This came up in a more generic link layer encryption question:
Commodity switches with MACSec hardware offer wirespeed AES-GCM encryption at a fraction of the cost typically associated with layer 2 encryption.
Is it at all possible to extend MACSec (802.1AE) as a point-to-point solution over a provider bridge (802.1AD) or will this break frame integrity?
If Q-in-Q won't work, might it be possible to use some other form of enveloping or low-overhead encapsulation to transport the MACSec encrypted frames through carrier ethernet?
I do realize MACSec is intended for hop-by-hop security, but naturally hop-by-hop encryption becomes a lot less interesting when the networks (and the encryption keys) are managed by a third party such as the communications provider. It is necessary to maintain point-to-point data integrity and security all the way through the provider network, although preferably not at the cost of tunneling and forklifting the traffic to layer 3 for IPSec encryption.
Even when possible, might there be any good reasons to avoid MACSec for point-to-point encryption, or any other special considerations that should be taken into account?
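To make the frame-integrity part of the question concrete, here is an added example (not from the question or from any vendor's MACSec implementation) that models the byte layout: 802.1AE puts the SecTAG (EtherType 0x88E5) right after the source MAC and an ICV at the end, with DA, SA, SecTAG and user data all integrity-protected; an 802.1ad provider bridge pushes its S-tag (EtherType 0x88A8) after the SA, outside that protected region, and pops it again before handing the frame back. The ICV is computed with a truncated HMAC as a stand-in for the AES-GCM tag (an assumption made so the example runs on the standard library), the frame is integrity-only as 802.1AE permits, and MACs, key and VLAN ID are constructed values.

```python
import hmac
import hashlib
import struct

MACSEC_ETHERTYPE = 0x88E5   # 802.1AE SecTAG EtherType
STAG_ETHERTYPE = 0x88A8     # 802.1ad service tag (provider bridge / Q-in-Q)
ICV_LEN = 16                # 802.1AE ICV length in bytes
KEY = bytes(16)             # constructed demo key; a real SAK is distributed by MKA

def sectag(an, pn, sl=0):
    # 8-byte SecTAG: EtherType, TCI/AN, SL, PN. TCI: ES set, SC clear (SCI implicit from SA),
    # E and C clear = integrity-only frame, user data sent in the clear.
    tci_an = 0x40 | (an & 0x3)
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)

def icv(protected):
    # Stand-in for the AES-GCM tag: keyed MAC over the same region 802.1AE authenticates.
    return hmac.new(KEY, protected, hashlib.sha256).digest()[:ICV_LEN]

def macsec_protect(da, sa, payload, an=0, pn=1):
    # Integrity-protected region is DA | SA | SecTAG | user data; ICV is appended.
    frame = da + sa + sectag(an, pn) + payload
    return frame + icv(frame)

def macsec_validate(frame):
    # Returns the user data if the SecTAG sits where 802.1AE expects it and the ICV checks,
    # otherwise None (the frame would be dropped and counted as an error on a real port).
    if len(frame) < 12 + 8 + ICV_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        return None   # e.g. a provider S-tag still present: SecTAG displaced, frame not parsable
    body, got = frame[:-ICV_LEN], frame[-ICV_LEN:]
    if not hmac.compare_digest(got, icv(body)):
        return None   # anything inside DA|SA|SecTAG|data was altered in transit
    return body[20:]

def provider_push_stag(frame, svid):
    # Provider bridge inserts the S-tag after SA; it is outside the MACSec-protected region.
    return frame[:12] + struct.pack("!HH", STAG_ETHERTYPE, svid & 0xFFF) + frame[12:]

def provider_pop_stag(frame):
    # Provider egress removes the S-tag, restoring the original 802.1AE frame byte-for-byte.
    return frame[:12] + frame[16:]

def provider_mtu_required(user_mtu=1500, sci_present=False):
    # Extra bytes the carrier must forward: SecTAG (8, or 16 with SCI) + ICV + S-tag.
    return user_mtu + (16 if sci_present else 8) + ICV_LEN + 4
```

Running it shows the frame survives a push/pop of the S-tag intact, fails validation if the S-tag is left on or if the provider rewrites DA/SA, and needs 28 to 36 bytes of extra MTU on the carrier side.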