switch and supplicant have three possible policies:
- Must-Not-Secure: Only unencrypted traffic will be sent and received. MKA frames will be ignored.
- Should-Secure: If MKA succeeds, only encrypted traffic will be sent and received. If MKA times out or fails, unencrypted traffic will be permitted.
- Must-Secure: If MKA succeeds, only encrypted traffic will be sent and received. If MKA times out or fails, no traffic will be permitted.
Mismatched policies on switch and supplicant can cause problems.
Best practice recommendation:
- Use should-secure everywhere; should-secure is the default setting on the switch
- Use ACS/ISE to assign policy exceptions to the switch using the RADIUS attribute Cisco-av-pair=subscriber:linksec-policy
- AnyConnect 3.0 implements should-secure via the Port Authentication Exception Policy configuration of "Prior to Authentication Initiation"

38 MACsec Policy Combinations
Supplicant Policy                      | Switch Policy                          | Resultant Connection
Not MACsec-capable or Must-Not-Secure  | Not MACsec-capable or Must-Not-Secure  | Not Secure
Should-Secure                          | Not MACsec-capable or Must-Not-Secure  | Not Secure
Must-Secure                            | Not MACsec-capable or Must-Not-Secure  | Blocked
Not MACsec-capable or Must-Not-Secure  | Should-Secure                          | Not Secure
Should-Secure                          | Should-Secure                          | Secure
Must-Secure                            | Should-Secure                          | Secure
Not MACsec-capable or Must-Not-Secure  | Must-Secure                            | Blocked if no MACsec Fallback Policy is configured
Should-Secure                          | Must-Secure                            | Secure
Must-Secure                            | Must-Secure                            | Secure
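As an added example (not part of the deck), the Python below encodes the three policy rules from slide 37 and derives the slide 38 combination table from them, including the MKA-failure case from slide 32 (invalid credentials under must-secure). The `switch_fallback` flag models the MACsec fallback policy the table mentions; what traffic that fallback permits is not stated on the slide, so the function only reports that it applies.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    # "Not MACsec-capable" and "must-not-secure" behave alike: MKA frames are ignored.
    NOT_CAPABLE = "not-capable/must-not-secure"
    SHOULD_SECURE = "should-secure"
    MUST_SECURE = "must-secure"


def runs_mka(p: Policy) -> bool:
    return p is not Policy.NOT_CAPABLE


def resolve(supplicant: Policy, switch: Policy, mka_ok: Optional[bool] = None,
            switch_fallback: bool = False) -> str:
    """Outcome of one link given the policy at each end.
    mka_ok=None: MKA succeeds iff both ends run it (this yields the slide 38 table).
    mka_ok=False: MKA timed out or failed, e.g. invalid credentials (slide 32)."""
    if mka_ok is None:
        mka_ok = runs_mka(supplicant) and runs_mka(switch)
    if mka_ok:
        return "Secure"                 # only encrypted traffic is sent and received
    if supplicant is Policy.MUST_SECURE:
        return "Blocked"                # a must-secure end permits no traffic without MKA
    if switch is Policy.MUST_SECURE:
        # Assumption: the fallback policy decides what the switch permits here.
        return "Fallback policy applies" if switch_fallback else "Blocked"
    return "Not Secure"                 # should-secure / must-not-secure send in the clear


def combination_table() -> Dict[Tuple[Policy, Policy], str]:
    """Every (supplicant, switch) pairing, as on slide 38."""
    return {(s, w): resolve(s, w) for w in Policy for s in Policy}


def blocked_pairings() -> List[Tuple[Policy, Policy]]:
    """Mismatched pairings that block the link outright (no fallback configured)."""
    return [pair for pair, out in combination_table().items() if out == "Blocked"]
```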

39 Multiple Endpoints Support Per Port
Host-Mode               | MACsec | Details
Single-Host             | Y      | Data traffic is encrypted. Cisco phones doing CDP bypass can send/receive unencrypted traffic.
Multi-Domain Auth (MDA) | Y      | Either or both data and voice can be independently encrypted.
Multi-auth              | N      | If should-secure, endpoints can Tx/Rx unencrypted traffic. If must-secure, authentication fails.
Multi-Host              | Y      | Multiple MACs are allowed to piggyback after the first authentication, but only one encrypted session is allowed. Intended for uplink encryption.

40 LAN MACsec (Switch-to-Switch)

41 Switch-to-Switch MACsec
(Figure: encrypt/decrypt on each hop; downlink, uplink, downlink)
- Encryption between two switches
- Frame is tagged at egress & untagged at ingress

42 What is Switch-to-Switch MACsec? a.k.a. Uplink MACsec
MACsec frame: DMAC | SMAC | 802.1AE (MACsec tag field) | 802.1Q | ETYPE | PAYLOAD | ICV | CRC
- Individual link or Etherchannel = uplink MACsec
- Switch to switch encryption
- MACsec is point-to-point (PHY to PHY) encryption

43 Switch-to-Switch MACsec Configuration Modes
Manual Mode: manual configuration of the interfaces on each end
- Benefits: easy to deploy; dot1x infrastructure not required; best suited for pilot deployments
- Considerations: not scalable; no centralized policy management; no authentication of the switch
IEEE 802.1x Mode: 802.1x mode MACsec requires NDAC for device authentication
- Benefits: centralized policy management; rogue switches eliminated; master key maintained centrally; best suited for large scale deployment
- Considerations: ACS/ISE required; requires 802.1x configuration

44 Switch-to-Switch MACsec Manual Mode

45 How do I Enable Switch-to-Switch MACsec in Manual Mode?
- Individual link or Etherchannel = uplink MACsec
- Step 1: Configure the interfaces on each end
- When the interface status is up, SAP exchanges the required keys and starts encrypting
- MACsec is point-to-point (PHY to PHY) encryption; configuration is needed on individual ports

46 How do I Enable Switch-to-Switch MACsec in Manual Mode? Configuration Example
Configuration commands:
  interface t5/1
   switchport mode trunk
   cts manual
    sap pmk AABBCCDDEEFF mode-list gcm-encrypt gmac null no-encap
    no propagate sgt
(Figure: MACsec-capable device to MACsec-capable device over a MACsec link)

47 Switch-to-Switch MACsec SAP Negotiation Modes
- gcm-encrypt: Authenticate the originator & encrypt the data. Use when confidentiality is required.
- gmac: Authenticate the originator & no encryption. Use when integrity only is needed.
- no-encap: No encapsulation. Only mode available when the hardware is not MACsec capable.
- null: Encap only. No authentication or encryption. Used for Security Group Access tagging only.

48 How do I Verify MACsec is Enabled? After the Fact
sho cts int t5/1
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
            null
            no-encap
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt
(Callouts on the slide: config mode & status; encryption modes)
Encryption modes:
- gcm-encrypt: authenticate & encrypt
- gmac: authentication only
- no-encap*: no encapsulation
- null: encap present but no authentication or encryption
* If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode.

49 Troubleshooting
Problem 1: Session is unsecured
- Typical cause: one of the switch interfaces does not support MACsec
Problem 2: Unable to establish a session
- Typical causes: config mismatch or SAP key mismatch; only gcm-encrypt mode is configured and one end is not MACsec capable

50 Uplink MACsec Manual Mode Under the covers

51 MACsec (SAP) Jargon
- SAP: Security Association Protocol is a pre-standard key agreement protocol similar to MKA.
- PMK: Pairwise Master Key. The PMK is a long-lived master key used to generate all other keys used for MACsec.
- PTK: Pairwise Transient Key. Contains three keys (TK, KCK, KEK) inside as an octet stream.
- TK: Temporal Key. The TK is the session key used by the cipher suite for encryption of data traffic.
- KCK: EAPOL-Key Confirmation Key. Provides data origin authenticity.
- KEK: EAPOL-Key Encryption Key. Provides data origin confidentiality.

52 SAP Key Exchange: Under the Covers
1. Supplicant and Authenticator (AT) derive the PMK from EAP
2. The Authenticator generates the PMKID from the PMK and sends it to the Supplicant
3. The Supplicant derives the PMK from the PMKID and compares the PMK
4. SAP exchange
PMK: Pairwise Master Key; PMKID: PMK Identifier

53 SAP Key Exchange: Under the Covers
5. SAP exchange: Supplicant and AT exchange nonces (SNonce, ANonce)
6. Supplicant and Authenticator derive the PTK from the PMK
7. Supplicant and AT derive TK, KCK and KEK from the PTK
- KCK: used for data origin authenticity
- KEK: used for data confidentiality
- TK: used for encryption of data traffic
The TK is used to encrypt traffic on the wire. The intent is to derive the same TK on AT and supplicant.
PMK: Pairwise Master Key; PTK: Pairwise Transient Key; TK*: Temporal Key; KCK*: Key Confirmation Key; KEK*: Key Encryption Key (* 16 octets)

54 Switch-to-Switch MACsec IEEE 802.1X Mode

55 What do I need to Enable Switch-to-Switch MACsec in dot1x Mode?
Roles: NDAC Supplicant, Authenticating Server
- NDAC Supplicant: access control, key exchange, encryption
- Authenticating Server: authentication, master key distribution, policy management
NDAC Supplicant: a switch that acts as a supplicant and authenticates before it becomes an authenticator.
Authenticating Server: a RADIUS server that validates the Supplicant's credentials as part of NDAC and determines what network access the Supplicant should receive. Distributes master keying material to the supplicant.
NDAC: Network Device Admission Control

56 How do I Enable Switch-to-Switch MACsec in dot1x Mode?
Step 1: Enable NDAC (authentication & master key exchange)
- NDAC (Network Device Admission Control) for device authentication
- Can be used as a standalone feature when only device authentication is required, or when MACsec-capable hardware is not available
Step 2: Enable MACsec (SAP negotiation for key exchange)
- After authentication, SAP exchanges session keys & encryption keys
- SAP negotiates the cipher suite

57 What is Network Device Admission Control (NDAC)?
(Figure: ISE; Seed Device (NDAC Switch 1) with authentication succeeded; Non-seed Device Switch 1 and Non-seed Device Switch 2, one with authentication failed)
- NDAC is authenticating the authenticator
- NDAC uses 802.1x with EAP-FAST
- EAP-FAST enhancements: authenticate the authenticator; notify each device of its peer identity (using RADIUS TLV messages)
- Seed Device: authenticates first and authenticates non-seed devices
- EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunnel
Benefits: centralized policy management; rogue switches eliminated

58 How do I Enable NDAC? Seed Switch Configuration Example
Configuration commands (the seed device includes the RADIUS info):
  aaa new-model
  radius server ise
   address ipv4 <ip address> auth-port 1812 acct-port 1813
   pac key <password>
  aaa authentication dot1x default group radius
  aaa authorization network cts group radius
  aaa session-id common
  cts authorization list cts
  dot1x system-auth-control
  !
  interface t5/1
   switchport mode trunk
   cts dot1x
  !
  <exec mode>
  cts credentials id <userid> password <password>

59 How do I Enable NDAC? Non-Seed Switch Configuration Example
Configuration commands:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  dot1x system-auth-control
  !
  interface t5/1
   switchport mode trunk
   cts dot1x
  !
  <exec mode>
  cts credentials id <userid> password <password>

60 How do I Enable NDAC? ISE Configuration Example
Administration > Network Resources > Network Devices

61 NDAC: Under the Covers
Participants: Supplicant, Authenticator, ISE
Authentication and master key distribution (IEEE 802.1X): EAP-FAST in 802.1x between supplicant and authenticator, EAP-FAST in RADIUS between authenticator and ISE
- EAP-FAST: tunnel establishment
- One time provisioning
- Device authentication
- User authentication
- EAP-FAST: tunnel tear down
- Policy acquisition; policy acquisition (RADIUS)

62 How do I Enable MACsec? Seed Switch Configuration Example
Configuration commands (the seed device includes the RADIUS info):
  aaa new-model
  radius server ise
   address ipv4 <ip address> auth-port 1812 acct-port 1813
   pac key <password>
  aaa authentication dot1x default group radius
  aaa authorization network cts group radius
  aaa session-id common
  cts authorization list cts
  dot1x system-auth-control
  !
  interface t5/1
   switchport mode trunk
   cts dot1x
    sap mode-list gcm-encrypt gmac null no-encap
  !
  <exec mode>
  cts credentials id <userid> password <password>

63 How do I Enable MACsec? Non-Seed Switch Configuration Example
Configuration commands:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa session-id common
  dot1x system-auth-control
  !
  interface t5/1
   switchport mode trunk
   cts dot1x
    sap mode-list gcm-encrypt gmac null no-encap
  !
  <exec mode>
  cts credentials id <userid> password <password>

64 How do I Verify MACsec is Enabled? After the Fact
sho cts int t5/1
Global Dot1x feature is Enabled
Interface TenGigabitEthernet5/1:
    CTS is enabled, mode:    DOT1X
    IFC state:               OPEN
    Authentication Status:   SUCCEEDED
        Peer identity:       "dist-4k"
        Peer's advertised capabilities: "sap"
    Authorization Status:    ALL-POLICY SUCCEEDED
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt
            gmac
            null
            no-encap
        Replay protection:      enabled
        Replay protection mode: STRICT
        Selected cipher:        gcm-encrypt
(Callouts on the slide: config mode & status; encryption modes)
Encryption modes:
- gcm-encrypt: authenticate & encrypt
- gmac: authentication only
- no-encap*: no encapsulation
- null: encap present but no authentication or encryption
* If the interface is not capable of data link encryption, no-encap is the default and the only available SAP operating mode.

65 Troubleshooting
Problem 1: Session is unsecured
- Typical cause: one of the switch interfaces does not support MACsec
Problem 2: Unable to establish a session
- Typical causes: authentication failure; only gcm-encrypt mode is configured and one end is not MACsec capable

66 NDAC & SAP: Under the Covers
Participants: Supplicant, Authenticator, ISE
Authentication and master key distribution (IEEE 802.1X): EAP-FAST in 802.1x and EAP-FAST in RADIUS
- EAP-FAST: tunnel establishment
- One time provisioning
- Device authentication
- User authentication
- EAP-FAST: tunnel tear down
- Policy acquisition; policy acquisition (RADIUS)
MACsec:
- Key establishment (SAP)
- Session secure: AES-GCM-128 encrypted data
- Ongoing key refresh (SAP)

67 LAN MACsec Considerations
MACsec header overhead:
- No impact to IP MTU/fragmentation
- L2 frame MTU impact*: ~40 bytes = less than a baby giant frame (~1600 bytes with 1552-byte MTU)
* Line rate performance impact:
- With 64 byte packets: ~60%
- With 256 byte packets: ~15%
- With 1500 byte packets: ~2.5%
- With 9198 byte packets: ~0.5%

68 Key Management vs Certificates
In 802.1x mode:
- Keys are managed centrally by ISE
- Cluster of servers; the keys are automatically synced between servers
In manual mode:
- Keys are managed by individual switches
- Admin overhead
Keys vs certificates:
- Certificates are used to confirm the identity of a device
- A separate CA server is needed to maintain certificates; ISE supports certificates
- Keys are needed for encryption

69 WAN MACsec


71 Ethernet WAN Transition for Carrier Services
- Metro Ethernet Forum (MEF) standardization of carrier Ethernet services
- WAN/Metro SP offerings are replacing existing T1, ATM/FR, and SONET options for their customers in favor of lower cost Ethernet transport
- Highly flexible, granular and scalable bandwidth
- Simple troubleshooting
- Enterprise maintains networking and routing decisions
- Easily add new locations to the L2 VPN
- Ubiquitous use of router ports with Ethernet support
(Figure: Metro Ethernet network for carrier Ethernet services)

72 What is WAN MAC Security (MACsec)?
(Figure: encrypt at one CE, encrypted data over EVCs across the L2 service provider network, decrypt at the other CE)
- Encryption mitigates packet eavesdropping, tampering, and injection
- Supports 802.1AE-based strong encryption technology: 128/256-bit AES-GCM, NIST-approved, 10Gb line-rate encryption
- VLAN tag in clear option
- Supports point-to-point and point-to-multipoint configurations
- Typically done by hardware (ASIC/PHY): line rate throughput

73 How is WAN MACsec different from LAN MACsec?
- LAN MACsec: point to point, switch to switch within the enterprise network, VLAN tag encrypted
- WAN MACsec: point to multipoint, WAN router at the Central Campus / DC to Branch 1, Branch 2 and Branch 3, VLAN tag in clear

74 How is WAN MACsec different from LAN MACsec? VLAN Tag in Clear
Original MACsec: Eth | 802.1AE | 802.1Q | ETYPE | PAYLOAD | ICV | CRC (authenticated from Eth onward; encrypted from 802.1Q through PAYLOAD)
MACsec ClearTag (VLAN): Eth | 802.1Q | 802.1AE | ETYPE | PAYLOAD | ICV | CRC (authenticated from Eth onward; encrypted from ETYPE through PAYLOAD)
New in XE 3.14
802.1Q tag: TPID 0x8100 (2B) | CoS (3b) | CFI (1b) | VLAN ID (12b)
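As an added example (not code from the deck), the Python below builds and parses the 802.1AE framing from slide 20 and the VLAN-tag-in-clear layout from slide 74: the SecTAG fields (TCI/AN, SL, PN, optional SCI), the receive-side replay window from slides 48 and 92, and the per-frame overhead behind the slide 67 figures. The secure data and ICV are opaque constructed bytes; no AES-GCM is performed, so the block shows framing and checks only.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5      # MACsec EtherType (slide 20)
DOT1Q_TPID = 0x8100            # 802.1Q TPID of the clear VLAN tag (slide 74)
ICV_LEN = 16                   # GCM-AES-128 integrity check value
TCI_V, TCI_SC, TCI_E, TCI_C = 0x80, 0x20, 0x08, 0x04   # TCI bits: version, SCI present, E, C


@dataclass
class MACsecFrame:
    dst: bytes
    src: bytes
    vlan_in_clear: Optional[int]   # VLAN ID when an 802.1Q tag precedes the SecTAG
    an: int
    sl: int
    pn: int
    sci: Optional[bytes]
    encrypted: bool                # E bit of the TCI
    secure_data: bytes             # 802.1Q/ETYPE/PAYLOAD region, encrypted when E is set
    icv: bytes

    @property
    def overhead(self) -> int:
        """Bytes the SecTAG and ICV add to the L2 frame; the IP MTU is untouched."""
        return 8 + (8 if self.sci is not None else 0) + ICV_LEN


def build_frame(dst: bytes, src: bytes, secure_data: bytes, icv: bytes, an: int,
                pn: int, sci: Optional[bytes] = None,
                vlan_in_clear: Optional[int] = None) -> bytes:
    """LAN MACsec:  DMAC SMAC SecTAG [secure data] ICV
    WAN ClearTag:  DMAC SMAC 802.1Q SecTAG [secure data] ICV   (dot1q-in-clear)
    SecTAG = EtherType | TCI/AN | SL | PN | [SCI]; the CRC is left to the MAC."""
    if not 0 <= an <= 3:
        raise ValueError("AN is a 2-bit association number")
    if sci is not None and len(sci) != 8:
        raise ValueError("SCI is 8 octets: system MAC + port identifier")
    frame = dst + src
    if vlan_in_clear is not None:
        frame += struct.pack("!HH", DOT1Q_TPID, vlan_in_clear & 0x0FFF)
    tci = an | TCI_E | TCI_C | (TCI_SC if sci is not None else 0)   # GCM-AES: E and C set
    sl = len(secure_data) if len(secure_data) < 48 else 0           # SL only for short frames
    frame += struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn) + (sci or b"")
    return frame + secure_data + icv


def parse_frame(frame: bytes) -> MACsecFrame:
    """Find the SecTAG (after an optional clear 802.1Q tag) and split the frame."""
    off, vlan = 12, None
    if len(frame) < off + 2:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype == DOT1Q_TPID:                       # WAN MACsec with the VLAN tag in clear
        if len(frame) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{etype:04x})")
    if len(frame) < off + 8 + ICV_LEN:
        raise ValueError("frame too short for SecTAG + ICV")
    tci, sl, pn = struct.unpack_from("!BBI", frame, off + 2)
    if tci & TCI_V:
        raise ValueError("unsupported SecTAG version")
    off += 8
    sci = None
    if tci & TCI_SC:
        if len(frame) < off + 8 + ICV_LEN:
            raise ValueError("frame too short for SCI + ICV")
        sci, off = frame[off:off + 8], off + 8
    secure_data, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    if sl and len(secure_data) != sl:
        raise ValueError("SL does not match the secure data length")
    return MACsecFrame(frame[:6], frame[6:12], vlan, tci & 0x03, sl, pn, sci,
                       bool(tci & TCI_E), secure_data, icv)


class ReplayWindow:
    """Receiver replay check: a PN below next_pn - window is dropped.
    Window 0 is the STRICT mode in the 'show cts interface' output."""
    def __init__(self, window: int = 0):
        self.window, self.next_pn = window, 1

    def accept(self, pn: int) -> bool:
        if pn < max(1, self.next_pn - self.window):
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def line_rate_overhead(packet_len: int, overhead: int = 40) -> float:
    """Share of line rate spent on ~40 bytes of MACsec overhead per frame; this
    approximates the slide 67 figures (~60% at 64 bytes, ~0.5% at 9198 bytes)."""
    return overhead / packet_len
```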

75 When do I Need WAN MACsec?
(Figure: Central Campus / DC with WAN MACsec to Regional Hub 1 and Regional Hub 2; IPsec over the Internet to branch / DC and IPsec sites)
WAN MACsec:
- Targeted customers: high throughput, limited by hardware scale
- Strengths: high throughput due to hardware encryption; more services enablement; simple configuration; high throughput + line rate encryption
- Considerations: limited scale; requires a MetroE circuit (EVCs)
IPsec:
- Targeted customers: high scale, limited by aggregate throughput


77 WAN MACsec and IPsec Comparison
Category | WAN MACsec | IPsec
Market Positioning | 1. Aggregate deployments such as regional hubs 2. Large branches that require high throughput 3. Data center interconnects | 1. Small branches 2. High scale deployments 3. Low throughput branches 4. Beyond MetroE (international) reach
Link Requirement | Requires dedicated MetroE EVC circuits for L2 connectivity between sites | Easily routable over many commonly available public networks
Encryption Performance | Per PHY link speed (1G, 10G, 40G, 100G) | Constrained by IPsec crypto engine performance
Services Enablement | No impact to encryption throughput | Impacts encryption throughput
Peers Scale | Limited by hardware resources | Highly scalable
Throughput | Up to line rate on each port (limited only by the forwarding capability) | Aggregate throughput (limited by the encryption throughput)
Configurability | Simple configuration | More complex configuration and policy choices
Layer 3 Visibility for Monitoring | No. Except Layer 2 headers (and optionally VLAN/MPLS labels) everything else is encrypted | Visible. L3 info can be used for monitoring & policy enforcement purposes
NAT environment | L3 header is not accessible | Works with NAT environment

78 WAN MACsec and GETVPN Comparison
(Two-column table, MACsec hub vs GETVPN group key server; the items of each row are listed below)
- PTP or E-LINE / PTMP or E-LAN
- Static known IP addresses / dynamic unknown IP addresses
Overlay Routing:
- Ethernet hand-off, minimal peering
- Easy multi-homing designs
- Provider blackhole protection
- BGP and static routing with provider
- Provider routes traffic between sites
- Less control plane overhead
- Traffic native routing
Data Plane:
- Any WAN transport: IP or MPLS
- E-LINE requires all traffic to go through the hub; E-LAN spokes can communicate directly
- Flexible QoS policy selected by the customer
- Private WANs only: MPLS
- No tunnels for site-to-site connectivity
- Multicast replication in the provider network
Data Plane Encryption:
- E-Line requires per-peer keys; E-LAN uses one key per system
- Client IP addressing hidden from the provider
- Single group key for all sites
- Client IP addressing exposed to the provider

79 What Service do I Need to Enable WAN MACsec?
Metro Ethernet Forum (MEF) Ethernet service types

80 WAN MACsec Deployment Scenarios
Point to Point - E-LINE Service:
- CE to CE
- Hub and Spoke
Multi-Point - E-LAN Service:
- Hub and Spoke
- Multipoint to Multipoint

81 Point to Point E-LINE Service - CE to CE - Hub and Spoke

82 Use Case 1: Point to Point E-LINE Service, Point to Point SA Configuration
(Figure: Branch Site CE to Central Campus / DC CE over a Carrier Ethernet Service E-LINE (P2P); MKA keying (802.1X-2010), MKA session and MACsec flow between the CEs; MACsec enabled on a physical interface or 802.1Q sub-interface)
Ethernet service:
- Point to point PW service (no MAC address lookup)
- Port-mode, or 802.1Q offering
Customer use cases:
- Secure CE-CE link, DC interconnect

83 Use Case 2: Point to Point E-LINE Service, Point to Point SA Configuration, Hub and Spoke
(Figure: two Branch Site CEs, each with an E-LINE (P2P) to the Central Campus / DC CE; MKA keying (802.1X-2010); MACsec enabled on a physical interface or 802.1Q sub-interface)
Ethernet service:
- Point to point PW service (no MAC address lookup)
- Port-mode, or 802.1Q offering
Customer use cases:
- Secure CE-CE link, DC interconnect

84 Use Case 3: Point to Point E-LINE Service, Point to Point SA Configuration, Mix of MACsec & Non-MACsec Spokes
(Figure: Branch Site CE2, CE3 and CE4 with E-LINE (P2P) circuits to the Central Campus / DC CE1; only some spokes run MKA keying (802.1X-2010) and MACsec, on a physical interface or 802.1Q sub-interface)
Ethernet service:
- Point to point PW service (no MAC address lookup)
- Port-mode, or 802.1Q offering
Customer use cases:
- Secure CE-CE link, DC interconnect, migration

85 P2P Router Peering Model When Using E-LINE Service
(Figure: physical view and logical view of CEs over a Carrier Ethernet Service E-LINE (P2P))
- P2P Ethernet pseudo-wire service
- Routers peer per VLAN sub-interface, per PW
- CE Ethernet sub-interface with 802.1Q support
- More of an edge/core network deployment option
- Connection model is full/partial mesh via the 802.1Q sub-interface service
- Analogous to ATM VCs and channelized SONET

86 Multi-Point - E-LAN Service - Hub and Spoke - Multipoint to Multipoint

87 Use Case 4: E-LAN Service (VPLS Service), Point to Point SA Configuration, Hub and Spoke
(Figure: two Branch Site CEs and the Central Campus / DC CE on a Carrier Ethernet Service E-LAN (multi-pt); MKA keying (802.1X-2010); MACsec enabled on a physical interface or 802.1Q sub-interface)
Ethernet service:
- Multi-point service (typically VPLS)
- Port-mode, or 802.1Q offering
Customer use cases:
- Secure CE-CE link, DC interconnect

88 Use Case 5: E-LAN Service (VPLS Service), Point to Point SA Configuration, Hub and Spoke, Spoke to Spoke
(Figure: two Branch Site CEs and the Central Campus / DC CE on a Carrier Ethernet Service E-LAN (multi-pt); MKA keying (802.1X-2010); MACsec enabled on a physical interface or 802.1Q sub-interface)
Ethernet service:
- Multi-point service (typically VPLS)
- Port-mode, or 802.1Q offering
Customer use cases:
- Secure CE-CE link, DC interconnect

89 P2MP Router Peering Model When Using E-LAN Service

Physical view: each CE attaches to the carrier E-LAN (multipoint) service.
Logical view: a flat Ethernet bridge domain; router peering is N-1 (N = number of router nodes).
- Targets more of a branch network deployment option.
- Routers appear as part of a single flat Ethernet domain.
- Caution required, as IP peering is N-1 on every router.
- The SP will dictate either port mode (no 802.1Q tag) or the router sending an 802.1Q tag.
- Less complex configuration.

90 Use Cases & Config CLIs

91 Port-based E-LINE Service (P2P)

Use case 1: point-to-point E-LINE service, point-to-point SA configuration. A port-based E-LINE (point-to-point), a.k.a. Ethernet Private Line (EPL): one P2P EVC across the Metro Ethernet network between CE1 (central campus / DC) and CE2 (branch site). The MKA session, the MKA key and the MACsec flow all live on the physical interface, with MKA keying (802.1X-2010).

CE1 / CE2 config (identical on both ends; * marks mandatory MACsec CLI; the CAK hex value and the IP addresses are not shown on the slide):

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

Defaults:
- MKA policy: key server priority 0, confidentiality offset 0, cipher suite GCM-AES-128
- MACsec interface parameters: dot1q-in-clear 0, access-control must-secure, replay-protection-window-size 64
- Key chain: cryptographic-algorithm aes-128-cmac, lifetime unlimited

92 VLAN-based E-LINE Service (P2P), Only MACsec Sub-Interfaces

Use case 2: point-to-point E-LINE service, point-to-point SA configuration, hub and spoke. VLAN-based E-LINE (point-to-point), a.k.a. Ethernet Virtual Private Line (EVPL): CE1 (central campus / DC) terminates one P2P EVC per branch (VLAN 10 towards CE2, VLAN 20 towards CE3) on 802.1Q sub-interfaces of a single physical port. Each sub-interface is its own MACsec-enabled interface with its own MKA session; keying is MKA (802.1X-2010).

CE1 config (* marks mandatory MACsec CLI):

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
     macsec replay-protection-window-size 100
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*
    interface GigabitEthernet0/0/4.2
     encapsulation dot1q 20
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

CE2 config (CE3 is not shown on the slide):

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
     macsec replay-protection-window-size 100
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

Note: macsec dot1q-in-clear 1 places the 802.1Q tag outside the MACsec SecTAG, so the provider can still read the VLAN and map it to the right EVC. It is configured on the main interface and inherited by every sub-interface (see slide 116).

93 VLAN-based E-LINE Service (P2P), Mix of MACsec and Non-MACsec Sub-Interfaces

Use case 2 extended: the same VLAN-based E-LINE (EVPL) hub-and-spoke, but CE1 (central campus / DC) now terminates three P2P EVCs on one physical port towards CE2, CE3 and CE4: VLAN 10 and VLAN 20 run MACsec, VLAN 30 does not. Because one sub-interface carries plaintext, the main interface has to be set to macsec access-control should-secure; with the default must-secure the unencrypted frames of VLAN 30 would be dropped (see slide 116).

CE1 config (* marks mandatory MACsec CLI):

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
     macsec access-control should-secure*
     macsec replay-protection-window-size 100
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*
    interface GigabitEthernet0/0/4.2
     encapsulation dot1q 20
     ip address
     mka pre-shared-key key-chain k1*
     macsec*
    interface GigabitEthernet0/0/4.3
     encapsulation dot1q 30
     ip address

CE2 config:

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
     macsec access-control should-secure*
     macsec replay-protection-window-size 100
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

94 Port-based E-LAN Service (P2MP)

Use case 3: port-based E-LAN (point-to-multipoint), a.k.a. Ethernet Private LAN (EP-LAN): CE1, CE2 and CE3 share P2MP EVCs across the Metro Ethernet network on their physical ports. This example also selects the 256-bit cipher suite: the key chain uses cryptographic-algorithm aes-256-cmac (the key-string must then be 64 hex characters instead of 32) and an MKA policy sets macsec-cipher-suite gcm-aes-256; the policy is applied on the interface.

CE1 / CE2 / CE3 config (identical on all three; * marks mandatory MACsec CLI):

    key chain k1 macsec*
     key 01
      key-string
      cryptographic-algorithm aes-256-cmac
    mka policy p1
     macsec-cipher-suite gcm-aes-256
    interface GigabitEthernet0/0/4
     ip address
     mka pre-shared-key key-chain k1*
     mka policy p1
     macsec*

Defaults:
- MKA policy: key server priority 0, confidentiality offset 0
- MACsec interface parameters: dot1q-in-clear 0, access-control must-secure, replay-protection-window-size 64
- Key chain: lifetime unlimited

95 VLAN-based E-LAN Service (P2MP)

Use case 4: VLAN-based E-LAN (point-to-multipoint), a.k.a. Ethernet Virtual Private LAN (EVP-LAN). Example 1: CE1, CE2, CE3 and CE4 share one VLAN (VLAN 10) on P2MP EVCs across the Metro Ethernet network, each on an 802.1Q sub-interface.

Router peering model for E-LAN (VPLS) services: physically each CE attaches to the carrier E-LAN (multipoint) service; logically the routers sit in a flat Ethernet bridge domain and peer N-1 per VLAN/sub-interface. Multicast replication is done in the core of the provider network. This targets more of a branch deployment; caution is required because IP peering is N-1 (N = router nodes); the SP dictates either port mode (no 802.1Q tag) or the router sending an 802.1Q tag; the configuration is less complex.

CE1 config (* marks mandatory MACsec CLI):

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
     eapol destination-address broadcast
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

CE2 / CE3 config:

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*
     eapol destination-address broadcast

Note: on the multipoint service the MKA EAPOL PDUs are sent to the broadcast address rather than the default 01:80:c2:00:00:03, so that the provider's bridge domain floods them to every CE in the VLAN; the default is a reserved bridge group address that a provider bridge may not forward. eapol destination-address can be set on the main interface (inherited by the sub-interfaces) or on an individual sub-interface (see slide 116).

96 Multiple VLAN-based E-LAN Services (P2MP)

Example 2: CE1 is a member of two VLAN-based E-LAN services on one physical port, VLAN 10 with CE2 and CE3 and VLAN 20 with CE4 and CE5 (P2MP EVCs across the Metro Ethernet network, one sub-interface per VLAN; router peering is N-1 per VLAN/sub-interface).

CE1 config (* marks mandatory MACsec CLI):

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*
    interface GigabitEthernet0/0/4.2
     encapsulation dot1q 20
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

CE2 / CE3 config:

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

CE4 / CE5 config:

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.2
     encapsulation dot1q 20
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

97 Mix of VLAN-based E-LINE and E-LAN Services (P2P & P2MP)

Example 3: CE1 uses one physical port for a P2P EVC to CE2 on VLAN 10 (E-LINE, key chain k1, default GCM-AES-128) and a P2MP EVC to CE3 and CE4 on VLAN 20 (E-LAN, key chain k2 with aes-256-cmac and MKA policy p1 selecting GCM-AES-256). Key chain names are local to each router: CE3 and CE4 call their chain k1, but its key id (the CKN) and key-string (the CAK) must match CE1's k2, and the MKA policy cipher suite must match on every router in the VLAN 20 session.

CE1 config (* marks mandatory MACsec CLI):

    key chain k1 macsec*
     key 01
      key-string
    key chain k2 macsec*
     key 01
      key-string
      cryptographic-algorithm aes-256-cmac
    mka policy p1
     macsec-cipher-suite gcm-aes-256
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*
    interface GigabitEthernet0/0/4.2
     encapsulation dot1q 20
     ip address
     mka pre-shared-key key-chain k2*
     mka policy p1
     macsec*

CE2 config:

    key chain k1 macsec*
     key 01
      key-string
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.1
     encapsulation dot1q 10
     ip address
     mka pre-shared-key key-chain k1*
     macsec*

CE3 / CE4 config:

    key chain k1 macsec*
     key 01
      key-string
      cryptographic-algorithm aes-256-cmac
    mka policy p1
     macsec-cipher-suite gcm-aes-256
    interface GigabitEthernet0/0/4
     macsec dot1q-in-clear 1*
    interface GigabitEthernet0/0/4.2
     encapsulation dot1q 20
     ip address
     mka pre-shared-key key-chain k1*
     mka policy p1
     macsec*

98 Configurable MKA, MACsec and Key Chain CLIs and Parameters

MKA policy (global):
- key-server priority: 0 to 64; default 0
- macsec-cipher-suite: gcm-aes-128 or gcm-aes-256; default gcm-aes-128
- confidentiality-offset: 0, 30 or 50; default 0 (with 30 or 50, the first 30 or 50 bytes after the SecTAG are integrity-protected but sent unencrypted)

Key chain (global):
- key <key id>
- cryptographic-algorithm: aes-128-cmac or aes-256-cmac; default aes-128-cmac
- key-string: hex characters; no default
- lifetime: hh:mm:ss, local time in the local time zone; default unlimited

MACsec (interface):
- macsec replay-protection-window-size: 0-x; default 64
- macsec access-control: must-secure or should-secure; default must-secure
- macsec dot1q-in-clear: 0 or 1; default 0
- eapol destination-address: H.H.H (any MAC address), bridge-group-address, lldp-multicast-address or broadcast; default 01:80:c2:00:00:03
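The rules that slides 92 to 98 and 116 state for these configs (CAK length versus key chain algorithm, dot1q-in-clear on the main interface when sub-interfaces are used, should-secure when MACsec and non-MACsec sub-interfaces are mixed, matching CKN/CAK and cipher suite on both peers) can be checked before a change window instead of after a lockout. The following is an added example, not code from the Cisco deck or from IOS XE: a small Python lint that parses an IOS XE style fragment and applies those rules. The hostnames, interface names and hex keys are constructed sample data; the requirement of 32 hex characters for aes-128-cmac and 64 for aes-256-cmac is the IOS XE key-string rule and is assumed here.

```python
# Added example, not from the Cisco deck; interface names and hex keys are constructed sample data.
import re

CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}   # CAK length each key chain algorithm expects
INTF_CMDS = {r"mka pre-shared-key key-chain (\S+)": "keychain", r"mka policy (\S+)": "policy",
             r"macsec dot1q-in-clear (\d)": "dot1q_in_clear", r"macsec access-control (\S+)": "access_control"}

def parse_config(text):
    """IOS XE fragment -> dict; top-level commands at column 0, sub-commands indented."""
    cfg = {"keychains": {}, "policies": {}, "interfaces": {}}
    cur, kid = {}, None                               # current top-level block, current key id
    for raw in filter(str.strip, text.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():                      # a top-level command opens a new block
            if m := re.fullmatch(r"key chain (\S+) macsec", line):
                cur = cfg["keychains"][m[1]] = {"algo": "aes-128-cmac", "keys": {}}
            elif m := re.fullmatch(r"mka policy (\S+)", line):
                cur = cfg["policies"][m[1]] = {"cipher": "gcm-aes-128"}
            elif m := re.fullmatch(r"interface (\S+)", line):   # interface defaults from slide 98
                cur = cfg["interfaces"][m[1]] = dict(macsec=False, keychain=None, policy=None,
                                                     dot1q_in_clear="0", access_control="must-secure")
            else:
                cur = {}
        elif "keys" in cur:                           # inside a key chain
            if m := re.fullmatch(r"key (\S+)", line):
                kid = m[1]; cur["keys"][kid] = None   # the key id is the CKN
            elif m := re.fullmatch(r"key-string (\S+)", line):
                cur["keys"][kid] = m[1]               # the key-string is the CAK
            elif m := re.fullmatch(r"cryptographic-algorithm (\S+)", line):
                cur["algo"] = m[1]
        elif "cipher" in cur:                         # inside an mka policy
            if m := re.fullmatch(r"macsec-cipher-suite (\S+)", line):
                cur["cipher"] = m[1]
        elif "macsec" in cur:                         # inside an interface
            if line == "macsec":
                cur["macsec"] = True
            for pat, field in INTF_CMDS.items():
                if m := re.fullmatch(pat, line):
                    cur[field] = m[1]
    return cfg

def lint(cfg):
    """Findings for one router's config; an empty list means the deck's rules are met."""
    out = []
    for name, kc in cfg["keychains"].items():
        want = CAK_HEX_LEN.get(kc["algo"])
        for kid, cak in kc["keys"].items():
            if want is None or not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, cak or ""):
                out.append(f"key chain {name} key {kid}: CAK must be {want} hex chars for {kc['algo']}")
    for name, i in cfg["interfaces"].items():
        if "." in name:
            continue                                  # sub-interfaces are checked through their parent
        subs = {n: s for n, s in cfg["interfaces"].items() if n.startswith(name + ".")}
        if subs and i["dot1q_in_clear"] != "1":
            out.append(f"{name}: sub-interfaces need 'macsec dot1q-in-clear 1' on the main interface")
        secured = [n for n, s in subs.items() if s["macsec"]]
        if secured and len(secured) < len(subs) and i["access_control"] != "should-secure":
            out.append(f"{name}: MACsec and non-MACsec sub-interfaces mixed; set 'macsec access-control should-secure'")
    return out

def peer_material(cfg, intf):
    """(CKN -> CAK, cipher suite) offered to MKA; a sub-interface inherits the main interface's policy."""
    i = cfg["interfaces"][intf]
    pol = i["policy"] or cfg["interfaces"].get(intf.split(".")[0], i)["policy"]
    return cfg["keychains"][i["keychain"]]["keys"], cfg["policies"].get(pol, {"cipher": "gcm-aes-128"})["cipher"]

# Constructed after slides 94/95: CE1 hub, VLAN 10 sub-interface, 256-bit CAK and GCM-AES-256.
CE1 = """\
key chain k1 macsec
 key 01
  key-string 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1
 mka policy p1
interface GigabitEthernet0/0/4.1
 mka pre-shared-key key-chain k1
 macsec
"""
# Constructed CE2 spoke with two mistakes: a 32-hex CAK under aes-256-cmac, and a plaintext
# sub-interface (VLAN 20) added while the main interface is still at the must-secure default.
CE2 = """\
key chain k1 macsec
 key 01
  key-string 0123456789abcdef0123456789abcdef
  cryptographic-algorithm aes-256-cmac
mka policy p1
 macsec-cipher-suite gcm-aes-256
interface GigabitEthernet0/0/4
 macsec dot1q-in-clear 1
interface GigabitEthernet0/0/4.1
 mka pre-shared-key key-chain k1
 mka policy p1
 macsec
interface GigabitEthernet0/0/4.2
 encapsulation dot1q 20
"""
```

Running lint(parse_config(CE2)) reports the short CAK and the missing should-secure, while CE1 is clean; comparing peer_material() for the two VLAN 10 sub-interfaces shows the cipher suites agree but the CAKs do not, which is exactly the mismatch that leaves an MKA session stuck without a SAK. The lint reads only the fields the deck discusses, so `ip address` and `encapsulation` lines are ignored.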

99 Monitoring and Troubleshooting

100 Monitoring and Troubleshooting: Show CLIs

MACsec:

    show macsec summary
    show macsec statistics interface <interface>
    show macsec status interface <interface>

MKA:

    show mka sessions
    show mka sessions detail
    show mka sessions interface <interface> port <port> detail
    show mka policy <MKA policy name>

101 Monitoring and Troubleshooting: Show CLI Sample Output

    R2#show macsec summary
    MACsec Capable Interface      Extension
    TenGigabitEthernet0/0/1       One tag-in-clear
    GigabitEthernet0/0/1          One tag-in-clear

    MACsec Enabled Interface      Receive SC   VLAN
    GigabitEthernet0/0/1.10     : 8            10
    R2#

    R2#show macsec status int gi0/0/1.10
    Capabilities:
      Validate Frames: Strict
      Ciphers Supported: GCM-AES-128 GCM-AES-256
      Include SCI: Yes
    Cipher: GCM-AES-128
    Confidentiality Offset: 0
    Transmit SC:
      SCI: 0022BDEF
      Transmitting: TRUE
    Transmit SA:
      Next PN: 1712
    Receive SC:
      Receiving: TRUE
    Receive SA:
      In Use: TRUE
      Next PN: 1731
    R2#

The summary lists the MACsec-capable interfaces with their tag-in-clear extension and the MACsec-enabled interfaces with their receive SC and VLAN. The status output confirms the negotiated cipher, that received frames are validated in strict mode, and that the transmit and receive secure associations are active, with the next packet number each will use.
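The status output above is what an operator polls to confirm an SA is healthy, and the same fields tell you when it is not: a Validate Frames mode other than Strict, a transmit or receive side that is not active, or a packet number approaching the 32-bit limit of the non-XPN GCM-AES suites, at which point MKA has to rekey. The following is an added example, not code from the Cisco deck or from IOS XE: a Python parser for that output plus an audit of those conditions. The first sample is the text from slide 101 (with the SCI as it appears there); the degraded variant is constructed. The 90% packet-number threshold and the set of cipher names are assumptions of this example.

```python
# Added example, not from the Cisco deck. Parses 'show macsec status interface ...' output from an
# IOS XE router and flags what an operator should act on. The first sample is taken from slide 101.
import re

PN_MAX = {"GCM-AES-128": 2**32 - 1, "GCM-AES-256": 2**32 - 1,          # 32-bit PN, IEEE 802.1AE
          "GCM-AES-XPN-128": 2**64 - 1, "GCM-AES-XPN-256": 2**64 - 1}  # 64-bit PN, XPN suites

def parse_macsec_status(text):
    """Flatten the indented 'show macsec status' tree into {section: {field: value}}."""
    status, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or re.match(r"\S+#", line):       # skip blank lines and the router prompt
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                                 # a "Transmit SC:" style line opens a section
            section = key
            status.setdefault(section, {})
        else:
            status.setdefault(section, {})[key] = value
    return status

def audit_macsec_status(status, pn_warn=0.9):
    """Findings a practitioner should act on; an empty list means the secure channel looks healthy."""
    def field(name, section=None):
        scopes = [status.get(section, {})] if section else status.values()
        return next((s[name] for s in scopes if name in s), None)
    out = []
    if field("Validate Frames") != "Strict":
        out.append("Validate Frames is not Strict: unprotected or tampered frames may be accepted")
    cipher = field("Cipher")
    if cipher not in PN_MAX:
        out.append(f"unexpected cipher suite {cipher!r}")
    offset = field("Confidentiality Offset")
    if offset not in ("0", None):
        out.append(f"confidentiality offset {offset}: the first {offset} payload bytes are sent unencrypted")
    if field("Transmitting", "Transmit SC") != "TRUE" or field("Receiving", "Receive SC") != "TRUE":
        out.append("secure channel is not passing traffic in both directions")
    if field("In Use", "Receive SA") != "TRUE":
        out.append("no receive SA in use")
    for sa in ("Transmit SA", "Receive SA"):          # non-XPN suites exhaust a 32-bit PN; MKA must rekey first
        pn = int(field("Next PN", sa) or 0)
        if cipher in PN_MAX and pn > pn_warn * PN_MAX[cipher]:
            out.append(f"{sa}: packet number {pn} is past {pn_warn:.0%} of the PN space; expect an MKA rekey")
    return out

# Output as printed on slide 101 (the SCI appears there as shown).
SAMPLE = """\
R2#show macsec status int gi0/0/1.10
Capabilities:
  Validate Frames: Strict
  Ciphers Supported: GCM-AES-128 GCM-AES-256
  Include SCI: Yes
Cipher: GCM-AES-128
Confidentiality Offset: 0
Transmit SC:
  SCI: 0022BDEF
  Transmitting: TRUE
Transmit SA:
  Next PN: 1712
Receive SC:
  Receiving: TRUE
Receive SA:
  In Use: TRUE
  Next PN: 1731
R2#
"""
# Constructed variant: frame validation relaxed and the transmit PN close to the 32-bit limit.
DEGRADED = (SAMPLE.replace("Validate Frames: Strict", "Validate Frames: Check")
                  .replace("Next PN: 1712", "Next PN: 4200000000"))
```

audit_macsec_status(parse_macsec_status(SAMPLE)) returns no findings; the degraded variant reports the relaxed validation mode and the transmit SA approaching PN exhaustion. Feeding the parser the output of `show macsec status` for every sub-interface on a hub gives a quick per-peer health table, which matters on E-LINE hubs with one MKA session per sub-interface.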

102 Monitoring and Troubleshooting: Debug CLIs

    debug mka events | errors | packets           troubleshooting MKA session bring-up issues
    debug mka linksec-interface                   troubleshooting MKA keep-alive issues
    debug platform software macsec info | error   MACsec info/error debugging

103 Monitoring and Troubleshooting: Syslog Messages

104 WAN MACsec Considerations

Scale and performance:
- 1GE interface: maximum 8 peers per interface
- 10GE interface: maximum 32 peers per interface
- Line-rate performance, but it may be limited by system throughput
- Line-rate performance minus the MACsec overhead of about 32 bytes per frame (16-byte SecTAG including the SCI plus the 16-byte ICV)

Feature interoperability:
- MACsec with EtherChannel (link bundling) is not supported
- MACsec with TrustSec (SGT inline transport over Ethernet) configuration is not supported

105 Best Practices

1. Ensure basic Layer 2 connectivity is established before enabling MACsec.
2. Ensure out-of-band connectivity to the remote site exists, so that a key or policy mismatch does not lock you out.
3. Use access-control should-secure only during migration or when a mix of unsecured traffic is expected; since should-secure accepts and forwards plaintext frames, return to must-secure once the migration is complete.
4. Configure the WAN interface MTU to allow for the MACsec overhead of about 32 bytes.

106 Key Takeaways

- The underlying transport determines the encryption choices
- MACsec provides better protection with less overhead
- Line-rate performance at 1G/10G/40G/100G
- LAN MACsec is available on most products
- WAN MACsec: first in the industry
- Next-generation encryption technology
- Ease of configuration and use

107 References

108 LAN MACsec Supported Platforms

Keying supported on all platforms listed: EAP/SAP/128 and PSK/SAP/128.
- Nexus 7000 M1 line cards: Yes
- Nexus 7000 M2 line cards: Yes
- Catalyst 6500/6800 (Sup-2T / 6900 Series line cards): Yes
- Catalyst 4500-X: Yes
- Catalyst 4500-E (Sup-7E and 8E): Yes
- Catalyst 3560-X/3750-X: Yes
- Catalyst 5760/3850/3650: Yes
- C3KX-SM-10G module for Catalyst 3KX: Yes
- SM-X Layer 2/3 EtherSwitch module for ISR: Yes

109 WAN MACsec Supported Platforms

Keying supported: PSK/MKA, 128 and 256 bit.
- ASR 1001-X: Yes
- 2-Port Gigabit Ethernet WAN NIM (NIM-2GE-CU-SFP) for ISR 4xxx Series: Yes

110 References

- Cisco TrustSec 3.0 How-To Guide: Introduction to MACSec and NDAC
- Configuring MACsec Encryption
- MACSEC and MKA Configuration Guide, Cisco IOS XE Release 3S
- Other relevant session: BRKRST-2309, Introduction to WAN MACSec: Aligning Encryption Technologies with WAN Transport


116 MACsec CLI Behavior and Restrictions

- macsec dot1q-in-clear and macsec access-control must-secure/should-secure can only be configured on the main interface; the setting is inherited automatically by the sub-interfaces. Because of a hardware restriction this behavior cannot be changed.
- mka policy, macsec replay-protection-window-size and eapol destination-address can be configured on the main interface and/or on a sub-interface. When configured on the main interface the value is inherited by the sub-interfaces; an explicit configuration on a sub-interface overrides the inherited value or policy for that sub-interface.

Note: macsec access-control must-secure/should-secure controls how unencrypted packets are processed:
- should-secure allows unencrypted packets to be transmitted and received on the main interface and its sub-interfaces.
- must-secure does not allow unencrypted packets to be transmitted or received on the main interface or its sub-interfaces, and drops them.
- If MACsec and non-MACsec sub-interfaces coexist, should-secure is mandatory.


Small Enterprise Design Profile(SEDP) WAN Design CHAPTER 3 Small Enterprise Design Profile(SEDP) WAN Design This chapter discusses how to design and deploy WAN architecture for Small Enterprise Design Profile. The primary components of the WAN architecture

More information

Auto Identity. Auto Identity. Finding Feature Information. Information About Auto Identity. Auto Identity Overview. Auto Identity, page 1

Auto Identity. Auto Identity. Finding Feature Information. Information About Auto Identity. Auto Identity Overview. Auto Identity, page 1 , page 1 The feature provides a set of built-in policies at global configuration and interface configuration modes. This feature is available only in Class-Based Policy Language (CPL) control policy-equivalent

More information

Evolving your Campus Network with. Campus Fabric. Shawn Wargo. Technical Marketing Engineer BRKCRS-3800

Evolving your Campus Network with. Campus Fabric. Shawn Wargo. Technical Marketing Engineer BRKCRS-3800 Evolving your Campus Network with Campus Fabric Shawn Wargo Technical Marketing Engineer BRKCRS-3800 Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility

More information

Secure PTP - Protecting PTP with MACsec without losing accuracy. ITSF 2014 Thomas Joergensen Vitesse Semiconductor

Secure PTP - Protecting PTP with MACsec without losing accuracy. ITSF 2014 Thomas Joergensen Vitesse Semiconductor Secure PTP - Protecting PTP with MACsec without losing accuracy ITSF 2014 Thomas Joergensen Vitesse Semiconductor Security issues with PTP It is possible to spoof time and attack PTP if the PTP traffic

More information

Managing Site-to-Site VPNs

Managing Site-to-Site VPNs CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Serviceability of SD-WAN

Serviceability of SD-WAN BRKCRS-2112 Serviceability of SD-WAN Chandrabalaji Rajaram & Ali Shaikh Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live

More information

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios

Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios Configure IBNS 2.0 for Single-Host and Multi- Domain Scenarios Contents Introduction Prerequisites Requirements Components Used Configure Configuration Theory Scenario for Single-Host Scenario for Multi-Domain

More information

Configuring 802.1Q VLAN Interfaces

Configuring 802.1Q VLAN Interfaces A VLAN is a group of devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments.

More information

Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide

Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide Cisco Catalyst 6500 Series Wireless LAN Services Module: Detailed Design and Implementation Guide Introduction This is the first of a series of documents on the design and implementation of a wireless

More information

Configure Virtual LANs in Layer 2 VPNs

Configure Virtual LANs in Layer 2 VPNs The Layer 2 Virtual Private Network (L2VPN) feature enables Service Providers (SPs) to provide L2 services to geographically disparate customer sites. A virtual local area network (VLAN) is a group of

More information

Configuring Link Aggregation

Configuring Link Aggregation Information About Link Aggregation, page 1 Restrictions for Link Aggregation, page 2 (GUI), page 4 (CLI), page 4 Verifying Link Aggregation Settings (CLI), page 5 Configuring Neighbor Devices to Support

More information

Network Encryption 3 4/20/17

Network Encryption 3 4/20/17 The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server

More information

Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling

Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling 9 CHAPTER Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling Virtual private networks (VPNs) provide enterprise-scale connectivity on a shared infrastructure, often Ethernet-based, with the

More information

IEEE 802.1X Multiple Authentication

IEEE 802.1X Multiple Authentication The feature provides a means of authenticating multiple hosts on a single port. With both 802.1X and non-802.1x devices, multiple hosts can be authenticated using different methods. Each host is individually

More information

Deploying MPLS L2VPN

Deploying MPLS L2VPN Deploying MPLS L2VPN Nurul Islam Roman (nurul@apnic.net) 1 Abstract This session covers the fundamental and advanced topics associated with the deployment of Layer 2 VPNs over an MPLS network. The material

More information

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco

Cisco Campus Fabric Introduction. Vedran Hafner Systems engineer Cisco Cisco Campus Fabric Introduction Vedran Hafner Systems engineer Cisco Campus Fabric Abstract Is your Campus network facing some, or all, of these challenges? Host Mobility (w/o stretching VLANs) Network

More information

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003

Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview

More information

Configuration and Management of Networks. Pedro Amaral

Configuration and Management of Networks. Pedro Amaral Configuration and Management of Networks Pedro Amaral 2012 Service Provider Networks Carrier grade networks that carry customers traffic: Triple play residential customers Voice High Speed Internet Broadcast

More information

Configuring Authentication Types

Configuring Authentication Types CHAPTER 11 This chapter describes how to configure authentication types on the access point. This chapter contains these sections: Understanding Authentication Types, page 11-2, page 11-10 Matching Access

More information

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER

GRE and DM VPNs. Understanding the GRE Modes Page CHAPTER CHAPTER 23 You can configure Generic Routing Encapsulation (GRE) and Dynamic Multipoint (DM) VPNs that include GRE mode configurations. You can configure IPsec GRE VPNs for hub-and-spoke, point-to-point,

More information

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

PASS4TEST. IT Certification Guaranteed, The Easy Way!   We offer free update service for one year PASS4TEST \ http://www.pass4test.com We offer free update service for one year Exam : 300-208 Title : Implementing Cisco Secure Access Solutions Vendor : Cisco Version : DEMO Get Latest & Valid 300-208

More information

Configuring VPLS. VPLS overview. Operation of VPLS. Basic VPLS concepts

Configuring VPLS. VPLS overview. Operation of VPLS. Basic VPLS concepts Contents Configuring VPLS 1 VPLS overview 1 Operation of VPLS 1 VPLS packet encapsulation 4 H-VPLS implementation 5 Hub-spoke VPLS implementation 7 Multi-hop PW 8 VPLS configuration task list 9 Enabling

More information

Configuring FlexConnect Groups

Configuring FlexConnect Groups Information About FlexConnect Groups, page 1, page 3 Configuring VLAN-ACL Mapping on FlexConnect Groups, page 8 Information About FlexConnect Groups To organize and manage your FlexConnect access points,

More information

VPN Cloud. Mako s SD-WAN Technology

VPN Cloud. Mako s SD-WAN Technology VPN Cloud Mako s SD-WAN Technology Introduction VPN Cloud is a secure, scalable, and flexible encrypted wide area networking solution from Mako Networks. It is designed to be used to link remote or distributed

More information

The Cisco ASR 9000 Series Routers Carrier Ethernet Model

The Cisco ASR 9000 Series Routers Carrier Ethernet Model The Cisco ASR 9000 Series Routers Carrier Ethernet Model This module introduces you to Layer 2 (L2) features and standards. This module also describes how to configure L2VPN features on the Cisco ASR 9000

More information

Sections Describing Standard Software Features

Sections Describing Standard Software Features 27 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic-qos (auto-qos) commands or by using standard QoS commands. With QoS, you can give preferential treatment to

More information

Hands-On Metro Ethernet Carrier Class Networks

Hands-On Metro Ethernet Carrier Class Networks Hands-On Carrier Class Networks Course Description Carriers have offered connectivity services based on traditional TDM, Frame Relay and ATM for many years. However customers now use Ethernet as the interface

More information

MACSec Security Service FIPS Validation. Richard Wang May 19, 2017 International Crypto Module Conference

MACSec Security Service FIPS Validation. Richard Wang May 19, 2017 International Crypto Module Conference MACSec Security Service FIPS Validation Richard Wang May 19, 2017 International Crypto Module Conference Topics! MACSec Overview! MACSec Authentication Mechanisms! MACSec with FIPS! Draft IG A.5! References!

More information

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist VPN World MENOG 16 Istanbul-Turkey By Ziad Zubidah Network Security Specialist What is this Van used for?! Armed Van It used in secure transporting for valuable goods from one place to another. It is bullet

More information

Setting Up OER Network Components

Setting Up OER Network Components Setting Up OER Network Components First Published: January 29, 2007 Last Updated: August 21, 2007 This module describes the concepts and tasks to help you set up the network components required for an

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 21 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

Carrier Ethernet Services

Carrier Ethernet Services CHAPTER 6 The following topics describe how you can use Cisco ANA to monitor Carrier Ethernet services. Supported Carrier Ethernet Technologies, page 6-1 VLANs, page 6-2 STP, page 6-5 Cisco REP, page 6-6

More information

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY

802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY 802.1X Authentication Services Configuration Guide, Cisco IOS Release 15SY Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000

More information

Securing Your Wireless LAN

Securing Your Wireless LAN Securing Your Wireless LAN Pejman Roshan Product Manager Cisco Aironet Wireless Networking Session Number 1 Agenda Requirements for secure wireless LANs Overview of 802.1X and TKIP Determining which EAP

More information

Cisco.Realtests v by.TAMMY.29q. Exam Code: Exam Name: CXFF - Cisco Express Foundation for Field Engineers

Cisco.Realtests v by.TAMMY.29q. Exam Code: Exam Name: CXFF - Cisco Express Foundation for Field Engineers Cisco.Realtests.648-385.v2014-07-08.by.TAMMY.29q Number: 648-385 Passing Score: 800 Time Limit: 120 min File Version: 24.5 http://www.gratisexam.com/ Exam Code: 648-385 Exam Name: CXFF - Cisco Express

More information

Configuring Private Hosts

Configuring Private Hosts CHAPTER 25 This chapter describes how to configure the private hosts feature in Cisco IOS Release 12.2SX. Note For complete syntax and usage information for the commands used in this chapter, see the Cisco

More information

Firepower Threat Defense Site-to-site VPNs

Firepower Threat Defense Site-to-site VPNs About, on page 1 Managing, on page 3 Configuring, on page 3 Monitoring Firepower Threat Defense VPNs, on page 11 About Firepower Threat Defense site-to-site VPN supports the following features: Both IPsec

More information

Cisco EXAM Designing for Cisco Internetwork Solutions. Buy Full Product.

Cisco EXAM Designing for Cisco Internetwork Solutions. Buy Full Product. Cisco EXAM - 640-864 Designing for Cisco Internetwork Solutions Buy Full Product http://www.examskey.com/640-864.html Examskey Cisco 640-864 exam demo product is here for you to test the quality of the

More information

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo Vendor: HP Exam Code: HP2-Z32 Exam Name: Implementing HP MSM Wireless Networks Version: Demo QUESTION 1 A network administrator deploys several HP MSM APs and an HP MSM Controller. The APs discover the

More information

Configuring 802.1X Port-Based Authentication

Configuring 802.1X Port-Based Authentication CHAPTER 10 This chapter describes how to configure IEEE 802.1X port-based authentication on the Catalyst 3750 switch. As LANs extend to hotels, airports, and corporate lobbies, creating insecure environments,

More information

Configure TrustSec NDAC seed and non-seed devices

Configure TrustSec NDAC seed and non-seed devices Configure TrustSec NDAC seed and non-seed devices Contents Introduction Prerequisites Components Used Network Diagram IP addresses ISE Configuration Add Network Devices 6500 (Seed) 3560X (Non-seed) TrustSec

More information

Routing Between VLANs Overview

Routing Between VLANs Overview Routing Between VLANs Overview This chapter provides an overview of VLANs. It describes the encapsulation protocols used for routing between VLANs and provides some basic information about designing VLANs.

More information