
MACsec Encryption
Last updated:2026-03-03 10:08:23

MACsec Overview

Media Access Control Security (MACsec) is an IEEE 802.1AE-compliant data encryption technology that operates at Layer 2 of the Ethernet stack. It secures transmission over physical links by encrypting Ethernet frames hop by hop and protecting their integrity, which prevents eavesdropping, tampering, and forgery. As a native Layer-2 solution, MACsec is the core technology for safeguarding dedicated line communications.

Core Technical Principles

Encryption & Authentication Mechanism
MACsec uses the Galois/Counter Mode with Advanced Encryption Standard (GCM-AES) algorithm to encrypt data and to generate a Message Authentication Code (MAC) for integrity verification.
AES-128: strong encryption for links of up to 10 Gbps.
AES-256: enhanced security for links of up to 100 Gbps.
GCM-AES-XPN-256: designed for links of 100 Gbps or more; prevents packet number (PN) wraparound.
| Features | GCM-AES-128 | GCM-AES-256 | GCM-AES-XPN-256 |
| --- | --- | --- | --- |
| Encryption algorithm | AES-128 (128-bit key) | AES-256 (256-bit key) | AES-256 (256-bit key) |
| Key length | 128 bits (16 bytes) | 256 bits (32 bytes) | 256 bits (32 bytes) |
| Integrity protection | Galois/Counter Mode (GCM) | GCM | GCM |
| Packet number (PN) | 32 bits (prone to wraparound) | 32 bits (prone to wraparound) | 64 bits (ultra high-speed links supported) |
| Security | High (128-bit key) | Extremely high (256-bit key) | Extremely high (256-bit key + 64-bit PN with wraparound prevention) |
| Applicable bandwidth | ≤ 10 Gbps | ≤ 100 Gbps | ≥ 100 Gbps |
| Applicable scenarios | Low and medium basic security requirements | High security requirements (finance and government affairs) | Ultra high-speed links and long-term encrypted sessions (data centers) |
Key Management System
MACsec relies on three core components:
CAK (Connectivity Association Key): master key pre-shared securely between the endpoints (e.g., via offline exchange or a KMS).
CKN (Connectivity Association Key Name): logical identifier for the CAK, so the key itself never has to be exposed.
SAK (Secure Association Key): derived from the CAK, generated dynamically and updated periodically to limit the exposure of any single key.
Extended features: Extended Packet Number (XPN)
Solves the 32‑bit PN wraparound issue in high‑speed environments by supporting 64‑bit PNs, making it ideal for dedicated lines with 100 Gbps or higher bandwidth.
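To see why XPN matters at 100 Gbps, here is an added Python example (not from the Tencent Cloud page) that estimates how quickly one Secure Association exhausts a 32-bit versus a 64-bit PN at line rate. It assumes a constructed worst case of minimum-size frames (84 bytes on the wire including preamble and inter-frame gap) and a 60-second minimum rekey interval; both figures are this example's assumptions.

```python
PN_BITS = {"GCM-AES-128": 32, "GCM-AES-256": 32, "GCM-AES-XPN-256": 64}
# Constructed worst case: minimum-size Ethernet frame (64 bytes) plus
# 20 bytes of preamble and inter-frame gap = 84 bytes = 672 bits on the wire.
MIN_FRAME_WIRE_BITS = 84 * 8

def max_frames_per_second(link_gbps: float) -> float:
    """Highest frame rate a link can carry (all minimum-size frames)."""
    return link_gbps * 1e9 / MIN_FRAME_WIRE_BITS

def seconds_until_pn_wrap(cipher_suite: str, link_gbps: float) -> float:
    """Seconds before one Secure Association uses up its PN space at line rate.
    The PN is part of the GCM IV, so it must never repeat under one SAK."""
    return 2 ** PN_BITS[cipher_suite] / max_frames_per_second(link_gbps)

def needs_xpn(cipher_suite: str, link_gbps: float,
              min_rekey_seconds: float = 60.0) -> bool:
    """True if the SA would wrap faster than the assumed minimum rekey interval."""
    return seconds_until_pn_wrap(cipher_suite, link_gbps) < min_rekey_seconds

def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    for suite in PN_BITS:
        for gbps in (10, 40, 100):
            t = seconds_until_pn_wrap(suite, gbps)
            print(f"{suite:16} {gbps:>3} Gbps: PN wraps after {human(t)};"
                  f" XPN needed: {needs_xpn(suite, gbps)}")
```

At 100 Gbps a 32-bit PN wraps in under 30 seconds, so the key server would have to rekey the SAK continuously; the 64-bit PN of GCM-AES-XPN-256 lasts for centuries at the same rate.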

Application Strengths

Secure & Natural Supplement to Direct Connect
Traditional Direct Connect links (e.g., MPLS, dark fiber) offer physical isolation but no data encryption. MACsec adds Layer-2 encryption on top, delivering the dual guarantee of "physical isolation + data encryption."
Typical Use Cases:
Financial sector: Capital data transfer between bank headquarters and branches.
Government agencies: Cross‑regional communication for government systems.
Enterprise interconnection: Sensitive data exchange between global headquarters and branch offices.
MACsec vs. IPSec
| Features | MACsec | IPSec |
| --- | --- | --- |
| Encryption layer | Layer 2 (Ethernet frame) | Layer 3 (IP packet) |
| Deployment location | Layer-2 devices, such as switches and routers | Layer-3 devices, such as routers and firewalls |
| Performance overhead | Low (hardware acceleration supported) | Relatively high (depends on CPU processing) |
| Compatibility | MACsec support required from the devices on both ends | Widely supported and compatible with all IP networks |
| Applicable scenarios | Point-to-point dedicated lines and data center interconnection | Cross-network and cross-ISP transmission over complex paths |
Selection Guidance
Choose IPSec for end‑to‑end encryption over complex or multi‑ISP paths.
Choose MACsec for high‑performance direct connections with stringent security needs.

Step-by-Step Guide

1. Enable MACsec
Customers can enable the MACsec capability when creating a port.
Note:
MACsec is currently supported on 10G, 40G, and 100G physical ports in selected regions (e.g., Hong Kong, China). For other ports or regions, please submit a ticket.



2. Configure MACsec
2.1 On the Customer Device
Complete the MACsec configuration on your local router and enable it. Record the CKN and CAK so that they can be checked for consistency with the cloud side later.
Recommended default parameters from Tencent Cloud (final values subject to protocol negotiation):
| Parameter | Description |
| --- | --- |
| CKN length | A string of 64 hexadecimal characters (0–9 and A–F) on 40G and 100G connections; 10G connections support 32 hexadecimal characters. |
| CAK length | A string of 64 hexadecimal characters (0–9 and A–F) on 40G and 100G connections; 10G connections support 32 hexadecimal characters. |
| Cipher suites | 10G: GCM-AES-128. 40G and 100G: GCM-AES-XPN-256 and GCM-AES-256. |
| Key server priority | 0 |
| Encryption offset | 0 |
| Integrity Check Value (ICV) indicator | Yes |
| CAK update interval | PN rollover |
| Window size | 0 |
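An added Python example (not Tencent Cloud tooling) that checks CKN, CAK and cipher-suite choices against the parameter table above before they are entered on the router and in the console. The port-rate argument, the `cak_fingerprint` comparison and the sample values are this example's own assumptions.

```python
import hashlib
import hmac
import re
import secrets

HEX_UPPER = re.compile(r"^[0-9A-F]+$")
# CKN/CAK length in hex characters per port rate, from the parameter table.
KEY_HEX_LEN = {10: 32, 40: 64, 100: 64}
# Cipher suites listed per port rate in the parameter table.
CIPHER_SUITES = {
    10: {"GCM-AES-128"},
    40: {"GCM-AES-256", "GCM-AES-XPN-256"},
    100: {"GCM-AES-256", "GCM-AES-XPN-256"},
}

def generate_cak(port_gbps: int) -> str:
    """Random CAK of the right length for the port, from a CSPRNG."""
    return secrets.token_hex(KEY_HEX_LEN[port_gbps] // 2).upper()

def validate_macsec_params(port_gbps, ckn, cak, cipher_suite):
    """Return a list of problems; an empty list means the values are usable."""
    if port_gbps not in KEY_HEX_LEN:
        return [f"unsupported port rate {port_gbps}G (10G/40G/100G only)"]
    errors, want = [], KEY_HEX_LEN[port_gbps]
    for name, value in (("CKN", ckn), ("CAK", cak)):
        if not HEX_UPPER.fullmatch(value):
            errors.append(f"{name} must contain only 0-9 and A-F")
        if len(value) != want:
            errors.append(f"{name} must be {want} hex characters on a "
                          f"{port_gbps}G port, got {len(value)}")
    if cipher_suite not in CIPHER_SUITES[port_gbps]:
        errors.append(f"{cipher_suite} is not offered on {port_gbps}G ports")
    if ckn == cak:
        errors.append("CKN is a public name for the CAK; never reuse the CAK as CKN")
    return errors

def cak_fingerprint(ckn: str, cak: str) -> str:
    """Short HMAC keyed with the CAK over the CKN: two operators can compare
    this over a call or chat without reading out the CAK itself (a
    constructed consistency check, not part of 802.1AE/802.1X)."""
    return hmac.new(bytes.fromhex(cak), ckn.encode(), hashlib.sha256).hexdigest()[:16]

if __name__ == "__main__":
    ckn, cak = "A1" * 32, generate_cak(100)          # constructed sample values
    print("problems:", validate_macsec_params(100, ckn, cak, "GCM-AES-XPN-256"))
    print("compare on both ends:", cak_fingerprint(ckn, cak))
    print("wrong rate:", validate_macsec_params(10, ckn, cak, "GCM-AES-128"))
```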
2.2 Key Creation (Cloud Side)
After the Direct Connect is provisioned, go to the DC details page → MACsec tab → Create Key. Enter the key name, CKN, and CAK. Make sure the cloud-side values match the device configuration, then click Confirm (or Cancel to discard the entry).
Note:
Ensure that the MACsec key configuration on this end is the same as that of the peer switch.



2.3 MACsec Configuration on the Cloud Side
MACsec is disabled by default. Enable it and associate it with a key you created. Set the mode to forced encryption and choose the cipher suite according to the port rate and your security needs:
10G ports: GCM‑AES‑128
40G/100G ports: GCM‑AES‑256 or GCM‑AES‑XPN‑256



You can view the configuration after key association.



2.4 Verification
Method 1: Check MACsec and encryption status on your router.
Method 2: Perform ping tests from the cloud side.

Best Practices

Key Management Security: Distribute CAK via a secure channel to prevent leakage.
Compatibility Testing: Verify MACsec compatibility across devices from different vendors (e.g., XPN support).
Network Integration: Ensure MACsec does not disrupt routing protocols such as OSPF and BGP.