91³Ô¹ÏÍø

Understanding MACsec Protocol for Ethernet Security

Dana Neustadter

Apr 10, 2023 / 6 min read

Man-in-the-middle attacks. Eavesdropping. Denial of service. Privilege escalation. In Ethernet network breaches like these, the bad people are after data, one of the most valuable currencies of our time. As technology advances, our world becomes more interconnected, every device becomes smarter, and there are more avenues to steal or corrupt data as it moves through networks. Ethernet interconnects are expanding in every direction in servers, storage, routers, switches, computers, and other devices, including recent adoption in cars.

Among an array of potential system-on-chip (SoC) interface attack vulnerabilities, securing Ethernet interfaces is essential to protecting your network. The impact is real, with  citing that the average cost of a single data attack in the United States in 2022 was $9.44 million and the global average was $4.35 million. One way to help ensure against data breaches and protect your Ethernet networks is by using the , defined in the IEEE 802.1AE standard ¨C the most prevalent standard for Ethernet security. This overview covers key industries driving Ethernet security, challenges to securing Ethernet networks, and how you can better secure Ethernet interfaces with the MACsec protocol.

Circuitry shaped security padlock with digital circuit

What is MACSec Protocol?

MACsec is a security protocol that guards against network data breaches by encrypting data traffic between Ethernet-connected devices. MACsec was first introduced by IEEE in 2006 to secure Ethernet networks and has undergone updates in 2011 and 2013. Since then, advancements in automotive, 5G, mobile, and high-performance computing (HPC) industries, among others, have driven the need for greater security. While the MACsec protocol is not new, today you can use it to secure your Ethernet interfaces in alignment with the latest requirements, better securing the entire system.

At the heart of MACsec is the , the same cryptography used in PCI Express? (PCIe?) and CXL security. Specifically, it protects your system against attacks on Layer 2 (data link layer) of the Open Systems Interconnection (OSI) networking model where data communication begins. By securing Layer 2, near the bottom of the stack above the physical layer, you can set a secure foundation for the entire network stack above it, up to the top application layer, delivering data payload integrity and confidentiality for end-to-end security. This safeguards against vulnerabilities to your system such as MAC flooding, port stealing, and broadcasting attacks.

default-placeholder.jpg

MACsec based on AES-GCM cryptography is the foundation for end-to-end security in the networking stack.

There are various benefits to securing network data with the MACsec protocol:

  • Data confidentiality, achieved via encryption, prevents data (MAC frames) from being surveilled by unauthorized parties.
  • Data integrity, achieved via authentication, ensures that MAC frames cannot be modified during transmission without detection.
  • Proof of data origin provides a guarantee that a MAC frame has been sent by an authenticated device.
  • Replay protection makes sure that MAC frames that have been maliciously copied from the network, cannot be re-sent without detection.
  • Bounded receive delay prevents MAC frames from man-in-the-middle interception and ensures detection of delays that are more than a few seconds.

In addition to these and other security functions, MACsec provides benefits such as the ability to scale to high network speeds to achieve the latest interface rates. It can also be fully implemented in hardware, and it enables optimal latency due to pre-processing.

Automotive, 5G/Mobile, and HPC Drive Greater Ethernet Security

Regardless of your industry, threats to data corruption and the possibility of unauthorized access are pervasive and real. While there are different levels of sensitivity, or criticality, depending on the information, the truth is that all electronic systems are vulnerable to attack.

Here are some examples of industries helping drive the Ethernet security landscape forward:

  • Automotive industry's key challenge¡ªsecurity measues must also encompass safety compliance.

Autonomous driving, over-the-air software updates, shared connectivity, and mobility have been some of the latest innovations in the automotive industry, helping motivate the need for greater data security and defense in depth.

For automotive, the integrity of the network is not only about data security, but also about safety on the road. Because of this, the industry has been a driver (no pun intended) for all types of interface security. Today, MACsec is being adopted in electronic control units (ECUs) and is well suited for almost all onboard use cases for automotive network security.

