Re: [c-nsp] MACSec Stages

2018-05-01 Thread Alex K.
This will be great.

Especially documenting real world scenarios - IS-IS over MACSec, MPLS and
IP. Putting PCAPs is also a very good idea.

I'm speaking for myself, but I think many here will agree - such
documentation will really address current state of affairs.

Thank you.

Alex.

On Tue, 24 Apr 2018 at 10:01, Graham Bartlett (grbartle) <
grbar...@cisco.com> wrote:

> Hi Antoine
>
> The details are;
>
> IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2,
> IPsec VPNs, and FlexVPN in Cisco IOS
>
>
> http://www.ciscopress.com/store/ikev2-ipsec-virtual-private-networks-understanding-9781587144608
>
> Amjad, Alex and myself didn’t write this in our work day. It’s pretty much
> all written in personal time. I’m guesstimating I spent between 800 and 1000
> hours developing this, as you might imagine this didn’t have the same sales
> as Harry Potter, so we won’t be taking early retirement in the near future.
> Hence the reasons for the Qs on a MACsec book.
>
> With regards to MACsec, if there was some material on the handshake, maybe
> with decrypted PCAPs to illustrate what is going on under the hood and the
> relevant commands, would this be of interest? Once again this isn’t my
> day-job so I don’t want to promise anything, but have an idea what would
> help folk understand.
>
> cheers
>
> From: Antoine Monnier <mrantoinemonn...@gmail.com>
> Date: Monday, 23 April 2018 at 07:31
> To: grbartle Graham <grbar...@cisco.com>
> Cc: Nick Cutting <ncutt...@edgetg.com>, "Alex K." <nsp.li...@gmail.com>,
> Alan Buxey <alan.bu...@gmail.com>, cisco-nsp <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] MACSec Stages
>
> Hi Graham,
>
> Kind of OT, but what is the title of your book on IPsec VPN?
>
> thanks
>
> On Fri, Apr 20, 2018 at 7:55 AM, Graham Bartlett (grbartle) <
> grbar...@cisco.com> wrote:
> Hi
>
> A few of us in Cisco were thinking of writing a CiscoPress book on MACsec,
> which would include details of the inner workings, including protocol flows
> and how the various key material is derived etc.
>
> If this was available would there be interest in this ?
>
> The reason I ask is, I spent a lot of time and effort developing a book on
> IPsec VPNs and it’s got a very narrow audience. I would imagine that
> there’s even less interest in MACsec. But if we could produce something
> that meets your needs and there is interest we could reconsider.
>
> cheers
>
> On 17/04/2018, 14:18, "cisco-nsp on behalf of Nick Cutting" <
> cisco-nsp-boun...@puck.nether.net on behalf of ncutt...@edgetg.com> wrote:
>
> I agree - I spent weeks with TAC cases open etc. and Cisco has no idea
> how this works either.
>
> I gave up and built a L3 routed VPN.
>
> I am waiting for the How-to article by Jeremy Stretch!
> -----Original Message-----
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Alex
> K.
> Sent: Tuesday, April 17, 2018 4:13 AM
> To: Alan Buxey <alan.bu...@gmail.com>
> Cc: cisco-nsp <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] MACSec Stages
>
> Hello Alan and thank you for answering.
>
> That's the point - all one can find by searching the standard ID, is a
> bunch of unrelated documents, some from IEEE, some from independent sources
> - none display any coherent picture whatsoever.
>
> Not to mention none provide any overview of the protocol. Just some
> not connected points.
>
> Such lack of the documentation by all major vendors (white paper
> stating MACSEC is an encryption protocol, doesn't count as a documentation)
> hit the hardest when it comes to troubleshooting. No explanation for
> debugs, no known steps for endpoints to pass through, you're pretty much on
> your own trying to figure out what's going on.
>
> Alex.
>
> On Tue, 10 Apr 2018 at 16:06, Alan Buxey <
> alan.bu...@gmail.com> wrote:
>
> > 802.1AE
> >
> > Look that up for how it works
> >
> > alan
> >
> > On Wed, 4 Apr 2018, 00:32 Alex K., <nsp.li...@gmail.com> wrote:
> >
> >> Hello everyone,
> >>
> >> After a few implementations of MACSec, I began wondering is there a
> >> complete documentation of that technology out there?
> >>
> >> For example, I have quite an experience with L2TP. Now, SCCRP may
> >> sound like a bad language to some, but as we all know, it's an
> >> important step in tunnel setup. The in

Re: [c-nsp] MACSec Stages

2018-04-28 Thread frnkblk
I've found this paper to be of some help:
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2016/WP-WAN-MACsecDep-Aug2016.pdf

Frank

-----Original Message-----
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Alex K.
Sent: Tuesday, April 3, 2018 6:29 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] MACSec Stages

Hello everyone,

After a few implementations of MACSec, I began wondering is there a
complete documentation of that technology out there?

