Wilco Baan Hofman wilco at
Fri Sep 18 11:28:11 UTC 2020

On 18/09/2020 12:07, Mark Tinka wrote:

> There was a time when the use-case for MACSec was to move banks away
> from running their own DWDM/FC networks, and letting operators do it.

Well, the other use case is access networks with 802.1x. With 802.1x as
long as the port stays up the session cookie (whatever is set as
authenticated) is the MAC address. So once a port is authenticated, it's
really easy to spoof a MAC and still be on the network.

With WPA2 enterprise on WiFi, this problem does not exist, because then
there is a cryptographic session. MACsec fixes that gap on wired.

Not all that relevant for long-distance links though :)

-- Wilco
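
The gap described in this message, as an added example that is not part of the original post: a simplified Python model of what a switch port checks per frame with 802.1X alone versus with a MACsec-style session key. The class names, the frame dictionary and the use of HMAC-SHA256 as the integrity check are assumptions for illustration; real MACsec (802.1AE) uses AES-GCM with keys agreed through MKA.

```python
import hashlib
import hmac
import os

def icv(sak, src, pn, payload):
    """Integrity check value over source MAC, packet number and payload."""
    msg = src.encode() + pn.to_bytes(4, "big") + payload
    return hmac.new(sak, msg, hashlib.sha256).digest()[:16]

class Dot1xPort:
    """802.1X only: after EAP succeeds the port remembers the source MAC."""
    def __init__(self):
        self.authorized_mac = None

    def eap_success(self, mac):
        self.authorized_mac = mac

    def accept(self, frame):
        # The MAC address is the only thing tying a frame to the session.
        return frame["src"] == self.authorized_mac

class MacsecPort(Dot1xPort):
    """802.1X plus a per-session key, as MACsec adds on the wire."""
    def eap_success(self, mac):
        super().eap_success(mac)
        self.sak = os.urandom(32)  # stand-in for the key agreed after EAP
        self.next_pn = 1
        return self.sak  # known only to the authenticated station

    def accept(self, frame):
        if not super().accept(frame) or frame.get("pn", 0) < self.next_pn:
            return False  # wrong MAC, or replayed packet number
        expected = icv(self.sak, frame["src"], frame["pn"], frame["payload"])
        if not hmac.compare_digest(expected, frame.get("icv", b"")):
            return False  # sender does not hold the session key
        self.next_pn = frame["pn"] + 1
        return True

def protect(sak, src, pn, payload):
    """Build a frame carrying the packet number and integrity check value."""
    return {"src": src, "pn": pn, "payload": payload,
            "icv": icv(sak, src, pn, payload)}

MAC = "02:00:00:00:00:01"  # constructed, locally administered address
plain, secure = Dot1xPort(), MacsecPort()
plain.eap_success(MAC)
sak = secure.eap_success(MAC)
unkeyed = {"src": MAC, "payload": b"data"}  # right MAC, no session key
```

The 802.1X-only port accepts the `unkeyed` frame because the source MAC matches, while the keyed port rejects it along with replayed or wrongly keyed frames.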
