Switching

Question on MACSEC encryption and decryption

  • 1.  Question on MACSEC encryption and decryption

     
    Posted 22 days ago

    Hi.

    I have two MACSEC-configured switches S1 and S2, with a link between them.

    They are both configured with the same CKN and CAK keys.

    Traffic is being forwarded from S1 to S2.

    Which of the two keys is S1 using for encryption and which of the two keys is S2 using for decryption?

    Thanks,

    Deepak


    Juniper Business Use Only



  • 2.  RE: Question on MACSEC encryption and decryption

    Posted 21 days ago
    I haven't done it on switches, but on MXs you can just use "show security mka session" and it will tell you what CAK and CKN (I believe) - if you are using MKA. The CKN is the connectivity association key name and the CAK is the actual key that is associated with the name. The preshared key is made up of both the CKN and the CAK and must match on both sides.

    ------------------------------
    DAVID CLARK
    ------------------------------



  • 3.  RE: Question on MACSEC encryption and decryption

     
    Posted 21 days ago

    Thanks David.

    But which of the two keys is used for encryption and which is used for decryption?

    The output of "show security macsec connections" doesn't provide that information.

    --Deepak


  • 4.  RE: Question on MACSEC encryption and decryption

    Posted 20 days ago
    If I'm not mistaken, the same key is used to encrypt and decrypt. It's a preshared key, meaning both sides have the same CKN and CAK and use them to both encrypt and decrypt.

    ------------------------------
    DAVID CLARK
    ------------------------------