For example, I have quite an experience with L2TP. Now, SCCRP may sound
like a bad language to some, but as we all know, it's an important step in
tunnel setup. The internet is literally brimming with information about
L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
finding information on MACSec internal workings (beyond packets formats)
especially - when it comes to protocols stages and related cisco debugs.

All I was able to find this far, are some really general sketches of MACSec
exchanges and seemingly unrelated debug commands.

Am I missing something? Any help, such as linking to proper documentation,
successful and unsuccessful debug outputs and such, on and off-list, will
be gladly appreciated.


Thank you,
Alex.
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/




Re: [c-nsp] MACSec Stages

2018-04-24 Thread Graham Bartlett (grbartle)
Hi Antoine

The details are;

IKEv2 IPsec Virtual Private Networks: Understanding and Deploying IKEv2, IPsec 
VPNs, and FlexVPN in Cisco IOS

http://www.ciscopress.com/store/ikev2-ipsec-virtual-private-networks-understanding-9781587144608

Amjad, Alex and myself didn’t write this in our work day. It’s pretty much all 
written in personal time. I’m guesstimating I spent between 800 and 1000 hours 
developing this, as you might imagine this didn’t have the same sales as Harry 
Potter, so we won’t be taking early retirement in the near future. Hence the 
reasons for the Qs on a MACsec book.

With regards to MACsec, if there was some material on the handshake, maybe with 
decrypted PCAPs to illustrate what is going on under the hood and the relevant 
commands, would this be of interest? Once again this isn’t my day-job so I 
don’t want to promise anything, but have an idea what would help folk 
understand.

cheers

From: Antoine Monnier <mrantoinemonn...@gmail.com>
Date: Monday, 23 April 2018 at 07:31
To: grbartle Graham <grbar...@cisco.com>
Cc: Nick Cutting <ncutt...@edgetg.com>, "Alex K." <nsp.li...@gmail.com>, Alan 
Buxey <alan.bu...@gmail.com>, cisco-nsp <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] MACSec Stages

Hi Graham,

Kind of OT, but what is the title of your book on IPsec VPN?

thanks

On Fri, Apr 20, 2018 at 7:55 AM, Graham Bartlett (grbartle) 
<grbar...@cisco.com> wrote:
Hi

A few of us in Cisco were thinking of writing a CiscoPress book on MACsec, 
which would include details of the inner workings, including protocol flows and 
how the various key material is derived etc.

If this was available would there be interest in this ? 

The reason I ask is, I spent a lot of time and effort developing a book on 
IPsec VPNs and it’s got a very narrow audience. I would imagine that there’s 
even less interest in MACsec. But if we could produce something that meets your 
needs and there is interest we could reconsider.

cheers 

On 17/04/2018, 14:18, "cisco-nsp on behalf of Nick Cutting" 
<cisco-nsp-boun...@puck.nether.net on behalf of ncutt...@edgetg.com> wrote:

    I agree - I spent weeks with TAC cases open etc. and Cisco has no idea how
    this works either.

    I gave up and built a L3 routed VPN.

    I am waiting for the How-to article by Jeremy Stretch!
    -----Original Message-----
    From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Alex K.
    Sent: Tuesday, April 17, 2018 4:13 AM
    To: Alan Buxey <alan.bu...@gmail.com>
    Cc: cisco-nsp <cisco-nsp@puck.nether.net>
    Subject: Re: [c-nsp] MACSec Stages

    Hello Alan and thank you for answering.

    That's the point - all one can find by searching the standard ID, is a
    bunch of unrelated documents, some from IEEE, some from independent sources
    - none display any coherent picture whatsoever.

    Not to mention none provide any overview of the protocol. Just some not
    connected points.

    Such lack of the documentation by all major vendors (white paper stating
    MACSEC is an encryption protocol, doesn't count as a documentation) hit the
    hardest when it comes to troubleshooting. No explanation for debugs, no known
    steps for endpoints to pass through, you're pretty much on your own trying to
    figure out what's going on.

    Alex.

