AWS directconnect documentation change
Summary
Expanded MACsec documentation with details about SAK derivation, encryption modes (must_encrypt/should_encrypt), key rotation processes, supported connection types (LAGs), service-linked roles, and security best practices for CKN/CAK management.
Security assessment
The changes add detailed security documentation about MACsec implementation specifics, including encryption enforcement modes, automatic SAK rotation, and key management practices. While these clarify security features and best practices, there is no evidence they address a specific disclosed vulnerability.
Diff
diff --git a/directconnect/latest/UserGuide/MACsec.md b/directconnect/latest/UserGuide/MACsec.md index bafe94bc9..849276fea 100644 --- a//directconnect/latest/UserGuide/MACsec.md +++ b//directconnect/latest/UserGuide/MACsec.md @@ -5 +5 @@ -MACsec conceptsMACsec key rotationSupported connectionsMACsec on dedicated connections +MACsec conceptsMACsec key rotationSupported connectionsService-Linked rolesMACsec pre-shared CKN/CAK key considerations @@ -9 +9 @@ MACsec conceptsMACsec key rotationSupported connectionsMACsec on dedicated conne -MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. MACSec provides Layer 2 point-to-point encryption over the cross-connect to AWS. MACSec operates at Layer 2 between two Layer 3 routers and provides encryption on the Layer 2 domain. All data flowing across the AWS global network that interconnects with datacenters and Regions is automatically encrypted at the physical layer before it leaves the data center. +MAC Security (MACsec) is an IEEE standard that provides data confidentiality, data integrity, and data origin authenticity. MACsec provides Layer 2 point-to-point encryption over the cross-connect to AWS, operating between two Layer 3 routers. While MACsec secures the connection between your router and Direct Connect location at Layer 2, AWS provides additional security by encrypting all data at the physical layer as it flows across the network between AWS Direct Connect locations and AWS Regions. This creates a layered security approach where your traffic is protected both during initial entry into AWS and during transit across the AWS network. @@ -25 +25 @@ The following are the key concepts for MACsec: - * MACsec secret key — A pre-shared key that establishes the MACsec connectivity between the customer on-premises router and the connection port at the AWS Direct Connect location. The key is generated by the devices at the ends of the connection using the CKN/CAK pair that you provide to AWS and have also provisioned on your device. + * **Secure association key (SAK)** — A session key that establishes the MACsec connectivity between the customer on-premises router and the connection port at the Direct Connect location. The SAK is not pre-shared, but rather automatically derived from the CKN/CAK pair through a cryptographic key generation process. This derivation happens at both ends of the connection after you provide and provision the CKN/CAK pair. The SAK is regenerated periodically for security purposes and whenever a MACsec session is established. @@ -27 +27,11 @@ The following are the key concepts for MACsec: - * Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK) — The values in this pair are used to generate the MACsec secret key. You generate the pair values, associate them with an AWS Direct Connect connection, and provision them on your edge device at your end of the AWS Direct Connect connection. Direct Connect supports only static CAK mode and not dynamic CAK mode. + * Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK) — The values in this pair are used to generate the MACsec key. You generate the pair values, associate them with an AWS Direct Connect connection, and then provision them on your edge device at your end of the AWS Direct Connect connection. Direct Connect supports only static CAK mode but not dynamic CAK mode. Since only static CAK mode is supported, it's recommended that you follow your own key management policies for key generation, distribution, and rotation. + + * **Key format** — The key format should use hexadecimal characters, exactly 64 characters in length. Direct Connect supports only Advanced Encryption Standard (AES) 256-bit keys for dedicated connections, which corresponds to a 64-character hexadecimal string. + + * **Encryption modes** — Direct Connect supports two MACsec encryption modes: + + * must_encrypt — In this mode, the connection requires MACsec encryption for all traffic. If MACsec negotiation fails or encryption cannot be established, the connection will not transmit any traffic. This mode provides the highest security guarantee but may impact availability if there are any MACsec-related issues. + + * should_encrypt — In this mode, the connection attempts to establish MACsec encryption but will fall back to unencrypted communication if MACsec negotiation fails. This mode provides more flexibility and higher availability but may allow unencrypted traffic in certain failure scenarios. + +The encryption mode can be set during connection configuration and can be modified later. By default, new MACsec-enabled connections are set to "should_encrypt" mode to prevent potential connectivity issues during initial setup. @@ -34 +44,3 @@ The following are