On 10/22/24 00:12, Crist Clark wrote:
It is definitely deployed out there. I wouldn't worry too much about reading the specs. All of the implementations I've dealt with are only partial implementations. They almost all are limited to "point to point" functionality.
As for comparing to IPsec, IPsec came out of a different time. It is more of framework with a zillion knobs, and lots of room for customization and future changes. The keying isn't even a part of IPsec. ISAKMP, later IKE, are separate protocols. IPsec has transport mode (seldom used) and tunnel mode. It has AH (which no one uses) and ESP.
MACsec is much more narrowly defined. The cryptographic algorithms are standard. There is room for future updates of those algorithms, but for now, the implementers know what they need to do.
For those reasons, I think it is more straightforward to implement MACsec in firmware. I would expect if you trimmed down IPsec, which most NOS implementations already do, you can implement it in the same way.
Vendors have been charging big money for fast IPsec for a long time, they don't want to stop. But the MACsec price-point is so sweet compared to it, you now have people doing things like running MACsec over VXLAN in place of IPsec.
MACsec is also really useful where you need point-to-point protection of traffic that isn't easily manipulated at L3 or may not even run over IP but that may transit publicly accessible infrastructure. Utility SCADA traffic is an example, and MACsec can be very useful on those networks as they often transition from wireless to fiber.