    On Tue, 10 Apr 2018 at 16:06, Alan Buxey <alan.bu...@gmail.com> wrote:

    > 802.1AE
    >
    > Look that up for how it works
    >
    > alan
    >
    > On Wed, 4 Apr 2018, 00:32 Alex K., <nsp.li...@gmail.com> wrote:
    >
    >> Hello everyone,
    >>
    >> After a few implementations of MACSec, I began wondering is there a 
    >> complete documentation of that technology out there?
    >>
    >> For example, I have quite an experience with L2TP. Now, SCCRP may 
    >> sound like a bad language to some, but as we all know, it's an 
    >> important step in tunnel setup. The internet is literally brimming 
    >> with information about L2TP. As for MACSec, maybe it's only me - but 
    >> I'm having a hard time finding information on MACSec internal 
    >> workings (beyond packets formats) especially - when it comes to 
    >> protocols stages and related cisco debugs.
    >>
    >> All I was able to find this far, are some really general sketches of 
    >> MACSec exchanges and seemingly unrelated debug commands.
    >>
    >> Am I missing something? Any help, such as linking to proper 
    >> documentation, successful and unsuccessful debug outputs and such, on 
    >> and off-list, will be gladly appreciated.
    >>
    >>
    >> Thank you,
    >> Alex.

Re: [c-nsp] MACSec Stages

2018-04-23 Thread Antoine Monnier
Hi Graham,

Kind of OT, but what is the title of your book on IPsec VPN?

thanks

On Fri, Apr 20, 2018 at 7:55 AM, Graham Bartlett (grbartle) <
grbar...@cisco.com> wrote:

> Hi
>
> A few of us in Cisco were thinking of writing a CiscoPress book on MACsec,
> which would include details of the inner workings, including protocol flows
> and how the various key material is derived etc.
>
> If this was available would there be interest in this ?
>
> The reason I ask is, I spent a lot of time and effort developing a book on
> IPsec VPNs and it’s got a very narrow audience. I would imagine that
> there’s even less interest in MACsec. But if we could produce something
> that meets your needs and there is interest we could reconsider.
>
> cheers
>
> On 17/04/2018, 14:18, "cisco-nsp on behalf of Nick Cutting" <
> cisco-nsp-boun...@puck.nether.net on behalf of ncutt...@edgetg.com> wrote:
>
> I agree - I spent weeks with TAC cases open etc. and Cisco has no idea
> how this works either.
>
> I gave up and built a L3 routed VPN.
>
> I am waiting for the How-to article by Jeremy Stretch!
> -----Original Message-----
> From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Alex K.
> Sent: Tuesday, April 17, 2018 4:13 AM
> To: Alan Buxey <alan.bu...@gmail.com>
> Cc: cisco-nsp <cisco-nsp@puck.nether.net>
> Subject: Re: [c-nsp] MACSec Stages
>
> Hello Alan and thank you for answering.
>
> That's the point - all one can find by searching the standard ID, is a
> bunch of unrelated documents, some from IEEE, some from independent sources
> - none display any coherent picture whatsoever.
>
> Not to mention none provide any overview of the protocol. Just some
> not connected points.
>
> Such lack of the documentation by all major vendors (white paper
> stating MACSEC is an encryption protocol, doesn't count as a documentation)
> hit the hardest when it comes to troubleshooting. No explanation for
> debugs, no known steps for endpoints to pass through, you're pretty much on
> your own trying to figure out what's going on.
>
> Alex.
>
> On Tue, 10 Apr 2018 at 16:06, Alan Buxey <
> alan.bu...@gmail.com> wrote:
>
> > 802.1AE
> >
> > Look that up for how it works
> >
> > alan
> >
> > On Wed, 4 Apr 2018, 00:32 Alex K., <nsp.li...@gmail.com> wrote:
> >
> >> Hello everyone,
> >>
> >> After a few implementations of MACSec, I began wondering is there a
> >> complete documentation of that technology out there?
> >>
> >> For example, I have quite an experience with L2TP. Now, SCCRP may
> >> sound like a bad language to some, but as we all know, it's an
> >> important step in tunnel setup. The internet is literally brimming
> >> with information about L2TP. As for MACSec, maybe it's only me - but
> >> I'm having a hard time finding information on MACSec internal
> >> workings (beyond packets formats) especially - when it comes to
> >> protocols stages and related cisco debugs.
> >>
> >> All I was able to find this far, are some really general sketches of
> >> MACSec exchanges and seemingly unrelated debug commands.
> >>
> >> Am I missing something? Any help, such as linking to proper
> >> documentation, successful and unsuccessful debug outputs and such, on
> >> and off-list, will be gladly appreciated.
> >>
> >>
> >> Thank you,
> >> Alex.


