B&D because replay protection is off Replay protection is especially useful for fighting man-in-the-middle attacks. A packet that is replayed by a man-in-the-middle attacker on the Ethernet link will arrive on the receiving link out of sequence, so replay protection helps ensure the replayed packet is dropped instead of forwarded through the network. https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/task/macsec.html

https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf GCM-AES-128 does not inherently prevent an adversary from intercepting the output of an invocation of authenticated encryption and “replaying” it for authenticated decryption at a later time. The fact that MACsec "is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle(...)." is not telling us anything about this specific config since we can configure MACsec without encryption - we still have to verify provided output. "Reply protection: off" "Encryption: on" so I guess: The link is not protected against man-in-the-middle attacks Data is transmitted across the link in cyphertext Is correct.

C & D. "(...)is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle(...). https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/task/macsec.html