MACsec encryption extends the value of copper-based Ethernet LANs

Story

February 20, 2019

Mike Southworth

Curtiss-Wright

There is vastly more copper-based twisted-pair Ethernet infrastructure deployed on military and aerospace platforms than there is fiber-optic cable-based wiring. For one thing, the cost of copper cabling and its related connectors keeps being driven downward by the economies of scale brought about by its widespread use, helping to make it virtually ubiquitous. But fiber-optic cabling, until fairly recently, was the only practical choice for applications that required high-speed 10 Gbit/s connectivity. Driving demand for higher-speed Ethernet is the increased use of applications such as HD video surveillance on deployed platforms, resulting in ever-larger high-resolution file sizes.

There is vastly more copper-based twisted-pair Ethernet infrastructure deployed on military and aerospace platforms than there is fiber-optic cable-based wiring. For one thing, the cost of copper cabling and its related connectors keeps being driven downward by the economies of scale brought about by its widespread use, helping to make it virtually ubiquitous. But fiber-optic cabling, until fairly recently, was the only practical choice for applications that required high-speed 10 Gbit/s connectivity. Driving demand for higher-speed Ethernet is the increased use of applications such as HD video surveillance on deployed platforms, resulting in ever-larger high-resolution file sizes.

One downside to fiber optics compared to copper wiring – since it uses thin strands of ultrapure glass to transport photons in a digital pattern – is the need for specialized knowledge and equipment for its installation and maintenance. The comparatively fragile glass fibers are fairly unforgiving, limiting, to take one example, the amount of curvature that can be reliably supported, which means that fiber-optic cabling is unsuitable in some applications. Since its introduction, however, fiber-optic cabling has been able to boast one unassailable advantage over copper: Light traveling down the glass strands emits no electromagnetic interference (EMI) signal, making it impervious to hacking. In comparison, the electrical signals used in traditional copper Ethernet network cable are more prone to radio-frequency disturbance and EMI, especially in longer cables or those that are bundled with other copper cables. That has helped make fiber optic the go-to architecture for secure deployed applications.

In recent years, fiber optics has lost its exclusivity in regards to 10 GbE support. Formerly limited to 1 Gbit speeds, copper is now a viable alternative to fiber for 10 GbE. When 10GBase-T was first introduced, it was limited to very short cable length distances, finding use mainly in applications such as server farms, where a one-foot distance between devices is sufficient. Further hampering its widespread utility was the fact that 10GBase-T PHYs were only available in commercial temperature versions. Today, 10GBase-T supports industrial temperature ranges and cable distances up to 100 m, making it a great solution for many embedded applications.

What’s more, thanks to a recent technology advancement, copper-based Ethernet can now be made far more secure. Two years ago, the IEEE MAC Security standard, known as MACSec (IEEE 802.1AE), was added to the mainline Linux kernel (as of kernel 4.6). MACSec provides MAC-layer point to point encryption on an Ethernet link between two devices on local area networks (LANs). MACsec is used for authentication and encryption of traffic over Ethernet on Layer 2 LAN networks. For Layer 3 networks, IPSec is used instead. MACsec and IPsec operate on different network layers, with IPsec working on IP packets and MACsec working on Ethernet frames, enabling it to protect all DHCP and ARP traffic. IPsec, on the other hand, is able to work across routers, while MACsec’s utility is targeted at LANs.

Although, MACsec, which uses GCM-AES-128 or -256 cryptographic cyphers, has been around for more than a decade, there has been a huge increase in its implementation since its inclusion in Linux. When encryption is enabled, MACSec does not allow any unencrypted packets to be transmitted or received from the same physical interface. Like IPsec and SSL, MACsec defines a security infrastructure to provide data confidentiality, data integrity, and data-origin authentication. The combination of low cost, support for high-speed Ethernet, and the encryption provided by MACsec means that copper-based networks now provide system designers with a compelling cost-effective alternative in applications where fiber optics once reigned supreme. (Figure 1.)

Fiber-optic cabling does have a significant weight advantage over the much heavier copper wiring. But one advantage that MACsec offers for SWaP [size, weight. and power] reduction is that it can eliminate the need for a standalone encryptor on some copper-based networks. Moreover, copper, unlike fiber optics, can support Power over Ethernet (PoE), eliminating the need for individual power cables for each device. Network devices based on the Cisco Systems’ IOS management software often enable users to easily control power to each Ethernet port via PoE, providing great flexibility for assigning wattage limits and selecting which ports can be used to power devices.

Switching solutions that support both copper-based and fiber-optic interfaces enable military and aerospace system integrators to leverage the unique advantages of both technologies.

Figure 1: MACSec-enabled switches and computers encrypt Ethernet traffic between LAN devices to prevent data loss or transmission/reception by unauthorized devices.