Re: [c-nsp] MACSec Stages

2018-04-21 Thread Alex K.
I'll second that.

Proper documentation, *not* simply configuration guides, available on Cisco
website - is a MUST. Not something you can possibly avoid doing until
___  (fill in reason to your liking).

I hope it goes without saying.


On the other hand, *it is* worth mentioning, that my current level of
understanding IPSec I've got exactly from "Cisco Press" book on the subject
and I still remember and really appreciate, the depth which the subject was
covered. I still remember and appreciate the explained debug outputs, both
successful and unsuccessful. Worth noting that even today, many years after
I read it, I still prefer running debugs on Cisco gear, even if I run into
issues with other vendors. Mainly thanks to the authors. Hence - yes, if
there will be a book on the subject, I'll probably buy it, since I'm involved
with many MacSec projects and it's still counting.

*But*, "Cisco Press" book comes in no way, to replace *products*
documentation available on Cisco website. A book may and should cover more
in depth material, alongside theoretical/design stuff but it's a long shot.
In the meantime, I second the quick - not that in depth material - on Cisco
website.

Thank you very much for sharing your thoughts.

Alex.

On Fri, 20 Apr 2018 at 9:47, James Bensley wrote:

> On 20 April 2018 at 06:55, Graham Bartlett (grbartle)
>  wrote:
> > Hi
> >
> > A few of us in Cisco were thinking of writing a CiscoPress book on
> MACsec, which would include details of the inner workings, including
> protocol flows and how the various key material is derived etc.
> >
> > If this was available would there be interest in this ?
> >
> > The reason I ask is, I spent a lot of time and effort developing a book
> on IPsec VPNs and it’s got a very narrow audience. I would imagine that
> there’s even less interest in MACsec. But if we could produce something
> that meets your needs and there is interest we could reconsider.
> >
> > cheers
>
> Hi Graham,
>
> Thanks for responding to the list. I'd be interested in a more
> in-depth resource but being honest/open, I probably would read a whole
> book on MACsec (MACsec isn't our bread and butter, but we do use it).
> Do you know the Juniper Day One guides? Something like that would be
> great, circa 100 pages. I guess you could class 100 pages as a small
> book, but I had assumed you meant longer :)
>
> Cheers,
> James.


Re: [c-nsp] MACSec Stages

2018-04-20 Thread James Bensley
On 20 April 2018 at 06:55, Graham Bartlett (grbartle)
 wrote:
> Hi
>
> A few of us in Cisco were thinking of writing a CiscoPress book on MACsec, 
> which would include details of the inner workings, including protocol flows 
> and how the various key material is derived etc.
>
> If this was available would there be interest in this ?
>
> The reason I ask is, I spent a lot of time and effort developing a book on 
> IPsec VPNs and it’s got a very narrow audience. I would imagine that there’s 
> even less interest in MACsec. But if we could produce something that meets 
> your needs and there is interest we could reconsider.
>
> cheers

Hi Graham,

Thanks for responding to the list. I'd be interested in a more
in-depth resource but being honest/open, I probably would read a whole
book on MACsec (MACsec isn't our bread and butter, but we do use it).
Do you know the Juniper Day One guides? Something like that would be
great, circa 100 pages. I guess you could class 100 pages as a small
book, but I had assumed you meant longer :)

Cheers,
James.


Re: [c-nsp] MACSec Stages

2018-04-19 Thread Graham Bartlett (grbartle)
Hi

A few of us in Cisco were thinking of writing a CiscoPress book on MACsec, 
which would include details of the inner workings, including protocol flows and 
how the various key material is derived etc.

If this was available would there be interest in this ? 

The reason I ask is, I spent a lot of time and effort developing a book on 
IPsec VPNs and it’s got a very narrow audience. I would imagine that there’s 
even less interest in MACsec. But if we could produce something that meets your 
needs and there is interest we could reconsider.

cheers 

On 17/04/2018, 14:18, "cisco-nsp on behalf of Nick Cutting" 
<cisco-nsp-boun...@puck.nether.net on behalf of ncutt...@edgetg.com> wrote:

I agree - I spent weeks with TAC cases open etc. and Cisco has no idea how 
this works either.

I gave up and built a L3 routed VPN.

