|
| 1 | + |
| 2 | +------------------------------------------------------------------------------- |
| 3 | + Title | MACSec Secure Policy |
| 4 | +-------------|----------------------------------------------------------------- |
| 5 | + Authors | Ruthrapathy Shanmuganandam (Cisco Systems Inc.) |
| 6 | + Status | In review |
| 7 | + Type | Standards track |
| 8 | + Created | 2025-09-30 |
| 9 | + SAI-Version | 1.18 |
| 10 | +------------------------------------------------------------------------------- |
| 11 | + |
| 12 | +# Introduction |
| 13 | + |
| 14 | +This proposal enables configuration of different MACSec secure policies, that define the behavior of MACSec protection on a given link when a MACSec Key Agreement (MKA) session is not established. |
| 15 | + |
| 16 | +# Overview |
| 17 | + |
| 18 | +Media Access Control Security (MACSec, IEEE 802.1AE) provides hop-by-hop security at Layer 2, ensuring data confidentiality, integrity, and origin authenticity on direct Ethernet links. The type of secure policy chosen dictates how the interface handles non-MACSec or unauthenticated traffic, balancing strict security requirements against operational resilience. |
| 19 | + |
| 20 | +# Nomenclature |
| 21 | + |
| 22 | +In deploying MACSec, organizations must decide how strictly security should be enforced on each port or link. The two standard operational modes are |
| 23 | + |
| 24 | +- **Should Secure (Fail-Open):** Secure traffic is prioritized if MACSec Key Agreement(MKA) succeeds; but allow cleartext traffic if no secure channel is established |
| 25 | + |
| 26 | +- **Must Secure (Fail-Closed):** Only frames successfully encapsulated and authenticated with the MACSec Security Association Key (SAK) are forwarded; drop all traffic if a secure channel cannot be established. |
| 27 | + |
| 28 | +## Must Secure (Fail-Closed) |
| 29 | + |
| 30 | +Must Secure is the most stringent secure policy. |
| 31 | + |
| 32 | +- The policy ensures only Ethernet frames that are successfully encapsulated and authenticated with the MACSec Security Association Key (SAK) to be forwarded, thus ensuring that no unprotected data flows over the secured link. |
| 33 | + |
| 34 | +- If any issues are encountered during MKA negotiation (scenarios such as mismatches in key or configuration), it results in an immediate and complete connectivity loss. |
| 35 | + |
| 36 | +- If MKA session remains down, only EAPol(Extensible Authentication Protocol over LAN) packets are exchanged. |
| 37 | + |
| 38 | +## Should Secure (Fail-Open) |
| 39 | + |
| 40 | +Should Secure is a less stricter policy than Must Secure. |
| 41 | + |
| 42 | +- This policy prioritizes service availability over link-layer confidentiality when the secure channel cannot be established. |
| 43 | + |
| 44 | +- In case of MKA negotiation failure, the link reverts to an unsecured, clear-text state. |
| 45 | + |
| 46 | +- The network continues to function, but the traffic on that specific link remains unencrypted. |
| 47 | + |
| 48 | +# SAI Attribute Enhancement |
| 49 | + |
| 50 | +The below MACSec port attribute is newly introduced to allow configuration of the MACSec secure policy. This attribute controls how the switch’s MACsec security engine enforces link protection. When set, the attribute instructs the hardware to apply the corresponding policy on the specified port. |
| 51 | + |
| 52 | +```c |
| 53 | +typedef enum _sai_macsec_port_attr_t |
| 54 | +{ |
| 55 | + ... |
| 56 | + /** |
| 57 | + * @brief Secure policy for MACSEC port |
| 58 | + * |
| 59 | + * Attribute to set the type of secure policy for a MACSEC port |
| 60 | + * |
| 61 | + * @type sai_macsec_port_secure_policy_t |
| 62 | + * @flags CREATE_AND_SET |
| 63 | + * @default SAI_MACSEC_PORT_SECURE_POLICY_SHOULD_SECURE |
| 64 | + */ |
| 65 | + SAI_MACSEC_PORT_ATTR_SECURE_POLICY, |
| 66 | + ... |
| 67 | +} sai_macsec_port_attr_t; |
| 68 | +``` |
| 69 | + |
| 70 | +The Secure Policy is defined to take values of the below enumeration. |
| 71 | + |
| 72 | +```c |
| 73 | +/** |
| 74 | + * @brief Attribute Data for MACSec Secure Policy |
| 75 | + */ |
| 76 | +typedef enum _sai_macsec_port_secure_policy_t |
| 77 | +{ |
| 78 | + /** |
| 79 | + * @brief Should Secure Policy: Traffic is exchanged in clear |
| 80 | + * till the encryption keys are in place. |
| 81 | + */ |
| 82 | + SAI_MACSEC_PORT_SECURE_POLICY_SHOULD_SECURE, |
| 83 | + |
| 84 | + /** |
| 85 | + * @brief Must Secure Policy: Traffic will need to be dropped till |
| 86 | + * the encryption keys are in place. |
| 87 | + */ |
| 88 | + SAI_MACSEC_PORT_SECURE_POLICY_MUST_SECURE, |
| 89 | + |
| 90 | +} sai_macsec_port_secure_policy_t; |
| 91 | +``` |
| 92 | + |
| 93 | +# API Workflow |
| 94 | + |
| 95 | +- **Step 1** Create Switch. |
| 96 | + |
| 97 | +- **Step 2** Create MACSec object. |
| 98 | + |
| 99 | +- **Step 3** Set Secure Policy as part of Create MACSec Port. |
| 100 | + |
| 101 | +```c |
| 102 | + sai_attribute_t attr; |
| 103 | + std::vector<sai_attribute_t> attr_list; |
| 104 | + sai_object_id_t macsec_port_id; |
| 105 | + |
| 106 | + attr_list.clear(); |
| 107 | + |
| 108 | + /* Populate other port attributes */ |
| 109 | + |
| 110 | + /* Set Secure Policy */ |
| 111 | + attr.id = SAI_MACSEC_PORT_ATTR_SECURE_POLICY; |
| 112 | + |
| 113 | + if (must_secure) { |
| 114 | + attr.value.u32 = SAI_MACSEC_PORT_SECURE_POLICY_MUST_SECURE; |
| 115 | + } else { |
| 116 | + attr.value.u32 = SAI_MACSEC_PORT_SECURE_POLICY_SHOULD_SECURE; |
| 117 | + } |
| 118 | + attr_list.push_back(attr); |
| 119 | + |
| 120 | + sai_create_macsec_port_fn(&macsec_port_id, |
| 121 | + switch_id, |
| 122 | + attr_list.size(), |
| 123 | + attr_list.data()); |
| 124 | +``` |
| 125 | +
|
| 126 | +# References |
| 127 | +
|
| 128 | +- IEEE 802.1AE (MACSec) Standard |
| 129 | +
|
| 130 | +- IEEE 802.1X-2010 (MKA) |
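Review bot: In the API Workflow snippet the policy is written through `attr.value.u32`, but the attribute is declared `@type sai_macsec_port_secure_policy_t`, and SAI carries enum-typed attribute values in `attr.value.s32`; use `s32` so the example matches the attribute metadata. The same snippet is fenced as `c` but uses `std::vector`, and it discards the return value of the create call; capture the `sai_status_t` and check it so that a failed request for Must Secure is not silent. In the enum header, the `SAI_MACSEC_PORT_SECURE_POLICY_MUST_SECURE` comment says traffic is dropped until keys are in place, while the "Must Secure (Fail-Closed)" section says EAPoL is still exchanged when the MKA session is down; state the EAPoL exemption in the header comment as well, since that comment is what implementers will read. Both enum comments, like the Introduction, cover only the period before keys are in place or when a session is "not established"; please say whether the policy also governs a port whose established MKA session is later lost, because under the fail-open default (`SAI_MACSEC_PORT_SECURE_POLICY_SHOULD_SECURE`) that decides whether a secured link can fall back to cleartext.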