Posted by VIP Experts on June 26, 2020
In today’s digital age, networking requirements have become increasingly crucial. The possibility of unauthorized access to networks and confidential information has increased the need for secure network access.
In 2006, the IEEE officially identified a MAC Security standard, known as MACSec/802.1AE and used with the GCM-AES/GCM-AES-XPN Cipher Suite, to meet the requirements for secure data traversal. MACSec helps users maintain confidentiality by securing data on point-to-point Ethernet links.
The MACSec security protocol encrypts the entire Ethernet packet, including upper-layer frames, except for its source and destination MAC addresses. MACSec offers point-to-point encryption, meaning it is performed at every hop, unlike IPsec, which works only for end-to-end connections. Thus, the MACSec protocol protects the data from tampering, giving users data security.
Key protocol features:
How does MACSec work?
The point-to-point Ethernet link forms the backbone of the MACSec protocol. These links are secured after matching the keys. The secure keys can be made available dynamically or configured by the users.
The keys are matched only after each end of the point-to-point connection has been validated on the interface and the keys have been exchanged. Once MACSec is established on the link, all traffic is secured using encryption and a data integrity (ICV) check.
Fig1: MACSec Frame Format
The MACSec frame adds a Security TAG (SecTAG) and an Integrity Check Value (ICV) to the Ethernet frame to provide secure connectivity associations with the GCM-AES Cipher Suite using a 128/192/256-bit key.
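The frame layout described above, as an added example that is not from the original post: a parser that splits a captured MACSec frame into its cleartext MAC addresses, SecTAG fields, secure data and ICV. It assumes a 16-byte ICV and a frame without FCS, it does not verify the ICV (that needs the key), and the sample frame is constructed.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # EtherType that opens the SecTAG
ICV_LEN = 16                # assumption: 16-byte ICV, as used with GCM-AES

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_macsec(frame: bytes) -> dict:
    """Split a MACSec frame (no FCS) into cleartext header, SecTAG, data, ICV."""
    if len(frame) < 20 + ICV_LEN:
        raise ValueError("too short for SecTAG and ICV")
    ethertype, tci_an, sl, pn = struct.unpack("!HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACSec frame")
    if tci_an & 0x80:
        raise ValueError("V bit set: unknown SecTAG version")
    if sl >= 48:
        raise ValueError("invalid short-length (SL) field")
    offset, sci = 20, None
    if tci_an & 0x20:                  # SC bit: explicit 8-byte SCI follows the PN
        sci, offset = frame[20:28].hex(), 28
    # A non-zero SL is the exact secure-data length, so any Ethernet
    # padding that follows the ICV in a short frame is ignored.
    data_len = sl if sl else len(frame) - offset - ICV_LEN
    end = offset + data_len
    if data_len < 0 or end + ICV_LEN > len(frame):
        raise ValueError("truncated secure data or ICV")
    return {
        "dst": mac(frame[0:6]), "src": mac(frame[6:12]),  # sent in the clear
        "encrypted": bool(tci_an & 0x08),      # E bit
        "changed_text": bool(tci_an & 0x04),   # C bit
        "an": tci_an & 0x03,                   # association number
        "pn": pn,                              # packet number (replay counter)
        "sci": sci,
        "secure_data": frame[offset:end],
        "icv": frame[end:end + ICV_LEN],
    }

# Constructed sample: SC+E+C set, AN 0, SL 4, PN 1, 4 opaque data bytes,
# placeholder ICV bytes (not a real tag), 12 bytes of trailing padding.
SAMPLE = bytes.fromhex("020000000002" "020000000001" "88e5" "2c" "04"
                       "00000001" "0200000000010001" "deadbeef") \
         + b"\xaa" * ICV_LEN + b"\x00" * 12

if __name__ == "__main__":
    for key, value in parse_macsec(SAMPLE).items():
        print(f"{key:13} {value}")
```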
Fig2: MACSec at layer2
Who needs MACSec?
A common use case for MACSec is encrypting the traffic between two devices, such as a remote site connected to a central site, or a central site connected to its branches, via MACSec-enabled routers.
To prevent data from being spied on and manipulated, data centers and IT networks require comprehensive protection programs. Many high-speed routers and data centers have employed the WAN MACSec feature. MACSec can be used across multiple switches using VLAN/SVLAN TAGs (as mentioned in IEEE Std 802.1AEcg™-2017).
In recent years, the automotive industry has also required support for MACSec-compatible hardware, such as controllers and switches, to provide a complete security solution. MACSec, along with AVB-TSN features, provides a good level of security, preventing the network from being paralyzed.
For more information on Synopsys Ethernet VIP and Test Suite offerings, please visit http://synopsys.com/vip