In this presentation, we will be talking about protecting data in motion, examining which protocol is the most appropriate and what Rambus can do to protect your data when it is transferred from device to device.
Read also our primer: https://www.rambus.com/blogs/macsec/
What is “Data in Motion”
• Data that is transferred between two devices and/or servers
• Many different sources and applications
  • Consumer electronics, mobile devices, IoT
  • Automotive, infrastructure, edge devices
  • Cloud servers, data centers, others
• Many different transmission media
  • Wireless: mobile (3GPP) and WiFi (or combinations)
  • Wired: copper, optical, long-distance optical (OTN)
• Why do I need secure communication?
  • The medium is in the public domain
  • Transferred data is vulnerable to many different attacks, including: physical, man-in-the-middle, (D)DoS, sniffing, spoofing…
Protecting Data in Motion: Use Secure Communication Protocols
[Diagram: OSI protocol stack for client and server (Application, Session, TCP / UDP, IP, Layer 2 (Link), Layer 1 (Physical)), with TLS above TCP/UDP at the session layer, IPsec at the IP layer and MACsec at Layer 2, all built on a crypto layer.]
MACsec
• Media Access Control Security (IEEE)
• Protects Ethernet links
  • Switch – Switch
  • Switch – Host
  • Host – Host
• Extensions to deploy over VLAN
IPsec
• Internet Protocol Security (IETF)
• Sets up a Virtual Private Network: secures IP traffic between
  • Network – Network
  • Network – Host
  • Host – Host
TLS (SSL)
• Transport Layer Security (IETF)
• Secures communications between two applications
  • Web Browser – Web Server
  • Client App – Cloud API
  • Sensor chip – App Processor
Crypto
• Products generally require FIPS 140-2 validated algorithms before deployment in the public domain
Requirements for Secure Communication
• Meet line-rate throughput
  • The speed of optical links goes up to 800 Gbps and the fastest switches handle >10 Tbps of traffic
• Limit latency
  • Real-time applications in the factory, medical or even consumer space have strict latency requirements
  • Response times must be minimized
  • Applications require constant latency
• Support prioritization
  • The TSN Ethernet layer defines prioritization: pre-emption of packets is required
• Cope with network diversity and various deployments
  • Networks are virtual
  • Connections can be hop-by-hop, but also end-to-end
  • Traffic passes through different networks and infrastructures
MACsec Security
• MACsec is the L2 security standard, widely deployed in PHYs, switches, firewalls, gateways, NICs and 5G equipment
• Advantages of MACsec
  • Scalable crypto
  • Low latency
  • Fully inline datapath
  • Negligible SW overhead
• Implementation challenges
  • Line rate under all conditions
  • Prioritization / frame preemption
• Rambus has a portfolio that covers all ranges and features, optimized for modern Ethernet requirements, including custom classification; it meets line rate under all conditions
• The only provider of control plane software
[Diagram: MACsec datapath in a PHY: line side (8x112G SerDes) – MAC/PCS – MACsec classifier – MACsec transformation – MAC/PCS, with PTP. MACsec datapath in a switch: multiple MAC/PCS ports – buffering and multiplexing – MACsec classifier – MACsec transformation – multiple MAC/PCS ports, with optional PTP.]
Time Sensitive Networking (TSN Ethernet)
• Ethernet is being adopted in the aerospace, automotive, manufacturing and utility industries
  • Enables new levels of connectivity and cost reduction
  • Enables new use cases
• These applications require deterministic traffic
  • The TSN group of standards is defined for this purpose
  • Adding: priority queues, minimum jitter, preemption, shaping/scheduling, time
• TSN features are integrated into the Ethernet subsystem
  • Ethernet PHYs
  • Switches
  • Gateways
  • Automotive/industrial TSN SoCs
TSN MACsec: Translating Challenges into Solutions
• TSN Ethernet does require data protection. Yes, MACsec is a logical choice.
• Adding security must keep the deterministic behavior of the Ethernet traffic
  • This raises implementation challenges that are not covered by the standards and must be resolved
  • It must be possible to interleave packets, allowing priority packets to interrupt regular traffic
  • Crypto works on native cipher block sizes (typically 16 B); interrupting a data stream requires complex state/data storage
• Rambus MACsec IPs support TSN, targeting MACsec-capable Ethernet ports
  • Lowest latency of the fixed-latency modes
  • Side-band signaling to interact with external PTP modules and classifiers
  • Preemption support by processing two interleaved streams per port
  • Preemption support by processing IEEE 802.3br fragments while keeping the fragment size, latency and relation unchanged
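The per-stream state that preemption demands, as an added illustration that is not Rambus code: two AES-CTR contexts (the counter-mode core of AES-GCM; the GHASH tag is left out) each hold their stream's keystream position, so an express fragment can interrupt a preemptable frame in the middle of a 16-byte block and the reassembled ciphertext still matches a single-pass encryption. Keys, IVs and fragment contents are constructed sample values, and the Fragment type is a stand-in, not the IEEE 802.3br format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Fragment is one piece of a frame crossing the MAC merge sublayer; stream 0 is
// express (eMAC), 1 preemptable (pMAC). Constructed sample data, not 802.3br format.
type Fragment struct {
	Stream int
	Data   []byte
}

// newStream returns an AES-CTR context (the counter-mode core of AES-GCM, GHASH tag
// omitted). Go's CTR keeps the unused part of a 16-byte block: the mid-block state.
func newStream(key, iv []byte) cipher.Stream {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed 16-byte keys cannot fail here
	}
	return cipher.NewCTR(blk, iv)
}

// EncryptInterleaved handles fragments in arrival order with one never-reset context
// per stream and returns each stream's ciphertext reassembled.
func EncryptInterleaved(keys, ivs [][]byte, frags []Fragment) [][]byte {
	ctx := make([]cipher.Stream, len(keys))
	out := make([][]byte, len(keys))
	for i := range keys {
		ctx[i] = newStream(keys[i], ivs[i])
	}
	for _, f := range frags {
		ct := make([]byte, len(f.Data))
		ctx[f.Stream].XORKeyStream(ct, f.Data)
		out[f.Stream] = append(out[f.Stream], ct...)
	}
	return out
}

// PreemptionDemo interrupts a 40-byte preemptable frame 21 bytes in (inside its
// second 16-byte block) with a 9-byte express frame and checks that the result
// equals processing each frame in one piece.
func PreemptionDemo() bool {
	keys := [][]byte{bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)}
	ivs := [][]byte{bytes.Repeat([]byte{0xA1}, 16), bytes.Repeat([]byte{0xB2}, 16)}
	express, preempt := []byte("EXPRESS!!"), bytes.Repeat([]byte("p"), 40)
	interleaved := []Fragment{{1, preempt[:21]}, {0, express}, {1, preempt[21:]}}
	got := EncryptInterleaved(keys, ivs, interleaved)
	want := EncryptInterleaved(keys, ivs, []Fragment{{0, express}, {1, preempt}})
	return bytes.Equal(got[0], want[0]) && bytes.Equal(got[1], want[1])
}
```

Resetting the context per fragment instead (as a naive design would) changes the preemptable stream's second half, which is exactly why the engine must park and restore the partial-block state.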
Deployment in SoC/switch and PHY
[Diagram: two placements of the TSN MACsec block. SoC deployment shows DMA, System MAC, TSN MACsec, Line MAC, MAC merge sublayer (eMAC / pMAC) and PCS, connected to the PHY. PHY deployment shows the SoC (DMA / switch interface), TSN MACsec, MAC merge sublayer (eMAC / pMAC) and PCS.]
Rambus MACsec Offering
• Catalog solutions include:
  • Single port, MACsec/VLAN-in-clear for rates of 1G / 2.5G / 10G / 25G / 50G / 100G
  • [New] Next-generation single-port IPs with pre-emption from 1 to 50G TSN Ethernet
  • Multichannel (TDM) MACsec for 100G to 800G: EIP-163/164. Optional support for proprietary classification and other custom extensions
• Full-featured control plane product
  • MACsec Toolkit: IEEE 802.1X (EAP + MKA). Includes a SW data plane for development purposes
• Non-MACsec TDM silicon IP products for >1 Tbps AES-GCM encryption
  • Scalable AES-GCM engine
  • IPsec AES-GCM transform engine for NICs
  • TLS/IPsec and wireless algorithm (3GPP) packet engines: EIP-196/EIP-197
  • TLS/IPsec/MACsec Toolkits implementing the key exchange protocol for all three security stacks (MatrixSSL/QuickSec)