|
| 1 | + |
| 2 | +------------------------------------------------------------------------------- |
| 3 | + Title | MACSec Secure Policy |
| 4 | +-------------|----------------------------------------------------------------- |
| 5 | + Authors | Ruthrapathy Shanmuganandam (Cisco Systems Inc.) |
| 6 | + Status | In review |
| 7 | + Type | Standards track |
| 8 | + Created | 2025-09-30 |
| 9 | + SAI-Version | 1.18 |
| 10 | +------------------------------------------------------------------------------- |
| 11 | + |
| 12 | +# Introduction |
| 13 | + |
| 14 | +This proposal introduces the following enhancements for MACsec configuration: |
| 15 | + |
| 16 | +- **MACSec secure policy** Configuration of policies that define the behavior of MACSec protection on a given link when a MACSec Key Agreement (MKA) session is not established. |
| 17 | + |
| 18 | +- **Confidentiality Offset** Configuration of Confidentiality Offset to allow bytes of the ethernet frame to be unencrypted. |
| 19 | + |
| 20 | +- **Tag Control Information** Configuration to set End Station (ES) and Single Copy Broadcast (SCB) bits in Tag Control Information (TCI). |
| 21 | + |
| 22 | +# MACSec Secure Policies |
| 23 | + |
| 24 | +## Overview |
| 25 | + |
| 26 | +Media Access Control Security (MACSec, IEEE 802.1AE) provides hop-by-hop security at Layer 2, ensuring data confidentiality, integrity, and origin authenticity on direct Ethernet links. The type of secure policy chosen dictates how the interface handles non-MACSec or unauthenticated traffic, balancing strict security requirements against operational resilience. |
| 27 | + |
| 28 | +## Nomenclature |
| 29 | + |
| 30 | +In deploying MACSec, organizations must decide how strictly security should be enforced on each port or link. The two standard operational modes are |
| 31 | + |
| 32 | +- **Should Secure (Fail-Open):** Secure traffic is prioritized if MACSec Key Agreement(MKA) succeeds; but allow cleartext traffic if no secure channel is established |
| 33 | + |
| 34 | +- **Must Secure (Fail-Closed):** Only frames successfully encapsulated and authenticated with the MACSec Security Association Key (SAK) are forwarded; drop all traffic if a secure channel cannot be established. |
| 35 | + |
| 36 | +### Must Secure (Fail-Closed) |
| 37 | + |
| 38 | +Must Secure is the most stringent secure policy. |
| 39 | + |
| 40 | +- The policy ensures only Ethernet frames that are successfully encapsulated and authenticated with the MACSec Security Association Key (SAK) to be forwarded, thus ensuring that no unprotected data flows over the secured link. |
| 41 | + |
| 42 | +- If any issues are encountered during MKA negotiation (scenarios such as mismatches in key or configuration), it results in an immediate and complete connectivity loss. |
| 43 | + |
| 44 | +- If MKA session remains down, only EAPoL (Extensible Authentication Protocol over LAN) packets are exchanged bidirectionally to attempt session establishment. All other traffic is dropped. |
| 45 | + |
| 46 | +- If the peer does not support MACSec at all (no MKA capability), all traffic is dropped to maintain security. |
| 47 | + |
| 48 | +### Should Secure (Fail-Open) |
| 49 | + |
| 50 | +Should Secure is a less strict policy than Must Secure. |
| 51 | + |
| 52 | +- This policy prioritizes service availability over link-layer confidentiality when the secure channel cannot be established. |
| 53 | + |
| 54 | +- In case of MKA negotiation failure, the link reverts to an unsecured, clear-text state. |
| 55 | + |
