Comment by Hikikomori

Comment by Hikikomori 21 hours ago

When macsec exists?

No kidding.

Just to elaborate for others, MACSec is a standard (802.1ae) and runs at line rate. Something like a Juniper PTX10008 can run it at 400Gbps, and it’s just a feature you turn on for the port you’d be using for the link you want to protect anyway (PTXs are routers/switches, not security devices).

If I need to provide encryption on a DCI, I’m at least somewhat likely to have gear that can just do this with vendor support instead of needing to slap together some Linux based solution.

Unless, I suppose, there’s various layer 2 domains you’re stitching together with multiple L2 hops and you don’t control the ones in the middle. In which case I’d just get a different link where that isn’t true.

Reply View 3 replies

tecleandor 7 hours ago

I have at least one switch that's MACSec compatible at line speed but I haven't had time to take a look. I guess this is confined to LAN and cannot do a MACSec link through the internet, isn't it?

Reply View | 2 replies
- bc569a80a344f9c 6 hours ago
  
  It’s port to port. It protects a link.
  
  Reply View | 1 reply
  
  tecleandor 3 hours ago
  
  Thanks!
  
  Reply View | 0 replies

c0l0 11 hours ago

Yeah that would have been great, but it's not available on our existing core switches (Dell PowerSwitch S5200 series).

Reply View 0 replies

ur-whale 19 hours ago

> When macsec exists?

When you say "exists" ... is there an OpenSource high-quality implementation ?

Reply View 1 reply

Hikikomori 18 hours ago

https://man7.org/linux/man-pages/man8/ip-macsec.8.html
Generally its used when you have links going between two of your sites, so you typically only need it on your switch or router that terminate that link.

Reply View | 0 replies