MACsec Toolkit

Highly Configurable Ethernet-Security Integration Solution

Meeting the Demand for Secure Networking Equipment Using MACsec

In today’s enterprise, network security is a top priority, driven by the need to prevent costly data breaches and to meet compliance requirements such as PCI, HIPAA, and Sarbanes-Oxley. Due to these requirements, enterprise networks now need to be secured to prevent data leakage within the physical network infrastructure of routers, bridges and switches, and across a range of connected devices such as IP phones and printers. Delivering products with this level of security can be a challenge for vendors, who often lack the knowledge and expertise in cryptography and standards necessary to meet these stringent requirements in a timely manner.

To meet this need, INSIDE Secure provides a complete solution through its MACsec software toolkit and family of SafeXcel Hardware IP MACsec Security Engines. The MACsec toolkit supports rapid MACsec integration by device manufacturers that build IP phones, switches, bridges, and routers for Layer 2 LAN and Metro Ethernet communications. Leading vendors of Ethernet switch fabric and PHY devices use SafeXcel Hardware IP engines to reach speeds up to 100 Gbps. When built into the same platform, this hardware/software combination provides a complete and standards-compliant MACsec solution, which ensures auditable compliance while reducing development cost and time to market.


MACsec for High Performance Layer 2 Security

IPsec and SSL VPNs are ideal security solutions for addressing the remote access demands associated with mobile networking. The emergence of high-speed LAN and MAN networks has driven the demand for Layer 2 security solutions that support high-performance, low-latency, and simple key management functions while addressing compliance requirements.

The Media Access Control (MAC) security standard (known as MACsec) specifies how all or part of a LAN can be transparently secured. MAC Security provides connectionless user data confidentiality, frame data integrity, and data origin authenticity.

The MACsec security architecture specifies two main components:  

  • A control plane defined in 802.1X-2010 (formerly 802.1X-REV), which provides an authenticated key agreement protocol (MKA), EAPOL (a protocol to carry EAP over LAN), and an announcement protocol.
  • A data plane protocol defined in 802.1AE, which protects frames transmitted on the LAN.

Both need to be secured based on an understanding of the relevant standards and the cryptography required.

A Complete MAC Security Solution for IEEE 802.1X-2010 and 802.1AE

INSIDE’s MACsec Toolkit is highly portable, well-documented and commented ANSI C source code that is suitable for a wide range of platforms and enables developers to embed MACsec capabilities into new and existing products. It offers a complete functional software implementation, allowing you to test, simulate, and prototype your solutions early (even before the actual hardware is taped out) and speed time to market, with less development cost, while significantly reducing risk.

The MACsec Toolkit implements all the functionalities defined in IEEE standards 802.1AE and 802.1X-2010. In particular, it supports MKA, Network Announcements, EAPOL, PACP logic, Virtual ports, Extended sequence numbers and AES-GCM-256. In addition, it reuses proven components from the QuickSec® IPsec toolkit such as EAP, TLS RADIUS client, certificate manager, and cryptographic libraries.


Reducing Development Costs and Time to Market

The MACsec Toolkit has been designed to integrate easily with an existing product. In particular, both the 802.1X-2010 and the 802.1AE specifications are implemented within their own modules with well-defined APIs.

A typical switch manufacturer may integrate only the 802.1X-2010 Port Access Entity module with its existing switch software architecture and interface it, using the MACsec LMI API, to its hardware implementation of the MACsec data plane (e.g. INSIDE EIP-160). This integration has a low footprint and deterministic memory allocation.

A typical host such as an IP phone has low data throughput requirements. It should then integrate both the 802.1X-2010 Port Access Entity module and the 802.1AE SoftSec module. The SoftSec module may use a hardware implementation of AES-GCM (e.g. INSIDE EIP-38 AES-GCM IP core) through the SoftSec Crypto API.


Pre-Integrated Hardware and Software Support for High Speed Scaling

The MACsec toolkit includes an optimized software implementation of AES-GCM and 802.1AE transforms. It provides a well-defined API for interfacing between the hardware and software components, allowing for simple integration with third-party hardware. The MACsec toolkit is straightforward to integrate with Inside’s SafeXcel-IP cores, including the EIP-38 AES-GCM IP core, the EIP-60 inline MACsec frame engine, and the EIP-160 flow-through MACsec security engine. The solution supports low-latency cut-through modes and speeds scaling beyond 100 Gbps.


Conform to the Latest Standards and Future-Proof your Products

Following the QuickSec® family tradition, the MACsec toolkit is highly interoperable and provides the latest security functionality defined in IEEE standards 802.1X, 802.1AE, and 802.1X-2010. The enduring INSIDE commitment to the security market and its standardization assures that the QuickSec® products stay current with these complex and evolving standards. Inside’s experience and participation in the field of security protocol standardization (e.g. IETF, IEEE and other organizations) guarantees that our customers always have a head start on changing and emerging security standards.