Understanding MACsec and Its Integration

By Comcores

Introduction

MACsec, as defined by the IEEE 802.1AE standard, provides protection for traffic passing over Layer 1 and Layer 2 links. It is designed to prevent a range of security threats, including man-in-the-middle attacks, passive wiretapping, impersonation, and replay attacks. By applying protection at the data link layer, MACsec ensures that all communication between devices on the same network segment is secure. As shown in Figure 1 below, MACsec can be integrated in different ways. The default integration is above the Media Access Control (MAC) layer, but there are scenarios where it is needed below the MAC.

Figure 1: Different ways MACsec can be integrated

While the IEEE standard suggests that MACsec should be placed above the standard MAC function, many actual implementations have chosen to position it below the standard MAC, also known as MACsec placed in between the MAC and the Physical Coding Sublayer (PCS). One clear reason for this is that companies producing IEEE 802.3 standalone Physical Layer chips (PHYs) can include MACsec as part of their solution. This makes their PHY offerings more appealing, as it allows customers to add MACsec to existing products simply by upgrading the PHY chip.

Another reason is the need for precise timestamping in time synchronization protocols like IEEE 1588 PTP and IEEE 802.1AS, which rely on accurate transmission and reception times. Timestamping frames close to the physical network improves accuracy. The one-step operation, which embeds the transmission time directly into the message, poses a challenge: inserting a timestamp into an already MACsec-encrypted frame breaks its integrity check. Therefore, frames should be timestamped before MACsec encryption, yet as close as possible to the physical network. Let us examine the case of MACsec placed in between the MAC and the PCS in further detail.

MACsec placed in between MAC and PCS

When the MACsec function is placed below the MAC, the individual transformation steps applied to an unprotected Ethernet frame differ, but the result is identical to the standard MACsec placement. See Figure 2.

Figure 2: Frame formats – MACsec function placed below MAC

TX direction (from Switch/DMA to physical network)

MAC: The standard MAC transmit operation, except that it now operates on the frame from the Switch/DMA controller rather than on the frame from the MACsec function:
- If the frame is shorter than 64 bytes, padding bytes are added.
- A Frame Check Sequence (FCS) is calculated and inserted.
- The Preamble and Start of Frame Delimiter (SFD) are added.
- The MAC must ensure the minimum Interframe Gap (the distance between frames) is not violated before forwarding the frame to the PCS/PMA layer.

MACsec:
- Only the user payload, the EtherType field, and the optional VLAN tag are encrypted to provide confidentiality. Padding inserted by the MAC must neither be encrypted nor included in the integrity check.
- The Secure TAG (SecTAG) and Integrity Check Value (ICV) are added.
- The FCS value from the MAC is no longer valid, because of the additional fields and the encrypted payload, so a new FCS must be calculated.
- The minimum Interframe Gap must be fulfilled before the frame is transferred to the PCS/PMA layer.

RX direction (from physical network to Switch/DMA)

MACsec:
- Ignore the Preamble and SFD.
- Validate the FCS and mark the frame as bad if the FCS is invalid.
- Perform the integrity check and mark the frame as bad if it fails.
- Decrypt the data and strip the SecTAG and ICV.
- Replace the received FCS with an FCS recalculated over the decrypted frame, so that the frame is not declared invalid by the MAC.

MAC: Standard MAC receive operation: remove the Preamble and SFD, validate the FCS and mark the frame as bad if validation fails, and strip any padding bytes.

Conclusion

MACsec provides robust security for Ethernet communication between network devices. Moreover, its integration options offer further benefits. Placing MACsec below the MAC protects time synchronization packets and adds value to existing PHY chip products.

Comcores offers a robust and ultra-compact MACsec solution, available in the standard configuration or with MACsec below the MAC. To get more technical details and insights into Comcores MACsec, request a datasheet now. Also read our latest whitepaper, Automotive Ethernet Security Using MACsec, to learn about a use case where MACsec is placed below the MAC in the automotive segment.

Read Whitepaper: Automotive Ethernet Security using MACsec
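The TX and RX steps described above, as an added Python example that is not from the article or from Comcores' product: it models the below-MAC MACsec path in integrity-only mode on a constructed frame, showing the SecTAG Short Length field, the exclusion of MAC padding from the protected region, and the FCS recomputation on both sides. Assumptions: the MAC hands the user-data length to the MACsec block as a side-band value, and the ICV is computed with HMAC-SHA256 as a stand-in for the GCM-AES-128 tag so the block runs with only the standard library.

```python
import hmac, hashlib, struct, zlib
SECTAG_ETYPE = b"\x88\xe5"   # MACsec EtherType
MIN_NO_FCS = 60              # 64-byte minimum frame size, FCS excluded

def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 (zlib parameters), sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data))

def icv(key: bytes, protected: bytes) -> bytes:
    """Stand-in ICV: HMAC-SHA256 truncated to 16 bytes (real MACsec: GCM-AES-128 tag)."""
    return hmac.new(key, protected, hashlib.sha256).digest()[:16]

def mac_tx(da: bytes, sa: bytes, user: bytes):
    """Standard MAC TX: pad to 60 bytes, append FCS; the user-data length is
    passed on as a side-band value (assumption: MACsec needs it to skip the padding)."""
    frame = da + sa + user
    frame += b"\x00" * (MIN_NO_FCS - len(frame))
    return frame + fcs(frame), len(user)

def macsec_tx(key: bytes, frame: bytes, user_len: int, pn: int) -> bytes:
    """Below-MAC MACsec TX, integrity-only (TCI E=0, C=0, implicit SCI)."""
    da, sa, user = frame[:6], frame[6:12], frame[12:12 + user_len]  # MAC padding and FCS dropped
    sl = user_len if user_len < 48 else 0                           # Short Length field
    sectag = SECTAG_ETYPE + bytes([0x00, sl]) + struct.pack(">I", pn)
    out = da + sa + sectag + user
    out += icv(key, out)                          # ICV covers DA, SA, SecTAG and user data only
    out += b"\x00" * (MIN_NO_FCS - len(out))      # any padding now sits after the ICV
    return out + fcs(out)                         # the MAC's FCS is stale: recalculate

def macsec_rx(key: bytes, wire: bytes, last_pn: int):
    """Below-MAC MACsec RX. Returns (frame for the MAC, None) or (None, reason)."""
    body = wire[:-4]
    if fcs(body) != wire[-4:]:
        return None, "bad FCS"
    if body[12:14] != SECTAG_ETYPE:
        return None, "not MACsec"
    sl, pn = body[15] & 0x3F, struct.unpack(">I", body[16:20])[0]
    end = 20 + sl if sl else len(body) - 16       # SL == 0: user data runs up to the ICV
    user, rx_icv = body[20:end], body[end:end + 16]
    if not hmac.compare_digest(rx_icv, icv(key, body[:end])):
        return None, "ICV mismatch"
    if pn <= last_pn:                             # replay protection via the packet number
        return None, "replayed PN"
    plain = body[:12] + user                      # SecTAG and ICV stripped
    plain += b"\x00" * (MIN_NO_FCS - len(plain))
    return plain + fcs(plain), None               # new FCS so the MAC does not reject the frame

def mac_rx(frame: bytes):                         # standard MAC RX: FCS check only
    return frame[:-4] if fcs(frame[:-4]) == frame[-4:] else None
```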
All material on this site Copyright © 2017 Design And Reuse S.A. All rights reserved.