EVPN MACsec


Security is crucial in today's networked environment. MACsec, defined by the IEEE 802.1AE standard, is a security protocol designed to protect data transmitted over Ethernet networks. It provides point-to-point or point-to-multipoint security by encrypting and authenticating Ethernet frames. Implementing MACsec ensures the confidentiality, integrity, and authenticity of communications, protecting against threats such as eavesdropping, tampering, and replay attacks. When used with EVPN, it offers hop-by-hop security, including protection for the underlay, overlay, encapsulation, and data payload.
In our test, we enabled both authentication and encryption. We configured a static mode using a pre-shared key for the MACsec Key Agreement (MKA) protocol, with the GCM-AES-XPN-256 cipher suite. Encryption was activated for both transmission (Tx) and reception (Rx). Our analysis of the packet capture showed that the Secure Channel Identifier (SCI) was established and that all packets were subsequently protected by MACsec, including the underlay (IS-IS), overlay (BGP), encapsulation (SR-MPLS), and the data payload. The EVPN service used was EVPN-VPWS. We sent end-to-end unicast traffic and observed no packet loss. Load balancing functioned as expected in the multi-homed scenario. We did not perform any switchover during this test, as that was not the primary objective.
Spirent TestCenter was used as the traffic generator for this test.
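The capture check described above can be automated. The following added example (written for this page, not part of the test report or any vendor tool) parses the 802.1AE SecTAG of raw Ethernet frames, recognises MKA (EAPOL type 5) control frames, and counts how many frames on a link are still cleartext, which on a MACsec-protected EVPN link would be a finding. The sample frames are constructed, not taken from the test bed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_MACSEC = 0x88E5   # 802.1AE SecTAG follows the source MAC
ETHERTYPE_EAPOL = 0x888E    # 802.1X; EAPOL packet type 5 carries MKA
EAPOL_TYPE_MKA = 5

@dataclass
class SecTag:
    an: int               # association number (0-3)
    encrypted: bool       # TCI E bit: payload is confidentiality-protected
    changed_text: bool    # TCI C bit: user data differs from the clear form
    short_length: int     # SL: user-data length when < 48 bytes, else 0
    pn: int               # packet number (XPN suites carry only the low 32 bits here)
    sci: Optional[bytes]  # 8-byte Secure Channel Identifier if the SC bit is set

def parse_sectag(frame: bytes) -> Optional[SecTag]:
    """Return the SecTAG of a MACsec frame, or None if the frame is not MACsec."""
    if len(frame) < 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_MACSEC:
        return None
    tci_an, sl = frame[14], frame[15]
    pn = struct.unpack_from("!I", frame, 16)[0]
    sci = None
    if tci_an & 0x20:                     # SC bit: explicit SCI present
        if len(frame) < 28:
            return None
        sci = frame[20:28]
    return SecTag(an=tci_an & 0x03, encrypted=bool(tci_an & 0x08),
                  changed_text=bool(tci_an & 0x04), short_length=sl & 0x3F,
                  pn=pn, sci=sci)

def classify(frame: bytes) -> str:
    """Label a frame as MKA control, MACsec-protected, or cleartext."""
    tag = parse_sectag(frame)
    if tag is not None:
        return "macsec-encrypted" if tag.encrypted else "macsec-integrity-only"
    ethertype = struct.unpack_from("!H", frame, 12)[0] if len(frame) >= 16 else 0
    if ethertype == ETHERTYPE_EAPOL and frame[15] == EAPOL_TYPE_MKA:
        return "mka"
    return "cleartext"

def audit(frames) -> dict:
    """Count frames per class; any 'cleartext' on a MACsec link is a finding."""
    counts: dict = {}
    for f in frames:
        counts[classify(f)] = counts.get(classify(f), 0) + 1
    return counts

# Constructed sample frames (not captured from the test bed).
SRC = bytes.fromhex("02aabbcc0001")
MKA_FRAME = bytes.fromhex("0180c2000003") + SRC + b"\x88\x8e" + b"\x03\x05\x00\x04" + b"\x00" * 4
MACSEC_FRAME = (bytes.fromhex("02aabbcc0002") + SRC + b"\x88\xe5"
                + bytes([0x2C, 16])                 # TCI/AN: SC|E|C set, AN=0; SL=16
                + (1).to_bytes(4, "big")            # PN (low 32 bits)
                + SRC + b"\x00\x01"                 # SCI = source MAC + port 1
                + b"\xde\xad" * 8 + b"\x00" * 16)   # ciphertext + ICV
CLEAR_FRAME = bytes.fromhex("02aabbcc0003") + SRC + b"\x08\x00" + b"\x45" + b"\x00" * 19
```

Run `audit()` over every frame of a capture from a MACsec-enabled interface: after MKA has established the SCI, only `mka` and `macsec-encrypted` should remain.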

Figure 41: EVPN SR-MPLS MACsec combi1

Figure 42: EVPN SR-MPLS MACsec combi2

Figure 43: EVPN SR-MPLS MACsec MKA pcap

Figure 44: EVPN SR-MPLS MACsec data packet pcap