Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Question on MACSEC encryption and decryption

     
    Posted 10-04-2021 11:21

    Hi.

    I have two MACSEC-configured switches S1 and S2, with a link between them.

    They are both configured with the same CKN and CAK keys.

    Traffic is being forwarded from S1 to S2.

    Which of the two keys is S1 using for encryption and which of the two keys is S2 using for decryption?

    Thanks,

    Deepak


    Juniper Business Use Only



  • 2.  RE: Question on MACSEC encryption and decryption

    Posted 10-05-2021 10:20
    I haven't done it on switches, but on MXs you can just use "show security mka session" and it will tell you what CAK and CKN (I believe) - if you are using MKA. The CKN is the connectivity association key name and the CAK is the actual key that is associated with the name. The preshared key is made up of both the CKN and the CAK and must match on both sides.

    ------------------------------
    DAVID CLARK
    ------------------------------



  • 3.  RE: Question on MACSEC encryption and decryption

     
    Posted 10-06-2021 05:32

    Thanks David.

    But which of the two keys is used for encryption and which is used for decryption?

    The output of "show security macsec connections" doesn't provide that information.

    --Deepak


  • 4.  RE: Question on MACSEC encryption and decryption

    Posted 10-06-2021 13:51
    If I'm not mistaken, the same key is used to encrypt and decrypt. It's a preshared key, meaning both sides have the same CKN and CAK and use them to both encrypt and decrypt.

    ------------------------------
    DAVID CLARK
    ------------------------------