| 56 | +- The network continues to function, but the traffic on that specific link remains unencrypted. |
| 57 | + |
| 58 | +- If the peer does not support MACSec, traffic passes unencrypted to maintain connectivity over availability. |
| 59 | + |
| 60 | +## SAI Attribute Enhancement |
| 61 | + |
| 62 | +The below MACSec port attribute is newly introduced to allow configuration of the MACSec secure policy. This attribute controls how the switch’s MACsec security engine enforces link protection. When set, the attribute instructs the hardware to apply the corresponding policy on the specified port. |
| 63 | + |
| 64 | +```c |
| 65 | +typedef enum _sai_macsec_port_attr_t |
| 66 | +{ |
| 67 | + ... |
| 68 | + /** |
| 69 | + * @brief Secure policy configuration for MACSec port |
| 70 | + * |
| 71 | + * Attribute to set the type of secure policy for a MACSec port |
| 72 | + * |
| 73 | + * @type sai_macsec_port_secure_policy_t |
| 74 | + * @flags CREATE_AND_SET |
| 75 | + * @default SAI_MACSEC_PORT_SECURE_POLICY_MUST_SECURE |
| 76 | + */ |
| 77 | + SAI_MACSEC_PORT_ATTR_SECURE_POLICY, |
| 78 | + ... |
| 79 | +} sai_macsec_port_attr_t; |
| 80 | +``` |
| 81 | + |
| 82 | +The Secure Policy is defined to take values of the below enumeration. |
| 83 | + |
| 84 | +```c |
| 85 | +/** |
| 86 | + * @brief Attribute Data for MACSec Secure Policy |
| 87 | + */ |
| 88 | +typedef enum _sai_macsec_port_secure_policy_t |
| 89 | +{ |
| 90 | + /** |
| 91 | + * @brief Must Secure Policy: Traffic will need to be dropped till |
| 92 | + * the encryption keys are in place. |
| 93 | + */ |
| 94 | + SAI_MACSEC_PORT_SECURE_POLICY_MUST_SECURE, |
| 95 | + |
| 96 | + /** |
| 97 | + * @brief Should Secure Policy: Traffic is exchanged in clear |
| 98 | + * till the encryption keys are in place. |
| 99 | + */ |
| 100 | + SAI_MACSEC_PORT_SECURE_POLICY_SHOULD_SECURE, |
| 101 | + |
| 102 | +} sai_macsec_port_secure_policy_t; |
| 103 | +``` |
| 104 | + |
| 105 | +## API Workflow |
| 106 | + |
| 107 | +- **Step 1** Create Switch. |
| 108 | + |
| 109 | +- **Step 2** Create MACSec object. |
| 110 | + |
| 111 | +- **Step 3** Set Secure Policy as part of Create MACSec Port. |
| 112 | + |
| 113 | +```c |
| 114 | + sai_attribute_t attr; |
| 115 | + std::vector<sai_attribute_t> attr_list; |
| 116 | + sai_object_id_t macsec_port_id; |
| 117 | + |
| 118 | + attr_list.clear(); |
| 119 | + |
| 120 | + /* Populate other port attributes */ |
| 121 | + |
| 122 | + /* If should secure, set secure policy */ |
| 123 | + if (should_secure) { |
| 124 | + attr.id = SAI_MACSEC_PORT_ATTR_SECURE_POLICY; |
| 125 | + attr.value.u32 = SAI_MACSEC_PORT_SECURE_POLICY_SHOULD_SECURE; |
| 126 | + } |
| 127 | + attr_list.push_back(attr); |
| 128 | + |
| 129 | + sai_create_macsec_port_fn(&macsec_port_id, |
| 130 | + switch_id, |
| 131 | + attr_list.size(), |
| 132 | + attr_list.data()); |
| 133 | +``` |
| 134 | +
|
| 135 | +# MACSec Confidentiality Offset |
| 136 | +
|
| 137 | +## Overview |
| 138 | +
|
| 139 | +The IEEE 802.1AE (MACSec) standard allows for the configuration of a Confidentiality Offset (CO), which defines the number of bytes of the packet payload, following the MACSec Security Tag (SecTag), should remain unencrypted (sent in the clear). The rest of the payload is encrypted. Even though these bytes in a MACSec protected Ethernet frame are not encrypted, they are still integrity-protected (authenticated). |
| 140 | +
|
| 141 | +Confidentiality offset can take values in the range of 0 - 63; Typical values includes: |
| 142 | +
|
| 143 | +- 0 bytes: Full confidentiality; entire payload remains encrypted. |