the key concepts for MACsec: -When rotating keys, key rollover is supported with MACsec keychains. Direct Connect MACsec supports MACsec keychains with capacity for storing up to three CKN/CAK pairs. You use the `associate-mac-sec-key` command to associate the CKN/CAK pair with the existing MACsec enabled connection. You then configure the same CKN/CAK pair on the device on your end of the AWS Direct Connect connection. The Direct Connect device will attempt to use the last stored key for the connection. If that key does not coincide with the key on your device, Direct Connect continues to use the previous working key. + * **CNN/CAK rotation (manual)** + +Direct Connect MACsec supports MACsec keychains with capacity for storing up to three CKN/CAK pairs. This allows you to manually rotate these long-term keys without connection disruption. When you associate a new CKN/CAK pair using the `associate-mac-sec-key` command, you must configure the same pair on your device. The Direct Connect device attempts to use the most recently added key. If that key doesn't match your device's key, it falls back to the previous working key, ensuring connection stability during rotation. @@ -37,0 +50,15 @@ For information on using `associate-mac-sec-key`, see [associate-mac-sec-key](ht + * **Secure Association Key (SAK) rotation (automatic)** + +The SAK, which is derived from the active CKN/CAK pair, undergoes automatic rotation based on the following: + + * time intervals + + * volume of encrypted traffic + + * MACsec session establishment + +This rotation is handled automatically by the protocol, occurs transparently without disrupting the connection, and requires no manual intervention. The SAK is never stored persistently and is regenerated through a secure key derivation process that follows the IEEE 802.1X standard. + + + + @@ -40 +67 @@ For information on using `associate-mac-sec-key`, see [associate-mac-sec-key](ht -MACsec is available on dedicated connections. For information about how to order connections that support MACsec, see [AWS Direct Connect](https://aws.amazon.com/directconnect/?nc=sn&loc=0). +MACsec is available on dedicated Direct Connect connections and link aggregation groups: @@ -42 +69 @@ MACsec is available on dedicated connections. For information about how to order -## MACsec on dedicated connections +###### Supported MACsec connections @@ -44 +71 @@ MACsec is available on dedicated connections. For information about how to order -The following helps you become familiar with MACsec on AWS Direct Connect dedicated connections. There are no additional charges for using MACsec. + * Dedicated connections @@ -46 +73,18 @@ The following helps you become familiar with MACsec on AWS Direct Connect dedica -The steps to configure MACsec on a dedicated connection can be found in [Get started with MACsec on a dedicated connection](./create-macsec-dedicated.html). Before configuring MACsec on a dedicated connection, note the following: + * LAGs + + + + +###### Note + +Hosted connections and Direct Connect Gateway associations do not support MACsec encryption. + +For information about how to order connections that support MACsec, see [AWS Direct Connect](https://aws.amazon.com/directconnect/?nc=sn&loc=0). + +### Dedicated connections + +The following helps you become familiar with MACsec on AWS Direct Connect dedicated connections. There are no additional charges for using MACsec. The steps to configure MACsec on a dedicated connection can be found in [Get started with MACsec on a dedicated connection](./create-macsec-dedicated.html). + +#### MACsec prerequisites for dedicated connections + +Note the following requirements for MACsec on dedicated connections: @@ -68,5 +112 @@ The steps to configure MACsec on a dedicated connection can be found in [Get sta -For additional information about Direct Connect and MACsec, see the MACsec section of the [AWS Direct Connect FAQs](https://aws.amazon.com/directconnect/faqs/). - -### MACsec prerequisites for dedicated connections - -Complete the following tasks before you configure MACsec on a dedicated connection. +In addition you should complete the following tasks before you configure MACsec on a dedicated connection. @@ -74 +114 @@ Complete the following tasks before you configure MACsec on a dedicated connecti - * Create a CKN/CAK pair for the MACsec secret key. + * Create a CKN/CAK pair for the MACsec key. @@ -87 +127,16 @@ You can create the pair using an open standard tool. The pair must meet the requ -### Service-Linked roles +### LAGs + +The following requirements help you become familiar with MACsec for Direct Connect link aggregation groups (LAGs): + + * LAGs must be composed of MACsec-capable dedicated connections support MACsec encryption + + * All connections within a LAG must be of the same bandwidth and support MACsec + + * MACsec configuration applies uniformly across all connections in the LAG + + * LAG creation and MACsec enablement can be done simultaneously + + + + +## Service-Linked roles @@ -91 +146 @@ AWS Direct Connect uses AWS Identity and Access Management (IAM)[ service-linked -### MACsec pre-shared CKN/CAK key considerations +## MACsec pre-shared CKN/CAK key considerations @@ -112 +167 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Stop a virtual interface failover test +Direct Connect maintenance