Creating a secure bi-directional link between Ethernet-connected devices.
For end-to-end security of data, it must be secured both when “at rest” (processed or stored in a connected device) and when it is “in motion” (communicated between connected devices). For data at rest, a hardware root of trust anchored in silicon provides that foundation upon which all data and device security is built. For example, the security of applications builds on an uncompromised operating system (OS), which in turn relies on valid boot code. The validity of the boot code is ensured by a root of trust.
A similar security hierarchy applies for data in motion. Security anchored in hardware at the foundational network layer provides that basis for trust between connected devices and is extensible to securing communications across the entire network. For Ethernet-based networking, which is increasingly ubiquitous across the LAN, MAN and WAN, MACsec provides that foundational security.
Media Access Control Security (MACsec) provides point-to-point security of data between Ethernet-connected devices. The MACsec protocol is defined by IEEE standard 802.1AE.
When MACsec is enabled, a secure bi-directional link is established between connected devices following an exchange and verification of security keys. A combination of data integrity checks and encryption is used to safeguard the data transmitted via the secure link.
At a high level, the sending device appends a header and tail to all Ethernet frames to be sent and encrypts the data payload within the frame. The receiving device checks the header and tail for integrity. If the check fails, the traffic is dropped. On a successful check, the frame is decrypted.
As implied by the above, MACsec secures the network by securing data exchange between two network components. With MACsec, data is encrypted by the sender and decrypted by the receiving device. Network administrators are able to monitor and inspect “in the clear” traffic at each connected device.
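The sender and receiver steps described above, as an added Go example that is not part of this post or of Rambus' MACsec engines: it builds the 8-byte SecTAG header, encrypts the payload with GCM-AES-128 (the IEEE 802.1AE default cipher suite), appends the 16-byte ICV tail, and on the receiving side drops any frame whose integrity check fails or whose packet number is below the replay floor. The key, MAC addresses, SCI and payload are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Frame layout: dst MAC | src MAC | 8-byte SecTAG | Secure Data | 16-byte ICV.
// SecTAG = EtherType 0x88E5 | TCI/AN | SL | 32-bit packet number (PN).

// sak returns the GCM-AES-128 AEAD for a 16-byte Secure Association Key.
func sak(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protect is the sender side: add the SecTAG, encrypt the payload, append the ICV.
// sci is the 8-byte Secure Channel Identifier; the 12-byte GCM nonce is SCI || PN.
func protect(gcm cipher.AEAD, sci []byte, pn uint32, dst, src, payload []byte) []byte {
	sl := byte(0) // SL: length of user data when below 48 bytes, otherwise 0
	if len(payload) < 48 {
		sl = byte(len(payload))
	}
	// TCI/AN 0x4C: ES=1 (SCI implied by src MAC), E=1 and C=1 (payload encrypted), AN=0
	header := append(append(append([]byte{}, dst...), src...), 0x88, 0xE5, 0x4C, sl, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(header[16:20], pn)
	nonce := append(append([]byte{}, sci...), header[16:20]...)
	// MACs and SecTAG travel in the clear but are authenticated as AAD; payload is encrypted.
	return append(header, gcm.Seal(nil, nonce, payload, header)...)
}

// verify is the receiver side: non-MACsec frames, frames with a PN below lowestPN
// (replay) and frames failing the ICV check are dropped; otherwise the payload is returned.
func verify(gcm cipher.AEAD, sci []byte, lowestPN uint32, frame []byte) ([]byte, error) {
	if len(frame) < 36 || binary.BigEndian.Uint16(frame[12:14]) != 0x88E5 {
		return nil, errors.New("dropped: not a MACsec frame")
	}
	if binary.BigEndian.Uint32(frame[16:20]) < lowestPN {
		return nil, errors.New("dropped: packet number below replay window")
	}
	nonce := append(append([]byte{}, sci...), frame[16:20]...)
	plain, err := gcm.Open(nil, nonce, frame[20:], frame[:20])
	if err != nil {
		return nil, errors.New("dropped: integrity check failed")
	}
	return plain, nil
}
```

Because the destination and source MACs are covered by the ICV, flipping a single bit of either header field is rejected just like a modified ciphertext byte.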
Ethernet connectivity and services extend from the desktop to the carrier network, making securing data communications carried by Ethernet an imperative. As the foundational security technology for safeguarding data in motion via Ethernet, the use cases for MACsec are many:
Fundamentally, wherever there is a wired Ethernet connection, there is a use case for securing that connection with MACsec.
One of the most compelling benefits of MACsec is that it provides Layer 2 security, allowing it to safeguard network communications against a range of attacks including denial of service, intrusion, man-in-the-middle and eavesdropping. These attacks exploit Layer 2 vulnerabilities and often cannot be detected or prevented by higher-layer security protocols.
Layer 2 refers to the Open Systems Interconnection (OSI) network model which partitions a communication system into seven layers building from Layer 1, the physical layer (PHY), to Layer 7, the application layer. Each of these network layers serves the layer above and is served by the layer below. From a security standpoint, each layer can secure its activities and those above it but depends on the security of the layers below it.
The function of Layer 1 is to encode the data per the network protocol. Layer 2 is where communication between devices begins. By securing communication at Layer 2, MACsec provides the foundational security on which an end-to-end security architecture can be built.
In data centers at the heart of the network, the need to process and move an exponentially growing torrent of data has driven the rapid jumps in the performance of Ethernet. 800G Ethernet represents the latest milestone in the evolution of the standard. To get the full benefit of the increased data rate, security needs to operate at network speed.
Speed is the second big benefit of MACsec in that it provides line-rate secure communication. It services the increasing demand for high-quality content, such as streaming video, as well as for high-bandwidth real-time applications such as autonomous vehicles. MACsec delivers the benefit of strong security without introducing unwanted latency or bandwidth limitations. Inline deployments of MACsec guarantee line-rate encryption at any Ethernet speed, with the ability to keep the latency increase for security to a bare minimum.
Anchored in hardware, and operating at Layer 2, MACsec can provide the foundational security for data in motion as a root of trust does for data at rest. As Ethernet becomes the ubiquitous means of transmitting data, so too MACsec becomes the universal means of protecting it. Further, with Ethernet reaching new speed grades of 800G and beyond, MACsec’s ability for line-rate operation means strong security can be had without a sacrifice in performance.
Additional Resources:
Rambus Website: MACsec Engines
Rambus 800G MACsec Press Release
Rambus 800G MACsec Blog