
MACSEC PSK Verification

Daniel Smith
Level 1

We will be adding new keys to our existing MACsec key chain such that the new key will have a lifetime that is immediately available and expires in 15 months. I wonder how often nodes with MACsec look at the keys, or reverify them, such that I can monitor for successful adoption of the new key?

2 Replies

M02@rt37
VIP

Hello @Daniel Smith 

MACsec nodes periodically re-verify the keys to ensure the integrity and confidentiality of the data being transmitted. The frequency of key re-verification depends on the key server and the MACsec implementation being used.

In general, MACsec nodes will re-verify keys when a new session is established or when a key lifetime expires. Additionally, MACsec nodes may periodically check the key server for updates to the key chain. The interval for key re-verification can be configured on the MACsec devices and may vary depending on the specific implementation.

To monitor the successful adoption of the new key, you can use the MACsec key exchange protocol (MKA) to verify the current status of the key exchange process. MKA provides a mechanism for the exchange of MACsec keys between MACsec devices and allows for the establishment of secure channels for key exchange. You can use MKA to check the status of the key exchange and to verify that the new key has been successfully adopted.

Best regards

@Daniel Smith MKA rolls over to the next configured pre-shared key in the key chain after the lifetime has expired. You must ensure the lifetimes of the keys overlap in order to achieve hitless key rollover. If you want the new key to be immediately available you may need to change the lifetime of the existing key to expire sooner.
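
The overlap requirement in the reply above can be checked on a planned key chain before it is pushed to devices. This is an added example, not part of the thread and not a Cisco tool; the key IDs, dates and the one-hour minimum overlap (an allowance for clock skew between peers) are constructed assumptions.

```python
from datetime import datetime, timedelta

FOREVER = datetime.max  # stands in for a key configured without an expiry


def rollover_findings(keys, min_overlap=timedelta(hours=1)):
    """keys: list of (key_id, start, end) tuples; end=None means no expiry.

    Returns (old_id, new_id, overlap) for every hand-over whose overlap is
    shorter than min_overlap. A negative overlap is a window in which no key
    in the chain is valid, so rollover cannot be hitless.
    """
    ordered = sorted(keys, key=lambda k: k[1])
    findings = []
    # Track the key that currently extends coverage furthest into the future.
    cover_id, cover_end = ordered[0][0], ordered[0][2] or FOREVER
    for key_id, start, end in ordered[1:]:
        end = end or FOREVER
        overlap = cover_end - start
        if overlap < min_overlap:
            findings.append((cover_id, key_id, overlap))
        if end > cover_end:
            cover_id, cover_end = key_id, end
    return findings


# Constructed plan: the new key becomes valid a week before the old one
# expires and runs for 15 months.
GOOD_PLAN = [
    ("01", datetime(2023, 1, 1), datetime(2024, 4, 1)),
    ("02", datetime(2024, 3, 25), datetime(2025, 6, 25)),
]

# Constructed plan: the new key starts five minutes after the old one expires.
BAD_PLAN = [
    ("01", datetime(2023, 1, 1), datetime(2024, 4, 1)),
    ("02", datetime(2024, 4, 1, 0, 5), datetime(2025, 7, 1)),
]

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        for old, new, overlap in rollover_findings(plan):
            print(f"{name}: key {old} -> key {new}: overlap {overlap}")
        if not rollover_findings(plan):
            print(f"{name}: every hand-over overlaps by at least one hour")
```
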
