Securing Automotive Ethernet Connections With MACsec

Protecting communications between zonal gateways.


Zonal architecture in automotive design has become common in recent years in response to the increasing complexity of in-vehicle electrical systems. Automotive Ethernet is used to connect sensors and actuators to zonal gateways in ADAS (Advanced Driver Assistance Systems) enabled vehicles. With multi-gigabit links, it further connects zonal gateways to the central compute units that handle ADAS functionality and will do so for those that will handle autonomous driving capability in years to come.  The in-vehicle Ethernet network is, therefore, a critical element of a car’s safety and reliability, and this blog looks at how the MACsec security protocol can be implemented in automotive SoCs to protect communications between zonal gateways.

As with regular networks, in-vehicle networks are vulnerable to several security threats such as denial-of-service attacks, man-in-the middle attacks, and unauthorized access. In contrast to regular networks, an in-vehicle network requires the unwanted behavior of the network to be detectable and handled according to both automotive safety and cybersecurity requirements. This adds additional considerations for automotive Ethernet devices, network data flow operation and network management software.

Using the IEEE802.1AE MACsec security protocol in automotive Ethernet networks mitigates most of these security threats by providing Ethernet packet data integrity protection with optional confidentiality, packet delay monitoring, detection and dropping packets from the unwanted source, as well as having a set of monitoring statistics which makes it possible to differentiate (cyber)security issues from physical layer malfunctions. Implementation of MACsec in the hardware provides the possibility to detect or filter issues at the hardware level with the minimum possible system response time, while meeting automotive safety goals. This can also be combined at a system level with handling MACsec keys using a Root of Trust/Hardware Security Module (HSM) and Device Lifecycle Management to ensure that only authorized components are used in the automotive body electronics.

MACsec-capable devices can securely communicate with each other as a group or through a set of individual MACsec connections. Depending on the application, either all traffic or part of the traffic can be protected. When combined with VLAN, MACsec allows you to separately protect different network flows within the same network. Implementing MACsec in a system requires the implementation of a MACsec control plane, a MACsec data plane and its integration into the network stack.

The Control Plane (CP) implements the MACsec secure connection management. Typically, this is the MACsec Key Agreement (MKA), which is a management protocol defined in IEEE802.1X. The CP has an API to upper-level components to receive secure connection parameters (including the long-lasting connectivity key, the CAK) and provides the connection state information. It also offers an API to control the data plane for initializing, installing, and managing secure connection(s) protected with a sequence of session keys, the SAK, which are periodically refreshed. In the MACsec standard this is called Layer Management Interface (LMI).

The Data Plane (DP) implements the classification, the MACsec policy and the MACsec cryptographic transform functions and provides the required packet I/O and control interfaces to integrate into the Ethernet subsystem hardware and control software. A Data Plane implementation can be software-only, software with hardware acceleration, or purely hardware-based. For the lowest latency and line-rate throughput at gigabit speeds and beyond, the data plane should be fully hardware-based. Finally, the integration binds the hardware and software components to make a full working system.

A MACsec data plane typically comes in the form of a silicon IP core to be instantiated into an automotive ASIC design for sensors, switches, gateways, MCUs, and PHY. All MACsec data plane functions should be fully in hardware to ensure key features such as line-rate throughput, minimum latency, optimal power usage and safety logic.

The Rambus MACsec-IP-361 IP core is available as a certified ISO 26262 ASIL-B Ready configuration and is designed to be a plug-and-play block for integration into the silicon architectures of automotive Ethernet MCUs, switches and sensor SoCs. It contains all necessary safety measures without a need for external safety measures, making it an ideal solution to help customers reduce development time and risk when designing a fully certified MACsec-capable SoC or ASIC.


Leave a Reply

(Note: This name will be displayed publicly)