Power over Ethernet (PoE) basics and beyond

PoE is awesome. My custom home security system is all CCTV PoE with a gstreamer backend running on four-core fanless linux box. Way to go. Complete control. No batteries, no wares spying on me, no personal data getting scraped by big guys. (Cloud connectivity sucks because I have segmented mp4s and jogging through them hurts but I only care for events after they happen, not while they happen.)

If one of those cameras is outside, did you consider the case of someone plugging in his laptop on that ethernet cable? He'd be on your local network.

MACsec, https://forum.openwrt.org/t/macsec-802-1ae-with-802-1x-eapol...

MACSec is irrelevant for this purpose. MACSec encrypts points to point links, it doesn’t authenticate. That’s what 802.1x is for.

No it isn't. Most MACsec-capable platforms have a "must-secure" or "should-secure" transmission mode.

If the security association isn't completed on a "must-secure" configured port then no traffic is transmitted. One would need access to the pre-shared keys to successfully use the link.

Now, could one perform a side-channel attack of the memory on the camera and get access to them? Maybe.

This is veering into pedantry, but from what I can understand of that setting (I'm not a sysadmin guy but have used MACsec on embedded stuff), that's just as much of an 802.1X feature as a MACsec feature.

Sure the switch will only accept encrypted L2 traffic...but that encrypted link is set up via MKA, which is a part of the 802.1X standard. If you don't have 802.1X authenticating the endpoint, you don't have MKA setting up the encrypted link between that endpoint and the switch and you don't have MACsec.

So if you're trying to prevent a bad guy from getting on your LAN, you need 802.1X, whereas MACsec is an optional extra (a very useful extra if you're worried about MITM attacks). But 802.1X is still doing the heavy lifting w.r.t access control.