How to Configure MACsec in OCI

November 29, 2022 | 6 minute read
Raffi Shahabazian
Principal Cloud Network Architect

The purpose of this blog is to provide a simple guide on how to configure MACsec in OCI. You can configure FastConnect to use MACsec (IEEE standard 802.1AE) to protect network-to-network connections at Layer 2.

To enable MACsec, you will need to use an Advanced Encryption Standard (AES) encryption algorithm. The two connected networks exchange and verify security keys, and then establish a secure bidirectional link.

The Oracle Cloud Infrastructure Vault service securely stores the keys used by a FastConnect circuit that has the MACsec security feature enabled.

MACsec Requirements in OCI

To use MACsec, the following requirements must be met:

  • Your customer premises equipment (CPE) device must also support MACsec.
  • The FastConnect virtual circuit or link aggregation group (LAG) speed must be 10 Gbps or greater.
  • Not every existing cross-connect or cross-connect group supports MACsec. To check an existing cross-connect or cross-connect group, open its details page: the MACsec Encryption field shows either Capable or Incapable. The connection must be Capable of using MACsec. If the cross-connect or cross-connect group is Incapable, you need to reprovision it before configuring MACsec.
  • Not all third-party providers can support MACsec on the type of circuit they provide. Please check with your provider to verify that the type of connectivity you purchase supports MACsec.

MACsec Parameters

When configuring MACsec on your CPE, refer to the table below for the required parameters.

(Table image: MACsec Parameters)

MACsec Configuration

FastConnect with MACsec integrates with the Vault service. Here’s an overview of the steps to fully configure FastConnect with MACsec.

  • Create a Vault.
  • Create a master encryption key in Vault.
  • Create two secrets in your Vault to represent the Connectivity Association Key (CAK) and the Connectivity Association Key Name (CKN). The CAK and CKN must be hexadecimal strings with a length of 32–64 characters.
  • Configure MACsec on a third-party provider or colocation cross-connect using the CKN and CAK secrets created for the FastConnect circuit.
  • Give your on-premises network administrator the original CAK and CKN keys to use when configuring the customer premises equipment (CPE) device.
  • Activate the cross-connects for the third-party provider or colocation virtual circuits.

Creating the Vault

Navigate to the OCI menu and select Identity & Security -> Vault.

(Screenshot: Vault)

Select Create Vault, provide a name, and click on Create Vault.

(Screenshot: Vault)

Once the Vault has been created, select it and create the master encryption key and the two secrets (CAK and CKN) used for the MACsec encryption.

Below is the master key creation.

(Screenshot: Vault)

Below are the CAK and CKN key creations.

(Screenshot: Vault)

(Screenshot: Vault)

Once the Vault and keys have been created, we can associate them with a new FastConnect circuit or an existing FastConnect circuit.

If you decide to add MACsec encryption to an existing FastConnect cross-connect, remember that changing the encryption settings requires restarting the BGP session, which briefly suspends BGP traffic.

Create a FastConnect circuit

Navigate to the OCI menu and select Networking -> FastConnect.

(Screenshot: FastConnect)

Create the new FastConnect circuit, select FastConnect Direct, and click Next.

(Screenshot: FastConnect)

We will need to provide the appropriate configuration settings for the following fields:

  • Cross-Connect Group (used for LAG) or Single Cross-Connect
  • Port speed (must be 10 Gbps or higher)
  • Encryption
  • CKN Secret
  • CAK Secret
  • Physical Location

(Screenshot: FastConnect)

Once the FastConnect circuit is configured appropriately and the FastConnect provider has completed the cross-connect patching, we can start configuring the CPE.

In this blog, we will use a Cisco device to show an example of the configuration on the CPE side. We will need to perform the following:

  • Create Key Chain
  • Create MACsec Policy
  • Associate MACsec Policy with the FastConnect interface on the CPE side

Create Key Chain

(Screenshot: Cisco CPE configuration)

Create MACsec Policy

(Screenshot: Cisco CPE configuration)

Associate MACsec Policy with the FastConnect interface on the CPE side

(Screenshot: Cisco CPE configuration)
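As an added example (not code from the original post or from Oracle), the following Python script ties the Vault and CPE steps together: it generates and validates a CAK/CKN pair under the rule stated above (hexadecimal, 32–64 characters), builds the base64 body that an OCI Vault secret carries, and renders the three CPE steps (key chain, MACsec policy, interface binding) plus the BPDU guard setting as Cisco NX-OS CLI. It assumes an NX-OS CPE (the `show macsec mka session` command used later in the post is NX-OS syntax), the OCI Python SDK for the optional `create_vault_secrets` call, and placeholder policy values (cipher suite GCM-AES-XPN-256, key-server priority 16, interface Ethernet1/1, key-chain and policy names) that must be replaced with the values from the OCI MACsec parameters table and your own environment.

```python
import base64
import re
import secrets

# Rule stated in the post: CAK and CKN are hexadecimal strings of 32-64 characters.
# Added assumption: the digit count must also be even so the string encodes whole bytes.
HEX_RE = re.compile(r"[0-9a-fA-F]+")
MIN_HEX_LEN, MAX_HEX_LEN = 32, 64


def validate_macsec_key(value: str, name: str) -> str:
    """Return the key lower-cased if it satisfies the format rule, otherwise raise ValueError."""
    if not HEX_RE.fullmatch(value):
        raise ValueError(f"{name} must contain only hexadecimal characters")
    if len(value) % 2:
        raise ValueError(f"{name} must have an even number of hex digits")
    if not MIN_HEX_LEN <= len(value) <= MAX_HEX_LEN:
        raise ValueError(f"{name} must be {MIN_HEX_LEN}-{MAX_HEX_LEN} hex characters, got {len(value)}")
    return value.lower()


def is_valid_macsec_key(value: str) -> bool:
    """Boolean form of validate_macsec_key, for pre-flight checks in scripts."""
    try:
        validate_macsec_key(value, "key")
    except ValueError:
        return False
    return True


def generate_macsec_keys() -> tuple[str, str]:
    """Draw a 256-bit CAK (64 hex chars) and a 128-bit CKN (32 hex chars) from the OS CSPRNG."""
    cak, ckn = secrets.token_hex(32), secrets.token_hex(16)
    return validate_macsec_key(cak, "CAK"), validate_macsec_key(ckn, "CKN")


def cak_algorithm(cak: str) -> str:
    """NX-OS key-chain algorithm keyword matching the CAK size (128- or 256-bit CAKs only)."""
    bits = len(validate_macsec_key(cak, "CAK")) * 4
    if bits == 128:
        return "AES_128_CMAC"
    if bits == 256:
        return "AES_256_CMAC"
    raise ValueError(f"CAK must be 128 or 256 bits for a Cisco key chain, got {bits}")


def vault_secret_content(hex_value: str) -> str:
    """OCI Vault secret bodies are base64; encode the hex string itself, not the bytes it represents."""
    return base64.b64encode(hex_value.encode("ascii")).decode("ascii")


def render_nxos_macsec_config(cak, ckn, interface, keychain="OCI-MACSEC-KC",
                              policy="OCI-MACSEC-POLICY", cipher_suite="GCM-AES-XPN-256",
                              key_server_priority=16) -> str:
    """Render the three CPE steps from the post (key chain, policy, interface binding)
    as Cisco NX-OS CLI, plus the BPDU guard the post recommends on the FastConnect port.
    Policy values are placeholders: take the real ones from the OCI MACsec parameters table."""
    cak = validate_macsec_key(cak, "CAK")
    ckn = validate_macsec_key(ckn, "CKN")
    return "\n".join([
        "feature macsec",
        f"key chain {keychain} macsec",
        f"  key {ckn}",  # the CKN names the key on both peers
        f"    key-octet-string {cak} cryptographic-algorithm {cak_algorithm(cak)}",
        f"macsec policy {policy}",
        f"  cipher-suite {cipher_suite}",
        f"  key-server-priority {key_server_priority}",
        "  conf-offset CONF-OFFSET-0",  # encrypt the whole frame payload, no plaintext offset
        "  security-policy must-secure",  # drop traffic until MKA has negotiated a SAK
        f"interface {interface}",
        f"  macsec keychain {keychain} policy {policy}",
        "  spanning-tree bpduguard enable",  # keep STP BPDUs off the circuit, as the post advises
    ])


def create_vault_secrets(compartment_id, vault_id, key_id, cak, ckn, prefix="fastconnect-macsec"):
    """Store CAK and CKN as two Vault secrets via the OCI Python SDK (assumed installed
    and configured through ~/.oci/config); returns the secret OCIDs keyed "cak" and "ckn"."""
    import oci  # assumption: pip install oci; not imported at module level so the rest runs offline
    client = oci.vault.VaultsClient(oci.config.from_file())
    ocids = {}
    for name, value in (("cak", cak), ("ckn", ckn)):
        details = oci.vault.models.CreateSecretDetails(
            compartment_id=compartment_id, vault_id=vault_id, key_id=key_id,
            secret_name=f"{prefix}-{name}",
            secret_content=oci.vault.models.Base64SecretContentDetails(
                content_type="BASE64", content=vault_secret_content(value)),
        )
        ocids[name] = client.create_secret(details).data.id
    return ocids


if __name__ == "__main__":
    cak, ckn = generate_macsec_keys()
    print(render_nxos_macsec_config(cak, ckn, "Ethernet1/1"))
```

Run the script once to produce a fresh key pair and the matching CPE configuration; the same CAK and CKN strings are what `create_vault_secrets` would store in Vault and what the on-premises administrator needs for the CPE. The key-chain algorithm is derived from the CAK length, so a CAK that is neither 128 nor 256 bits is rejected before it reaches a device.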

Once the CPE side is configured, we can check the Cisco device for the MACsec peer using the show macsec mka session command, or navigate to the OCI console and view the FastConnect circuit to ensure MACsec has been applied and the circuit is up and operational.

(Screenshot: Verification)

(Screenshot: Verification)

Additional Considerations

Since the FastConnect circuit terminates at the edge of both OCI and the customer data center, we need to ensure that spanning-tree BPDUs are not sent across the circuit. Otherwise, the circuit will start to flap, and we will not achieve a stable circuit. To ensure this does not occur, we need to enable bpduguard on the CPE equipment for the interface on which the FastConnect circuit terminates.

(Screenshot: Spanning Tree)

Additional Resources

OCI FastConnect MACsec Documentation

OCI Vault Documentation
