MACsec encryption using SKIP

This chapter provides guidance on configuring point-to-point MACsec encryption using the Secure Key Integration Protocol (SKIP) with Quantum Key Distribution (QKD) devices. It covers protocol overview, configuration steps, supported topologies, and key operational considerations for achieving quantum-safe key management on the routers.

Secure Key Integration Protocol

The Secure Key Integration Protocol (SKIP) is a protocol that

  • enables routers to communicate with external quantum devices

  • facilitates the exchange of MACsec encryption keys using Quantum Key Distribution (QKD), and

  • addresses the key distribution problem in a post-quantum world.

Quantum Key Distribution (QKD) is a cryptographic technique that

  • uses the laws of quantum mechanics to ensure secure transmission of a secret key between two parties

  • encodes the key in the quantum states of single photons and transmits it over optical fiber or free space (vacuum), and

  • provides security by making any interception detectable, since measuring a quantum state changes it, thus alerting the communicating parties to eavesdropping attempts.

The security of QKD key agreement rests on physics rather than on a computational hardness assumption, so it is expected to remain secure as cryptanalysis and quantum computing advance. Unlike traditional key-exchange algorithms, the QKD key agreement itself does not need to be replaced when a new mathematical attack appears. The QKD devices, the router's connection to them, and the MACsec cipher that consumes the keys are still ordinary hardware and software and must be maintained like any other component.

Table 1. Feature History Table

Feature Name: Secure Key Integration Protocol for Routers
Release Information: Release 25.1.1
Feature Description: Introduced in this release on: Fixed Systems (8700 [ASIC: K100]) (select variants only*)
*This feature is supported on the Cisco 8712-MOD-M routers.

Feature Name: Secure Key Integration Protocol for Routers
Release Information: Release 24.4.1
Feature Description: Introduced in this release on: Fixed Systems (8200 [ASIC: P100], 8700 [ASIC: P100]) (select variants only*); Modular Systems (8800 [LC ASIC: P100]) (select variants only*)
*This feature is supported on:

  • 88-LC1-36EH

  • 88-LC1-12TH24FH-E

  • 88-LC1-52Y8H-EM

  • 8212-48FH-M

  • 8711-32FH-M

Feature Name: Secure Key Integration Protocol for Routers
Release Information: Release 7.9.1
Feature Description: Your routers are now capable of handling the Secure Key Integration Protocol (SKIP). SKIP enables your routers to communicate with external quantum devices. With this ability, you can use Quantum Key Distribution (QKD) devices for exchanging MACsec encryption keys between routers. Using QKD eliminates the key distribution problem in a post-quantum world, where the current public-key cryptographic systems are no longer secure due to the advent of quantum computers.

This feature introduces the following:

For more information on Quantum Key Distribution, see Post Quantum Security Brief.

Supported configuration strategies for QKD devices

Secure Key Integration Protocol allows various configurations for utilizing QKD devices:

  • Single QKD device configuration: Use the same QKD device at the end ports of the peer routers to exchange encryption keys efficiently.

  • Multiple QKD device configuration: Configure different QKD devices on the end ports of peer routers for improved flexibility and security.

  • Multi-link QKD device setup: Establish multiple communication links between the same peer routers using different QKD devices for enhanced security.

Options for router communication with QKD devices

To ensure efficient and secure integration between routers and Quantum Key Distribution (QKD) devices, certain router configurations are recommended.

These options optimize routing communication with QKD devices:

  • Source interface configuration: Specify an explicit source interface for QKD device communication using the source interface command within the SKS (Secure Key Service) profile. The source interface determines the address the router uses when it connects to the QKD device, which matters when the QKD device or an intervening firewall accepts key requests only from known router addresses, and when the route to the QKD device must leave through a specific interface.

    Router# config
    Router(config)# sks profile ProfileR1toR2 type remote
    Router(config-sks-profile)# kme server ipv4 192.0.2.34 port 10001
    Router(config-sks-profile)# source interface hundredGigE 0/1/0/17
    Router(config-sks-profile)# commit
  • HTTP proxy configuration: In environments where the QKD device is reachable only through a proxy, configure the router to send its QKD device communication through an HTTP proxy. The http proxy command in the SKS profile takes the proxy's IPv4 or IPv6 address or hostname and the TCP port.

    Router# config
    Router(config)# sks profile ProfileR1toR2 type remote
    Router(config-sks-profile)# kme server ipv4 192.0.2.34 port 10001
    Router(config-sks-profile)# http proxy ipv4 192.0.2.68 port 804
    Router(config-sks-profile)# commit

How point-to-point MACsec encryption using SKIP works

Point-to-point MACsec encryption establishes secure communication between peer router interfaces by leveraging an external quantum key distribution (QKD) network for key exchange. This approach ensures secure and automated key management.

Summary

The key components involved in the process are:

  • Router: Initiates the MACsec link creation and communicates with the QKD device using SKIP.

  • Peer router: The other end of the MACsec link, which also communicates with its QKD device.

  • SKIP: The protocol the router uses to communicate with its QKD device, either to request a new key (receiving the key together with its key ID) or to fetch the key that belongs to a key ID received from the peer.

  • External QKD device network: A network of Quantum Key Distribution devices responsible for securely sharing MACsec encryption keys.

  • QKD device: A specific device within the QKD network that generates keys, each identified by a key ID (a symmetric key and its identifier, not an asymmetric key pair), and shares them.

  • Key ID: A unique string that identifies the shared secret (key).

  • Key (shared secret): The actual MACsec encryption key.

Workflow

Figure 1. Point-to-point MACsec Link Encryption using SKIP

The process involves the following stages:

  1. Link creation request: A router needs to create a MACsec link between its interface and a peer router's interface.

  2. Key request to QKD: The router contacts its external QKD device and requests the encryption key.

  3. Key generation: The external QKD device generates the encryption key together with a unique key ID that identifies it.

  4. Key distribution to initiating router: The QKD device shares both the generated key ID and the key with the initiating router.

  5. Key ID sharing with peer: The initiating router shares only the key ID with its peer router.

  6. Key retrieval by peer: The peer router uses the received key ID to retrieve the corresponding encryption key from its own QKD device.

  7. Secure link establishment: Both routers now possess the same MACsec encryption key, enabling them to establish the secure point-to-point MACsec link.

Result

The QKD network carries the encryption keys; the routers exchange only the key ID over the classical link, and a key ID reveals nothing about the key it names. This enables robust and automated secure communication links between peer router interfaces without the routers ever exchanging the MACsec key itself.
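The seven-stage exchange above, as an added example that is not part of this guide and not Cisco code: a Python simulation in which two mock KMEs (Alice and Bob) stand in for the QKD devices, Router 1 obtains a key and key ID from its KME, sends only the key ID across the link, and Router 2 resolves that ID against its own KME. The MockKME class, the function names and the pre-filled key pools are assumptions made so the flow runs offline; on a real QKD network the pools would be filled over the quantum channel. The example also shows the two failure modes a practitioner should expect: a key ID the peer's KME does not know, and KMEs whose pools have drifted apart.

```python
"""Simulation of the SKIP key-ID workflow described above.

Added example, not Cisco code and not a real SKIP or KME implementation.
Assumptions: the MockKME class, the function names and the in-memory key
pools are invented for this demonstration. Two mock QKD devices (KMEs)
share a pool of (key_id, key) pairs that, on a real QKD network, would
have been established over the quantum channel. The routers exchange only
the key ID; the key itself moves between a router and its own KME only.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class MockKME:
    """One QKD device (KME). pool maps key_id -> 32-byte key."""
    name: str
    pool: dict = field(default_factory=dict)
    served: set = field(default_factory=set)

    def get_key(self):
        """Initiator side (stages 2-4): hand out an unused key with its ID."""
        for key_id, key in self.pool.items():
            if key_id not in self.served:
                self.served.add(key_id)
                return key_id, key
        raise RuntimeError(f"{self.name}: key pool exhausted")

    def get_key_by_id(self, key_id):
        """Peer side (stage 6): return the key that matches a received key ID."""
        if key_id not in self.pool:
            raise KeyError(f"{self.name}: unknown key_id {key_id}")
        self.served.add(key_id)
        return self.pool[key_id]


def make_synced_kmes(n_keys=4):
    """Constructed stand-in for the quantum channel: both KMEs get one pool."""
    pool = {secrets.token_hex(8): secrets.token_bytes(32) for _ in range(n_keys)}
    return MockKME("Alice", dict(pool)), MockKME("Bob", dict(pool))


def establish_macsec_key(kme_a, kme_b, wire):
    """Run stages 2-7; wire collects what crosses the router-to-router link."""
    # Stages 2-4: Router 1 asks its KME for a key and receives (key_id, key).
    key_id, key_r1 = kme_a.get_key()
    # Stage 5: Router 1 sends only the key ID to Router 2.
    wire.append(("R1->R2", "key_id", key_id))
    # Stage 6: Router 2 resolves the key ID with its own KME.
    key_r2 = kme_b.get_key_by_id(key_id)
    # Stage 7: both sides must hold the same key; compare in constant time.
    # A mismatch means the KME pools are out of sync or one KME was substituted.
    if not hmac.compare_digest(key_r1, key_r2):
        raise ValueError(f"key_id {key_id}: KMEs returned different keys")
    return key_id, key_r1


def key_never_on_wire(wire, key):
    """True if the shared secret never appeared in a router-to-router message."""
    return all(payload != key.hex() for _, _, payload in wire)
```

The constant-time comparison in stage 7 is only a sanity check in this simulation; on the real routers the equivalent confirmation happens when MACsec traffic protected with the key verifies on both sides.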

Restrictions for MACsec encryption using SKIP

Before implementing MACsec encryption using the SKIP protocol, you must consider the following restrictions:

  • Use the SKIP protocol only on 8202-32FH-M routers.

  • Configure SKIP only for point-to-point MACsec encryption.

  • Enable SKIP protocol only on interfaces that support MACsec encryption.

Configure point-to-point MACsec encryption using SKIP

Establish secure, point-to-point MACsec encryption between two routers using the SKIP protocol and Quantum Key Distribution (QKD) for automated, quantum-safe key management.

Use this task when you need to configure MACsec in Pre-placed Key (PPK) mode with keys provided by external QKD devices and SKIP for secure key provisioning. This enhances security by leveraging quantum key exchange for MACsec.

Before you begin

  • Configure MACsec Pre-Shared Key (PSK). For more information, see Configure a MACsec keychain.

  • Configure MACsec in the PPK mode.

  • Ensure that you have a network of external QKD devices.

  • Add the QKD server CA to the trustpoint in the router. The router uses this CA to authenticate the QKD server when it requests keys; keys accepted from an unauthenticated server would defeat the purpose of the scheme. For more information, see Configure Trustpoint section in the System Security Configuration Guide for Cisco 8000 Series Routers.

  • Import the QKD server root CA certificate in the router. For more information, see Configure Certificate Enrollment Using Cut-and-Paste section in the System Security Configuration Guide for Cisco 8000 Series Routers.

Procedure


Step 1

Configure the QKD profile.

  1. On Router 1, enter global configuration mode, define the SKS profile, and specify the remote KME server:

    Example:

    Router# config
    Router(config)# sks profile ProfileR1toR2 type remote
    Router(config-sks-profile)# kme server ipv4 192.0.2.34 port 10001 
    Router(config-sks-profile)# commit
  2. On Router 2, enter global configuration mode, define the SKS profile, and specify the remote KME server:

    Example:

    Router# config
    Router(config)# sks profile ProfileR2toR1 type remote
    Router(config-sks-profile)# kme server ipv4 192.0.2.35 port 10001 
    Router(config-sks-profile)# commit

Step 2

Map the QKD profile to the MACsec policy.

  1. On Router 1:

    Example:

    Router# config
    Router(config)# macsec-policy R1toR2
    Router(config-macsec-policy)# ppk sks-profile ProfileR1toR2
    Router(config-macsec-policy)# commit
  2. On Router 2:

    Example:

    Router# config
    Router(config)# macsec-policy R2toR1
    Router(config-macsec-policy)# ppk sks-profile ProfileR2toR1
    Router(config-macsec-policy)# commit

Step 3

Apply MACsec policy to the interfaces.

  1. On Router 1:

    Example:

    Router# config
    Router(config)# interface hundredGigE 0/1/0/10
    Router(config-if)# ipv4 address 192.0.2.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/11
    Router(config-if)# ipv4 address 192.0.3.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/12
    Router(config-if)# ipv4 address 192.0.4.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/9
    Router(config-if)# ipv4 address 192.0.5.1 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R1toR2
    Router(config-if)# commit
  2. On Router 2:

    Example:

    Router# config
    Router(config)# interface hundredGigE 0/1/0/10
    Router(config-if)# ipv4 address 192.0.2.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/11
    Router(config-if)# ipv4 address 192.0.3.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/12
    Router(config-if)# ipv4 address 192.0.4.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit
    
    Router(config)# interface hundredGigE 0/1/0/9
    Router(config-if)# ipv4 address 192.0.5.2 255.255.255.0
    Router(config-if)# macsec psk-keychain mac_chain policy R2toR1
    Router(config-if)# commit

Step 4

Verify the configurations in each router using the show running-config command.

  1. On Router 1:

    Example:

    sks profile ProfileR1toR2 type remote
     kme server ipv4 192.0.2.34 port 10001
    ! 
    macsec-policy R1toR2
     ppk
      sks-profile ProfileR1toR2
     !
    !
    interface hundredGigE 0/1/0/10
     ipv4 address 192.0.2.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    interface hundredGigE 0/1/0/11
     ipv4 address 192.0.3.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    interface hundredGigE 0/1/0/12
     ipv4 address 192.0.4.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    interface hundredGigE 0/1/0/9
     ipv4 address 192.0.5.1 255.255.255.0
     macsec psk-keychain mac_chain policy R1toR2
    !
    
  2. On Router 2:

    Example:

    sks profile ProfileR2toR1 type remote
     kme server ipv4 192.0.2.35 port 10001
    !
    macsec-policy R2toR1
     ppk
      sks-profile ProfileR2toR1
     !
    !
    interface hundredGigE 0/1/0/10
     ipv4 address 192.0.2.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
    interface hundredGigE 0/1/0/11
     ipv4 address 192.0.3.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
    interface hundredGigE 0/1/0/12
     ipv4 address 192.0.4.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !
    interface hundredGigE 0/1/0/9
     ipv4 address 192.0.5.2 255.255.255.0
     macsec psk-keychain mac_chain policy R2toR1
    !

Step 5

Verify the point-to-point MACsec encryption using SKIP on either router with the show crypto sks profile all and show crypto sks profile all stats commands. The profile must show Status Connected, and the stats counters should show key responses matching key requests with no failed requests.

Example:

Router# show crypto sks profile all
Profile Name        :ProfileR1toR2
My identifier       :Router1
Type                :Remote
Reg Client Count    :1

Server
IP                  :192.0.2.34
Port                :10001
Vrf                 :Notconfigured
Source Interface    :Notconfigured
Status              :Connected
Entropy             :true
Key                 :true
Algorithm           :QKD
Local identifier    :Alice
Remote identifier   :Alice

Peerlist
QKD ID               :Bob
State                :Connected

Peerlist
QKD ID               :Alice
State                :Connected

Router# show crypto sks profile all stats
Profile Name            : ProfileR1toR2
My identifier           : Router1
Server
 IP                     : 192.0.2.34
 Port                   : 10001
 Status                 : connected
Counters
 Capability request         : 1
 Key request                : 3
 Key-id request             : 0
 Entropy request            : 0
 Capability response        : 1
 Key response               : 3
 Key-id response            : 0
 Entropy response           : 0
 Total request              : 4
 Request failed             : 0
 Request success            : 4
 Total response             : 4
 Response failed            : 0
 Response success           : 4
 Retry count                : 0
 Response Ignored           : 0
 Cancelled count            : 0
Response time
 Max Time                   : 100 ms
 Avg Time                   : 10  ms
 Min Time                   : 50  ms
Last transaction
 Transaction Id             : 9
 Transaction type           : Get key
 Transaction status         : Response data received, successfully
 Http code                  : 200 OK (200)

When the task is completed, MACsec link encryption is established between both routers using SKIP and QKD for secure key provisioning. All interfaces configured with the MACsec policy exchange encrypted and authenticated traffic.

What to do next

Monitor SKS profile status and key exchange statistics to confirm ongoing secure operation. Review logs and counters for negotiation failures or changes in link state.
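One way to act on that advice, as an added example that is not part of this guide and not a Cisco tool: a Python checker that parses show crypto sks profile all stats output (as captured from the router) and flags the conditions worth alerting on: KME status other than connected, failed requests, key requests without a matching response, and a non-200 HTTP code on the last transaction. The sample output in SAMPLE is constructed by hand to mirror the field names shown in Step 5, with one healthy profile and one failing one; the parser, the field handling and the thresholds are assumptions.

```python
"""Health check over `show crypto sks profile all stats` output.

Added example, not a Cisco tool. The parser and the alert conditions are
assumptions; SAMPLE is constructed to mirror the field names shown on this
page (profile ProfileR1toR2 healthy, ProfileR1toR3 failing).
"""
import re

SAMPLE = """\
Profile Name            : ProfileR1toR2
My identifier           : Router1
Server
 IP                     : 192.0.2.34
 Port                   : 10001
 Status                 : connected
Counters
 Key request                : 3
 Key response               : 3
 Request failed             : 0
 Request success            : 4
 Retry count                : 0
Last transaction
 Transaction status         : Response data received, successfully
 Http code                  : 200 OK (200)
Profile Name            : ProfileR1toR3
My identifier           : Router1
Server
 IP                     : 192.0.2.36
 Port                   : 10001
 Status                 : disconnected
Counters
 Key request                : 5
 Key response               : 2
 Request failed             : 3
 Request success            : 2
 Retry count                : 4
Last transaction
 Transaction status         : Response failed
 Http code                  : 401 Unauthorized (401)
"""

# "Field name   : value"; section headers such as "Server" have no colon.
FIELD = re.compile(r"^\s*(?P<k>[A-Za-z][A-Za-z -]*?)\s*:\s*(?P<v>.*?)\s*$")


def parse_profiles(text):
    """Split the output into one dict per profile, keyed by field name."""
    profiles = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group("k"), m.group("v")
        if key == "Profile Name":
            profiles.append({})
        if profiles:
            profiles[-1][key] = value
    return profiles


def http_code(value):
    """'200 OK (200)' -> 200; None if the field is missing or malformed."""
    m = re.search(r"\((\d{3})\)", value or "")
    return int(m.group(1)) if m else None


def check_profile(p):
    """Return a list of findings for one profile; an empty list means healthy."""
    findings = []
    name = p.get("Profile Name", "?")
    if p.get("Status", "").lower() != "connected":
        findings.append(f"{name}: KME not connected ({p.get('Status')})")
    failed = int(p.get("Request failed", 0))
    if failed:
        findings.append(f"{name}: {failed} failed requests")
    req, resp = int(p.get("Key request", 0)), int(p.get("Key response", 0))
    if resp < req:
        findings.append(f"{name}: {req - resp} key requests without a response")
    code = http_code(p.get("Http code"))
    if code is not None and code != 200:
        findings.append(f"{name}: last transaction returned HTTP {code}")
    return findings


def check_all(text):
    """Findings across every profile in the output."""
    return [f for p in parse_profiles(text) for f in check_profile(p)]


if __name__ == "__main__":
    for finding in check_all(SAMPLE):
        print(finding)
```

The counters in the real output are cumulative since the profile came up, so a poller that runs this periodically should compare successive samples and alert on increases in Request failed or Retry count rather than on the raw totals. A non-200 code on a previously healthy profile is the first thing to look at after a KME certificate or proxy change.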