On 10/22/24 00:12, Crist Clark wrote:
It is definitely deployed out there. I wouldn't worry too much about
reading the specs. All of the implementations I've dealt with are only
partial implementations. They almost all are limited to "point to point"
functionality.
As for comparing to IPsec, IPsec came out of a different time. It is
more of framework with a zillion knobs, and lots of room for
customization and future changes. The keying isn't even a part of IPsec.
ISAKMP, later IKE, are separate protocols. IPsec has transport mode
(seldom used) and tunnel mode. It has AH (which no one uses) and ESP.
MACsec is much more narrowly defined. The cryptographic algorithms are
standard. There is room for future updates of those algorithms, but for
now, the implementers know what they need to do.
For those reasons, I think it is more straightforward to implement
MACsec in firmware. I would expect if you trimmed down IPsec, which most
NOS implementations already do, you can implement it in the same way.
Vendors have been charging big money for fast IPsec for a long time,
they don't want to stop. But the MACsec price-point is so sweet compared
to it, you now have people doing things like running MACsec over VXLAN
in place of IPsec.
MACsec is also really useful where you need point-to-point protection of
traffic that isn't easily manipulated at L3 or may not even run over IP
but that may transit publicly accessible infrastructure. Utility SCADA
traffic is an example, and MACsec can be very useful on those networks
as they often transition from wireless to fiber.
