Protecting Data in Motion with MACsec
Fall 2020
Gijs Willemse, Sr. Director of Product Management
What is “Data in Motion”?
• Data that is transferred between two devices and/or servers
• Many different sources and applications
  • Consumer electronics, mobile devices, IoT
  • Automotive, infrastructure, edge devices
  • Cloud servers, data centers, others
• Many different transmission media
  • Wireless: mobile (3GPP) and WiFi (or combinations)
  • Wired: copper, optical, long-distance optical (OTN)
• Why do I need secure communication?
  • The medium is in the public domain
  • Transferred data is vulnerable to many different attacks, including physical, man-in-the-middle, (D)DoS, sniffing and spoofing
Protecting Data in Motion: Use Secure Communication Protocols
[Diagram: client and server OSI protocol stacks (Application, Session, TCP / UDP, IP, Layer 2 (Link), Layer 1 (Physical)), showing where TLS, IPsec and MACsec each protect the traffic, with a crypto block for each.]
MACsec
• Media Access Control Security (IEEE)
• Protects Ethernet links
  • Switch – Switch
  • Switch – Host
  • Host – Host
• Extensions to deploy over VLAN
IPsec
• Internet Protocol Security (IETF)
• Sets up a Virtual Private Network: secures IP traffic between
  • Network – Network
  • Network – Host
  • Host – Host
TLS (SSL)
• Transport Layer Security (IETF)
• Secures communications between two applications
  • Web Browser – Web Server
  • Client App – Cloud API
  • Sensor chip – App Processor
Crypto
• Products generally require FIPS 140-2 validated algorithms before deployment in the public domain
Requirements for Secure Communication
• Meet line-rate throughput
  • The speed of optical links goes up to 800Gbps and the fastest switches handle >10Tbps of traffic
• Limit latency
  • Real-time applications in the factory, medical or even consumer space have strict latency requirements
  • Response times must be minimized
  • Applications require constant latency
• Support prioritization
  • The TSN Ethernet layer defines prioritization: pre-emption of packets is required
• Cope with network diversity and various deployments
  • Networks are virtual
  • Connections can be hop-by-hop, but also end-to-end
  • Traffic passes through different networks and infrastructures
MACsec Security
• MACsec is the L2 security standard, widely deployed in PHYs, switches, firewalls, gateways, NICs and 5G equipment
• Advantages of MACsec
  • Scalable crypto
  • Low latency
  • Fully inline datapath
  • Negligible SW overhead
• Implementation challenges
  • Line rate under all conditions
  • Prioritization / frame preemption
• Rambus has a portfolio that covers all ranges and features optimized for modern Ethernet requirements, including custom classification, and meets line rate under all conditions
• The only provider of control plane software
[Diagram: MACsec placement in a PHY (MAC/PCS – MACsec classifier – MACsec transformation – PTP – MAC/PCS, line side 8x112G SerDes) and in a switch (several MAC/PCS blocks – buffering and multiplexing – MACsec classifier – MACsec transformation – optional PTP).]
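As an added example (not from the deck and not Rambus's IP), the receive-side classification step a MACsec datapath performs, in Python: it locates the IEEE 802.1AE SecTAG behind an optional 802.1Q tag left in the clear (the MACsec/VLAN-in-clear mode named in this deck), decodes the TCI/AN, SL and PN fields plus the optional SCI, and applies a simplified lowest-acceptable-PN replay check. The MAC addresses, the zero ICV placeholder and the `lowest_pn` parameter are constructed assumptions; the ICV is not verified and nothing is decrypted.

```python
import struct
from typing import Optional

ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q tag, left in the clear in VLAN-in-clear mode
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG
ICV_LEN = 16               # ICV size for the GCM-AES cipher suites
DST = bytes.fromhex("0180c2000003")  # constructed sample addresses
SRC = bytes.fromhex("525400aabbcc")

def parse_macsec(frame: bytes, lowest_pn: int = 1) -> dict:
    """Classify a frame and decode its SecTAG; no ICV check or decryption.
    lowest_pn models the receive SA's lowest acceptable PN (simplified
    replay protection, an assumption of this example)."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("runt frame")
    off, vlan = 12, None
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype == ETHERTYPE_VLAN:            # VLAN tag sits in front of the SecTAG
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan = {"pcp": tci >> 13, "vid": tci & 0x0FFF}
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype != ETHERTYPE_MACSEC:          # not MACsec: classifier passes it through
        return {"macsec": False, "vlan": vlan, "ethertype": etype}
    tci_an, sl = frame[off + 2], frame[off + 3]
    if tci_an & 0x80 or sl & 0xC0:
        raise ValueError("SecTAG version bit or reserved SL bits set")
    tag = {"es": bool(tci_an & 0x40), "sc": bool(tci_an & 0x20),
           "scb": bool(tci_an & 0x10), "e": bool(tci_an & 0x08),
           "c": bool(tci_an & 0x04), "an": tci_an & 0x03}
    pn = struct.unpack("!I", frame[off + 4:off + 8])[0]
    off += 8
    sci = None
    if tag["sc"]:                          # explicit 8-octet SCI follows the PN
        sci, off = frame[off:off + 8], off + 8
    body, icv = frame[off:-ICV_LEN], frame[-ICV_LEN:]
    if (sl and len(body) != sl) or (not sl and len(body) < 48):
        raise ValueError("short length field inconsistent with secure data")
    if pn == 0 or pn < lowest_pn:
        raise ValueError(f"PN {pn} rejected by replay check")
    return {"macsec": True, "vlan": vlan, "dst": frame[:6], "src": frame[6:12],
            "tag": tag, "pn": pn, "sci": sci, "secure_data": body, "icv": icv}

def build_frame(secure_data: bytes, pn: int, an: int = 0, sci: Optional[bytes] = None,
                encrypted: bool = True, vlan_tci: Optional[int] = None) -> bytes:
    """Constructed test frame; the ICV is a zero placeholder, not a real GCM tag."""
    hdr = DST + SRC
    if vlan_tci is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_tci)
    tci_an = (0x20 if sci else 0) | (0x0C if encrypted else 0) | (an & 3)
    sl = len(secure_data) if len(secure_data) < 48 else 0
    sectag = struct.pack("!HBBI", ETHERTYPE_MACSEC, tci_an, sl, pn) + (sci or b"")
    return hdr + sectag + secure_data + b"\x00" * ICV_LEN
```

A hardware classifier does the same lookup per frame at line rate; the point of the VLAN-in-clear case is that the tag (and hence switch forwarding) stays visible while everything after the SecTAG is covered by the ICV.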
Time Sensitive Networking (TSN Ethernet)
• Ethernet is being adopted in the aerospace, automotive, manufacturing and utility industries
  • Enables new levels of connectivity and cost reduction
  • Enables new use cases
• These applications require deterministic traffic
  • The TSN group of standards has been defined
  • Adding: priority queues, minimum jitter, preemption, shaping/scheduling, time
• TSN features are integrated into the Ethernet subsystem
  • Ethernet PHYs
  • Switches
  • Gateways
  • Automotive/industrial TSN SoCs
TSN MACsec: Translating Challenges into Solutions
• TSN Ethernet does require data protection. Yes, MACsec is a logical choice.
• The addition of security must keep the deterministic behavior of the Ethernet traffic
• This raises implementation challenges that are not covered by the standards and must be resolved
  • It must be possible to interleave packets, allowing priority packets to interrupt regular traffic
  • Crypto works on native cipher block sizes (typically 16 B); interrupting a data stream requires complex state/data storage
• Rambus MACsec IPs support TSN, targeting MACsec-capable Ethernet ports
  • Lowest latency of the fixed-latency modes
  • Side-band signaling to interact with external PTP modules and classifiers
  • Preemption support by processing two interleaved streams per port
  • Preemption support by processing IEEE 802.3br fragments while keeping the fragment size, latency and relation unchanged
Deployment in SoC/switch and PHY
[Diagram: two placements of TSN MACsec. In the PHY: the SoC (DMA – System MAC) connects to a PHY containing the MAC merge sublayer (eMAC / pMAC), TSN MACsec, Line MAC and PCS. In the SoC: the SoC holds the DMA / switch interface, TSN MACsec, the MAC merge sublayer (eMAC / pMAC) and PCS, connected to an external PHY.]
Rambus MACsec Offering
• Catalog solutions include:
  • Single port, MACsec/VLAN-in-clear for rates of 1G / 2.5G / 10G / 25G / 50G / 100G
  • [New] Next-generation single-port IPs with pre-emption from 1 to 50G TSN Ethernet
  • Multichannel (TDM) MACsec for 100G to 800G: EIP-163/164. Optional support for proprietary classification and other custom extensions
• Full-featured control plane product
  • MACsec Toolkit: IEEE 802.1X (EAP + MKA). Includes a SW data plane for development purposes
• Non-MACsec TDM silicon IP products for >1Tbps AES-GCM encryption
  • Scalable AES-GCM engine
  • IPsec AES-GCM transform engine for NICs
• TLS/IPsec and wireless (3GPP) algorithm packet engines: EIP-196/EIP-197
• TLS/IPsec/MACsec Toolkits implementing the key exchange protocol for all three security stacks (MatrixSSL/QuickSec)
Thank you
For more information:
gwillemse@rambus.com
Protecting Data In Motion with MACsec - Gijs Willemse - Rambus Design Summit 2020