What is MACsec?
Morten Kofoed Esbjørn – Sep 08, 2022.
MACsec provides authentication by ensuring that only known nodes are allowed to communicate on the LAN. It provides confidentiality through encryption of the data so only end-points with the correct encryption key can see the contents. Integrity is provided through a cryptographic mechanism ensuring that data has not been tampered with while in motion.
MACsec was first introduced in 2006 in the IEEE 802.1AE standard. Between 2011 and 2017, multiple updates were made to introduce support for stronger encryption using AES-GCM-256, support for higher speed interfaces and the ability to monitor and inspect MACsec encrypted frames. The 802.1AE-2018 standard consolidated all these updates into a single standard specifying MACsec.
How does MACsec work?
MACsec operates at the data link layer acting as a client of the Ethernet Media Access Control (MAC) layer. It encapsulates IP packets with a 16-byte MACsec SecTag header and 16-byte Integrity Check Value (ICV) tail and uses a special EtherType (0x88E5). In the MAC layer, the preamble and Cyclic Redundancy Check (CRC) are added to the Ethernet frame before transmission.
A combination of data integrity checks and encryption is used to secure the data that is transmitted; namely MACsec Authentication, Confidentiality and Integrity.
For Ethernet end-points to send MACsec frames over a LAN, they must be authenticated. Authenticated MACsec peers on the same LAN belong to a Connectivity Association (CA). This means that these MACsec peers are connected and are allowed to communicate with each other. Members of the CA identify themselves using a long-lived Connectivity Association Key (CAK) with a corresponding Connectivity Association Key Name (CKN).
The MACsec frames are transported over virtual, unidirectional, point-to-multipoint Secure Channels (SCs), which are supported by Secure Associations (SAs). As defined by the 802.1AE standard, a “SecY “is the entity that operates the MACsec protocol on a network port. There can be zero or more SecY instances on any physical port, but the SecY instance is associated with a specific virtual port. Each SecY and virtual port will have one transmit-SA and one receive-SA for each peer connected to the Ethernet port. Each SA uses a separate SAK to encrypt and authenticate frames.
The long-lived CAK is used to generate short-lived SAKs for protecting data transferred between peers. The SAKs are regularly updated based on the number of packets transmitted to make communication more secure.
MACsec is based on the AES-GCM cryptography algorithm, which provides options for 128-bit, 192-bit and 256-bit cipher suites. For MACsec, the 128-bit AES-GCM-128 cipher suite is used by default. However, there is an option to use the stronger 256-bit AES-GCM-256 cipher suite.
MACsec not only encrypts data but also provides integrity through an Integrity Check Value (ICV) which is a cryptographic digest function dependent on the data and the SAK. This enforces the attacker to know the key to tamper with the data.
While MACsec encryption is optional, integrity is an integral part of MACsec. The ICV is used to authenticate all of the Ethernet frames before the CRC fields. This ensures that any tampering with the frame will be detected.
The Packet Number (PN) can be used by the receiver to see if a packet has been dropped, replayed or delayed. Typically, the PN is 32 bits long and is unique to the specific SA and SAK. MACsec transmits each frame in an SA with a PN that increases with each frame transmitted. Typically, the receiver will expect a packet number one higher than the last frame received, but it is possible to configure MACsec to take account of expected packet re-ordering.
Right before the PN reaches its limit, a new SA is established with a new SAK. This needs to be negotiated with all peers. At very high speeds, the PN is exhausted within a few seconds leading to frequent exchange of SAKs. For example, at 25 Gbps, a new SAK is generated every two minutes, while at 100 Gbps, this time interval drops to 30 seconds and only 3 to 4 seconds at 800 Gbps.
IPsec is the basis for layer 3 Virtual Private Networks (VPNs) and is used to provide protection, especially for network layers. IPsec works with Authentication Header (AH) and Encapsulating Security Payload (ESP). The AH protocol provides a mechanism for authentication only. The ESP protocol provides both encryption and integrity. IPsec is used in two modes; Transport mode (only the data portion of the packet is encrypted) and Tunnel mode (encrypts both payload and header)
TLS is used to secure data sent between applications over the Internet. TLS uses a combination of symmetric and asymmetric cryptography. With symmetric cryptography, data is encrypted and decrypted with a key that is known to both the sender and receiver, which is the methodology behind MACsec and IPsec. With asymmetric cryptography the public key of the recipient is used by the sender to encrypt data sent to the recipient, who then uses their private key to decrypt the data.
