- Newest
- Most votes
- Most comments
I would like to inform you your understanding is correct AWS do not support auto key rotation feature for CAK/CKN as new key pair need to be manually set.
The current Direct Connect MACsec implementation does not support key rotation based on key lifetime, to begin the key rotation you must associate a new stored key to the connection using the console or the API.
SAK key rotation happens at the PN (Packet Number) rollover.
Please refer the section "Cypher suite" in the article below to get more details about PN field. https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/
AWS supports SAK Cipher Suite: GCM-AES-XPN-256 and XPN supports a 64-bit value for the PN.
Thanks for your detail explain. Some add about MACsec Extended Packet Numbering (XPN) which I captured from Cisco's document as below. Every MACsec frame contains a 32-bit packet number (PN), and it is unique for a given Security Association Key (SAK). Upon PN exhaustion (after reaching 75% of 231- 1), SAK rekey takes place to refresh the data plane keys. For high capacity links such as 40 Gb/s, PN exhausts within a few seconds, and frequent SAK rekey to the control plane is required. When XPN is used, the PN of the MACsec frame is a 64-bit value, after reaching 75% of th of 263- 1, it will require several years to exhaust the PN; this ensures that frequent SAK rekey does not happen on high speed links. The XPN feature in MKA/MACsec eliminates the need for frequent SAK rekey that may occur in high capacity links. XPN is a mandatory requirement for FIPS/CC compliance on high speed links such as 40 Gb/s, 100 Gb/s, and so on.
Relevant content
- asked 4 years ago
- asked 6 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
