Perfect forward secrecy (pfs) protected media access control security (macsec) key distribution

We claim: 1 . A non-transitory computer readable medium comprising instructions stored thereon, when executed, the instructions being effective to cause at least one processor of a first network device to: derive a private key encryption key based on a public key, a first private key of the first network device, a second private key of a live peer device, and a Connectivity Association Key (CAK); transmit a secret key encrypted by the private key encryption key to the live peer device; and receive a communication from the live peer device, the communication being encrypted by the secret key. 2 . The non-transitory computer readable medium of claim 1 , wherein the secret key is a MACsec Secret Key (SAK). 3 . The non-transitory computer readable medium of claim 1 , wherein the private encryption key is a Key Encrypting Key (KEK). 4 . The non-transitory computer readable medium of claim 1 , wherein the instructions are further effective to cause at least one processor of a first network device to: prior to the derivation of the private key encryption key, establish a second network device as the live peer device by confirming common possession of the Connectivity Association Key (CAK) between the first network device and the second network device. 5 . The non-transitory computer readable medium of claim 4 , wherein the second network device is one a plurality of network devices, and wherein the Connectivity Association Key (CAK) is shared between the first network device and each the plurality of network devices to be established as a respective live peer device. 6 . The non-transitory computer readable medium of claim 2 , wherein the communication from the live peer device comprises at least one session between the first network device and the live peer device, each of the at least one session is encrypted by a corresponding MACsec Secret Key (SAK). 7 . The non-transitory computer readable medium of claim 6 , wherein the private key encryption key is unique for each of the at least one session between the first network device and the live peer device. 8 . The non-transitory computer readable medium of claim 6 , wherein the secret key is unique for each of the at least one session between the first network device and the live peer device. 9 . The non-transitory computer readable medium of claim 2 , the secret key is encrypted under an Advanced Encryption Standard (AES). 10 . The non-transitory computer readable medium of claim 1 , wherein the private key encryption key is used for Perfect Forward Secrecy (PFS) key distribution. 11 . The non-transitory computer readable medium of claim 1 , wherein the secret key is used to encrypt a MAC Security Standard (MACsec) session. 12 . The non-transitory computer readable medium of claim 3 , wherein a Diffie-Hellman (DH) key comprises the public key, the first private key of the first network device, and the second private key of the live peer device, and the Key Encrypting Key (KEK) is derived from the Connectivity Association Key (CAK) and the Diffie-Hellman (DH) key. 13 . The non-transitory computer readable medium of claim 12 , wherein derive the private encryption key further comprises an announcement Type-Length-Value (TLV) for an announcement parameter set, to carry parameter set of the Diffie-Hellman (DH) key. 14 . A method comprising: deriving, by a first network device, a private key encryption key based on a Diffie-Hellman Key, and a Connectivity Association Key (CAK); transmitting, by the first network device, a secret key encrypted by the private key encryption key to the live peer device; and receiving, by the first network device, a communication from the live peer, the communication being encrypted by the secret key. 15 . The method of claim 14 , wherein the private key encryption key is used for Perfect Forward Secrecy (PFS) key distribution, wherein the secret key is used to encrypt a MAC Security Standard (MACsec) session. 16 . The method of claim 14 , wherein the private key encryption key is a Key Encrypting Key (KEK). 17 . The method of claim 14 , wherein the communication from the live peer device comprises at least one session between the first network device and the live peer device, each of the at least one session is encrypted by a corresponding MACsec Secret Key (SAK). 18 . The method of claim 17 , wherein the private key encryption key is unique for each of the at least one session between the first network device and the live peer device. 19 . The method of claim 17 , wherein the secret key is unique for each of the at least one session between the first network device and the live peer device. 20 . The method of claim 16 , wherein the Diffie-Hellman (DH) key comprises a public key, a first private key of the first network device, a the second private key of the live peer device, and the Key Encrypting Key (KEK) is derived from the Connectivity Association Key (CAK) and the Diffie-Hellman (DH) key.