Enforcing 802.1X on the switch is also a good solution, especially for "external" ports.

802.1X is quite trivial to bypass if you have an authenticated device (in this case the intercom) that you can transparently bridge[1].

[1]. https://www.defcon.org/images/defcon-19/dc-19-presentations/...
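The transparent bridge the comment above refers to, as an added example (not code from the thread or from the linked talk): a Linux box with two NICs is inserted between the already-authenticated device and the switch port. The interface names eth0/eth1, the bridge name br0 and the sysfs path are assumptions for illustration; with DRY_RUN set the functions print the commands instead of running them, so the sequence can be reviewed before it touches a live port.

```shell
#!/bin/sh
# Added example, not from the thread. Transparent Linux bridge between an
# 802.1X-authenticated device and the switch port it is plugged into.
# Assumed names: SWITCH_IF = NIC cabled to the switch, DEVICE_IF = NIC
# cabled to the authenticated device (e.g. the intercom), BR = bridge.

SWITCH_IF="${SWITCH_IF:-eth0}"
DEVICE_IF="${DEVICE_IF:-eth1}"
BR="${BR:-br0}"

# Execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A Linux bridge drops frames sent to the 802.1D link-local group range
# 01:80:C2:00:00:00..0F by default, and EAPOL uses 01:80:C2:00:00:03.
# group_fwd_mask is a bitmask over that last octet, so bit 3 (0x8) is
# what lets the device's EAPOL frames cross the bridge. Without it the
# device can never (re)authenticate through us and the port stays closed.
# (Bits 0..2, i.e. STP, MAC pause and LACP, cannot be enabled this way.)
eapol_group_fwd_mask() {
    last_octet=3
    printf '0x%x\n' $((1 << last_octet))
}

bridge_up() {
    run ip link add "$BR" type bridge
    # No STP: the bridge must never originate BPDUs of its own.
    run ip link set "$BR" type bridge stp_state 0
    run sh -c "echo $(eapol_group_fwd_mask) > /sys/class/net/$BR/bridge/group_fwd_mask"
    # Keep the box silent on the wire: no IPv6 autoconfiguration (which
    # would send MLD/ND frames from our own MAC) and no IP addresses on
    # the member interfaces.
    run sysctl -qw "net.ipv6.conf.$BR.disable_ipv6=1"
    for ifc in "$SWITCH_IF" "$DEVICE_IF"; do
        run sysctl -qw "net.ipv6.conf.$ifc.disable_ipv6=1"
        run ip addr flush dev "$ifc"
        run ip link set "$ifc" master "$BR"
        run ip link set "$ifc" up
    done
    run ip link set "$BR" up
}

bridge_down() {
    for ifc in "$SWITCH_IF" "$DEVICE_IF"; do
        run ip link set "$ifc" nomaster
    done
    run ip link del "$BR"
}

# Usage (as root): DRY_RUN=1 bridge_up   # review the commands
#                  bridge_up             # apply them
```

Once the bridge is up, the device behind it authenticates the port exactly as before, and the bridge learns the device's MAC and IP from its traffic; sourcing the attacker's own packets as that device is a separate step not shown here. This is also where MACsec changes the picture: the EAPOL/MKA exchange still passes through the bridge, but the SAK it derives exists only on the device and the switch, so any frame the bridge injects fails the ICV check at the switch and is dropped.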

It will still block or slow down many.

802.1X is commonly deployed with MACsec. Will it also be trivial to bypass?

Have you ever seen an intercom or IP camera with MACsec support?

yes

for example https://newsroom.axis.com/en-us/press-release/macsec-zero-tr...

That's great.

Now we need to get an enterprise-grade switch; I doubt Cisco would add MACsec to SOHO gear. Along with enterprise-grade intercoms, cameras, doorbells...

And Unifi, beloved by many, is out of the question: they still can't bake in IPv6 support.

So it looks like it's feasible, but the cost wouldn't be good.

ADD: also read this article: https://news.ycombinator.com/item?id=41531699

I'm well familiar with MACsec. We use it between datacenters and for AWS DirectLink. It's the de facto standard for this kind of stuff. I even worked on hardware that provided MACsec support.

A couple of years ago I tried to use it inside a datacenter during a FedRAMP implementation. It crashed and burned for a couple of reasons:

- Linux wpa_supplicant was crashing during session establishment

- the switch had a limit on the number of MACsec sessions per port
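The Linux side of a deployment like the one described above, as an added example (not the commenter's setup): wpa_supplicant's macsec_linux driver running MKA with a pre-shared CAK/CKN, plus a check against the per-port session limit. The config path, interface name and the sample `ip macsec show` output are assumptions for illustration, and the CAK/CKN values used in the usage line are placeholders, never keys to deploy.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a wpa_supplicant MACsec
# (MKA, pre-shared CAK/CKN) config and counts peers in "ip macsec show".
# Assumed: CONF path and IFACE name; keys are passed in by the caller.

CONF="${CONF:-/etc/wpa_supplicant/macsec-eth0.conf}"
IFACE="${IFACE:-eth0}"

# MKA takes a 128- or 256-bit CAK (32 or 64 hex chars) and a CKN of
# 1..32 bytes (2..64 hex chars). wpa_supplicant rejects other lengths,
# which is one way a session "fails during establishment" with little
# to go on in the logs, so validate before writing the file.
valid_hex() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}
valid_cak() { valid_hex "$1" && { [ ${#1} -eq 32 ] || [ ${#1} -eq 64 ]; }; }
valid_ckn() { valid_hex "$1" && [ ${#1} -ge 2 ] && [ ${#1} -le 64 ]; }

# $1 = CAK (hex), $2 = CKN (hex); prints a wpa_supplicant config to stdout.
mka_psk_conf() {
    valid_cak "$1" || { echo "bad CAK: need 32 or 64 hex chars" >&2; return 1; }
    valid_ckn "$2" || { echo "bad CKN: need 2..64 hex chars" >&2; return 1; }
    cat <<EOF
# MKA over a point-to-point link with a pre-shared CAK/CKN (no EAP).
ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0
network={
    key_mgmt=NONE
    eapol_flags=0
    macsec_policy=1
    macsec_replay_protect=1
    macsec_replay_window=0
    mka_cak=$1
    mka_ckn=$2
    mka_priority=16
}
EOF
}

# Every MACsec peer on a port is one receive secure channel (RXSC) in
# "ip macsec show". Counting them is the check that compares against a
# switch's per-port session limit before a rollout, not after.
rxsc_count() {  # reads "ip macsec show" output on stdin
    grep -c '^[[:space:]]*RXSC:' || true
}

# Constructed sample of "ip macsec show" output with two peers (assumed
# format, used here only so the check can be exercised offline).
SAMPLE_MACSEC_SHOW='2: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050568d11fd0001 on SA 0
        0: PN 1, state on, key 01000000000000000000000000000000
    RXSC: 0050568d22ee0001, state on
        0: PN 1, state on, key 02000000000000000000000000000000
    RXSC: 0050568d33ff0001, state on
        0: PN 1, state on, key 03000000000000000000000000000000'

sample_rxsc_count() { printf '%s\n' "$SAMPLE_MACSEC_SHOW" | rxsc_count; }

# Usage (as root, with placeholder keys):
#   mka_psk_conf 000102030405060708090a0b0c0d0e0f 0001 > "$CONF"
#   wpa_supplicant -B -i "$IFACE" -D macsec_linux -c "$CONF"
#   ip macsec show | rxsc_count
```

wpa_supplicant creates the macsec interface itself once MKA completes; if `ip macsec show` stays empty, the session never got past key agreement, which is where the crash the comment describes would have shown up.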