[c-nsp] MACSec Stages

Graham Bartlett (grbartle) grbartle at cisco.com
Tue Apr 24 03:01:10 EDT 2018


Hi Antoine

The details are:

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec VPNs, and FlexVPN in Cisco IOS

http://www.ciscopress.com/store/ikev2-ipsec-virtual-private-networks-understanding-9781587144608

Amjad, Alex and myself didn’t write this in our work day. It’s pretty much all written in personal time. I’m guesstimating I spent between 800 and 1000 hours developing this; as you might imagine, this didn’t have the same sales as Harry Potter, so we won’t be taking early retirement in the near future. Hence the reasons for the Qs on a MACsec book.

With regards to MACsec, if there was some material on the handshake, maybe with decrypted PCAPs to illustrate what is going on under the hood and the relevant commands, would this be of interest? Once again this isn’t my day job so I don’t want to promise anything, but I have an idea of what would help folk understand.

cheers

From: Antoine Monnier <mrantoinemonnier at gmail.com>
Date: Monday, 23 April 2018 at 07:31
To: grbartle Graham <grbartle at cisco.com>
Cc: Nick Cutting <ncutting at edgetg.com>, "Alex K." <nsp.lists at gmail.com>, Alan Buxey <alan.buxey at gmail.com>, cisco-nsp <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] MACSec Stages

Hi Graham,

Kind of OT, but what is the title of your book on IPsec VPN?

thanks

On Fri, Apr 20, 2018 at 7:55 AM, Graham Bartlett (grbartle) <grbartle at cisco.com> wrote:
Hi

A few of us in Cisco were thinking of writing a CiscoPress book on MACsec, which would include details of the inner workings, including protocol flows and how the various key material is derived etc.

If this were available, would there be interest in it?

The reason I ask is, I spent a lot of time and effort developing a book on IPsec VPNs and it’s got a very narrow audience. I would imagine that there’s even less interest in MACsec. But if we could produce something that meets your needs and there is interest we could reconsider.

cheers 

On 17/04/2018, 14:18, "cisco-nsp on behalf of Nick Cutting" <cisco-nsp-bounces at puck.nether.net on behalf of ncutting at edgetg.com> wrote:

    I agree - I spent weeks with TAC cases open etc. and Cisco has no idea how this works either.

    I gave up and built a L3 routed VPN.

    I am waiting for the how-to article by Jeremy Stretch!
    -----Original Message-----
    From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Alex K.
    Sent: Tuesday, April 17, 2018 4:13 AM
    To: Alan Buxey <alan.buxey at gmail.com>
    Cc: cisco-nsp <cisco-nsp at puck.nether.net>
    Subject: Re: [c-nsp] MACSec Stages


    Hello Alan and thank you for answering.

    That's the point - all one can find by searching the standard ID is a bunch of unrelated documents, some from IEEE, some from independent sources - none display any coherent picture whatsoever.

    Not to mention none provide any overview of the protocol. Just some not connected points.

    Such a lack of documentation by all major vendors (a white paper stating MACsec is an encryption protocol doesn't count as documentation) hits the hardest when it comes to troubleshooting. No explanation for debugs, no known steps for endpoints to pass through; you're pretty much on your own trying to figure out what's going on.

    Alex.

    On Tue, 10 Apr 2018, 16:06, Alan Buxey <alan.buxey at gmail.com> wrote:

    > 802.1AE
    >
    > Look that up for how it works
    >
    > alan
    >
    > On Wed, 4 Apr 2018, 00:32 Alex K., <nsp.lists at gmail.com> wrote:
    >
    >> Hello everyone,
    >>
    >> After a few implementations of MACSec, I began wondering whether there is
    >> complete documentation of that technology out there?
    >>
    >> For example, I have quite a bit of experience with L2TP. Now, SCCRP may
    >> sound like a bad language to some, but as we all know, it's an
    >> important step in tunnel setup. The internet is literally brimming
    >> with information about L2TP. As for MACSec, maybe it's only me - but
    >> I'm having a hard time finding information on MACSec's internal
    >> workings (beyond packet formats), especially when it comes to protocol stages and related Cisco debugs.
    >>
    >> All I was able to find this far, are some really general sketches of 
    >> MACSec exchanges and seemingly unrelated debug commands.
    >>
    >> Am I missing something? Any help, such as linking to proper 
    >> documentation, successful and unsuccessful debug outputs and such, on 
    >> and off-list, will be gladly appreciated.
    >>
    >>
    >> Thank you,
    >> Alex.
    >> _______________________________________________
    >> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
    >> https://puck.nether.net/mailman/listinfo/cisco-nsp
    >> archive at http://puck.nether.net/pipermail/cisco-nsp/
    >>
    >