MACsec for Deterministic Ethernet applications

Why MACsec is a compelling security solution for Deterministic Ethernet networks and how Packaged Intellectual Property solutions can accelerate time-to-market for chip developers.

Security has long been a top priority in communications networks. However, networks that support time-sensitive applications face challenges in implementing adequate security mechanisms that also meet latency and jitter requirements. This includes networks supporting mobile communication, industrial automation, automotive and aerospace applications.

The emergence of Deterministic Ethernet using time synchronization protocols like IEEE 1588 Precision Time Protocol (PTP) allows Ethernet-based networks to be used for time-critical applications. The challenge is to provide adequate security mechanisms that ensure that sensitive data is protected as well as the operation of the network itself while also meeting strict performance requirements.

In this paper, we propose MACsec as a compelling security solution for Deterministic Ethernet networks. It not only protects against Ethernet-specific attacks but also protects the applications transported over Ethernet, while meeting latency and jitter requirements. The efficient port-level implementation of MACsec provides line-rate performance, and it also suits the compact device implementations that Deterministic Ethernet applications require.

Multi-layer Security

Ethernet has been the preferred data link layer for Internet Protocol (IP) communication for some time and with the emergence of Deterministic Ethernet, any IP-based application can be transported over Ethernet-based networks.

However, this has not always been the case and several other data link layer protocols have been used, and in some cases still are used, for transporting IP data, such as Frame Relay, Asynchronous Transfer Mode (ATM) and Optical Transport Network (OTN). For example, in some mobile network implementations, IP packets could traverse all of the above protocols. 

The Open Systems Interconnection model (OSI model) divides networking into layers, with specific security mechanisms used at each layer, as shown in Figure 1 (below). This lets each security protocol focus on the threats to its own layer. Internet Protocol Security (IPsec) protects IP packets at the network layer, while Transport Layer Security (TLS) protects the data carried over Transmission Control Protocol (TCP) connections at the transport layer.

Figure 1: Security specific to each network layer

For Deterministic Ethernet networks, MACsec can be used to provide efficient security at the data link layer. This will not only protect against Ethernet-specific attacks but also protect network layer connections and transport layer sessions, as well as applications supported by these network layers.

Advantages of MACsec

One of the advantages of MACsec is that it encrypts at the line rate of the port, whatever that rate is, as shown in Figure 2 (below).

Figure 2: MACsec vs IPsec encryption performance

MACsec is implemented at the Ethernet port level in dedicated FPGA or ASIC logic. This is in contrast to IPsec and TLS, which are implemented either in the router or the processor used for forwarding IP packets, or in dedicated co-processor engines with limited processing capacity.

A single Ethernet port can carry traffic for many IP addresses and TCP sessions, and MACsec secures all of it at the port, frame by frame, in real time. IPsec and TLS, by contrast, must encrypt each IP packet or TCP segment individually in the forwarding path.

A trade-off must therefore be made between forwarding and encryption performance, which limits IPsec and TLS throughput.
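To make the frame-by-frame point concrete, here is an added example (not code from this article, nor from any MACsec IP product) that does what a MACsec receive port does before it touches the cipher: parse the IEEE 802.1AE SecTAG, derive the GCM-AES nonce from SCI and PN, separate the authenticated header from the encrypted secure data and the ICV, and apply the standard's receive-side replay-window check. Everything the port needs is in the frame plus a small per-association state; no IP address, flow or session lookup is involved. The sample frame, its ciphertext and its ICV are constructed placeholders, so no key is used and no AES-GCM verification is performed (a real port would verify the ICV with the secure association's key before updating its packet-number state).

```python
"""Receive-side MACsec (IEEE 802.1AE) SecTAG parsing and replay check.

Added example, not code from the article.  The sample frame below is
constructed; its secure data and ICV are placeholders, no cipher is run.
"""
from dataclasses import dataclass
from typing import Optional

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128 and GCM-AES-256 both carry a 16-octet ICV


@dataclass
class MacsecFrame:
    dst: bytes          # destination MAC (6 octets)
    src: bytes          # source MAC (6 octets)
    an: int             # association number (0..3) selecting the SA
    encrypted: bool     # E bit: secure data is ciphertext
    pn: int             # 32-bit packet number from the SecTAG
    sci: bytes          # secure channel identifier (8 octets)
    aad: bytes          # octets authenticated but not encrypted
    secure_data: bytes  # user data (E=0) or ciphertext (E=1)
    icv: bytes          # integrity check value

    @property
    def nonce(self) -> bytes:
        # 802.1AE GCM IV is SCI || PN (12 octets); XPN would use the 64-bit PN
        return self.sci + self.pn.to_bytes(4, "big")


def parse_macsec_frame(frame: bytes, peer_sci: Optional[bytes] = None) -> MacsecFrame:
    """Split a MACsec frame into the pieces GCM-AES needs.  Raises ValueError on
    anything a receive port would discard before cryptographic validation."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for DA/SA, SecTAG and ICV")
    dst, src = frame[0:6], frame[6:12]
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame: EtherType 0x{ethertype:04x}")

    tci_an = frame[14]
    if tci_an & 0x80:           # V bit must be 0 for this SecTAG version
        raise ValueError("unsupported SecTAG version")
    es = bool(tci_an & 0x40)    # SA is the system identifier of the SCI
    sc = bool(tci_an & 0x20)    # explicit SCI present in the tag
    scb = bool(tci_an & 0x10)   # EPON single copy broadcast port
    e = bool(tci_an & 0x08)
    c = bool(tci_an & 0x04)
    an = tci_an & 0x03
    if e and not c:
        raise ValueError("E=1 requires C=1")
    sl = frame[15] & 0x3F       # short length, 0 when secure data >= 48 octets
    pn = int.from_bytes(frame[16:20], "big")
    if pn == 0:
        raise ValueError("PN 0 is never valid")

    tag_end = 20
    if sc:
        sci, tag_end = frame[20:28], 28
    elif es:
        sci = src + (b"\x00\x00" if scb else b"\x00\x01")
    elif peer_sci is not None:
        sci = peer_sci          # point-to-point link: SCI known from configuration
    else:
        raise ValueError("SCI not in tag; supply the peer SCI for this link")

    secure_data, icv = frame[tag_end:-ICV_LEN], frame[-ICV_LEN:]
    if sl and len(secure_data) != sl:
        raise ValueError("SL does not match secure data length")
    if not sl and len(secure_data) < 48:
        raise ValueError("SL must be set when secure data is shorter than 48 octets")

    # E=1: only DA||SA||SecTAG is AAD and the rest is ciphertext.
    # E=0: the whole frame except the ICV is AAD, nothing is encrypted.
    header = frame[:tag_end]
    aad = header if e else header + secure_data
    return MacsecFrame(dst, src, an, e, pn, sci, aad, secure_data, icv)


class ReceiveSA:
    """Packet-number state for one receive secure association (802.1AE 10.6).
    Window 0 is strict ordering; a larger window tolerates reordering."""

    def __init__(self, replay_window: int = 0):
        self.replay_window = replay_window
        self.next_pn = 1

    @property
    def lowest_pn(self) -> int:
        return max(1, self.next_pn - self.replay_window)

    def check(self, pn: int) -> bool:
        """True if the PN is acceptable; the state update belongs after a
        successful ICV check, which this example does not perform."""
        if pn < self.lowest_pn:
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True


def build_sample_frame(pn: int) -> bytes:
    """Constructed sample: SC, E and C set, AN=1, explicit SCI, placeholder data."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("00aabbccddee")
    sci = src + b"\x00\x01"
    tci_an = 0x20 | 0x08 | 0x04 | 0x01
    sectag = MACSEC_ETHERTYPE.to_bytes(2, "big") + bytes([tci_an, 0x00]) \
        + pn.to_bytes(4, "big") + sci
    secure_data = bytes(range(60))  # placeholder for AES-GCM ciphertext
    icv = b"\xff" * ICV_LEN         # placeholder, not a real authentication tag
    return dst + src + sectag + secure_data + icv


if __name__ == "__main__":
    f = parse_macsec_frame(build_sample_frame(42))
    print(f"AN={f.an} PN={f.pn} SCI={f.sci.hex()} nonce={f.nonce.hex()}")
    print(f"AAD={len(f.aad)}B secure_data={len(f.secure_data)}B ICV={len(f.icv)}B")
```

Note that the parser never looks inside the secure data: an IP packet, a TCP segment or a PTP message is handled identically, which is why the same port logic protects every upper-layer protocol, including the time synchronization traffic itself.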

This has prompted widespread adoption of MACsec in networking equipment, and MACsec solutions are now available that operate at 800 Gbps and even terabit per second speeds. However, the real-time performance that MACsec provides also benefits Deterministic Ethernet applications that run at lower speeds.

MACsec for Deterministic Ethernet applications

While MACsec for high-speed applications is receiving a lot of attention, the attractiveness of MACsec for lower-speed Deterministic Ethernet applications can be overlooked. As Deterministic Ethernet is adopted for time-critical applications like 5G mobile networks and Time-Sensitive Networking (TSN) applications like industrial automation and autonomous vehicles, securing Deterministic Ethernet becomes more important than ever.

As shown in Figure 2, implementing MACsec at the port level gives real-time encryption performance. It also makes MACsec more deterministic than IPsec and TLS, so it can meet tight latency and jitter requirements at lower data rates as well. In addition, it protects against Ethernet-specific attacks that IPsec and TLS cannot prevent, and it can secure the Ethernet-based PTP time synchronization traffic itself.

For compact 5G and TSN devices, such as 5G Radio Units and Internet of Things (IoT) sensors in TSN networks, MACsec is particularly interesting. MACsec protects Ethernet, but also the upper-layer protocols and applications carried over it. It can therefore serve as an alternative or a complement to IPsec and TLS: MACsec secures each Ethernet link between MACsec-capable peers, so where traffic must cross intermediate devices that are not trusted, IPsec or TLS still provide the end-to-end protection. For compact designs that need to minimize processing burdens as much as possible, it is possible to rely on MACsec alone and still provide strong protection.