Question 15 of 530 from exam 400-251: CCIE Security written exam

Question

Which three statements are true about MACsec? (Choose three.)

Answers

Explanations

A. B. C. D. E. F.

BCE.

MACsec is a security protocol used to secure data on Ethernet links, providing secure communication between devices at Layer 2. Here are the explanations of the three true statements about MACsec:

A. MACsec supports GCM modes of AES and 3DES: MACsec provides confidentiality, data integrity, and replay protection. It uses the Advanced Encryption Standard (AES) with Galois/Counter Mode (GCM) or the 3DES encryption algorithm to provide data confidentiality. GCM is preferred over 3DES due to its higher security and better performance.

D. MACsec expects a strict order of frames to prevent anti-replay: MACsec provides protection against replay attacks by ensuring that frames are received in a strict order. Frames that arrive out of order or with the same sequence number as a previously received frame are discarded. This prevents an attacker from replaying an old frame and potentially gaining access to the network.

E. MKA is used for session and encryption key management: MACsec uses the IEEE 802.1AE standard for encryption, but it requires a separate key agreement protocol for key management. MACsec Key Agreement (MKA) is used for session and encryption key management, allowing devices to negotiate and establish secure MACsec links.

The other statements are false or inaccurate:

B. MACsec is not defined under IEEE 802.1A; there is no IEEE 802.1A standard.

C. MACsec does not provide hop-by-hop encryption at Layer 2; it provides end-to-end encryption.

F. MACsec does not use EAP PACs (Protected Access Credentials) to distribute encryption keys, but it does support EAP (Extensible Authentication Protocol) for authentication.