MACsec Capability, Desire, and encryption offset

802.1X-2010 identified two fields in the MKA PDU. Those fields are:

MACsec Capability signals whether MACsec is capable of integrity and confidentiality. The table "MACsec basic settings" describes the four basic settings for MACsec Capability.

Table: MACsec basic settings

Setting          Description
-------          -----------
0                MACsec is not implemented
1                Integrity without confidentiality
2                The following are supported:
                   • Integrity without confidentiality
                   • Integrity and confidentiality with a confidentiality offset of 0
3 (see note 1)   The following are supported:
                   • Integrity without confidentiality
                   • Integrity and confidentiality with a confidentiality offset of 0, 30, or 50

An encryption offset of 0, 30, or 50 is counted from the first byte after the SecTAG (802.1AE header). Ideally, the encryption offset should be configured for IPv4 (offset 30) and IPv6 (offset 50) to leave the IP header in clear text. This allows routers and switches to use the IP header for LAG or ECMP hashing.

1 SR OS supports setting (3): integrity without confidentiality, and integrity and confidentiality with a confidentiality offset of 0, 30, or 50.
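
The offset behaviour described above, as an added example (not from the original page or from SR OS): it parses the SecTAG of a constructed MACsec frame, splits the bytes after it at the confidentiality offset, and reports which IP fields a transit device can still read for LAG or ECMP hashing. It assumes a 16-byte ICV, no VLAN tag after the SecTAG, and no IPv4 options; all function names are illustrative.

```python
import ipaddress
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # assumption: 16-byte ICV at the end of the frame

# Confidentiality offsets permitted per MACsec Capability value (table above).
# None stands for "integrity without confidentiality".
ALLOWED = {0: set(), 1: {None}, 2: {None, 0}, 3: {None, 0, 30, 50}}

def offset_allowed(capability, offset):
    return offset in ALLOWED[capability]

def split_secure_data(frame, offset):
    """Split the bytes after the SecTAG into (clear, confidential) parts."""
    if struct.unpack_from("!H", frame, 12)[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    # SecTAG: EtherType(2) TCI/AN(1) SL(1) PN(4), plus SCI(8) when the SC bit is set
    sectag_len = 16 if frame[14] & 0x20 else 8
    data = frame[12 + sectag_len:len(frame) - ICV_LEN]
    cut = len(data) if offset is None else min(offset, len(data))
    return data[:cut], data[cut:]

def hashable_fields(clear):
    """Fields a transit node can still read for LAG/ECMP hashing.
    Assumes no VLAN tag after the SecTAG and no IPv4 options."""
    if len(clear) < 2:
        return {}
    inner = struct.unpack_from("!H", clear, 0)[0]
    hdr_len, src_at, alen = {0x0800: (20, 12, 4), 0x86DD: (40, 8, 16)}.get(inner, (0, 0, 0))
    if not hdr_len or len(clear) < 2 + hdr_len:
        return {"ethertype": inner}
    ip = clear[2:2 + hdr_len]
    out = {"ethertype": inner,
           "src": str(ipaddress.ip_address(ip[src_at:src_at + alen])),
           "dst": str(ipaddress.ip_address(ip[src_at + alen:src_at + 2 * alen]))}
    if len(clear) >= 2 + hdr_len + 4:  # first 4 transport bytes: TCP/UDP ports
        out["ports"] = struct.unpack_from("!HH", clear, 2 + hdr_len)
    return out

def sample_frame():
    """Constructed, unencrypted frame: UDP 192.0.2.1:49152 -> 198.51.100.2:4789."""
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, 0x2C, 0, 1) + bytes(8)  # SC, E, C set
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    udp = struct.pack("!HHHH", 49152, 4789, 28, 0)
    body = b"\x08\x00" + ipv4 + udp + b"\xAA" * 20  # 0xAA stands in for the payload
    return bytes(6) + bytes(6) + sectag + body + bytes(ICV_LEN)
```

For this untagged IPv4 sample, offset 30 covers the inner EtherType (2 bytes), the IPv4 header (20 bytes) and the first 8 bytes of the transport header, so addresses and ports stay readable; with offset 0 a transit device has only the MAC addresses and SecTAG to hash on.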