MACsec for Securing High Speed Deployments

More and more services are moving off-premises: there are lots of cloud services and mobile services, and more and more customers demand high-speed links to consume them. This is a challenge for service providers because they have to deploy high-speed networks. It's no longer worthwhile to deploy 10 Gbps or 40 Gbps networks; 100 Gbps networks are already mandatory for lots of businesses.

What's more, most businesses need to connect remote and branch offices to the cloud or to a remote data center, and they have to encrypt these communications. Today, IPsec is well known and is used by most companies that want to encrypt traffic between offices and the data center. However, on high-speed links, such as 100 Gbps links, IPsec is useless because encryption is performed on centralized ASIC processors, which has a high performance impact. Thus, where high encryption performance is required, MACsec offers a simplified, line-rate, per-port encryption option for secure next-generation deployments.

Link Speeds Aligning with Encryption Using MACsec

MACsec was standardized as IEEE 802.1AE in 2006 to provide confidentiality, integrity, and authenticity for user data in Ethernet networks. Therefore, MACsec is able to encrypt and/or authenticate Ethernet frames. This is amazing because we can encrypt and authenticate data at layer 2 in high-speed networks. It's like the wireless standard 802.11i (WPA2) but for wired networks; both encrypt at layer 2. It's interesting how this "new" protocol works: there is a MACsec header, and encryption and authentication are performed per port at line rate.

Defense in Depth

The MACsec header, which is 16 octets long, doesn't affect Ethernet frame markings such as 802.1p for QoS, 802.1Q for VLANs, or QinQ tags. These tags are encrypted along with the payload. What's more, there are no changes to the destination and source MAC addresses. In addition, a 16-byte Integrity Check Value (ICV) is included at the end of the frame. Therefore, the whole Ethernet frame is authenticated and the user data is encrypted.

MACsec Frame Format

This MACsec header format is right for local area networks (LAN), where we can have a physical interface "per remote site", but it's not a good solution for WAN deployments because Metro Ethernet services, like E-LINE (VPWS) and E-LAN (VPLS) services, need the 802.1Q tag exposed. Therefore, there is a new enhancement to the MACsec header that exposes the 802.1Q tag outside the encrypted MACsec header. This enhancement allows service providers to deploy Metro Ethernet services easily.
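To make the two frame layouts above concrete, here is a small Python frame classifier added for this post (not code from any MACsec implementation). It walks the Ethernet header, detects an 802.1Q tag sitting outside the SecTAG (the "tag in the clear" layout), decodes the SecTAG fields (TCI/AN, PN, optional SCI) and reports how much of the frame is protected; the sample frames, SCI and ciphertext bytes are constructed, not captured traffic.

```python
import struct

ETHERTYPE_VLAN, ETHERTYPE_MACSEC, ICV_LEN = 0x8100, 0x88E5, 16  # ICV is 16 bytes for GCM-AES

def parse_frame(frame: bytes) -> dict:
    """Report which parts of a frame MACsec leaves in the clear (hypothetical helper,
    not part of any MACsec implementation)."""
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(),
            "vlan_in_clear": None, "macsec": False}
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype == ETHERTYPE_VLAN:
        # 802.1Q tag before the SecTAG: the WAN "tag in the clear" layout.
        info["vlan_in_clear"] = struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
    if ethertype != ETHERTYPE_MACSEC:
        info["ethertype"] = ethertype
        return info  # plain frame: nothing is authenticated or encrypted
    tci_an = frame[offset + 2]                       # TCI bits: V ES SC SCB E C AN(2)
    sc_present = bool(tci_an & 0x20)                 # SC bit: 8-byte SCI follows the PN
    sectag_len = 16 if sc_present else 8             # 16-octet header when SCI is carried
    info.update(
        macsec=True,
        an=tci_an & 0x03,
        encrypted=bool(tci_an & 0x08) and bool(tci_an & 0x04),  # E and C bits both set
        pn=struct.unpack_from("!I", frame, offset + 4)[0],
        sci=frame[offset + 8:offset + 16].hex() if sc_present else None,
        sectag_len=sectag_len,
        secure_data_len=len(frame) - offset - sectag_len - ICV_LEN,  # tags + payload hidden here
        icv=frame[-ICV_LEN:].hex(),
    )
    return info

# Constructed sample frames (not captured traffic). SecTAG: TCI/AN = 0x2C (SC, E, C set, AN 0),
# SL = 0, PN = 42, SCI = source MAC + port 1; the "ciphertext" and ICV are dummy bytes.
DST, SRC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SECTAG = bytes([0x88, 0xE5, 0x2C, 0x00]) + (42).to_bytes(4, "big") + SRC + bytes([0, 1])
CIPHERTEXT, ICV = bytes(range(60)), b"\xaa" * ICV_LEN
LAN_FRAME = DST + SRC + SECTAG + CIPHERTEXT + ICV                     # 802.1Q tag encrypted inside
WAN_FRAME = DST + SRC + bytes([0x81, 0x00, 0x00, 0x64]) + SECTAG + CIPHERTEXT + ICV  # VLAN 100 exposed
PLAIN_FRAME = DST + SRC + bytes([0x08, 0x00]) + bytes(46)              # unprotected IPv4 frame

if __name__ == "__main__":
    for name, f in [("LAN", LAN_FRAME), ("WAN", WAN_FRAME), ("PLAIN", PLAIN_FRAME)]:
        print(name, parse_frame(f))
```

Running it on a port mirror is a quick way to confirm that a link you believe is MACsec-protected really carries EtherType 0x88E5 frames with the E and C bits set, rather than plain or integrity-only traffic.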

MACsec Tag in the Clear for a Hub/Spoke Design

Maybe most of you are wondering whether MACsec is better than IPsec for encryption. As network designers, we should know the requirements of the business and choose the technology that best fits them. For example, some companies may need MACsec for high-speed networks while other companies will need IPsec for MPLS networks.

Ethernet and IP Encryption Positioning Matrix

That's all, my friends. A new standard for my pocket. I didn't know about this interesting technology.