# [Note] MACsec learning note
###### tags: `MACsec`, `IEEE 802.1AE`, `IEEE 802.1x-2010`, `MACsec tag`, `0x88E5`
[toc]
## Introduction
### What is MACsec
<div style="text-align: center"><img src="https://i.imgur.com/vmz1mli.png"/></div></br>
- A protocol that provides confidentiality and integrity of data at layer 2.
- Standardized in IEEE 802.1AE.
- Capable of identifying and preventing most security threats, including:
    - denial of service
    - intrusion
    - man-in-the-middle
    - masquerading
    - passive wiretapping
    - playback attacks
- Able to secure all traffic within a LAN, including:
    - DHCP
    - ARP
    - LLDP
    - LACP
    - traffic from higher-layer protocols
- Uses per-hop encryption, as shown below.
<div style="text-align: center"><img src="https://i.imgur.com/0sgU6J9.png"/></div>
### MACsec Protocols & Algorithms
<div style="text-align: center"><img src="https://i.imgur.com/IUT36Op.png"/></div>
</br>
## Why MACsec is needed
- The OSI model was built to allow different layers to work without knowledge of each other.
<div style="text-align: center"><img src="https://i.imgur.com/dfL0PVB.png"/></div></br>
- Lower layers affect higher layers.
- Unfortunately, this means that if one layer is compromised, communications are compromised without the other layers being aware of the problem.
- Security is only as strong as the weakest link.
- When it comes to networking, layer 2 can be a VERY weak link.
<div style="text-align: center"><img src="https://i.imgur.com/yaPNChL.png"/></div></br>
### Types of Layer 2 Security Attacks
1. MAC flood / address table exhaustion attacks
2. ARP Spoofing attacks
3. DHCP Starvation attacks
4. VLAN hopping attacks
5. Spanning Tree Protocol attacks
6. Multicast Brute Force attack
## When is MACsec standardized
### MACsec Timeline
<div style="text-align: center"><img src="https://i.imgur.com/wwQCcXE.png"/></div></br>
## How does MACsec work
<div style="text-align: center"><img src="https://i.imgur.com/aUOBPW0.png"/></div></br>
MACsec is deployed in two modes, as shown above:
1. Between switches: **Uplink MACsec**
2. Between a switch and its hosts: **Downlink MACsec**

In general, before MACsec starts protecting frames, MKA (MACsec Key Agreement) first runs to set up the CA (Connectivity Association) and install the various keys, such as the CAK, MSK and SAK.
> Upon **transmission**, each frame is assigned to an SA and identified by its Association Number (AN). The AN is used to identify the SAK and the next Packet Number (PN), and all of these are encoded into a SecTAG.
>
> Upon **receipt** of a MACsec frame, the AN, PN and Short Length (SL) fields are extracted from the SecTAG and used to assign the frame to an SA to identify the SAK.
<div style="text-align: center"><img src="https://i.imgur.com/H8UULKO.png"/></div></br>
### MACsec Frame Overview
<div style="text-align: center"><img src="https://i.imgur.com/n4BdZcM.png"/></div></br>
### MAC Frame structure
<div style="text-align: center"><img src="https://i.imgur.com/q8U0nUy.png"/></div></br>
### MACsec Concepts
</br>
<div style="text-align: center"><img src="https://i.imgur.com/VhgMHbz.png"/></div></br>
<div style="text-align: center"><img src="https://i.imgur.com/LKruohp.png"/></div></br>
### Sec TAG Format
<div style="text-align: center"><img src="https://i.imgur.com/qOdj2uo.png"/></div></br>
- SCI (Secure Channel Identifier) = System MAC + Port ID
- SAI (Secure Association Identifier) = SCI + AN
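The receive-side steps quoted above (assign the frame to an SA from its AN, look up the SAK, check the PN) and the SCI/SAI relations in this section can be made concrete with a small decoder. The Python below is an added example written for this note, not code from the standard or from any of the referenced vendor documents: it parses the SecTAG that follows the 0x88E5 EtherType, applies the validity checks a SecY performs on reception, derives the SCI (System MAC + Port ID) whether it is carried explicitly or implied by the ES/SCB bits, forms the SAI (SCI + AN), separates secure data from the ICV using the Short Length field, and enforces a replay window. The MAC addresses, cipher octets and ICV in the frame are constructed placeholders, and the class, function and field names are my own.

```python
"""Decode and validate a MACsec SecTAG (EtherType 0x88E5, IEEE 802.1AE).
Added example for this note, not code from the standard or any vendor cited here;
frame bytes are constructed, and SAK lookup / ICV verification stay with the cipher suite."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16        # GCM-AES-128 and GCM-AES-256 both use a 16-octet ICV
MIN_NON_SHORT = 48  # secure data shorter than this must announce its length in SL


@dataclass
class SecTag:
    es: bool              # TCI.ES: SCI not encoded, equals source MAC + port 0x0001
    sc: bool              # TCI.SC: explicit 8-octet SCI follows the PN
    scb: bool             # TCI.SCB: SCI not encoded, equals source MAC + port 0x0000
    encrypted: bool       # TCI.E
    changed: bool         # TCI.C
    an: int               # Association Number, 0..3
    sl: int               # Short Length
    pn: int               # Packet Number (the 32 bits carried in the tag)
    sci: Optional[bytes]  # explicit or derived SCI; None when only the peer knows it
    header_len: int       # octets used by EtherType + SecTAG


def parse_sectag(frame: bytes, offset: int = 12) -> SecTag:
    """Parse the SecTAG at `offset` (directly after DA/SA, no clear-text VLAN tag)."""
    (etype,) = struct.unpack_from("!H", frame, offset)
    if etype != MACSEC_ETHERTYPE:
        raise ValueError(f"EtherType 0x{etype:04X} is not MACsec")
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, offset + 2)
    tag = SecTag(es=bool(tci_an & 0x40), sc=bool(tci_an & 0x20), scb=bool(tci_an & 0x10),
                 encrypted=bool(tci_an & 0x08), changed=bool(tci_an & 0x04),
                 an=tci_an & 0x03, sl=sl & 0x3F, pn=pn, sci=None, header_len=8)
    # Receive-side validation for the original (non-XPN) 802.1AE suites: version bit,
    # reserved SL bits, PN 0, SC combined with ES/SCB, and E=1 with C=0 are all invalid.
    if tci_an & 0x80 or sl & 0xC0 or pn == 0:
        raise ValueError("invalid SecTAG: version bit, reserved SL bits or PN 0")
    if (tag.sc and (tag.es or tag.scb)) or (tag.encrypted and not tag.changed):
        raise ValueError("invalid SecTAG: bad TCI bit combination")
    if tag.sc:  # SCI = System MAC + Port ID, carried explicitly after the PN
        tag.sci, tag.header_len = bytes(frame[offset + 8:offset + 16]), 16
        if len(tag.sci) != 8:
            raise ValueError("truncated SCI")
    elif tag.es:
        tag.sci = bytes(frame[6:12]) + b"\x00\x01"
    elif tag.scb:
        tag.sci = bytes(frame[6:12]) + b"\x00\x00"
    # otherwise the SCI is implicit (point-to-point link) and the receiving SecY supplies it
    return tag


def split_secure_data(frame: bytes, tag: SecTag, offset: int = 12) -> Tuple[bytes, bytes]:
    """Return (secure_data, icv); SL says where the data ends when the frame was padded."""
    body = frame[offset + tag.header_len:]
    if tag.sl:
        if len(body) < tag.sl + ICV_LEN:
            raise ValueError("frame shorter than SL + ICV")
        return body[:tag.sl], body[tag.sl:tag.sl + ICV_LEN]  # anything after is padding
    if len(body) < MIN_NON_SHORT + ICV_LEN:
        raise ValueError("secure data under 48 octets must carry SL")
    return body[:-ICV_LEN], body[-ICV_LEN:]


def sai(tag: SecTag) -> Tuple[bytes, int]:
    """SAI = SCI + AN selects the receive SA, and therefore the SAK, for this frame."""
    if tag.sci is None:
        raise ValueError("implicit SCI: the receiving SecY must supply the peer SCI")
    return tag.sci, tag.an


class ReceiveSA:
    """Per-SA replay state. 802.1AE accepts any PN >= lowestPN = nextPN - window,
    duplicates inside the window included, so window 0 is the strict setting."""

    def __init__(self, replay_window: int = 0):
        self.window, self.next_pn = replay_window, 1

    def accept(self, pn: int) -> bool:
        if pn < max(1, self.next_pn - self.window):
            return False  # replayed or too old: discard
        self.next_pn = max(self.next_pn, pn + 1)
        return True


# Constructed frame: DA, SA, SecTAG with SC=1/E=1/C=1/AN=0 (TCI/AN 0x2C), PN=5, SCI = SA + port 1
SRC_MAC = bytes.fromhex("00aabbccddee")


def build_frame(tci_an: int, pn: int, sci: Optional[bytes], data: bytes) -> bytes:
    sl = len(data) if len(data) < MIN_NON_SHORT else 0
    tag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn) + (sci or b"")
    return bytes.fromhex("001122334455") + SRC_MAC + tag + data + b"\xff" * ICV_LEN


FRAME = build_frame(0x2C, 5, SRC_MAC + b"\x00\x01", bytes(range(20)))  # 20 placeholder cipher octets
```

Feeding the PN sequence 5, 5, 7, 6, 3 into `ReceiveSA(0)` gives accept, discard, accept, discard, discard; with `ReceiveSA(2)` the late PN 6 is accepted but 3 is still rejected, which is the trade-off a replay window buys on links that reorder frames. The decoder deliberately stops at SA selection: verifying the ICV and decrypting the secure data require the SAK that MKA installed for that SAI.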
## MACsec and MKA
### Switch to Switch (P2P)
<div style="text-align: center"><img src="https://i.imgur.com/YVaT8Xk.png"/></div>
### Switch to Switch (P2M) Topology
<div style="text-align: center"><img src="https://i.imgur.com/CcvdflN.png"/></div>
### MACsec KEY
<div style="text-align: center"><img src="https://i.imgur.com/gpDnBlC.png"/></div>
### Switch-Host MKA
<div style="text-align: center"><img src="https://i.imgur.com/OeB1OUi.png"/></div>
<div style="text-align: center"><img src="https://i.imgur.com/c3LSRYi.png"/></div>
### Switch-Switch MKA
<div style="text-align: center"><img src="https://i.imgur.com/sF0ZwK0.png"/></div>
## Summary
### MACsec VS IPsec
<div style="text-align: center"><img src="https://i.imgur.com/Li301Xi.png"/></div>
### Hardware Implementation Choice
- Integrate with PHY device
- Separate device (FPGA) placed in between ASIC and PHY devices
### Ways to attack MACsec
- Rogue Gateway Attack
- EAP-MD5 Forced Reauthentication Attack
## Reference
- [[Northforge Innovations] MACsec Technical Brief](https://gonorthforge.com/wp-content/uploads/2017/10/NII_MKT-Layer2-Security-MACsec-Tech-Brief_V.2.2.pdf)
- [[Spec] IEEE Std 802.1AE-2006](http://www.ieee802.org/1/files/public/docs2010/new-seaman-1AE-markup-for-gcm-aes-256-0710-v2.pdf)
- [[Cisco] Innovations in Ethernet Encryption (802.1AE - MACsec) for Securing High Speed (1-100GE) WAN Deployments](https://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/MACsec/WP-High-Speed-WAN-Encrypt-MACsec.pdf)
- [[Cisco Live] A slide deck introducing WAN MACsec and Encryption Positioning](https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2017/pdf/BRKRST-2309.pdf)
- [[Juniper] Understanding Media Access Control Security (MACsec)](https://www.juniper.net/documentation/en_US/junos/topics/topic-map/understanding_media_access_control_security_qfx_ex.html)
- [[Ruckus] How does MACsec work (Switch-Switch)](http://docs.ruckuswireless.com/fastiron/08.0.70/fastiron-08070-licenseguide/GUID-EBB8AA84-C558-4A12-82F5-3A947FD66CBE.html)
- [[Ruckus] MACsec frame format](http://docs.ruckuswireless.com/fastiron/08.0.80/fastiron-08080-securityguide/GUID-333630FE-363D-43F1-A4C9-0EDD0D0D53E2.html)
- [[Nokia] 2.3.2.3. MACsec (Switch-End)](https://infocenter.nokia.com/public/7750SR150R4A/index.jsp?topic=%2Fcom.sr.interface%2Fhtml%2Finterfaces.html)
- [[Red Hat] MACsec: a different solution to encrypt network traffic](https://developers.redhat.com/blog/2016/10/14/macsec-a-different-solution-to-encrypt-network-traffic/)
- [[Red Hat] A slide deck about MACsec](https://www.yumpu.com/en/document/read/55514364/macsec)
- [[Cisco] LAYER 2 ATTACKS & MITIGATION TECHNIQUES](https://www.sanog.org/resources/sanog7/yusuf-L2-attack-mitigation.pdf)
- [Understanding Media Access Control Security (MACsec)](https://www.twblogs.net/a/5b8009832b717767c6b2f910)
- [MACSec – Media Access Control Security](https://howdoesinternetwork.com/2017/macsec#MACSec_between_switch_and_hosts)
- [A slide deck: Bypassing Port-Security In 2018: Defeating MacSEC and 802.1x-2010](https://www.slideshare.net/cisoplatform7/bypassing-portsecurity-in-2018-defeating-macsec-and-8021x2010)
- [Rogue Gateway Attack](https://github.com/s0lst1c3/silentbridge/wiki/Rogue-Gateway-Attack)
- [[Book] Practical Network Scanning: Capture network vulnerabilities using standard tools such as Nmap and Nessus](https://play.google.com/store/books/details/Ajay_Singh_Chauhan_Practical_Network_Scanning?id=ol9dDwAAQBAJ)