Securing Network Traffic using MACSec Over Ethernet

VIP Expert

Jun 25, 2020 / 2 min read

In today’s digital age, networking requirements have become increasingly crucial. The possibility of unauthorized access to networks and confidential information has increased the need for secure network access.

In 2006, the IEEE defined the MAC Security standard, known as MACSec (IEEE 802.1AE), with its GCM-AES/GCM-AES-XPN Cipher Suites, to meet the requirement for secure data traversal. MACSec helps users maintain confidentiality by securing data on point-to-point Ethernet links.

Why MACSec?

The MACSec security protocol encrypts the entire Ethernet frame, including the upper-layer payload, except for its source and destination MAC addresses. MACSec encryption is point-to-point, meaning it is performed on every hop, unlike IPsec, which works only for end-to-end connections. The MACSec protocol thus protects data from tampering and gives users data security.

Key protocol features:

  • Maintains data confidentiality by providing strong encryption, marking an end to intrusion threats
  • Provides an integrity check to prevent data tampering, ensuring that the data is not manipulated in transit; a MACSec frame can be both encrypted and authenticated, providing privacy and integrity
  • Offers protocol flexibility, so MACSec security can be enabled or disabled as needed

How does MACSec work?

Point-to-point Ethernet links form the backbone of the MACSec protocol. A link is secured once the keys at both ends match. These keys can be distributed dynamically or configured by the users.

Key matching takes place only after each end of the point-to-point connection has been validated on the interface and the keys have been exchanged. Once MACSec is established on the link, all traffic is protected by encryption and by the data integrity check, the ICV.

Fig1: MACSec Frame Format

A MACSec frame adds a Security TAG (SecTAG) and an Integrity Check Value (ICV) to the Ethernet frame, providing secure connectivity associations with the GCM-AES Cipher Suite using a 128/192/256-bit key.
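The frame layout above, worked through in code as an added example (written for this article, not Synopsys VIP code): it encodes a SecTAG, then splits a frame into the bytes GCM-AES only authenticates (DA, SA, SecTAG, sent in the clear), the bytes it encrypts (Secure Data), the ICV, and the 96-bit GCM IV formed from SCI || PN. The addresses and payload are constructed sample values; the ICV is a placeholder, since no AES-GCM call is made here.

```python
"""IEEE 802.1AE frame layout: DA | SA | SecTAG | Secure Data | ICV.
Splits a frame into what GCM-AES only authenticates (DA, SA, SecTAG),
what it encrypts (Secure Data) and the 96-bit IV (SCI || PN).
Example written for this article, not Synopsys VIP code."""
import struct

MACSEC_ETHERTYPE = 0x88E5
TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x40, 0x20, 0x10, 0x08, 0x04  # TCI flag bits
ICV_LEN = 16  # GCM-AES ICV is always 128 bits

def encode_sectag(an, pn, sci=None, encrypt=True, short_len=0):
    """SecTAG = EtherType(2) | TCI/AN(1) | SL(1) | PN(4) | [SCI(8)]; V bit is 0."""
    tci = an & 0x03
    if encrypt:
        tci |= TCI_E | TCI_C      # E=1, C=1: Secure Data is encrypted
    if sci is not None:
        tci |= TCI_SC             # SC=1: explicit 8-byte SCI follows the PN
    tag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci, short_len & 0x3F, pn)
    return tag + (sci if sci is not None else b"")

def gcm_inputs(frame):
    """Return the pieces an AES-GCM call needs: iv, aad, secure_data, icv.
    aad = DA|SA|SecTAG is integrity-protected but sent in the clear."""
    sa = frame[6:12]
    etype, tci, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if etype != MACSEC_ETHERTYPE or tci & 0x80:
        raise ValueError("not a MACSec (version 0) frame")
    off = 20
    if tci & TCI_SC:              # explicit SCI in the tag
        sci, off = frame[20:28], 28
    elif tci & TCI_ES:            # end station: SCI = SA || port 00-01
        sci = sa + b"\x00\x01"
    else:
        raise ValueError("SCI not in frame; receiver must know it from the SA")
    iv = sci + struct.pack("!I", pn)   # 96-bit GCM IV (non-XPN cipher suites)
    body = frame[off:]
    if len(body) < ICV_LEN:
        raise ValueError("frame too short to carry an ICV")
    secure_data, icv = body[:-ICV_LEN], body[-ICV_LEN:]
    if sl and len(secure_data) != sl:  # SL is non-zero only for Secure Data < 48 octets
        raise ValueError("SL does not match Secure Data length")
    return {"an": tci & 0x03, "pn": pn, "encrypted": bool(tci & TCI_E),
            "iv": iv, "aad": frame[:off], "secure_data": secure_data, "icv": icv}

if __name__ == "__main__":
    da, sa = bytes.fromhex("665544332211"), bytes.fromhex("001122334455")  # constructed
    tag = encode_sectag(an=1, pn=0x2A, sci=sa + b"\x00\x01", short_len=5)
    frame = da + sa + tag + b"hello" + b"\x00" * ICV_LEN  # placeholder ICV, constructed
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in gcm_inputs(frame).items()})
```

The returned iv, aad and secure_data + icv are exactly the three inputs a standard AES-GCM decrypt-and-verify call takes, so a receiver that tampers with DA, SA or the SecTAG fails the ICV check even though those bytes were never encrypted.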

Fig2: MACSec at Layer 2

Who needs MACSec?

A common use case for MACSec comes from everyday networking: encrypting the traffic between two devices, such as a remote site connected to a central site, or a central site connected to its branches, via MACSec-enabled routers.

To prevent data from being eavesdropped on and manipulated, data centers and IT networks require comprehensive protection programs. Many high-speed routers and data centers employ the WAN MACSec feature. MACSec can also be used across multiple switches using VLAN/SVLAN tags (as described in IEEE Std 802.1AEcg™-2017).

In recent years, the automotive industry has also required MACSec-compatible hardware, such as controllers and switches, to provide a complete security solution. MACSec, together with AVB/TSN features, provides a good level of security and keeps the network from being paralyzed.

For more information on Synopsys Ethernet VIP and Test Suite offerings, please visit http://synopsys.com/vip