TLS uses asymmetric cryptography to securely generate and exchange session keys, which are then used for symmetric cryptography of data exchanged between parties. Once the session is over, the session keys are discarded.
Comparison between MACsec, IPsec and TLS
MACsec is implemented at the Ethernet port level in dedicated FPGA or ASIC chips. This is in contrast to IPsec and TLS, which are either implemented in the router or processing chip used for forwarding IP packets or in dedicated co-processor engines with limited processing capacity.
While a single Ethernet port can support multiple IP addresses and TCP sessions and can be secured with MACsec on the port operating on a frame-by-frame basis in real-time. IPsec and TLS must encrypt each IP packet or TCP datagram individually and then reassemble received IP packets and TCP datagrams before decryption can be performed.
A trade-off must therefore be made between forwarding and encryption performance leading to limitations to IPsec and TLS performance.
MACsec operates at line-rate and can scale from megabits to terabits per second. While it complements IPsec and TLS, it can provide a high level of security without these additional security solutions. This advantage has prompted the widespread adoption of MACsec in networking equipment as well as the availability of MACsec solutions that now operate at 800 Gbps and even terabit per second speeds.
While the ability of MACsec to scale to high speeds is catching the attention of highly influential cloud service data centers, it can be overlooked that MACsec is equally attractive for deterministic Ethernet applications. It is important to note that until recently, critical communication networks relied on a variety of data transport protocols. Now it is entirely based on Ethernet from the RU to the 5G core. However, security is still a concern as deterministic application are critical and cannot tolerate network unavailability. Deterministic Ethernet networks often include compact devices like IoT, field devices, sensors or micro-cell radio units. These are designed to be low-cost and to use as little battery power as possible. Data processing drains battery power and is avoided as much as possible, which means IPsec and TLS are expensive security solutions. MACsec, on the other hand, is well suited to compact devices as it can be implemented in two ways; programmable or fixed function.
A programmable solution can be implemented where a separate Central Processing Unit (CPU) is required. The advantage of this approach is that dynamic key exchange can be supported and functionality can be updated and adapted. The disadvantage is that additional processing power is required.
The most compact implementation is the fixed function implementation, which can be implemented in an FPGA/System on Chip (SoC) or ASIC without the need for separate CPU processing power. The FPGA/SoC or ASIC design can include one or more processing cores, such as an ARM core, which can be sufficient to support a static key exchange implementation. Only the functions that are required are implemented, but these are then fixed for the lifetime of the solution.
Yet, even for programmable MACsec implementations, a compact solution can be provided as the amount of processing required is modest compared to IPsec and TLS. Many of the newest features introduced for MACsec address high-speed requirements. However, compact devices, like TSN end-points, typically use a 1G Ethernet or lower interface. 5G RUs require 25G Ethernet interfaces to support eCPRI.
This means that there is a further opportunity to make compact solutions by not employing functionality like XPN, which addresses the exhaust of PNs at high-speeds, which is not an issue at lower speeds. It is, therefore, possible to provide a highly efficient MACsec solution that provides strong protection of data in motion without the need for significant data processing power thus enabling MACsec to be implemented on compact devices.
Comcores MACsec IP
Comcores is a leading provider of Intellectual Property (IP) design solutions, otherwise known as IP cores, for FPGA, SoC and ASIC implementations. Comcores provides a range of Ethernet-based Packaged IP solutions for 5G fronthaul and TSN applications.
Comcores MACsec IP core can be for integration with the customer’s own PHY and MAC implementations or part of a Packaged IP solution. The Packaged IP solutions combine various IP cores to provide a complete, pre-tested and validated solution that can be customized to meet individual design requirements.
Comcores MACsec IP scales from 1G to 25G making it ideal for 5G fronthaul and TSN implementations. It is designed to be silicon agnostic and can thus be used in any FPGA, SoC or ASIC chip design. This enables a smooth migration from FPGA to ASIC.
The MACsec IP core provides full support for the IEEE 802.1AE-2018 MACsec specification including important features, such as both AES-GCM-128 and AES-GCM-256 Cipher Suites, VLAN-in-Clear and Confidentiality Offset.
The solution is highly configurable and allows multiple SecY’s and Connectivity Associations (CA) per port with traffic mapping rules. The solution supports a configurable number of peers. This allows traffic differentiation per port with an independent CA for multiple traffic types and MACsec bypass for the desired traffic type. For each CA, up to 4 Secure Associations (SA) can be supported for each transmit and receive Secure Channel (SC).