Protect high-speed network traffic with MACsec

Written by Dana Neustadter and Jerry Lotto

There is an ever-increasing demand for bandwidth, driven by the exponential growth in the number of cloud-connected devices and a variety of sensors, applications, and services, resulting in an explosion of data traffic. This, in turn, leads to the proliferation of higher-bandwidth interfaces such as Ethernet, PCIe/CXL, and DDR to keep data moving faster and increase processing and storage capacities. End-to-end data security in a connected ecosystem is more important than ever, including when data is at rest and when it is in motion, both while it is connected between devices and the cloud and while it is being processed or stored in a device.

Ethernet-connected devices such as computers, servers, hubs, routers, and more are expanding in every direction, including high-performance computing, 5G markets, mobile phones, and automobiles, all of which require security. Security on the Internet or any other Ethernet network relies on encryption. The more encryption is used, the more difficult it is for attackers to steal data, eavesdrop on communications, and/or hack into systems.

Why encrypt Ethernet traffic

There are many reasons to encrypt Ethernet traffic. Compliance is one of the most common standards and may include one or more standards for the processing of sensitive data or personal data. Examples of these standards are outlined in the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the European General Data Protection Regulation (GDPR). For organizations that obtain and use data about children, the rules specified in the Family Education Rights and Privacy Act (FERPA) may also apply. Failure to comply with applicable standards can result in significant penalties even if a data breach does not occur.

Data theft isn’t just the domain of structured content – any research, intellectual property, proprietary data, or code is potentially a target for theft or malicious modification. Intrusion detection and prevention begins with ensuring the privacy of sharing account credentials and sensitive or valuable data. Source validation and authentication services are a critical component of this infrastructure, not all breaches occur from outside the organization, and rights-based data management critically depends on secure (private and trusted) identity verification.

What is MACsec?

The primary security standard for securing Ethernet traffic is Media Access Control Security (MACsec). MACsec provides data security in transit between devices connected to an Ethernet network and protects network communications from DoS, eavesdropping, and man-in-the-middle attacks.

MACsec is a protocol based on AES-GCM cryptography that secures the data link layer (where communication begins) by providing confidentiality, data integrity, data source credibility, and replay protection.

OSI stack security protocols and where MACsec fits

Security on the Internet or any other Ethernet network relies on encryption, for communication privacy, integrity and authentication using shared authentication keys. There are several different ways to encrypt Ethernet traffic, and they happen at different layers in the OSI stack on which they are based:

  • TLSIt was developed in 1999 as an enhancement of SSL, and is implemented at the transport layer of TCP/IP (OSI layer 4). DTLS, which was initially proposed in April 2006 via RFC 4347, is applicable to datagram protocols such as UDP/IP (also Layer 4). As such, it is not limited to Ethernet but can only secure one stream or communication channel at a time. TLS protects web browsers, client applications, and all applications’ connections to cloud services. HTTPS and SSH are examples of protocols that can take advantage of TLS – and the implementation is entirely under the control of the software.
  • IPsec: If encryption is required to protect networks (as well as anything else that traverses the IP protocol), then IPsec is an option implemented at the network layer of the OSI stack (Layer 3), often as a VPN connection. IPsec is usually implemented as a software stack and is voluntarily used by users.
  • MACsec: When encryption on an Ethernet network is required for all traffic, regardless of the upper layer protocols involved, it is necessary to enforce it at the hardware level (link or intermediate access layer 2). Fortunately, this is exactly what MACsec (aka IEEE 802.1AE) provides. MACsec is used to protect network-to-network or device-to-network communications. Every connection on an Ethernet network (host to host or host to switch or switch to switch) will traverse both encrypted and unencrypted traffic if control of that encryption is enforced at higher layers but once MACsec is enabled for a link all traffic on that will be secured Contact from prying eyes. As with its higher-layer cousins, MACsec provides both encryption and authentication services by adding two additional fields to the Ethernet frame:
    • security tagwhich is an extension of the EtherType field also used for VLAN tags
    • Message Authentication Code (ICV)To specify the integrity check value algorithm

Setting up an encrypted MACsec connection involves five steps:

  • Step 1: Mutual Peer Authentication is established using a Pre-Shared Key (PSK).
  • Step 2: After successful authentication, a secure connection key name (CKN) is exchanged to form a communication link between the peers. MKA ICV validation is done using a Connection Association Key (CAK), which is physically a secret key.
  • Step 3: The priority value of the two endpoints is used to choose the primary server while the other machine acts as the master client.
  • Step 4: The upstream server then generates and distributes the SAK to the upstream client (peer) to form a security link.
  • Step 5: Encrypted data can now be exchanged between peers.

MACsec hardware encryption also provides the lowest latency security compared to options implemented at higher layers of the OSI stack.

Ethernet solutions with MACsec security

Synopsys MACsec security modules secure Ethernet traffic against denial-of-service (DoS) attacks, eavesdropping, and man-in-the-middle attacks by supporting confidentiality, integrity, origin authentication, and re-protection in switch, router, and bridge SoCs for cloud computing, 5G, Mobile and automotive applications.

They are bi-directional, standards-compliant solutions that seamlessly integrate with Synopsys Ethernet MAC & PCS IP, supporting scalable data rates with optimal latency, network prioritization, and versatility for a range of secure Ethernet connections. Figure 1 shows a Synopsys Ethernet solution with a Synopsys MACsec Module demo that enables system-on-a-chip (SoC) designers to quickly integrate security into their system for fast time-to-market and reduced risk.

Figure 1 Synopsys Ethernet Security solution block diagram.

With Synopsys MACsec security modules, designers can take advantage of:

  • Compliance with IEEE 802.1AE standard
  • Safety handling of each tire, including encapsulation/uncapsulation and tire validation
  • Scalable throughput up to 100+ Gbps based on piped AES-GCM encryption with improved latency
  • Techniques
    • Encryption/decryption and authentication
    • Authentication only
  • Key sizes are 128-bit and 256-bit
  • Entry/exit response time fixed
  • Extended Packet Numbering according to IEEE 802.1AEbn
  • Jumbo frames support
  • Insert and remove a SecTag
  • Configurable number of secure channels and associations
  • Configurable re-protect window size
  • Formal compensation
  • Programmable covert compensation
  • VLAN tag in clear support
  • Choose bypass mode


Data retention policies vary around the world; Some government agencies will even try to enforce data access rights, control, ownership, censorship policy, or legislation. It is not enough protection to encrypt data only at rest. The use of multiple layers of network encryption may be necessary to ensure privacy and security, and to traverse unknown and uncensored elements of the Internet’s infrastructure. Zero-day vulnerabilities, malware, and viruses can easily threaten without the validation and protection provided by cryptographic technologies.

The main security standard for securing Ethernet traffic is MACsec, which provides security for data in transit between devices connected to an Ethernet network. The pre-shared key used in the first step of MACsec negotiation can prevent untrusted devices from successfully connecting to a secure Ethernet fabric. Computing on shared infrastructure further complicates this challenge – unless you can verify that the connection is secure, don’t trust it!

by adding Synopsys MACsec security modules to Synopsys Ethernet IP solutionsSoCs network designers can protect high-speed network traffic, enabling end-to-end security for data in motion between Ethernet-connected devices.

Learn more about enabling the highest levels of SoC security with Synopsys Secure Interfaces.

Jerry Lotto is HPC’s Senior Technical Marketing Manager at Synopsys.

Leave a Comment