In automotive designs, you cannot have safety without security and vice versa. This means you need to add safety mechanisms, have safety compliance, and have all the safety documentation along with your security implementations. For example, it¡¯s a common requirement to mitigate the highest levels of risk or injury defined in the automotive safety integrity level D (ASIL-D) risk classification within ISO 26262. These safety requirements must be implemented efficiently, together with security.

  • 5G/Mobile industry's key challenge¡ªsupport for aggregation with scalable performance and area-efficient solutions for a wide variety of use cases. 

MACsec has already been used over the years in mobile computing to secure the Ethernet, but there is a disruption in the traditional solutions for MACsec because of the need for greater optimization in a universe of diverse 5G applications.

5G involves a great deal of communication with enhanced mobile broadband, delivering multi-network slicing, multi-connectivity network capabilities, and more. Because of this, you need to consider multi port in addition to single port solutions, requiring more efficient configurability with aggregation support and scalable performance ¨C more so than required in the past. 

  • HPC industry's key challenge¡ªscaling for high data rates and diverse bandwidths with optimal latency and are. 

High-Performance Computing (HPC) has rapidly adopted interface security for PCIe and CXL, and because of this, high-performance Ethernet MACsec adoption is likely to follow a similar trajectory. In the past, we dreamed of 800G and then 1.6T Ethernet speeds, and these rates are now becoming a reality. The demand for accelerated performance and increased bandwidth makes HPC a driver for MACsec solutions.

While the MACsec protocol allows you to scale to high speeds through pipelining of the AES-GCM crypto, this can be tricky for the cloud because the scaling needs to support various high-performance interface bandwidths. The challenge for Ethernet interface security in HPC is to do all this with the lowest latency while keeping the area in check.

The complexity of advanced systems means that there is no one-size-fits-all answer to data security. Adding to these complexities, the sheer volume of interfaces is growing, and new laws and regulations are coming on board all the time to address data privacy and systems security. Not only should SoC security address the unique needs of your industry and use cases, but it should also work holistically within your overall system design providing protection while offline, during power up and at runtime.

But how do you ensure that you meet all these requirements and keep your Ethernet network secure?

Choose Your Interface Security Partners Wisely

From the ground up, it¡¯s challenging to build security right. To ease your design path and lower your risk, consider complete, proven security solutions. Synopsys has deep experience in interface security solutions such as secure PCIe and CXL interfaces with Integrity and Data Encryption (IDE), secure DDR/LPDDR interfaces with Inline Memory Encryption (IME), Secure HDMI and DisplayPort interfaces with HDCP 2.3 Security, Ethernet interfaces with MACsec, and more. Our solutions lower your risk because they are standards compliant and proven. You can rest assured that when you partner with us, you will be backed by leading security experts and complete solutions that will enable you to spend more time on your core competencies to achieve a fast time to market with differentiated products.

Whether you need your security to work efficiently hand-in-hand with safety, customizable configurations, or the ability to scale bandwidth and speed while keeping your latency and area down, Synopsys Ethernet IP 91³Ô¹ÏÍø with Synopsys MACsec Security Modules enable end-to-end security for Ethernet traffic. Synopsys MACsec Security Modules are complete inline, full-duplex solutions that seamlessly integrate with the Synopsys Ethernet MAC and PCS IP, supporting scalable data rates with low latency. And we augment our offering with validated, pre-integrated, and embedded MACSec that is seamless to the end user. Our long history of enabling customers with holistic design solutions enables greater integrated security to meet the requirements in advanced designs.

New security solutions will inevitably be an ongoing part of our collective safe and reliable future. Synopsys is best positioned to secure all the interfaces in an SoC, including MACsec solutions for Ethernet and beyond. Our secure interface IP products enable your applications to not only stay safe and secure but also ease your design process and enable you to get to market faster and with lower risk.

Learn more about Synopsys secure interfaces for automotive, 5G/mobile, and HPC.

Continue Reading