Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point and point-to-multipoint security on Ethernet links between directly connected nodes or nodes connected via a Layer 2 cloud. MACsec can identify and prevent most security threats, including:
denial of service
intrusion
man-in-the-middle
masquerading
passive wiretapping
playback attacks
MACsec Layer 2 encryption is standardized in IEEE 802.1AE. MACsec encrypts everything following the 802.1AE header (the SecTAG) through the end of the payload, including the 802.1Q tag, and leaves the destination and source MAC addresses (DMAC and SMAC) in clear text.
Figure 1 shows the 802.1AE LAN-Mode structure.
Forwarding of a MACsec frame is performed on the destination MAC address, which remains in clear text.
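The frame layout described above, as an added example that is not part of the original text: a small Python parser that splits an 802.1AE frame into its clear-text part (DMAC, SMAC, SecTAG), the secure data, and the ICV, then shows that a transit bridge can take a forwarding decision on the DMAC without any key, and that the 802.1Q tag is opaque once the E bit is set. The SecTAG field layout (EtherType 0x88E5, TCI/AN, SL, 32-bit PN, optional SCI) is taken from IEEE 802.1AE as the author understands it; the sample frames, the ciphertext bytes and the ICV are constructed placeholders, and no AES-GCM verification is performed.

```python
"""Layout-only view of an IEEE 802.1AE (MACsec) frame; no cryptography."""
import struct
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16            # GCM-AES-128 and GCM-AES-256 both append a 16-byte ICV
SECTAG_BASE_LEN = 8     # EtherType(2) + TCI/AN(1) + SL(1) + PN(4); SCI adds 8
TCI_SC = 0x20           # SCI present in the SecTAG
TCI_E = 0x08            # secure data is encrypted
TCI_C = 0x04            # secure data differs from user data (set with E)
TCI_AN_MASK = 0x03      # association number


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


@dataclass
class MacsecFrame:
    dmac: str
    smac: str
    tci_an: int
    packet_number: int
    sci: Optional[bytes]
    sectag_len: int
    secure_data: bytes
    icv: bytes

    @property
    def encrypted(self) -> bool:
        return bool(self.tci_an & TCI_E)


def parse_macsec_frame(frame: bytes) -> MacsecFrame:
    """Split a frame into clear header, SecTAG fields, secure data and ICV."""
    if len(frame) < 14 + SECTAG_BASE_LEN + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    dmac, smac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04x})")
    tci_an, short_length = frame[14], frame[15] & 0x3F
    packet_number = struct.unpack("!I", frame[16:20])[0]
    offset, sci = 20, None
    if tci_an & TCI_SC:
        sci, offset = frame[20:28], 28
    body = frame[offset:]
    if short_length:            # SL is non-zero only for secure data < 48 bytes
        secure_data = body[:short_length]
        icv = body[short_length:short_length + ICV_LEN]
    else:
        secure_data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    if len(icv) != ICV_LEN:
        raise ValueError("truncated ICV")
    return MacsecFrame(mac_str(dmac), mac_str(smac), tci_an, packet_number,
                       sci, offset - 12, secure_data, icv)


def clear_text_region(frame: bytes) -> bytes:
    """Bytes readable without a key: DMAC, SMAC and the SecTAG."""
    p = parse_macsec_frame(frame)
    return frame[:12 + p.sectag_len]


def integrity_protected_region(frame: bytes) -> bytes:
    """Everything the ICV covers: the whole frame except the ICV itself."""
    p = parse_macsec_frame(frame)
    return frame[:12 + p.sectag_len + len(p.secure_data)]


def forwarding_port(frame: bytes, mac_table: dict) -> Optional[int]:
    """A transit bridge forwards on the clear-text DMAC; no key is needed."""
    return mac_table.get(parse_macsec_frame(frame).dmac)


def vlan_id_visible(frame: bytes) -> Optional[int]:
    """802.1Q VID is only readable when E=0; with E=1 the tag is inside the secure data."""
    p = parse_macsec_frame(frame)
    if p.encrypted or len(p.secure_data) < 4:
        return None
    if struct.unpack("!H", p.secure_data[:2])[0] != 0x8100:
        return None
    return struct.unpack("!H", p.secure_data[2:4])[0] & 0x0FFF


def build_macsec_frame(dmac: bytes, smac: bytes, pn: int, sci: bytes,
                       user_data: bytes, encrypted: bool = True, an: int = 0) -> bytes:
    """Assemble a frame for illustration; the ICV is a constructed placeholder."""
    tci = TCI_SC | (TCI_E | TCI_C if encrypted else 0) | (an & TCI_AN_MASK)
    sl = len(user_data) if len(user_data) < 48 else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, sl, pn) + sci
    return dmac + smac + sectag + user_data + b"\xaa" * ICV_LEN


# Constructed sample input (hypothetical addresses and payload bytes).
DMAC = bytes.fromhex("001122334455")
SMAC = bytes.fromhex("66778899aabb")
SCI = SMAC + b"\x00\x01"                       # SCI = source MAC || port id 1
CIPHERTEXT = bytes(range(0x10, 0x40))          # 48 placeholder "encrypted" bytes
CLEAR_TAGGED = bytes.fromhex("810000640800") + b"\x00" * 20   # VID 100, IPv4
ENCRYPTED_FRAME = build_macsec_frame(DMAC, SMAC, 1, SCI, CIPHERTEXT, encrypted=True)
INTEGRITY_ONLY_FRAME = build_macsec_frame(DMAC, SMAC, 2, SCI, CLEAR_TAGGED, encrypted=False)
```

Running the parser over the two constructed frames makes the point of the page concrete: on the encrypted frame only the first 28 bytes (two MAC addresses plus a 16-byte SecTAG with SCI) are readable, the VLAN tag cannot be recovered, yet the forwarding lookup on the DMAC still succeeds; on the integrity-only frame the same parser exposes VID 100.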