I already asked this question on SF, but figured it might be a better fit here.
Is it at all possible to extend MACSec encryption over a provider bridge? Will the typical 802.1ad implementation be able to forward the encrypted frame, or will forwarding break frame integrity?
I do realize MACSec is intended for hop-by-hop security. Are there any reasons not to use MACSec for point-to-point encryption over a carrier, or other special considerations that should be taken into account?
The reason I ask is that MACSec hardware offers wirespeed encryption at a fraction of the typical cost associated with layer 2 encryption.
I don't have the rep to add new tags, but feel free to add relevant tags for MACSec, PBN, 802.1ad and 802.1ae etc.
Best Answer
MacSec (i.e. 802.1ae-2006) is a hop-by-hop encryption technology... Therefore provider-bridged MacSec isn't possible today; however, there is a talk of relaxing per-hop MacSec encryption