| 144 | +
|
| 145 | +- 30 bytes: Partial confidentiality; The first 30 bytes after SecTAG remain unencrypted. |
| 146 | +
|
| 147 | +- 50 bytes: Partial confidentiality; The first 50 bytes after SecTAG remain unencrypted. |
| 148 | +
|
| 149 | +The need for a configurable confidentiality offset primarily stems from requirements to leave certain protocol headers unencrypted since intermediate devices may require visibility into the packet in time-sensitive networks. |
| 150 | +
|
| 151 | +## SAI Attribute Enhancement |
| 152 | +
|
| 153 | +The below MACSec Secure Channel (SC) attribute is newly introduced to allow configuration of the confidentiality offset. This attribute controls the number of bytes of the payload to be left unencrypted. |
| 154 | +
|
| 155 | +```c |
| 156 | + /** |
| 157 | + * @brief Confidentiality Offset for this Secure Channel |
| 158 | + * |
| 159 | + * @type sai_uint32_t |
| 160 | + * @flags CREATE_AND_SET |
| 161 | + * @default 0 |
| 162 | + */ |
| 163 | + SAI_MACSEC_SC_ATTR_CONFIDENTIALITY_OFFSET, |
| 164 | +``` |
| 165 | + |
| 166 | +## API Workflow |
| 167 | + |
| 168 | +During creation of Secure Channel, confidentiality offset can be configured as below: |
| 169 | + |
| 170 | +```c |
| 171 | + sai_attribute_t attr; |
| 172 | + std::vector<sai_attribute_t> attr_list; |
| 173 | + sai_object_id_t macsec_sc_id; |
| 174 | + |
| 175 | + attr_list.clear(); |
| 176 | + |
| 177 | + /* Populate other SC attributes */ |
| 178 | + |
| 179 | + /* Set conf offset */ |
| 180 | + attr.id = SAI_MACSEC_SC_ATTR_CONFIDENTIALITY_OFFSET; |
| 181 | + attr.value.u32 = conf_offset; |
| 182 | + attr_list.push_back(attr); |
| 183 | + |
| 184 | + sai_create_macsec_sc_fn(&macsec_sc_id, |
| 185 | + switch_id, |
| 186 | + attr_list.size(), |
| 187 | + attr_list.data()); |
| 188 | +``` |
| 189 | +
|
| 190 | +# Tag Control Information: ES and SCB |
| 191 | +
|
| 192 | +## Overview |
| 193 | +
|
| 194 | +The MACSec Security Tag (SecTag) contains the Tag Control Information (TCI) field, which holds critical flags defined by IEEE 802.1AE. Two specific flags, the End Station (ES) bit and the Single Copy Broadcast (SCB) bit, are essential for identifying the nature of the Secure Channel (SC) and its use case. |
| 195 | +
|
| 196 | +## Tag Control Information |
| 197 | +
|
| 198 | +The Tag Control Information (TCI) is an 8-bit field within the MACSec Security Tag (SecTag) that contains control information for the MACSec frame. The TCI field structure is defined as follows: |
| 199 | +
|
| 200 | +``` |
| 201 | +TCI Octet Structure (8 bits): |
| 202 | +┌─────┬─────┬─────┬─────┬─────┬─────┬─────┬─────┐ |
| 203 | +│ V │ ES │ SC │ SCB │ E │ C │ AN │ |
| 204 | +│ =0 │ │ │ │ │ │ │ |
| 205 | +├─────┼─────┼─────┼─────┼─────┼─────┼─────┼─────┤ |
| 206 | +│ 8 │ 7 │ 6 │ 5 │ 4 │ 3 │ 2 │ 1 │ |
| 207 | +└─────┴─────┴─────┴─────┴─────┴─────┴─────┴─────┘ |
| 208 | + Bit Position |
| 209 | +``` |
| 210 | +
|
| 211 | +**Field Descriptions:** |
| 212 | +
|
| 213 | +- **V (Version, Bit 8)**: Always set to 0 for current MACSec version |
| 214 | +- **ES (End Station, Bit 7)**: Indicates if the transmitting device is an end station |
| 215 | +- **SC (Secure Channel, Bit 6)**: Indicates presence of Secure Channel Identifier |
| 216 | +- **SCB (Single Copy Broadcast, Bit 5)**: Controls broadcast frame handling |
| 217 | +- **E (Encryption, Bit 4)**: Indicates if the payload is encrypted |
| 218 | +- **C (Changed Text, Bit 3)**: Indicates if the frame length has changed |
