What a community!!!
Thanks for all the responses.
--jas
On 10/23/24 9:27 AM, Bertilsson, Björn via NANOG wrote:
The biggest pitfall for telecom with MACSEC is that PTP/SyncE and
MACSEC on the same physical interface simultaneously is mostly not
supported. Many claim that you can do both, but they don’t mention
that it can’t be done at the same time. There are some newer models of
Juniper ACX coming with that, one model of Cisco NCS (but not
officially supported) and maybe others. But with the PHY and NPU
separated it has been hard for them to implement. Probably the newest
generation of NPU like Jericho3 will do this on the NPU and will
handle it ok. But then again, the other end must also be of newer
generation to interop properly.
It is possible to configure MACSEC and PTP/SyncE on several models and
interfaces and get them phase aligned. But in most cases, they will
start to drift quite badly until they go out of spec.
/Björn
From: NANOG <nanog-bounces+bjorn.bertilsson=telia...@nanog.org> On Behalf Of Dave Cohen
Sent: Tuesday, October 22, 2024 8:39 PM
To: Mark Tinka <mark@tinka.africa>
Cc: nanog@nanog.org
Subject: Re: IEEE MACsec
I would caution anyone running MACsec on a link leveraging a provider
circuit between them to quadruple check that the provider link
supports customer use of MACsec. In theory MACsec will operate just
fine over a Layer 2 link but carriers tend to not like unanticipated
bits getting appended or inserted into frame headers. In my carrier days,
$dayjob's L2 products tended to be highly interoperable relative to
the industry norm, and we still forced customers into a L1 service if
they needed MACsec. My understanding is that said carrier did start
supporting it on its L2 services off of certain devices a couple of
years ago, but I don't believe this is common for most providers.
On Tue, Oct 22, 2024 at 2:27 PM Mark Tinka <mark@tinka.africa> wrote:
On 10/22/24 16:56, Tarko Tikan wrote:
> What we are seeing now is MACsec getting integrated into latest NPUs
> directly. So far it has been mostly implemented by separate chips or
> in PHYs (or combination). This has, in some cases, limited you to what
> ports you can use MACsec on. It also had challenges with sync/PTP,
> per-vlan MACsec etc.
>
> So while it is proven technology and works well we are still seeing
> innovation/improvements.
It is also now shipping in coherent pluggables as a native feature.
Mark.
--
- Dave Cohen
craetd...@gmail.com
@dCoSays
www.venicesunlight.com <http://www.venicesunlight.com>