Ultra Ethernet Security (UET‑TSS) Tailored For AI And HPC

Traditional Ethernet security mechanisms were not designed for the scaling and trust assumptions of next‑generation networks.

As AI and high‑performance computing (HPC) systems scale from racks to entire data centers, the network has become both a performance enabler and a growing attack surface. Modern AI fabrics interconnect thousands of GPUs and CPUs, move massive volumes of sensitive model data, and increasingly rely on direct memory access rather than host‑mediated communication. These trends exposed a fundamental gap: traditional Ethernet security mechanisms were not designed for the scaling and trust assumptions of next‑generation AI/HPC networks. Ultra Ethernet security, and specifically the Ultra Ethernet Transport Security Sub‑layer (UET‑TSS), was developed to close that gap.

Why network security had to change for AI and HPC

Conventional Ethernet security technologies such as MACsec and IPsec are proven, widely deployed, and considered cryptographically strong, supporting 256-bit encryption keys and regular key refresh. However, they were designed for general-purpose networking: link‑centric communication, relatively stable trust domains, and traffic patterns dominated by flows rather than job- or user-specific data transfers. In contrast, AI/HPC clusters use RDMA‑style transport that moves data directly into application or accelerator memory, bypassing the CPU to minimize latency.

This architectural shift created several challenges. First, the security boundary moved from the link to the compute system itself. Second, the processing latency and reliable delivery of packets became far more visible. Third, hyperscale and enterprise AI environments required finer‑grained isolation between workloads, tenants, and trust domains, often within the same physical fabric. These requirements strained existing security models that sit “below” or “outside” the transport layer, making it necessary to move transport security directly into the host network adapters.

The Ultra Ethernet Consortium’s perspective

The Ultra Ethernet Consortium (UEC) was formed to evolve Ethernet specifically for AI and HPC workloads, while preserving the openness and interoperability of the Ethernet ecosystem. The release of the Ultra Ethernet Specification 1.0 in June 2025 formalized this effort, defining a new Ethernet‑based transport protocol for scale‑out AI and HPC networks. Security was treated as a first‑class architectural concern, not an optional add‑on.

Within this framework, the Ultra Ethernet Transport (UET) protocol introduced a new RDMA‑optimized transport model, distinct from InfiniBand‑derived approaches such as RoCEv2, while still preserving application interface compatibility. Because UET departs from legacy transport semantics, it also required a security model purpose‑built for its assumptions. This need directly led to the creation of the Transport Security Sub‑layer (TSS).

Origin of UET‑TSS

UET‑TSS originated from the recognition that security must be integrated into the transport layer, rather than wrapped around it. Instead of relying solely on link‑layer or network‑layer protection, TSS is defined as part of the UET architecture itself. The design draws on the strengths of established technologies, most notably IPsec, as well as concepts used for large‑scale, internal data center security, such as Google’s PSP Security protocol.

By embedding security into the transport layer, UET‑TSS aligns protection with transport protocol flows, job isolation and network fabric operation. This approach reflects lessons learned from years of operating hyperscale AI and HPC networks, where security enforcement must keep pace with extreme throughput and dynamic topology changes.

Purpose and design goals of UET‑TSS

The primary purpose of UET‑TSS is to provide data confidentiality, integrity, and threat detection for Ultra Ethernet traffic without compromising the performance advantages of UET. Rather than replacing MACsec or IPsec, TSS complements them by securing traffic within the AI/HPC fabric (even if the fabric is distributed over large distances), while other protocols continue to protect data center interconnects, management planes, or legacy transport protocols.

Several design goals distinguish UET‑TSS:

  • Transport-aware security – Because TSS is part of UET, it follows endpoint relationships, enabling protection that aligns with how data is actually moved in AI/HPC systems.
  • Line-rate performance scalability – UET‑TSS is intended for hardware acceleration in SmartNICs and DPUs, supporting current and future Ethernet speeds without introducing bottlenecks.
  • Domain isolation – Large AI clusters often host multiple workloads or tenants. TSS enables security domains that scale with the fabric, addressing limitations seen when reusing legacy protocols in these environments.
  • Ecosystem interoperability – As part of an open UEC specification, TSS is designed to be implemented consistently across vendors, preserving Ethernet’s multi‑vendor ecosystem.

Positioning UET‑TSS in the broader security stack

An important aspect of UET‑TSS is what it does not try to replace. The UEC explicitly positions TSS alongside existing security technologies, not as a universal substitute. IPsec remains relevant for securing RoCEv2 traffic, virtual networks, and control planes, while MACsec continues to protect long‑haul and data center interconnect links. UET‑TSS fills the gap inside Ultra Ethernet fabrics, where neither MACsec nor IPsec alone can fully meet AI/HPC requirements.

Security IP for UET-TSS

Rambus, having successfully served the data center, enterprise and infrastructure markets with line-rate MACsec and IPsec products, has introduced two new solutions for securing the UET transport protocol with TSS:

  • UET-TSS-IP-69, an inline, multi-channel TSS transformation engine at rates up to 1.6 Tbps, is intended for customers who already have the classification and policy databases in place.
  • UET-TSS-IP-369, an inline, high-performance, multi-channel packet engine that provides a complete TSS layer at rates up to 1.6 Tbps. It embeds the UET-TSS-IP-69 as its processing data path and complements it with classification, SDKDB, key management and statistics.

Both of these UET-TSS IP solutions are expected to be used in SmartNICs and NIC chiplets, and in the future to be part of UET-based NVMe-oF storage controllers. As IP blocks that can be instantiated independently of the Ethernet controller, the Rambus UET-TSS IP solutions can support customers’ own tunneling protocols while providing flexibility and scalability. With over three decades of state-of-the-art security expertise, Rambus offers the industry’s broadest and most performant portfolio of security IP solutions backed by world-class support from Rambus security experts.