I am waiting for the How-to article by Jeremy Stretch!
-----Original Message-----
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Alex K.
Sent: Tuesday, April 17, 2018 4:13 AM
To: Alan Buxey <alan.bu...@gmail.com>
Cc: cisco-nsp <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] MACSec Stages

Hello Alan and thank you for answering.

That's the point - all one can find by searching the standard ID, is a 
bunch of unrelated documents, some from IEEE, some from independent sources
- none display any coherent picture whatsoever.

Not to mention none provide any overview of the protocol. Just some not 
connected points.

Such lack of the documentation by all major vendors (white paper stating 
MACSEC is an encryption protocol, doesn't count as a documentation) hit the 
hardest when it comes to troubleshooting. No explanation for debugs, no known 
steps for endpoints to pass through, you're pretty much on your own trying to 
figure out what's going on.

Alex.

On Tue, 10 Apr 2018 at 16:06, Alan Buxey <alan.bu...@gmail.com> wrote:

> 802.1AE
>
> Look that up for how it works
>
> alan
>
> On Wed, 4 Apr 2018, 00:32 Alex K., <nsp.li...@gmail.com> wrote:
>
>> Hello everyone,
>>
>> After a few implementations of MACSec, I began wondering is there a 
>> complete documentation of that technology out there?
>>
>> For example, I have quite an experience with L2TP. Now, SCCRP may 
>> sound like a bad language to some, but as we all know, it's an 
>> important step in tunnel setup. The internet is literally brimming 
>> with information about L2TP. As for MACSec, maybe it's only me - but 
>> I'm having a hard time finding information on MACSec internal 
>> workings (beyond packets formats) especially - when it comes to 
>> protocols stages and related cisco debugs.
>>
>> All I was able to find this far, are some really general sketches of 
>> MACSec exchanges and seemingly unrelated debug commands.
>>
>> Am I missing something? Any help, such as linking to proper 
>> documentation, successful and unsuccessful debug outputs and such, on 
>> and off-list, will be gladly appreciated.
>>
>>
>> Thank you,
>> Alex.


Re: [c-nsp] MACSec Stages

2018-04-17 Thread Ian Mock
Might this be what you're looking for?

https://communities.cisco.com/docs/DOC-69479



Ian Mock


On Tue, Apr 3, 2018 at 6:28 PM, Alex K.  wrote:

> Hello everyone,
>
> After a few implementations of MACSec, I began wondering is there a
> complete documentation of that technology out there?
>
> For example, I have quite an experience with L2TP. Now, SCCRP may sound
> like a bad language to some, but as we all know, it's an important step in
> tunnel setup. The internet is literally brimming with information about
> L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
> finding information on MACSec internal workings (beyond packets formats)
> especially - when it comes to protocols stages and related cisco debugs.
>
> All I was able to find this far, are some really general sketches of MACSec
> exchanges and seemingly unrelated debug commands.
>
> Am I missing something? Any help, such as linking to proper documentation,
> successful and unsuccessful debug outputs and such, on and off-list, will
> be gladly appreciated.
>
>
> Thank you,
> Alex.


Re: [c-nsp] MACSec Stages

2018-04-17 Thread Nick Cutting
I agree - I spent weeks with TAC cases open etc. and Cisco has no idea how this 
works either.

I gave up and built a L3 routed VPN.

I am waiting for the How-to article by Jeremy Stretch!
-----Original Message-----
From: cisco-nsp <cisco-nsp-boun...@puck.nether.net> On Behalf Of Alex K.
Sent: Tuesday, April 17, 2018 4:13 AM
To: Alan Buxey <alan.bu...@gmail.com>
Cc: cisco-nsp <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] MACSec Stages

Hello Alan and thank you for answering.

That's the point - all one can find by searching the standard ID, is a bunch of 
unrelated documents, some from IEEE, some from independent sources
- none display any coherent picture whatsoever.

Not to mention none provide any overview of the protocol. Just some not 
connected points.

Such lack of the documentation by all major vendors (white paper stating MACSEC 
is an encryption protocol, doesn't count as a documentation) hit the hardest 
when it comes to troubleshooting. No explanation for debugs, no known steps for 
endpoints to pass through, you're pretty much on your own trying to figure out 
what's going on.

Alex.

