Question 42 - JN0-636 discussion


Exhibit

Referring to the exhibit, which two statements are true about the CAK status for the CAK named "FFFP"? (Choose two.)

A. CAK is not used for encryption and decryption of the MACsec session.
B. SAK is successfully generated using this key.
C. CAK is used for encryption and decryption of the MACsec session.
D. SAK is not generated using this key.

Suggested answer: A, D

Explanation:

The exhibit shows the output of the show security mka sessions summary command on an SRX Series device. This command displays the status of the MACsec Key Agreement (MKA) sessions on the device. The output lists two CAKs configured for the interface ge-0/0/1: FFFF and EEEE. The CAK named FFFF has the type preceding and the status live. The CAK named EEEE has the type fallback and the status active.

The two statements that are true about the CAK status for the CAK named FFFF are:

CAK is not used for encryption and decryption of the MACsec session. This is because the CAK is only used for authentication and key exchange between the MACsec peers. The CAK is not used for encrypting or decrypting the MACsec traffic. The encryption and decryption of the MACsec session is done by the Secure Association Key (SAK), which is derived from the CAK using the MKA protocol.

SAK is not generated using this key. This is because the CAK named FFFF has the type preceding, which means that it is a legacy key that is used for backward compatibility with older MACsec devices. The preceding key is not used for generating the SAK, but only for authenticating the MACsec peers. The SAK is generated using the active key, which is the CAK named EEEE in this case.

Reference: Juniper Security, Professional (JNCIP-SEC) Reference Materials source and documents:

https://www.juniper.net/documentation/en_US/junos/topics/reference/command-summary/showsecurity-mka-sessions-summary.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-macsecoverview.html

asked 18/09/2024
Lampros Diamantopoulos