
Media Access Control Security (MACsec) is an IEEE 802.1AE industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks.

MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.

Starting with Junos OS Release 15.1 for MX Series routers, MACsec enables you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.

How MACsec Works

MACsec provides industry-standard security through the use of secured point-to-point Ethernet links. The point-to-point links are secured after matching security keys are exchanged and verified between the interfaces at each end of the point-to-point Ethernet link. The key can be user-configured or can be generated dynamically, depending on the security mode used to enable MACsec. For more information on MACsec security modes, see Understanding MACsec Security Modes for Switch-to-Switch Links. Other user-configurable parameters, such as MAC address or port, must also match on the interfaces on each side of the link to enable MACsec.

Note

On MX Series routers, you enable MACsec by using the static CAK security mode. See Configuring MACsec on EX, SRX and Fusion Devices.

Once MACsec is enabled on a point-to-point Ethernet link, all traffic traversing the link is MACsec-secured through the use of data integrity checks and, if configured, encryption.

The data integrity checks verify the integrity of the data. MACsec appends an 8-byte header and a 16-byte tail to all Ethernet frames traversing the MACsec-secured point-to-point Ethernet link, and the header and tail are checked by the receiving interface to ensure that the data was not compromised while traversing the link. If the data integrity check detects anything irregular about the traffic, the traffic is dropped.

MACsec can also be used to encrypt all traffic on the Ethernet link. Encryption ensures that the data in the Ethernet frame cannot be viewed by anybody monitoring traffic on the link. MACsec encryption is optional and user-configurable; you can enable MACsec to ensure the data integrity checks are performed while still sending unencrypted data “in the clear” over the MACsec-secured link, if desired.

Note

When MACsec is enabled on a logical interface, VLAN tags are not encrypted. All the VLAN tags configured on the logical interface enabled for MACsec are sent in clear text.

MACsec is configured on point-to-point Ethernet links between MACsec-capable interfaces. If you want to enable MACsec on multiple Ethernet links, you must configure MACsec individually on each point-to-point Ethernet link.

On MX Series routers, you can configure the connectivity-association-name exclude-protocol command to specify protocols whose packets are not secured using Media Access Control Security (MACsec) when MACsec is enabled on a link by using static connectivity association key (CAK) security mode. When this option is enabled in a connectivity association that is attached to an interface, none of the packets of the specified protocols that are sent and received on the link are secured by MACsec.

Understanding Connectivity Associations and Secure Channels

MACsec is configured in connectivity associations. MACsec is enabled when a connectivity association is assigned to an interface.

When you are configuring MACsec using static secure association key (SAK) security mode, you must configure secure channels within a connectivity association. The secure channels are responsible for transmitting and receiving data on the MACsec-enabled link, and also responsible for transmitting SAKs across the link to enable and maintain MACsec. A single secure channel is unidirectional—it can be used to apply MACsec only to either inbound or outbound traffic. A typical connectivity association when MACsec is enabled using SAK security mode contains two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic.

When you enable MACsec using static CAK or dynamic security mode, you have to create and configure a connectivity association. Two secure channels—one secure channel for inbound traffic and another secure channel for outbound traffic—are automatically created. The automatically created secure channels do not have any user-configurable parameters; all configuration is done in the connectivity association outside of the secure channels.

Understanding Static Connectivity Association Key Security Mode (Security Mode for Router-to-Router Links)

When you enable MACsec using static connectivity association key (CAK) security mode, two security keys—a connectivity association key (CAK) that secures control plane traffic and a randomly-generated secure association key (SAK) that secures data plane traffic—are used to secure the point-to-point Ethernet link.

You initially establish a MACsec-secured link using a preshared key when you are using static CAK security mode to enable MACsec. A preshared key includes a connectivity association name (CKN) and a connectivity association key (CAK). The CKN and CAK are configured by the user in the connectivity association and must match on both ends of the link to initially enable MACsec.

The preshared keys must be configured on the endpoints of the link and the keys must be in agreement with each other. The MACsec Key Agreement (MKA) protocol is responsible for maintaining MACsec on the link, and decides which router on the point-to-point link becomes the key server. The key server then creates an SAK that is shared with the router at the other end of the point-to-point link only, and that SAK is used to secure all data traffic traversing the link. The key server continues to periodically create and share a randomly-created SAK over the point-to-point link for as long as MACsec is enabled.

See Configuring Media Access Control Security (MACsec) on MX Series Routers for step-by-step instructions on enabling MACsec by using static CAK security mode.
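A model of the static CAK exchange just described, as an added example that is not Juniper's code or part of Junos: two peers hold the same preshared CKN/CAK, authenticate MKPDUs with an integrity key (ICK) derived from the CAK, elect a key server (the lower key server priority wins, with the SCI as tie-breaker), and the key server generates a random SAK, distributes it wrapped under a key-encrypting key (KEK) and rotates it. HMAC-SHA256 stands in for the 802.1X AES-CMAC key derivation and for AES key wrap, and the MKPDU is simplified to CKN || body || ICV; the peer names, priorities, SCIs and key values are constructed.

```python
"""Static CAK mode modelled end to end: preshared CKN/CAK, authenticated
MKPDUs, key server election, SAK distribution and rekeying.

Added example, not Juniper's code. HMAC-SHA256 stands in for the 802.1X-2010
AES-CMAC KDF and for AES key wrap; the MKPDU layout is simplified to
CKN || body || ICV. All names, priorities and key values are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ICV_LEN = 16
SAK_LEN = 16   # GCM-AES-128 SAK size


def kdf(key: bytes, label: bytes) -> bytes:
    # Stand-in for the 802.1X KDF that derives ICK and KEK from the CAK.
    return hmac.new(key, label, hashlib.sha256).digest()[:16]


@dataclass
class Peer:
    name: str
    ckn: bytes                 # connectivity association key name, sent in clear
    cak: bytes                 # connectivity association key, never sent on the wire
    key_server_priority: int   # lower value wins the key server election
    sci: bytes                 # MAC address + port id; tie-breaker for the election
    sak: Optional[bytes] = None
    is_key_server: bool = False
    ick: bytes = field(init=False, repr=False)
    kek: bytes = field(init=False, repr=False)

    def __post_init__(self) -> None:
        self.ick = kdf(self.cak, b"IEEE8021 ICK")   # integrity check key
        self.kek = kdf(self.cak, b"IEEE8021 KEK")   # key encrypting key

    def mkpdu(self, body: bytes) -> bytes:
        """Build an MKPDU; the ICV proves possession of the CAK without sending it."""
        signed = self.ckn + body
        return signed + hmac.new(self.ick, signed, hashlib.sha256).digest()[:ICV_LEN]

    def accept(self, pdu: bytes) -> Optional[bytes]:
        """Return the body of a peer MKPDU, or None if the CKN or ICV does not match."""
        signed, icv = pdu[:-ICV_LEN], pdu[-ICV_LEN:]
        if not signed.startswith(self.ckn):
            return None   # different key name: not our connectivity association
        expected = hmac.new(self.ick, signed, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None   # ICV mismatch: the peer holds a different CAK
        return signed[len(self.ckn):]

    def wrap(self, sak: bytes) -> bytes:
        # Stand-in for AES key wrap under the KEK (XOR mask, so it also unwraps).
        mask = kdf(self.kek, b"SAK wrap")
        return bytes(s ^ m for s, m in zip(sak, mask))


def establish(a: Peer, b: Peer) -> Optional[str]:
    """Run the MKA hello exchange; returns the key server's name, or None."""
    hello_a = a.mkpdu(b"HELLO" + bytes([a.key_server_priority]) + a.sci)
    hello_b = b.mkpdu(b"HELLO" + bytes([b.key_server_priority]) + b.sci)
    if a.accept(hello_b) is None or b.accept(hello_a) is None:
        return None   # CKN or CAK disagree: MACsec is never enabled on the link
    server, client = sorted((a, b), key=lambda p: (p.key_server_priority, p.sci))
    server.is_key_server, client.is_key_server = True, False
    distribute_sak(server, client)
    return server.name


def distribute_sak(server: Peer, client: Peer) -> None:
    """The key server generates a random SAK and sends it wrapped under the KEK."""
    server.sak = secrets.token_bytes(SAK_LEN)
    body = client.accept(server.mkpdu(b"SAK" + server.wrap(server.sak)))
    if body is not None:
        client.sak = client.wrap(body[3:])   # same KEK on both ends unwraps it


def rekey(server: Peer, client: Peer) -> bool:
    """Periodic SAK rotation by the key server; True when a fresh shared SAK is in place."""
    old = server.sak
    distribute_sak(server, client)
    return server.sak != old and server.sak == client.sak
```

Running `establish()` on two peers with identical CKN/CAK returns the elected key server and leaves both ends holding the same SAK; a peer with a mismatched CAK fails the ICV check on the first hello and never gets a SAK, which is the failure mode to look for when a link stays down after a key change.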

MACsec Support on MX, ACX, and PTX Series Routers

Table 1 lists the routers which support MACsec.

Table 1: MACsec on MX, PTX, and ACX Series Routers

| Router | Line Card / MIC | Support introduced in Junos OS Release |
|---|---|---|
| MX240, MX480, and MX960 | MIC-3D-20GE-SFP-E | 14.2 and 15.1 |
| MX240, MX480, MX960, MX2010, and MX2020 | MPC7E-10G | 16.1 |
| MX10003 | JNP-MIC1-MACSEC | 17.3R2 |
| ACX6360 | NA | 18.2R1 |
| PTX10008 | PTX10K-LC1105 | 18.2R1 |
| PTX10008 and PTX10016 | PTX10K-LC1105 | 18.3R1 |
| MX240, MX480, MX960, MX2010, and MX2020 | MPC10E-15C and MPC10E-10C | 19.1R1 |
| ACX5448-M (1GbE/10GbE ports only) | NA | 19.3R1 |

ACX6360 and ACX5448-M routers support MACsec with AES-256 encryption.

MACsec can be configured on supported MX Series routers that are members of a Virtual Chassis. Encryption and decryption are implemented in the hardware in line-rate mode. MACsec adds 24 through 32 bytes of overhead per frame; the upper figure applies when the Secure Channel Identifier (SCI) tag is included.
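The 8-byte header, 16-byte tail, optional encryption and 24- to 32-byte overhead described in the sections above can be seen in a small frame model. The following is an added example written for this page, not Juniper's code or a Junos feature: it lays out the 802.1AE SecTAG (EtherType 0x88E5, TCI/AN, SL, PN, optional SCI) and the ICV, shows how the receive side drops a frame whose integrity check or packet number fails, and contrasts integrity-only ("in the clear") with encrypted operation. HMAC-SHA256 and an HMAC-derived keystream stand in for the GCM-AES cipher suite so the code runs with the standard library only; the addresses, SAK and payload are constructed values.

```python
"""MACsec (IEEE 802.1AE) frame layout and receive-side checks.

Added example, not Juniper's code. SecTAG fields, TCI bit positions, the
8-byte header / 16-byte ICV and the 24- or 32-byte overhead follow 802.1AE.
GCM-AES is replaced by an HMAC-SHA256 tag and an HMAC-derived keystream so
the example is self-contained; addresses, SAK and payload are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
SECTAG_BASE_LEN = 8   # EtherType(2) + TCI/AN(1) + SL(1) + PN(4)
SCI_LEN = 8           # optional Secure Channel Identifier (MAC address + port id)
ICV_LEN = 16          # Integrity Check Value appended as the tail
TCI_SC = 0x20         # SCI present in the SecTAG
TCI_E = 0x08          # payload is encrypted
TCI_C = 0x04          # payload is changed (set together with E for GCM-AES)


def _keystream(sak: bytes, pn: int, length: int) -> bytes:
    # Stand-in for the GCM keystream: HMAC blocks keyed by the packet number.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(sak, struct.pack("!IQ", pn, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _icv(sak: bytes, header: bytes, body: bytes) -> bytes:
    # Stand-in for the 16-byte GCM tag over DA, SA, SecTAG and secure data.
    return hmac.new(sak, header + body, hashlib.sha256).digest()[:ICV_LEN]


def protect(dst: bytes, src: bytes, payload: bytes, sak: bytes, pn: int,
            an: int = 0, encrypt: bool = True, sci: Optional[bytes] = None) -> bytes:
    """Transmit side: insert the SecTAG after DA/SA and append the ICV.
    encrypt=False is integrity-only mode: the payload travels in the clear
    but is still covered by the ICV, so tampering is detected."""
    tci = an & 0x03
    if encrypt:
        tci |= TCI_E | TCI_C
    if sci is not None:
        tci |= TCI_SC
    sl = len(payload) if len(payload) < 48 else 0   # short length; 0 when >= 48
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn) + (sci or b"")
    if encrypt:
        body = bytes(p ^ k for p, k in zip(payload, _keystream(sak, pn, len(payload))))
    else:
        body = payload
    header = dst + src + sectag
    return header + body + _icv(sak, header, body)


def verify(frame: bytes, sak: bytes, lowest_pn: int = 0):
    """Receive side: parse the SecTAG, check the ICV and the packet number.
    Returns (fields, payload), or None when the frame must be dropped."""
    rest = frame[12:]
    if len(rest) < SECTAG_BASE_LEN + ICV_LEN:
        return None
    ethertype, tci, sl, pn = struct.unpack("!HBBI", rest[:SECTAG_BASE_LEN])
    if ethertype != MACSEC_ETHERTYPE:
        return None
    off, sci = SECTAG_BASE_LEN, None
    if tci & TCI_SC:
        sci = rest[off:off + SCI_LEN]
        off += SCI_LEN
    body, icv = rest[off:-ICV_LEN], rest[-ICV_LEN:]
    header = frame[:12 + off]
    if not hmac.compare_digest(icv, _icv(sak, header, body)):
        return None          # data integrity check failed: drop the frame
    if sl and len(body) != sl:
        return None          # short-length field disagrees with the body
    if pn < lowest_pn:
        return None          # replay protection: stale packet number
    if tci & TCI_E:
        payload = bytes(c ^ k for c, k in zip(body, _keystream(sak, pn, len(body))))
    else:
        payload = body
    fields = {"an": tci & 0x03, "encrypted": bool(tci & TCI_E), "pn": pn, "sci": sci}
    return fields, payload


def overhead(frame: bytes, payload: bytes) -> int:
    """Bytes MACsec added on top of a plain DA + SA + payload frame."""
    return len(frame) - (12 + len(payload))
```

`overhead()` returns 24 for a frame without the SCI and 32 with it, matching the figures given for the MX Series; a flipped byte anywhere in the secured body makes `verify()` return None, as does a packet number below the receiver's lowest acceptable value.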

For more information regarding MACsec, refer to the following IEEE specifications:

  • IEEE 802.1AE-2006. Media Access Control (MAC) Security

  • IEEE 802.1X-2010. Port-Based Network Access Control. Defines the MACsec Key Agreement Protocol

Understanding MACsec Software Requirements for MX Series Routers

Following are some of the key software requirements for MACsec on MX Series Routers:

Note

A feature license is not required to configure MACsec on MX Series routers with the enhanced 20-port Gigabit Ethernet MIC (model number MIC-3D-20GE-SFP-E).

  • MACsec is supported on MX Series routers with MACsec-capable interfaces.

  • MACsec supports 128-bit and 256-bit cipher suites with and without extended packet numbering (XPN).

  • MACsec supports the MACsec Key Agreement (MKA) protocol with static CAK mode using preshared keys.

  • MACsec supports a single connectivity association (CA) per physical port or physical interface.

  • Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (

See Configuring MACsec on EX, SRX and Fusion Devices for step-by-step instructions on enabling MACsec using static CAK security mode.

Understanding Dynamic Secure Association Key Security Mode (Switch-to-Host Links)

Dynamic secure association key (SAK) security mode is used to enable MACsec on a switch-to-host link.

To enable MACsec on a link connecting an endpoint device—such as a server, phone, or personal computer—to a switch, the endpoint device must support MACsec and must be running software that allows it to enable a MACsec-secured connection. When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

A secure association using dynamic secure association security mode must be configured on the switch’s Ethernet interface that connects to the host in order for the switch to create a MACsec-secured connection after receiving the MKA keys from the RADIUS server.

The RADIUS server must be using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) in order to support MACsec. RADIUS servers that support other widely-used authentication frameworks, such as password-only or MD5, cannot be used to support MACsec. In order to enable MACsec on a switch to secure a connection to a host, you must be using 802.1X authentication on the RADIUS server. MACsec must be configured into dynamic mode. MACsec is still enabled using connectivity associations when enabled on a switch-to-host link, as it is on a switch-to-switch link.

Understanding Static Secure Association Key Security Mode (Supported for Switch-to-Switch Links)

When you enable MACsec using static secure association key (SAK) security mode, one of up to two manually configured SAKs is used to secure data traffic on the point-to-point Ethernet link. All SAK names and values are configured by the user; there is no key server or other tool that creates SAKs. Security is maintained on the point-to-point Ethernet link by periodically rotating between the two security keys. Each security key name and value must have a corresponding matching value on the interface at the other end of the point-to-point Ethernet link to maintain MACsec on the link.

You configure SAKs within secure channels when you enable MACsec using static SAK security mode. You configure secure channels within connectivity associations. A typical connectivity association for MACsec using static SAK security mode contains two secure channels—one for inbound traffic and one for outbound traffic—that have each been configured with two manually configured SAKs. You must attach the connectivity association with the secure channel configurations to an interface to enable MACsec using static SAK security mode.

We recommend enabling MACsec using static CAK security mode. Use static SAK security mode only if you have a compelling reason to use it instead of static CAK security mode.

See Configuring MACsec on EX, SRX and Fusion Devices for step-by-step instructions on enabling MACsec using SAKs.

Understanding the Requirements to Enable MACsec on a Switch-to-Host Link

When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A master key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The master key is then passed between the switch and the host to create a MACsec-secured connection.

The following requirements must be met in order to enable MACsec on a link connecting a host device to a switch.

The host device:

  • must support MACsec and must be running software that allows it to enable a MACsec-secured connection with the switch.

The switch:

  • must support MACsec (see Table 2).

  • must be configured into dynamic secure association key security mode.

  • must be using 802.1X authentication to communicate with the RADIUS server.

The RADIUS server:

  • must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.

    Note

    RADIUS servers that support other widely-used authentication frameworks, such as password-only or MD5, cannot be used to support MACsec.

  • must be using 802.1X authentication.

  • can be multiple hops from the switch and the host device.

MACsec Software Image Requirements for EX Series and QFX Series Switches

Junos OS Release 16.1 and Later

For Junos OS Release 16.1 and later, you must download the standard Junos image to enable MACsec. MACsec is not supported in the limited image. See the MACsec Hardware and Software Support Summary to determine the correct release for your device.

The standard version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of this Junos OS software is strictly controlled under United States export laws. The export, import, and use of this Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring this version of your Junos OS software, contact the Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

Junos OS Releases Prior to 16.1

For releases prior to Junos OS Release 16.1, you must download the controlled version of your Junos OS software to enable MACsec. MACsec support is not available in the domestic version of Junos OS software in releases prior to Junos OS Release 16.1. See the MACsec Hardware and Software Support Summary to determine the correct release for your device.

The controlled version of Junos OS software includes all features and functionality available in the domestic version of Junos OS, while also supporting MACsec. The domestic version of Junos OS software is shipped on all switches that support MACsec, so you must download and install a controlled version of Junos OS software for your switch before you can enable MACsec.

The controlled version of Junos OS software contains encryption and is, therefore, not available to customers in all geographies. The export and re-export of the controlled version of Junos OS software is strictly controlled under United States export laws. The export, import, and use of the controlled version of Junos OS software is also subject to controls imposed under the laws of other countries. If you have questions about acquiring the controlled version of your Junos OS software, contact the Juniper Networks Trade Compliance group at compliance_helpdesk@juniper.net.

MACsec Hardware and Software Support Summary

Table 2 summarizes MACsec hardware and software support for EX Series and QFX Series switches.

See Feature Explorer for a full listing of Junos OS releases and platforms that support MACsec.

Table 2: MACsec Hardware and Software Support Summary for EX Series and QFX Series Switches

| Switch | MACsec-capable Interfaces | Switch-to-Switch Support Introduction | Switch-to-Host Support Introduction | Encryption |
|---|---|---|---|---|
| EX3400 (Note: MACsec is not available on the limited Junos OS image package.) | 10GbE fiber interfaces and 1GbE copper interfaces. | 15.1X53-D50 | 15.1X53-D50 | AES-128 |
| EX4200 | All uplink port connections on the SFP+ MACsec uplink module. | 13.2X50-D15 | 14.1X53-D10 | AES-128 |
| EX4300 | All access and uplink ports. Both QSFP+ interfaces on the EX-UM-2QSFP-MR uplink module for EX4300-48MP switches. | 13.2X50-D15 | 14.1X53-D10 | AES-128; AES-256 (EX4300-48MP only) |
| EX4550 | All EX4550 optical interfaces that use the LC connection type. See Pluggable Transceivers Supported on EX4550 Switches. | 13.2X50-D15 | 14.1X53-D10 | AES-128 |
| EX4600 | All twenty-four fixed 1GbE SFP/10GbE SFP+ interfaces and all interfaces that support the copper Gigabit Interface Converter (GBIC). All eight SFP+ interfaces on the EX4600-EM-8F expansion module. | 14.1X53-D15 (Note: MACsec is not supported on EX4600 in Junos OS Release 15.1.) | Not supported | AES-128 |
| EX9200 | All forty SFP interfaces on the EX9200-40F-M line card. All twenty SFP interfaces on the EX9200-20F-MIC installed in an EX9200-MPC line card (Note: you can install up to two EX9200-20F-MIC MICs in an EX9200-MPC line card for a maximum of forty MACsec-capable interfaces). All forty SFP+ interfaces on the EX9200-40XS. | 15.1R1 | 15.1R1 | AES-128 (Note: starting in Junos OS Release 18.2R1, AES-256 is supported on the EX9200-40XS line card.) |
| QFX5100 | All eight SFP+ interfaces on the EX4600-EM-8F expansion module installed in a QFX5100-24Q switch. | 14.1X53-D15 (Note: MACsec is not supported on QFX5100-24Q switches in Junos OS Release 15.1.) | Not supported | AES-128 |
| QFX10008 and QFX10016 | All six interfaces on the QFX10000-6C-DWDM line card. | 17.2R1 (Note: static CAK mode only.) | Not supported | AES-128 and AES-256 (Note: when enabling MACsec on the QFX10000-6C-DWDM line card, we recommend using a cipher suite with extended packet numbering (XPN). Supported XPN cipher suites are GCM-AES-XPN-128 and GCM-AES-XPN-256.) |
| QFX10008 and QFX10016 | All 30 interfaces on the QFX10000-30C-M line card. | 17.4R1 (Note: static CAK mode only.) | Not supported | AES-128 and AES-256 (Note: when enabling MACsec on the QFX10000-30C-M line card, we recommend using a cipher suite with extended packet numbering (XPN). Supported XPN cipher suites are GCM-AES-XPN-128 and GCM-AES-XPN-256.) |

Understanding MACsec in a Virtual Chassis

MACsec can be configured on supported switch interfaces when those switches are configured in a Virtual Chassis or Virtual Chassis Fabric (VCF), including when MACsec-supported interfaces are on member switches in a mixed Virtual Chassis or VCF that includes switch interfaces that do not support MACsec. MACsec, however, cannot be enabled on Virtual Chassis ports (VCPs) to secure traffic travelling between member switches in a Virtual Chassis or VCF.

Understanding the MACsec Feature License Requirement

A feature license is required to configure MACsec on EX Series and QFX Series switches, with the exception of the QFX10000-6C-DWDM and QFX10000-30C-M line cards. If the MACsec license is not installed, MACsec functionality cannot be activated.

To purchase a feature license for MACsec, contact your Juniper Networks sales representative (https://www.juniper.net/us/en/contact-us/sales-offices). The Juniper sales representative will provide you with a feature license file and a license key. You will be asked to supply the chassis serial number of your switch.

Note

Configure no-auto-negotiation on PHY84756 1G SFP ports before configuring MACsec on those ports.

Release History Table

Description

  • Starting in Junos OS Release 18.4R2, the MIC-MACSEC-20GE MIC provides the 256-bit cipher suites GCM-AES-256 and GCM-AES-XPN-256.

  • Starting in Junos OS Release 18.2R1, AES-256 is supported on the EX9200-40XS line card.

  • Starting with Junos OS Release 15.1 for MX Series routers, MACsec enables you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions.

  • Starting with Junos OS Release 15.1, MACsec is supported on member links of an aggregated Ethernet (