On Tue, 10 Apr 2018 at 16:06, Alan Buxey <alan.bu...@gmail.com> wrote:

> 802.1AE
>
> Look that up for how it works
>
> alan
>
> On Wed, 4 Apr 2018, 00:32 Alex K., <nsp.li...@gmail.com> wrote:
>
>> Hello everyone,
>>
>> After a few implementations of MACSec, I began wondering is there a 
>> complete documentation of that technology out there?
>>
>> For example, I have quite an experience with L2TP. Now, SCCRP may 
>> sound like a bad language to some, but as we all know, it's an 
>> important step in tunnel setup. The internet is literally brimming 
>> with information about L2TP. As for MACSec, maybe it's only me - but 
>> I'm having a hard time finding information on MACSec internal 
>> workings (beyond packets formats) especially - when it comes to protocols 
>> stages and related cisco debugs.
>>
>> All I was able to find this far, are some really general sketches of 
>> MACSec exchanges and seemingly unrelated debug commands.
>>
>> Am I missing something? Any help, such as linking to proper 
>> documentation, successful and unsuccessful debug outputs and such, on 
>> and off-list, will be gladly appreciated.
>>
>>
>> Thank you,
>> Alex.


Re: [c-nsp] MACSec Stages

2018-04-17 Thread Alex K.
Hello Alan and thank you for answering.

That's the point - all one can find by searching the standard ID, is a
bunch of unrelated documents, some from IEEE, some from independent sources
- none display any coherent picture whatsoever.

Not to mention none provide any overview of the protocol. Just some not
connected points.

Such lack of the documentation by all major vendors (white paper stating
MACSEC is an encryption protocol, doesn't count as a documentation) hit the
hardest when it comes to troubleshooting. No explanation for debugs, no
known steps for endpoints to pass through, you're pretty much on your own
trying to figure out what's going on.

Alex.

On Tue, 10 Apr 2018 at 16:06, Alan Buxey wrote:

> 802.1AE
>
> Look that up for how it works
>
> alan
>
> On Wed, 4 Apr 2018, 00:32 Alex K.,  wrote:
>
>> Hello everyone,
>>
>> After a few implementations of MACSec, I began wondering is there a
>> complete documentation of that technology out there?
>>
>> For example, I have quite an experience with L2TP. Now, SCCRP may sound
>> like a bad language to some, but as we all know, it's an important step in
>> tunnel setup. The internet is literally brimming with information about
>> L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
>> finding information on MACSec internal workings (beyond packets formats)
>> especially - when it comes to protocols stages and related cisco debugs.
>>
>> All I was able to find this far, are some really general sketches of
>> MACSec
>> exchanges and seemingly unrelated debug commands.
>>
>> Am I missing something? Any help, such as linking to proper documentation,
>> successful and unsuccessful debug outputs and such, on and off-list, will
>> be gladly appreciated.
>>
>>
>> Thank you,
>> Alex.


Re: [c-nsp] MACSec Stages

2018-04-10 Thread Alan Buxey
802.1AE

Look that up for how it works

alan

On Wed, 4 Apr 2018, 00:32 Alex K.,  wrote:

> Hello everyone,
>
> After a few implementations of MACSec, I began wondering is there a
> complete documentation of that technology out there?
>
> For example, I have quite an experience with L2TP. Now, SCCRP may sound
> like a bad language to some, but as we all know, it's an important step in
> tunnel setup. The internet is literally brimming with information about
> L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
> finding information on MACSec internal workings (beyond packets formats)
> especially - when it comes to protocols stages and related cisco debugs.
>
> All I was able to find this far, are some really general sketches of MACSec
> exchanges and seemingly unrelated debug commands.
>
> Am I missing something? Any help, such as linking to proper documentation,
> successful and unsuccessful debug outputs and such, on and off-list, will
> be gladly appreciated.
>
>
> Thank you,
> Alex.


[c-nsp] MACSec Stages

2018-04-03 Thread Alex K.
Hello everyone,

After a few implementations of MACSec, I began wondering is there a
complete documentation of that technology out there?

For example, I have quite an experience with L2TP. Now, SCCRP may sound
like a bad language to some, but as we all know, it's an important step in
tunnel setup. The internet is literally brimming with information about
L2TP. As for MACSec, maybe it's only me - but I'm having a hard time
finding information on MACSec internal workings (beyond packets formats)
especially - when it comes to protocols stages and related cisco debugs.

All I was able to find this far, are some really general sketches of MACSec
exchanges and seemingly unrelated debug commands.

Am I missing something? Any help, such as linking to proper documentation,
successful and unsuccessful debug outputs and such, on and off-list, will
be gladly appreciated.


Thank you,
Alex.