MACsec enabling the secured interconnect for next-gen cloud providers
2021-03-23 | 6 min read
Data center interconnect enables hyperscale service – but raises security concerns!
In the last decade we have heard of an increasing number of data breaches, including a few high-profile incidents such as the fiber tapping of Google’s and Yahoo’s private backbones. As enterprises move more of their IT infrastructure and mission-critical applications to the cloud, they demand very high security from cloud service providers. To provide a global service that pools resources, balances workloads, and brings business data closer to the edge, cloud service providers typically interconnect two or more individual data centers. This is known as data center interconnect (DCI). High-speed fiber connectivity over short, medium, or long distances is used to implement DCI.
Fiber optic networks, which are sometimes assumed to be inherently secure, can be vulnerable to fiber tapping, which allows data to be captured and copied, without alteration, as it is transmitted over the fiber. Hyperscalers are therefore adopting encryption across their DCI links to provide data security for the enterprises they serve.
Layer 2 encryption gains popularity as a solution
The choice of encryption technique is driven by the cost and overhead it adds to high-speed data links. IPsec is widely used for traditional virtual private network (VPN) connectivity over the Internet, but it suffers from high overhead and other disadvantages when applied to DCI. Here, encryption applied at a lower layer is the better choice.
MACsec (IEEE 802.1AE) is an industry-standard security technology that provides secure communication for Ethernet networks. It operates at the link layer (Layer 2) and secures point-to-point links or shared Ethernet networks to provide confidentiality, integrity, and authenticity for user data. MACsec can protect against most security threats, including denial of service, intrusion, man-in-the-middle, replay attacks, and passive wiretapping. MACsec has become extremely popular as an encryption technology in the DCI market. Silicon vendors and network equipment manufacturers (NEMs) now support MACsec in most next-generation chips, routers, switches, and other products they are building.
Validation is tricky for a hardware-based encryption technique
MACsec encryption and decryption are performed in hardware to support line-rate encryption throughput for high-speed Ethernet. Many silicon vendors build MACsec into their PHY or switch chips. NEMs use the MACsec functions in those chips and integrate them at the system level with software that manages connectivity associations and distributes the secure association key (SAK) used by the hardware for encryption and decryption. The functionality and performance of the encryption engine built into the hardware are the most critical components and need thorough validation. This requires sophisticated test tools capable of stressing the encryption engine at high speeds such as 100GE or even 400GE.
Vendors may perform back-to-back validation with their own devices to save cost in the short run, but they run the risk of pitfalls such as false passes: a bug in the encryption algorithm or in the ICV calculation goes undetected because both devices share the same bug. This is just one example of the potential pitfalls of back-to-back validation that can lead to interoperability issues in the field. To understand validation methods in detail, read the Keysight blog - MACsec Hardware Testing—Why Back-to-Back Validation Falls Short
In addition to the data plane, the MACsec control plane for key distribution (MKA) is equally vulnerable if it is not validated properly. This software-based component is responsible for MKA session establishment, peer authentication, key exchange, scale and performance, and interoperability. Thorough validation of protocol function and scale is critical for successful MACsec operation. For network engineers dealing with this challenge, the Keysight blog on MACsec MKA Validation provides excellent insight.
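To make the independent-reference point concrete, here is an added Go example (not Keysight's code or any vendor's): it protects and verifies a frame with GCM-AES-128 exactly as 802.1AE constructs it (IV = SCI || PN, AAD = DA || SA || SecTAG, 16-octet ICV), so a hardware engine's output for a given SAK, SCI, PN and payload can be checked against a second, independent implementation instead of only against a sister device with the same bug. It assumes a SecTAG with an explicit SCI and encryption enabled; the SAK, addresses, SCI and payload used with it are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

const macsecEtherType = 0x88E5

// newGCM builds the AEAD for a 16-octet SAK (GCM-AES-128); the fixed key length makes errors impossible.
func newGCM(sak [16]byte) cipher.AEAD {
	block, _ := aes.NewCipher(sak[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// buildSecTAG returns the 16-octet SecTAG: EtherType, TCI/AN, SL, PN, SCI.
// TCI 0x2C = V:0 ES:0 SC:1 (SCI present) SCB:0 E:1 C:1 (encrypted); AN sits in the low 2 bits.
func buildSecTAG(an byte, pn uint32, sci [8]byte, userLen int) []byte {
	tag := make([]byte, 16)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = 0x2C | (an & 0x3)
	if userLen < 48 { // SL carries the user-data length only for short frames, else 0
		tag[3] = byte(userLen)
	}
	binary.BigEndian.PutUint32(tag[4:8], pn)
	copy(tag[8:16], sci[:])
	return tag
}

// protect returns DA||SA||SecTAG||ciphertext||ICV using the 802.1AE GCM-AES-128
// construction: IV = SCI||PN, AAD = DA||SA||SecTAG, ICV = the 16-octet GCM tag.
func protect(sak [16]byte, da, sa [6]byte, sci [8]byte, an byte, pn uint32, user []byte) []byte {
	iv := append(append([]byte{}, sci[:]...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(iv[8:], pn)
	aad := append(append(append([]byte{}, da[:]...), sa[:]...), buildSecTAG(an, pn, sci, len(user))...)
	return newGCM(sak).Seal(append([]byte{}, aad...), iv, user, aad) // appends ciphertext + ICV
}

// verify recomputes the ICV from the received frame alone (SCI and PN are read
// from the SecTAG) and returns the user data; any altered octet is rejected.
func verify(sak [16]byte, frame []byte) ([]byte, error) {
	if len(frame) < 44 || binary.BigEndian.Uint16(frame[12:14]) != macsecEtherType || frame[14]&0x20 == 0 {
		return nil, errors.New("not a MACsec frame with explicit SCI")
	}
	iv := append(append([]byte{}, frame[20:28]...), frame[16:20]...) // SCI || PN
	return newGCM(sak).Open(nil, iv, frame[28:], frame[:28])         // error on ICV mismatch
}
```

Passing a frame captured from the engine to verify, or comparing the engine's ciphertext and ICV byte for byte with protect's output for the same inputs, exposes a keystream or ICV bug that two identical engines would silently agree on.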
The industry's first MACsec test solution for high-speed Ethernet
As a leader in the network test and measurement market, we at Keysight are working with the leading data center and cloud service providers. We are committed to providing tools and techniques that enable adoption of new technologies like MACsec. In fact, we offer a comprehensive MACsec test solution to help address the MACsec test challenges of DCI and avoid major issues in the field. For more details about the Keysight solution, please review the MACsec Test Solution datasheet.