IxNetwork MACsec Test Solution
MACsec, network test, IxNetwork
The Industry's First MACsec Test Solution for High-Speed Ethernet

Data Security with MACsec

With increasing demand for data privacy and protection of critical business assets, security has become an important part of every network, including cloud, data center, 5G, and automotive. While different encryption technologies are available for data protection, media access control security (MACsec) brings line-rate encryption throughput to high-speed Ethernet, which is critical for cloud and data center operation. It secures network components, ensures confidentiality, and defends against potential threats. MACsec has become an important encryption technology that ships with next-generation chips, routers, and switches. Thorough validation of MACsec encryption functions, throughput, and key exchange and rotation is critical to ensure a robust implementation and smooth deployment. Keysight now offers the industry's first MACsec test solution for high-speed Ethernet to help with early validation of MACsec design and implementation.

MACsec Overview

MACsec (IEEE 802.1AE) is an industry-standard security technology that secures a point-to-point link between directly connected nodes. It operates at the link layer and protects layer 2 and above content. MACsec provides line-rate encryption regardless of packet size, and scales linearly compared to IPsec.
MACsec offers the following key services, which protect against most security threats, including denial of service, intrusion, man-in-the-middle, replay attacks, and passive wiretapping:
- Data confidentiality: cipher-based encryption of user data
- Data integrity: through the integrity check value (ICV)
- Replay protection: using the packet number (PN) and a replay window

With its line-rate encryption throughput, strong encryption protection, lower overhead, and transparency to higher-layer applications, MACsec has become an ideal encryption technology for data center and cloud services that have adopted high-speed Ethernet to meet increased bandwidth demand.

Highlights
- Line-rate 100G MACsec traffic encryption and decryption to stress the decryption engine
- Dynamic MKA key negotiation or static SAK provisioning
- Frame sizes from 64 bytes to 16K bytes in fixed, increment, random, and IMIX patterns
- Control plane protocol messages either encrypted or in clear text
- VLAN in clear text for provider bridged networks
- Dynamic rekey to validate zero packet loss during rekey
- Modes of operation: integrity (ICV) only, or integrity plus encryption
- Full automation support with Python, REST, and other APIs for continuous validation

Find us at www.keysight.com

Keysight's MACsec Test Solution

Keysight now offers the industry's first MACsec test solution for high-speed Ethernet. It enables MACsec validation from hardware design and software stack implementation through system integration, with full coverage of the various MACsec functions. Customers can now benchmark MACsec performance under a realistic traffic mix of cloud and data center workloads, guarantee service continuity during key rotation, and ensure stability under various negative conditions. In addition, Keysight provides a software-based MACsec solution with the essential capabilities to support MACsec validation at lower Ethernet speeds in other industries, including 5G, automotive, and industrial.
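To make the integrity and replay-protection services concrete, here is an added example (not Keysight or IxNetwork code) of the receive-side checks an 802.1AE implementation applies before the cipher runs: SecTAG parsing with the TCI and SL consistency rules, lookup of the receive Secure Channel by SCI, and the lowest-acceptable-PN replay window. It exercises the negative cases this data sheet lists (misconfigured TCI flags, erroneous SL, unknown SCI, out-of-window PN); the ICV is parsed but not verified, the implicit-SCI derivation from source MAC plus port 1 is an assumption, and the frames are constructed test input.

```python
import struct

ETHERTYPE_MACSEC, ICV_LEN = 0x88E5, 16     # SecTAG EtherType; GCM-AES ICV length in octets
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04

def parse_sectag(frame: bytes):
    """Parse Ethernet header + SecTAG; return (AN, PN, SCI, user_data) or raise ValueError."""
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_MACSEC:
        raise ValueError("not a MACsec frame")
    tci_an, sl, pn = struct.unpack_from("!BBI", frame, 14)
    # TCI consistency rules from 802.1AE clause 9 (the 'misconfigured TCI flags' case)
    if tci_an & TCI_V:
        raise ValueError("TCI: version bit set")
    if tci_an & (TCI_ES | TCI_SCB) and tci_an & TCI_SC:
        raise ValueError("TCI: ES/SCB set together with SC")
    if tci_an & TCI_E and not tci_an & TCI_C:
        raise ValueError("TCI: E set without C")
    if sl & 0xC0:
        raise ValueError("SL: reserved bits set")
    off = 20
    if tci_an & TCI_SC:
        sci, off = frame[off:off + 8], off + 8
    else:  # assumption: without an explicit SCI, use source MAC + port 1 (ES-style)
        sci = frame[6:12] + b"\x00\x01"
    user_data = frame[off:len(frame) - ICV_LEN]
    # Short Length is non-zero only for user data under 48 octets, and then must equal it
    if (sl and (sl >= 48 or sl != len(user_data))) or (not sl and len(user_data) < 48):
        raise ValueError("SL: inconsistent with user data length")
    return tci_an & 0x03, pn, sci, user_data

class ReceiveSC:
    """One receive Secure Channel with 802.1AE replay protection (lowest acceptable PN)."""
    def __init__(self, replay_window: int):
        self.replay_window, self.next_pn = replay_window, 1

    def accept_pn(self, pn: int) -> bool:
        lowest_pn = max(self.next_pn - self.replay_window, 1)
        if pn < lowest_pn:
            return False                # out-of-window PN: replayed or too late
        self.next_pn = max(self.next_pn, pn + 1)
        return True

def receive(frame: bytes, channels: dict) -> str:
    """Return 'accept' or 'discard: <reason>' for one frame against the known receive SCs."""
    try:
        _an, pn, sci, _data = parse_sectag(frame)
    except (ValueError, struct.error) as err:
        return f"discard: {err}"
    sc = channels.get(sci)
    if sc is None:
        return "discard: unknown SCI"
    if not sc.accept_pn(pn):
        return "discard: out of window PN"
    return "accept"                     # a real receiver now runs the GCM-AES ICV check

def build_frame(tci_an, sl, pn, sci, user_data):
    # Constructed test frame: fixed dst/src MACs and a zero placeholder instead of a real ICV
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("001122334466") + b"\x88\xe5"
    return hdr + struct.pack("!BBI", tci_an, sl, pn) + (sci or b"") + user_data + b"\x00" * ICV_LEN
```

Note that 802.1AE replay protection only enforces a lowest acceptable PN, so a duplicate that still falls inside the window is accepted by design; the window size is the operator's trade-off between reordering tolerance and replay exposure.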
Key Features

Hardware-based MACsec
- Line-rate MACsec traffic encryption and decryption at 100GE PAM4
- Line-rate MACsec traffic encryption and decryption at 100G NRZ, using active electrical cable (AEC) technology to convert between PAM4 and NRZ signaling
- Option to include or exclude selected control plane protocols from encryption
- Frame sizes from 64 bytes to 16K bytes with fixed, increment, random, and IMIX traffic patterns
- Static Secure Association Key (SAK) provisioning, or Pre-shared Key (PSK) mode with the MACsec Key Agreement (MKA) protocol
- Integrity (ICV) only, or integrity plus encryption
- 128/256-bit cipher suites with Extended Packet Number (XPN) support:
  - GCM-AES-128
  - GCM-AES-256
  - GCM-AES-XPN-128
  - GCM-AES-XPN-256
- Rekey on packet number exhaustion, or timer-based periodic rekey
- VLAN in clear text (before the SecTAG) or in the encrypted payload (after the SecTAG)
- Confidentiality offset 0/30/50
- 'Delay Protect' with MKA
- Negative tests with bad ICV, unused SA, misconfigured TCI flags, and out-of-window PN
- RFC 2544 benchmark for MACsec-encrypted traffic

Software-based MACsec
- MACsec traffic encryption at line rate from 1GE to 400GE with fixed PN (packet number) and payload
- Static SAK provisioning or dynamic key negotiation with the MKA protocol
- Real-world application traffic encryption and decryption up to Gbps using Layer 4-7 AppLibrary traffic, with standard-defined MACsec statistics
- Frame sizes from 64 bytes to 14K bytes, varying per stream
- Integrity (ICV) only, or integrity plus encryption
- 128/256-bit cipher suites with XPN support:
  - GCM-AES-128
  - GCM-AES-256
  - GCM-AES-XPN-128
  - GCM-AES-XPN-256
- Timer-based periodic rekey, with a fixed count or continuous
- VLAN in clear text or in the encrypted payload
- Confidentiality offset 0/30/50 (non-zero offset is supported only for stateless traffic)
- MACsec frame decryption and ICV validation in Wireshark capture
- Negative tests with misconfigured TCI flags, bad ICV, erroneous SL, and out-of-window PN

IxNetwork MACsec Emulation Specifications

Hardware-Based MACsec

Standards
- IEEE Std 802.1AE-2018
- IEEE Std 802.1X-2020

Cipher Suites
- GCM-AES-128
- GCM-AES-256
- GCM-AES-XPN-128
- GCM-AES-XPN-256

Stateless L2/3 Traffic
- Line-rate encryption throughput at 100G PAM4 and 100G NRZ
- Line-rate decryption at the receiving port
- Static SAK provisioning or dynamic SAK provisioning by MKA (PSK based)
- Frame size from 64 bytes to 16K bytes, as well as short-length frames
- Frame sizes varied with fixed, increment, random, and IMIX patterns
- Integrity (ICV) only, or integrity plus encryption
- XPN (Extended Packet Number)
- Rekey on packet number exhaustion, or timer-based periodic rekey
- Confidentiality offset 0/30/50 with MKA
- Confidentiality offset 0~64 without MKA
- With and without SCI
- VLAN in clear text and/or in the encrypted payload (up to 4 clear-text and 6 encrypted VLANs)
- Negative tests with bad ICV, unused SA, misconfigured TCI flags, encryption with an incorrect key, and out-of-window PN
- Up to 256 Tx/Rx SCs per port for pair-wise CA
- Up to 128 Tx/Rx SCs per port for group CA
- Ingress and egress tracking per source/destination MAC/IP, SCI, and VLAN
- RFC 2544 benchmark for MACsec-encrypted traffic

Stateful L4/7 AppLibrary Traffic
- Encryption and decryption throughput up to Gbps with port aggregation
- Encryption with incremental PN and variable payload
- Frame size varies per stateful flow
- Static SAK provisioning or dynamic SAK provisioning by MKA (PSK based)
- Integrity (ICV) only, or integrity plus encryption
- XPN (Extended Packet Number)
- Rekey on packet number exhaustion, or timer-based periodic rekey
- Confidentiality offset 0/30/50 with MKA
- Confidentiality offset 0~64 without MKA
- With and without SCI
- VLAN in clear text and/or in the encrypted payload (up to 4 clear-text and 6 encrypted VLANs)

Control Plane Protocol
- Option to include or exclude selected control plane protocols (BGP, OSPF, IS-IS) from encryption
- Encryption of undersize control messages of less than 64 bytes, e.g. ARP

MKA
- PSK (Pre-shared Key) based key hierarchy
- Supports the AES-CMAC-128/256 Key Derivation Function (KDF)
- Act as key server or non-key server
- Multiple MKA sessions, each with a pair-wise CA
- Multiple MKA sessions, each with multiple members for a group CA
- MKA members leaving/joining a CA on the fly
- MKA session over VLAN with up to 6 VLAN tags
- Confidentiality offset 0/30/50
- Configurable rekey threshold PN ('pendingPNExhaustion') to expedite PN-based rekey
- Configurable starting message number, key number, and AN
- Simulate delayed MACsec packets on demand by bumping up the LLPN advertised in Hello packets, to test the DUT's 'delay protect' behavior

MKA Learned Information
- ICV Key
- Key Encrypting Key
- Secure Association Key
- SSCI
- Live Peer Member Identifier
- Live Peer Message Number
- Potential Peer Member Identifier
- Potential Peer Message Number

MKA Statistics
- MKPDU Tx
- MKPDU Rx
- Live Peer Count
- Potential Peer Count
- Latest Key Tx Peer Count
- Latest Key Rx Peer Count
- Malformed Rx MKPDU
- ICV Mismatch

MACsec Statistics
- Per device:
  - Valid Packet Rx
  - Bad Packet Rx
  - Invalid ICV Discarded
  - Invalid ICV Accepted
  - Rx Bytes Validated
  - Rx Bytes Decrypted
- Per port:
  - OutPktsEncrypted
  - Protected Packet Tx
  - Encrypted Packet Tx
  - Protected Byte Tx
  - Encrypted Byte Tx
  - Non-MACsec Packet Tx
  - Protected Packet Rx
  - Encrypted Packet Rx
  - Protected Byte Rx
  - Encrypted Byte Rx
  - Non-MACsec Packet Rx
  - Unknown SCI/SA Accepted
  - Unknown SCI/SA Discarded
  - Valid Packet Rx Broadcast
  - Bad Packet Rx Broadcast
  - Invalid ICV Discarded Broadcast
  - Invalid ICV Accepted Broadcast
  - Rx Bytes Validated Broadcast
  - Rx Bytes Decrypted Broadcast
  - Valid Packet Rx Multicast
  - Bad Packet Rx Multicast
  - Invalid ICV Discarded Multicast
  - Invalid ICV Accepted Multicast
  - Rx Bytes Validated Multicast
  - Rx Bytes Decrypted Multicast

Data Plane Statistics
- Full L2/3 traffic statistics with throughput, loss, and latency/jitter
- Stateful traffic statistics

Negative Testing
- Packets with bad ICV
- Out-of-window packet generation
- Delayed packet simulation
- Packets with malformed SecTAG
- Packets with unused SA
- Mix of MACsec and non-MACsec traffic

Note: See the 7019-0473-T-DS-AresONE-400GE-QSFP-DD-High-Performance data sheet for hardware specifications.

Software-Based MACsec

Standards
- IEEE Std 802.1AE-2018
- IEEE Std 802.1X-2020

Cipher Suites
- GCM-AES-128
- GCM-AES-256
- GCM-AES-XPN-128 (in Static Key mode)
- GCM-AES-XPN-256 (in Static Key mode)

Stateless Traffic
- Encryption throughput from 1G to 400G
- Encryption with fixed PN and payload per stream
- Decryption and ICV checking with Wireshark
- Frame size from 64 bytes to 14K bytes, varying per stream; Tx frames can be shorter than 64 bytes
- Static SAK provisioning or dynamic SAK provisioning by MKA (PSK based)
- Egress-only tracking per Rx SCI or destination MAC
- Confidentiality offset 0/30/50
- With and without SCI
- Timer-based periodic rekey
- VLAN in clear text and/or in the encrypted payload (up to 6 VLANs)

Stateful AppLibrary Traffic
- Encryption and decryption throughput up to Gbps with port aggregation
- Encryption with incremental PN and variable payload
- Static SAK provisioning or dynamic SAK provisioning by MKA (PSK based)
- Frame size varies per stateful flow
- Confidentiality offset 0
- With and without SCI
- Timer-based periodic rekey (no rekey on PN exhaustion)
- VLAN in clear text (up to 6 VLANs)

Wireshark Capture
- Decryption per configured SAK
- ICV validation
- Display of the SAK used for decryption
- Display of the decrypted payload alongside the encrypted payload

Negative Testing
- Bad ICV generation
- Out-of-window packet generation
- Malformed SecTAG
- Invalid SL value
- Mix of MACsec and non-MACsec traffic

MKA
- PSK (Pre-shared Key) based key hierarchy
- Act as key server or non-key server
- Multiple MKA sessions, each with a pair-wise CA
- Multiple MKA sessions, each with multiple members for a group CA
- MKA members leaving/joining a CA on the fly
- MKA session over VLAN with up to 6 VLAN tags
- Confidentiality offset 0/30/50
- Configurable rekey threshold PN ('pendingPNExhaustion') to expedite PN-based rekey
- Configurable starting message number, starting key number, and AN number

MKA Learned Information
- ICV Key
- Key Encrypting Key
- Secure Association Key
- SSCI
- Live Peer Member Identifier
- Live Peer Message Number
- Potential Peer Member Identifier
- Potential Peer Message Number

MKA Statistics
- MKPDU Tx
- MKPDU Rx
- Live Peer Count
- Potential Peer Count
- Latest Key Tx Peer Count
- Latest Key Rx Peer Count
- Malformed Rx MKPDU
- ICV Mismatch

MACsec Statistics
- Protected Packet Tx
- Encrypted Packet Tx
- Valid Packet Rx
- Bad Packet Rx
- Bad Tag/ICV Discarded
- Out of Window Discarded
- Unknown SCI Discarded
- Unused SA Discarded
- Invalid ICV Discarded
- Unknown SCI Rx
- Unused SA Rx
- Invalid ICV Rx
- Tx Bytes Protected
- Tx Bytes Encrypted
- Rx Bytes Validated
- Rx Bytes Decrypted
- Non-MACsec Packet Rx

Data Plane Statistics
- Full L2/3 traffic statistics with throughput and loss
- Stateful traffic statistics

Supported Hardware Platforms

Visit keysight.com for more information on IxNetwork platform options.

Hardware-Based MACsec
- AresONE 400G High Performance QSFP-DD 400/200/100/50GE

Software-Based MACsec
- AresONE 400G High Performance QSFP-DD 400/200/100/50GE
- AresONE-S 400G 16PHW QSFP-DD 400/200/100/50GE
- AresONE-S 400G 8PHW QSFP-DD 400/200/100/50GE
- AresONE 400G QSFP-DD 400/200/100/50GE
- AresONE 400G OSFP 400/200/100/50GE
- Novus ONE PLUS 10GE/5GE/2.5GE/1GE/100M
- Novus High Density QSFP28 100/50/40/25/10GE
- Novus High Density SFP28/QSFP28 100/50/25/10GE
- Novus 10GE/1GE/100M
- Novus 10GE/5GE/2.5GE/1GE/100M

Ordering Information

MACsec Part Numbers

905-1061: IXIA, MACsec Enablement for AresONE T400GP-4P-QDD 400GE high performance fixed chassis system (944-1178) with FACTORY INSTALLED option (905-1061). One option is required for each fixed chassis system to enable MACsec capability for 100GE ports. REQUIRES: 905-1044 AresONE T400GD/GDR/GP 2x200GE, 4x100GE, 8x50GE FAN-OUT FACTORY INSTALLED option. REQUIRES: 930-2207 IxNetwork Encryption Test package for AresONE.

905-1062: IXIA, MACsec Enablement for AresONE T400GP-4P-QDD 400GE high performance fixed chassis system (944-1178) with FIELD UPGRADE option (905-1062). One option is required for each fixed chassis system to enable the MACsec option for 100GE ports. REQUIRES: 905-1044 AresONE T400GD/GDR/GP 2x200GE, 4x100GE, 8x50GE FAN-OUT FACTORY INSTALLED option OR 905-1045 AresONE T400GD/GDR/GP 2x200GE, 4x100GE, 8x50GE FAN-OUT FIELD UPGRADE option. REQUIRES: 930-2207 IxNetwork Encryption Test package for AresONE.

930-2207 (AresONE): IXIA IxNetwork, Encryption Test package for AresONE. INCLUDES: MACsec Emulation. REQUIRES: 930-2201 IxNetwork Basic package for AresONE. Recommended with: 930-3461 IxNetwork AppLibrary Slot Bundle, Optional Software, Layer 4-7 Performance Test Application, for additional encryption/decryption capability in Static MACsec emulation.

930-2135 (Chassis based): IXIA IxNetwork, Optional Software, MACsec Emulation. Enables MACsec traffic encryption. REQUIRES: pre-existing 930-1999 IxNetwork Base license OR new purchase of either IxNetwork Base PLUS (930-2056) or IxNetwork Base PREMIUM (930-2076). Recommended with: 930-3461 IxNetwork AppLibrary Slot Bundle, Optional Software, Layer 4-7 Performance Test Application, for additional encryption/decryption capability.

930-2222 (Novus ONE PLUS): IXIA IxNetwork, Encryption Test package for Novus ONE PLUS. INCLUDES: MACsec Emulation. REQUIRES: 930-2221 IxNetwork Basic package for Novus ONE PLUS. Recommended with: 930-3461 IxNetwork AppLibrary Slot Bundle, Optional Software, Layer 4-7 Performance Test Application, for additional encryption/decryption capability in Static MACsec emulation.

Relevant Hardware Part Numbers

944-1178: IXIA AresONE T400GP-4P-QDD, 4-port, 400GE high performance fixed chassis model with native QSFPDD 400GE physical interfaces, and L1-3 support (944-1178).

905-1044: IXIA AresONE T400GD/T400GDR/T400GP Fan-out option: 2x200GE, 4x100GE, 8x50GE FACTORY INSTALLED option for the QSFP-DD and OSFP T400GD/T400GDR/T400GP 8-port and 4-port, high performance, full and reduced performance, fixed chassis systems.

905-1045: IXIA AresONE T400GD/T400GDR/T400GP Fan-out option: 2x200GE, 4x100GE, 8x50GE fan-out FIELD UPGRADE option for the QSFP-DD and OSFP T400GD/T400GDR/T400GP 8-port and 4-port, high performance, full and reduced performance, fixed chassis systems.

QSFPDD-4XQ28AEC-CBL: IXIA QSFP-DD-to-4xQSFP28 400GBASE-R Active Electrical fan-out Cable (AEC), for 400GE to 4x100GE fan-out, 3-meter length (942-0139).

944-1140: IXIA NOVUS100GE8Q28+FAN, 8-port, QSFP28 100GE full scale and performance load module, 1 slot with 8 ports with the native QSFP28 physical interface, L2-3 support with complete protocol coverage, and full scale and performance protocol emulation for routing, switching, and access protocols.

944-1141: IXIA NOVUS10/1GE32S, 32-port, SFP+ 10GE/1GE/100M load module, 1 slot with 32 ports with SFP+ physical interface, L2-3 support.

944-1142: IXIA NOVUS10/1GE16DP, 16-port, SFP+/10GBASE-T Dual-PHY 10GE/1GE/100M load module, 1-slot Dual-PHY with 16 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support.

944-1146: IXIA NOVUS1GE16DP, 16-port 1GE/100M SFP+/1000BASE-T Dual-PHY load module, 1-slot Dual-PHY with 16 ports each of the SFP+ and 1000BASE-T RJ45 physical interfaces, L2-7 support.

944-1148: IXIA NOVUS10/5/2.5/1/100M16DP, 5-speed, 16-port, SFP+/10GBASE-T Dual-PHY 10G/5G/2.5G/1G/100M full scale and performance load module, 1-slot Dual-PHY with 16 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support with complete protocol coverage, and full scale and performance protocol emulation for routing, switching, and access protocols.

944-1162: IXIA NOVUS-NP10/1GE16DP, 16-port, SFP+/10GBASE-T Dual-PHY 10GE/1GE/100M Application Network Processor load module, 1-slot Dual-PHY with 16 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support.

941-0063: IXIA Novus ONE PLUS 10/1GE16DP Fixed Chassis, 16-port, SFP+/10GBASE-T Dual-PHY 10GE/1GE/100M, 1-slot Dual-PHY with 16 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support. Includes installation of the latest production-released version of the IxOS software.

941-0064: IXIA Novus ONE PLUS 10/1GE8DP Fixed Chassis, 8-port, SFP+/10GBASE-T Dual-PHY 10GE/1GE/100M, 1-slot Dual-PHY with 8 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support. Includes installation of the latest production-released version of the IxOS software.

941-0065: IXIA Novus ONE PLUS 10/1GE4DP Fixed Chassis, 4-port, SFP+/10GBASE-T Dual-PHY 10GE/1GE/100M, 1-slot Dual-PHY with 4 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support. Includes installation of the latest production-released version of the IxOS software.

941-0066: IXIA Novus ONE PLUS 10/5/2.5/1GE16DP Fixed Chassis, 16-port, SFP+/10GBASE-T Dual-PHY 10/5/2.5/1GE/100M, 1-slot Dual-PHY with 16 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support. Includes installation of the latest production-released version of the IxOS software.

941-0067: IXIA Novus ONE PLUS 10/5/2.5/1GE8DP Fixed Chassis, 8-port, SFP+/10GBASE-T Dual-PHY 10/5/2.5/1GE/100M, 1-slot Dual-PHY with 8 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support. Includes installation of the latest production-released version of the IxOS software.

941-0068: IXIA Novus ONE PLUS 10/5/2.5/1GE4DP Fixed Chassis, 4-port, SFP+/10GBASE-T Dual-PHY 10/5/2.5/1GE/100M, 1-slot Dual-PHY with 4 ports each of the SFP+ and 10GBASE-T RJ45 physical interfaces, L2-7 support. Includes installation of the latest production-released version of the IxOS software.

Learn more at: www.keysight.com

For more information on Keysight Technologies' products, applications or services, please contact your local Keysight office. The complete list is available at: www.keysight.com/find/contactus

This information is subject to change without notice. © Keysight Technologies, 2021, Published in USA, August 05, 2021, 3120-1442.EN
