From A to Z, learn everything you need to know about Media Access Control Security (also known as MACsec).
For end-to-end security of data, it needs to be secured when at rest (processed or stored in a device) and when in motion (communicated between connected devices). For data at rest, a hardware root of trust anchored in silicon provides the foundation upon which all data security is built. Similarly, for data in motion, security anchored in hardware at the foundational communication layer provides that basis of trust, and that’s where MACsec enters the picture.
What is MACsec?
Media Access Control security provides security of data between Ethernet-connected devices.
The MACsec protocol is defined by IEEE standard 802.1AE. Originally, Media Access Control Security secured the link between two physically connected devices, but in its current form it can secure data communications between two devices regardless of the number of intervening devices or networks.
When MACsec is enabled, a bi-directional secure link is established after an exchange and verification of security keys between the two connected devices. A combination of data integrity checks and encryption is used to safeguard the transmitted data.
The sending device appends a header and tail to all Ethernet frames to be sent, and encrypts the data payload within the frame. The receiving device checks the header and tail for integrity. If the check fails, the traffic is dropped. On a successful check, the frame is decrypted.
Foundation for Network Security
One of the most compelling cases for MACsec is that it provides Layer 2 (OSI data link layer) security, allowing it to safeguard network communications against a range of attacks including denial of service, intrusion, man-in-the-middle and eavesdropping.
These attacks exploit Layer 2 vulnerabilities and often cannot be detected or prevented by higher layer security protocols. In this way, MACsec provides the foundational security on which a network security architecture can be built.
The OSI model partitions a communication system into seven layers. Each of these abstraction layers serves the layer above and is served by the layer below.
From a security standpoint, each layer can secure its activities and those above it, but depends on the security of the layers below. Since Layer 2 is where communication begins, security here establishes the foundation for security for the entire network stack.
Security at Full Speed
Another compelling advantage of MACsec is that it operates at line rate. Speed is critical as networks and data centers need all the bandwidth they can get to handle the deluge of data traffic growing at an exponential pace. Line rate operation means networks can get the robust Layer 2 security of Media Access Control Security with no sacrifice in performance.
Features and Benefits
Going deeper, here is what MACsec offers:
- Device-to-device security – MACsec establishes secure transfer of data between two devices regardless of the intervening devices or network. This has allowed MACsec to be used in LANs, MANs and WANs to secure data communication.
- Connectionless data integrity – Unauthorized changes to data cannot be made without being detected. Each MAC frame carries a separate integrity verification code, hence the term connectionless.
- Data origin authenticity – A received MAC frame is guaranteed to have been sent by the authenticated device.
- Confidentiality – The data payload of each MAC frame is encrypted to prevent it from being eavesdropped by unauthorized parties.
- Replay protection – MAC frames copied from the network by an attacker cannot be resent into the network without being detected. In special configurations, with the possibility of frame reordering within a network, limited replay can be permitted.
- Bounded receive delay – MAC frames cannot be intercepted by a man-in-the-middle attack and delayed by more than a few seconds without being detected.
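To make the frame handling described above concrete (sender adds a header and tail and encrypts the payload; receiver checks integrity first, drops on failure, then decrypts) and to show how the replay window from the list works, here is an added example in Go. It is not code from the article or from Rambus; it is a constructed model of the 802.1AE SecTAG/ICV layout using GCM-AES-128 (16-byte SecTAG with SCI present, 16-byte ICV, 96-bit nonce built from SCI and packet number, destination/source MACs plus SecTAG as authenticated-but-unencrypted data). The key, SCI, MAC addresses and payload are constructed values, a single direction of traffic is modeled, and the window logic follows the "lowest acceptable PN" rule, so a duplicate that still falls inside a non-zero window is accepted, which is exactly the limited replay the list mentions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	macsecEtherType = 0x88E5 // EtherType that marks a MACsec-protected frame
	secTagLen       = 16     // EtherType(2) + TCI/AN(1) + SL(1) + PN(4) + SCI(8)
	icvLen          = 16     // GCM-AES-128 integrity check value
)

// SA is one direction's state once the two devices have agreed on a key.
// Constructed model: real deployments derive this state via the MKA key agreement.
type SA struct {
	aead   cipher.AEAD
	sci    [8]byte // Secure Channel Identifier; also the first 8 bytes of the GCM nonce
	nextPN uint32  // tx: next PN to send; rx: highest validated PN + 1
	window uint32  // rx: how many PNs of reordering to tolerate (0 = strict, no replay)
}

func NewSA(key []byte, sci [8]byte, window uint32) (*SA, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SA{aead: aead, sci: sci, nextPN: 1, window: window}, nil
}

// Protect turns dst|src|EtherType|payload into dst|src|SecTAG|ciphertext|ICV.
func (sa *SA) Protect(frame []byte) ([]byte, error) {
	if len(frame) < 14 {
		return nil, errors.New("frame too short")
	}
	if sa.nextPN == 0 {
		return nil, errors.New("PN space exhausted: rekey before sending")
	}
	tag := make([]byte, secTagLen)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = 0x2C // TCI/AN: SC=1 (SCI present), E=1 and C=1 (payload encrypted), AN=0
	tag[3] = 0    // SL=0: payload is not a "short" frame
	binary.BigEndian.PutUint32(tag[4:8], sa.nextPN)
	copy(tag[8:16], sa.sci[:])
	sa.nextPN++

	aad := append(append([]byte{}, frame[:12]...), tag...)       // MACs + SecTAG: authenticated, sent in clear
	nonce := append(append([]byte{}, sa.sci[:]...), tag[4:8]...) // 96-bit nonce = SCI || PN, never reused under one key
	ct := sa.aead.Seal(nil, nonce, frame[12:], aad)              // ciphertext followed by the 16-byte ICV
	out := make([]byte, 0, len(aad)+len(ct))
	return append(append(out, aad...), ct...), nil
}

// Verify applies the receive-side checks in order: header sanity, replay window,
// ICV. Only a frame that passes all three is decrypted and delivered.
func (sa *SA) Verify(secured []byte) ([]byte, error) {
	if len(secured) < 12+secTagLen+icvLen {
		return nil, errors.New("frame too short")
	}
	tag := secured[12 : 12+secTagLen]
	if binary.BigEndian.Uint16(tag[0:2]) != macsecEtherType {
		return nil, errors.New("no SecTAG: unprotected frame dropped")
	}
	pn := binary.BigEndian.Uint32(tag[4:8])
	var lowest uint32
	if sa.nextPN > sa.window {
		lowest = sa.nextPN - sa.window
	}
	if pn == 0 || pn < lowest {
		return nil, fmt.Errorf("replay: PN %d below lowest acceptable PN %d", pn, lowest)
	}
	nonce := append(append([]byte{}, tag[8:16]...), tag[4:8]...)
	pt, err := sa.aead.Open(nil, nonce, secured[12+secTagLen:], secured[:12+secTagLen])
	if err != nil {
		return nil, errors.New("ICV check failed: frame dropped") // tampered, forged, or wrong key
	}
	// Advance the window only after a valid ICV, so a forged PN cannot move it.
	if pn >= sa.nextPN {
		sa.nextPN = pn + 1
	}
	return append(append([]byte{}, secured[:12]...), pt...), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key
	sci := [8]byte{0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01}
	tx, _ := NewSA(key, sci, 0)
	rx, _ := NewSA(key, sci, 0)
	frame := append([]byte{2, 0, 0, 0, 0, 2, 2, 0, 0, 0, 0, 1, 0x08, 0x00}, []byte("hello")...)
	sec, _ := tx.Protect(frame)
	fmt.Printf("secured frame: %d bytes (%d plain + %d SecTAG + %d ICV)\n", len(sec), len(frame), secTagLen, icvLen)
	if got, err := rx.Verify(sec); err == nil && bytes.Equal(got, frame) {
		fmt.Println("first delivery: accepted")
	}
	_, err := rx.Verify(sec)
	fmt.Println("replayed copy:", err)
}
```

Running it shows the secured frame is 32 bytes longer than the original (the SecTAG and ICV, which the article calls header and tail), that the first copy is accepted and decrypts to the original frame, and that a replayed copy is refused before any decryption is attempted. A receiver created with a non-zero window instead accepts frames that arrive slightly out of order, at the cost of also accepting a duplicate inside that window.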
Where is MACsec Used?
Ethernet has become the ubiquitous communication solution from the desktop to the carrier network.
A growing torrent of network traffic has driven rapid advancements in the performance of Ethernet with 800G Ethernet representing the latest milestone in the evolution of the standard.
With MACsec as the foundational security technology for safeguarding data in motion across Ethernet networks, the use cases are many:
- WAN/MAN routers
- Data center routers and switches
- Server, storage and top-of-rack switches
- LAN switches
- Secure endpoints such as security cameras and industrial robots
Here’s a detailed example:
Imagine a global enterprise with multiple enterprise networks; here we show three (the enterprise network clouds).
At the edge of each enterprise network is an edge router (CEn). Each CE connects to a service provider edge router (PEn). The MPLS (Multi-protocol Label Switching used for speed and to guarantee QoS levels) service provider network, which may span many routers, optical transport networks, etc., links the PEs.
MACsec can be used to securely connect two CEs.
The service provider network passes the traffic using “in the clear” routing information in the header. But the key authentication, integrity checks and encryption of MACsec are still enforced just as if CE1 and CE2 were physically connected. And this scales to any number of devices, so we could link to tens or hundreds of other MACsec-enabled CEs.
Now, imagine there is an industrial robot at the far end of Enterprise Network 1 (CE1’s cloud), and there is a server running an AI inference application in Enterprise Network 2 (CE2’s cloud).
We could securely connect these two devices to switches using MACsec, and those switches to the CEs, providing end-to-end security with Media Access Control Security.
Device-level Use Cases
Let’s turn now to specific device-level use cases for MACsec.
1. Use Case: Securing 800G Multi-Port PHY
In our first use case, we want to provide communication security for an 800G Multi-port PHY.
We need line-rate encryption of the output which could be one 800G channel or 8 parallel 100G channels with aggregate bandwidth of 800 Gbps. The solution is provided by our multi-port MACsec engine consisting of MACsec classifier and MACsec transformation cores that are incorporated in the PHY transceiver chip. The system would work like this for outbound (transmit) data:
- Time-sliced (TDM) parallel data streams are received by the PHY transceiver chip
- Packet headers are classified
- Data rate is controlled based on the classification and timestamping performed per the precision time protocol (PTP)
- Security implemented (transform packet) with option of constant latency or predictable latency
- Encrypted and authenticated data stream transmitted at line rate under all conditions
In the 800G PHY use case, we assumed all traffic would be MACsec secured. What about the use case for a switch where we have differing security needs depending on the port? We’ll take a look at that use case next.
2. Use Case: Securing Terabit Switch
In our terabit switch, a subset of traffic requires MACsec security.
The solution is a multi-port MACsec engine implemented in the switch ASIC. The MACsec engine is capable of servicing a flexible number of ports with aggregate throughput of up to 800 Gbps. Here’s how that would work:
- TDM data is received
- Packet headers classified for all ports that require security
- Allow deep packet inspection for MACsec EoMPLS
- Support various proprietary schemas if required
- Provide optional support of switch classifier inputs
- Add security (transform packet) with encryption of the data payload
- Stream out encrypted and authenticated data at line rate under all conditions to all protected ports
800G MACsec Protocol Engine
For networking SoC and ASIC designers, Rambus offers an 800G Multi-Channel MACsec Protocol Engine comprised of Transform and Classifier cores. It can support up to 64 channels with aggregate bandwidth of 800 Gbps, providing tremendous design flexibility. It is supported with a widely-adopted MACsec Toolkit and a Driver Development Kit.
800G Multi-Channel MACsec Protocol Engine
With the Rambus 800G MACsec Protocol Engine, designers get the benefits of robust Layer 2 security with line-rate performance. It can be easily integrated into networking chips and is backed with support and services from the world-class Media Access Control Security experts at Rambus.