AOS-CX 10.07 Security Guide
MACsec
MACsec is exclusive to the 8360 Switch Series, model JL717A.
Media Access Control security (MACsec):
- Provides Layer 2 security protecting network communications against a range of attacks including: denial of service, intrusion, man-in-the-middle, and eavesdropping. These attacks exploit Layer 2 vulnerabilities and often cannot be detected.
- Provides Layer 2 hop-by-hop encryption on point-to-point Ethernet links.
- Enables a bi-directional secure link after an exchange and verification of security keys between two connected devices.
- Protects infrastructure using the MKA (MACsec Key Agreement) protocol and Static CAK (Connectivity Association Key).
- Is intended for wired LANs.
More specifically, MACsec provides:
- Connectionless data integrity: Unauthorized changes to data cannot be made without being detected. Each MAC frame carries a separate integrity verification code.
- Data origin authenticity: A received MAC frame is guaranteed to have been sent by the authenticated device.
- Confidentiality: The data payload of each MAC frame is encrypted to prevent it from being eavesdropped by unauthorized parties.
- Replay protection: MAC frames copied from the network by an attacker cannot be resent into the network without being detected.
- Bounded receive delay: MAC frames cannot be intercepted by a man-in-the-middle attack and delayed by more than a few seconds without being detected.
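The replay-protection property listed above can be illustrated with the receive-side packet-number check defined in IEEE 802.1AE. This is an added example, not HPE or AOS-CX code; the packet number (PN), the replay window, and every class, function and sample-frame name are assumptions of the example and do not appear on this page.

```python
# Added illustration, not HPE/AOS-CX code. Models the receiver's replay
# check from IEEE 802.1AE; all names here are this example's own.
from dataclasses import dataclass


@dataclass
class ReplayGuard:
    replay_window: int = 0   # 0 = strict: only PNs >= next expected pass
    next_pn: int = 1         # next packet number expected from the peer

    def lowest_acceptable_pn(self) -> int:
        return max(1, self.next_pn - self.replay_window)

    def receive(self, pn: int, icv_ok: bool) -> str:
        """Return 'accepted', 'late' (replay check failed) or 'bad-icv'."""
        if pn < self.lowest_acceptable_pn():
            return "late"        # older than the window: treated as replay
        if not icv_ok:
            return "bad-icv"     # integrity check failed: state unchanged
        if pn >= self.next_pn:
            self.next_pn = pn + 1
        return "accepted"


def run(frames, replay_window):
    """Feed (pn, icv_ok) pairs through a fresh guard, return the verdicts."""
    guard = ReplayGuard(replay_window=replay_window)
    return [guard.receive(pn, icv_ok) for pn, icv_ok in frames]


# Constructed sample traffic: (packet number, integrity check passed?)
FRAMES = [(1, True), (2, True), (3, True), (2, True),
          (5, True), (4, True), (6, False), (1, True)]

if __name__ == "__main__":
    # Window 0 rejects the re-sent PN 2 and the reordered PN 4.
    # Window 2 tolerates reordering, but the check is only a lower bound,
    # so a copy of PN 2 that is still inside the window is accepted.
    for window in (0, 2):
        print(f"replay_window={window}: {run(FRAMES, window)}")
```

A window of 0 is the strictest setting and suits point-to-point links that do not reorder frames; a larger window trades some replay strictness for tolerance of reordering.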