simple explanations for macsec and ipsec

Question

I need to implement IPSEC and MACSEC transformations on ethernet packets (i.e. I don't need to deal with setting up parameters, security associations, or key exchange issues, just do the transformations on the packets when that is already known. Also I can nick GCM/AES implementations so I don't have to implement the actual ciphering either.)

Unfortunately I am just too stupid to understand the specifications.

Does anyone know of a nice simple explanation, designed for an idiot, with diagrams and concrete examples, of what the transformations are supposed to look like?

Answer 1

This illustrated guide is good for IPSEC

http://unixwiz.net/techtips/iguide-ipsec.html

And this was invaluable for packing and unpacking IP headers.

http://www.daemon.org/ip.html#proto

There appears to be a bit of a gap in the market for MACSEC though.

Answer 2

MACsec provides three sub-functions, namely:

• Encryption/decryption
• Integrity protection
• Replay protection

These sub-functions are negotiated with other stations using MACsec Key Agreement protocol (MKA).

MACsec uses MACsec Key Agreement protocol (MKA) for exchange and agreement of secure keys between supported devices. MKA uses the EAP framework specified in IEEE 802.1X-2010 forcommunication