| 219 | +- **AN (Association Number, Bits 2-1)**: Identifies the Security Association used for frame protection |
| 220 | +
|
| 221 | +Currently SAI_MACSEC_SC_ATTR_MACSEC_EXPLICIT_SCI_ENABLE attribute is used to configure the Secure Channel(SC) bit in the TCI field. This proposal introduces attributes to configure ES and SCB bits. |
| 222 | +
|
| 223 | +### End Station (ES) |
| 224 | +
|
| 225 | +The ES bit helps the receiving MACsec entity understand the role of the sender in the network topology. Setting this bit allows receivers to identify traffic originating directly from an endpoint, distinguishing it from traffic that has passed through intermediate switches or other devices. |
| 226 | +
|
| 227 | +### Single Copy Broadcast (SCB) |
| 228 | +
|
| 229 | +The SCB is used to indicate if the ethernet frame belongs to a broadcast/multicast domain (hence its not re-encrypted by intermediate relays) vs a fully protected unicast domain (hence decrypted and re-encrypted hop-by-hop). When the bit is set, it indicates that the frame is associated with an SC that supports the Ethernet Passive Optical Network (EPON) Single Copy Broadcast capability, which is typically point-to-multipoint in nature. |
| 230 | +
|
| 231 | +## SAI Attribute Enhancement |
| 232 | +
|
| 233 | +The below MACSec Secure Channel (SC) attributes are newly introduced to allow configuration of the ES and SCB bits in the TCI. Both the attributes are configurable only when creating a Secure Channel in the Transmit (Egress) direction. |
| 234 | +
|
| 235 | +```c |
| 236 | + /** |
| 237 | + * @brief End Station bit in the TCI field of SecTAG |
| 238 | + * |
| 239 | + * @type bool |
| 240 | + * @flags CREATE_AND_SET |
| 241 | + * @default false |
| 242 | + * @validonly SAI_MACSEC_SC_ATTR_MACSEC_DIRECTION == SAI_MACSEC_DIRECTION_EGRESS |
| 243 | + */ |
| 244 | + SAI_MACSEC_SC_ATTR_USE_ES, |
| 245 | +
|
| 246 | + /** |
| 247 | + * @brief Single Copy Broadcast bit in the TCI field of SecTAG |
| 248 | + * |
| 249 | + * @type bool |
| 250 | + * @flags CREATE_AND_SET |
| 251 | + * @default false |
| 252 | + * @validonly SAI_MACSEC_SC_ATTR_MACSEC_DIRECTION == SAI_MACSEC_DIRECTION_EGRESS |
| 253 | + */ |
| 254 | + SAI_MACSEC_SC_ATTR_USE_SCB, |
| 255 | +``` |
| 256 | + |
| 257 | +## API Workflow |
| 258 | + |
| 259 | +During creation of Secure Channel, the TCI bits for End Station (ES) and Single Copy Broadcast (SCB) can be configured as below: |
| 260 | + |
| 261 | +```c |
| 262 | + sai_attribute_t attr; |
| 263 | + std::vector<sai_attribute_t> attr_list; |
| 264 | + sai_object_id_t macsec_sc_id; |
| 265 | + |
| 266 | + attr_list.clear(); |
| 267 | + |
| 268 | + attr.id = SAI_MACSEC_SC_ATTR_MACSEC_DIRECTION; |
| 269 | + attr.value.s32 = SAI_MACSEC_DIRECTION_EGRESS; |
| 270 | + attr_list.push_back(attr); |
| 271 | + |
| 272 | + /* Populate other SC attributes */ |
| 273 | + |
| 274 | + /* Populate TCI bits */ |
| 275 | + if (use_es) { |
| 276 | + attr.id = SAI_MACSEC_SC_ATTR_USE_ES; |
| 277 | + attr.value.booldata = true; |
| 278 | + attr_list.push_back(attr); |
| 279 | + } |
| 280 | + |
| 281 | + if (use_scb) { |
| 282 | + attr.id = SAI_MACSEC_SC_ATTR_USE_SCB; |
| 283 | + attr.value.booldata = true; |
| 284 | + attr_list.push_back(attr); |
| 285 | + } |
| 286 | + |
| 287 | + sai_create_macsec_sc_fn(&macsec_port_id, |
| 288 | + switch_id, |
| 289 | + attr_list.size(), |
| 290 | + attr_list.data()); |
| 291 | +``` |
| 292 | +# References |
| 293 | +
|
| 294 | +- IEEE 802.1AE (MACSec) Standard |
| 295 | +
|
| 296 | +- IEEE 802.1X-2010 (MKA) |
0 commit comments