Without using IPsec but MACsec, do we achieve confidentiality (data encryption) while using AWS Direct Connect?
If we do not, then what protocol is used with Direct Connect? I understood they were using AES-GCM with GMAC, but it looks like this is not the case.
References:
Thanks
Without using IPsec but MACsec, do we achieve confidentiality (data encryption) while using AWS Direct Connect?
Yes. It's a layer 2 (frame-level) security/encryption.
Basically it will have keys on both ends, and you need to enable this on both ends. But you will have to make a decision on what happens if the handshake fails: should you still receive unencrypted data or not? To do that, you have to choose one of the three available options: 1. should_encrypt, 2. must_encrypt, and 3. no_encrypt.
should_encrypt: it will try to encrypt the traffic, meaning handshakes and key exchanges have to go through for it to be encrypted, but if they do not, it does not encrypt; so in this scenario, frames sent from src to dest are unencrypted.
must_encrypt: attempts the key handshake. If that fails, then no traffic flows (unlike should_encrypt); the connection will be down and the encryption status is down.
no_encrypt: no handshake and no encryption.
Hope that sheds some light on the MACsec concept?
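The practical consequence of the three modes above is that only must_encrypt guarantees confidentiality on the link; should_encrypt can silently fall back to cleartext frames. The following audit script is an added example, not code from the thread or from AWS: it classifies connections from a constructed sample shaped like the `aws directconnect describe-connections` response (the field names encryptionMode, portEncryptionStatus and macSecCapable are assumed from that API, and all sample values are made up).

```python
import json
from typing import Dict, Tuple

# Constructed sample shaped like `aws directconnect describe-connections` output
# (field names assumed from the DescribeConnections API; values are made up).
SAMPLE_DESCRIBE_CONNECTIONS = json.dumps({
    "connections": [
        {"connectionId": "dxcon-example01", "macSecCapable": True,
         "encryptionMode": "must_encrypt", "portEncryptionStatus": "Encryption Up"},
        {"connectionId": "dxcon-example02", "macSecCapable": True,
         "encryptionMode": "should_encrypt", "portEncryptionStatus": "Encryption Down"},
        {"connectionId": "dxcon-example03", "macSecCapable": False,
         "encryptionMode": "no_encrypt", "portEncryptionStatus": "Encryption Down"},
    ]
})


def assess_connection(conn: dict) -> Tuple[str, str]:
    """Classify one connection by the three modes the answer describes.

    ENCRYPTED: must_encrypt and the MACsec session is up.
    DOWN:      must_encrypt but the key handshake failed, so no traffic flows.
    AT_RISK:   should_encrypt is up now but silently falls back to cleartext.
    CLEARTEXT: frames cross the link unencrypted (fallback or no_encrypt).
    """
    mode = conn.get("encryptionMode", "no_encrypt")
    session_up = conn.get("portEncryptionStatus") == "Encryption Up"
    if mode == "must_encrypt":
        if session_up:
            return "ENCRYPTED", "must_encrypt with MACsec session up"
        return "DOWN", "must_encrypt but handshake failed; link carries no traffic"
    if mode == "should_encrypt":
        if session_up:
            return "AT_RISK", "should_encrypt: encrypted now, cleartext on handshake failure"
        return "CLEARTEXT", "should_encrypt fell back to unencrypted frames"
    if not conn.get("macSecCapable", False):
        return "CLEARTEXT", "port is not MACsec capable"
    return "CLEARTEXT", "no_encrypt: no handshake and no encryption"


def audit(describe_output: str) -> Dict[str, Tuple[str, str]]:
    """Map connectionId -> (verdict, reason) for a DescribeConnections JSON blob."""
    data = json.loads(describe_output)
    return {c["connectionId"]: assess_connection(c) for c in data.get("connections", [])}


if __name__ == "__main__":
    for cid, (verdict, reason) in audit(SAMPLE_DESCRIBE_CONNECTIONS).items():
        print(f"{cid}: {verdict} ({reason})")
```

Feed it the real CLI output instead of the sample to flag any connection whose verdict is not ENCRYPTED.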