nanog mailing list archives
Re: MACsec SFP
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Tue, 24 Jun 2014 11:50:42 -0400
On Tue, Jun 24, 2014 at 9:59 AM, Pieter Hulshoff <phulshof () aimvalley nl> wrote:
> On 24-6-2014 15:50, Christopher Morrow wrote:
>> On Tue, Jun 24, 2014 at 3:59 AM, Pieter Hulshoff <phulshof () aimvalley nl> wrote:
>>> features they should have. I'll then try to build a business case to get the product developed. MACsec is currently on the top of my own list, but I'll gladly pass other ideas to my colleagues.
>>
>> what would be your key management strategy for the macsec version? given press / etc over the last 18 or so months it seems like folk with long-haul ether framing might be very interested in macsec for those links and NOT doing it by sticking some switch platform between the 2 routed endpoints. management of key material (and rolling and...) is probably interesting for them as well.
>
> Actually, that's part of the feature list I'm trying to put together. Not

Hurray! :)

> everyone is willing to put a complete key infrastructure together, and some even expressed interest in a simple unmanaged point-to-point solution.
>
> Let me share my current view (subject to change): The first release will support 802.1X MKA using a pre-shared key. I'm still trying to decide if this key should be programmable, e.g. via I2C, or if we will simply sell paired devices with a unique pair-wise key programmed in the factory. MKA will automatically take care of the distribution of new MACsec keys.

So.. now when my SFP in Elbonia dies I need to get a truck to Elbonia AND its paired link in west caledonia? yikes. Also, is that a 'ybFxasasdasd' on the serial-number/key-pair-note or 'ybfXasdadasdsd' Gosh joe I'm not sure... remote-hands work is going to get a bunch more difficult than: "grab one from the jar, hurry!!!"

Programmable seems like the way to go, provided there's a path to do that in the cli of the device you plugged the SFP into? (which I think is the hard part actually, right?)

> Later releases may support 802.1X EAPOL device authentication, though exactly which EAP sub-protocols we will support is yet to be determined. As said: a lot depends on the answers I will get from potential customers, including people on this list.
>
> Kind regards,
>
> Pieter Hulshoff