DEV Community


What is MACsec, and why is it important?

Last month, I cleared the AWS Advanced Networking certification.
It was a challenging exam, where the topics were not so much broad as deep.

Diving through the Direct Connect service, you will be asked about MACsec in different scenarios. But what is MACsec?

Before discussing it, we should understand the Direct Connect service, aka the DX service. But first, let's go through a couple of examples 👀


How many of you have experienced this in the past? 😂



Imagine you are the networking architect responsible for Black Friday's sales night of an important e-commerce.

You have workloads between your on-premises and AWS, and your app relies on VPN Connectivity. The sales are starting, and some systems are failing because of timeouts; slowly, nothing is working, and the customers can't navigate through the website...


Imagine for one second the amount of money big e-commerce companies can lose if their systems fail during sales time. We are speaking about millions of dollars/euros of lost revenue, and your boss will have this banger in mind for your next 1:1.


The Direct Connect service creates dedicated network connections between a customer's on-premises data center and AWS, bypassing the public internet.

It was born in 2011 to end the lack of control and transparency of hybrid workloads caused by using VPN through the public internet.

Imagine having a private highway where your information flows and where there are no traffic jams. Technically speaking, your router is directly connected over fiber to an AWS edge router. You no longer rely on the public internet to get there, and you have an SLA.

I have crafted a small comparison of the pros and cons of each service.


VPN Over the Internet

In a hybrid-cloud scenario, VPN is the fastest way to achieve the goal, but there are some downsides if you have to rely on the solution:

  • The connection is encrypted, but it is not private; it flows through the internet
  • No end-to-end SLAs
  • DDoS risk
  • Unpredictable latency - there is no control over the routing, which impacts the latency
  • Limited throughput – up to 1.25 Gbps per tunnel (it can scale with a transit gateway and ECMP across several tunnels)
  • Low setup costs but high egress traffic costs after a certain amount of data


AWS Direct Connect

This solution is not the fastest/cheapest to deploy; it is more complicated to design, but it provides some advantages like:

  • DDoS free - the connection is outside of the public internet
  • Private connection, but not encrypted by default (MACsec 👀 or IPsec encryption can be added)
  • Predictable and stable latency
  • High throughput – from 50 Mbps up to 400 Gbps
  • You can use LACP to create a LAG and bundle links together so they work as one (up to 4 x 10 GE or 2 x 100 GE links)
  • Cost-effective solution after a certain amount of downloaded/egress data
  • Advanced resilient architectures can be achieved (with a proper design)
  • Connection backed by an enterprise-grade SLA

What to choose: Direct Connect or VPN?

This will depend on the company's needs; SLA, latency, bandwidth, and time to deploy are some factors that will help you make the final decision.

Direct Connect vs VPN

Resiliency and SLA are critical factors in our example. So it's crystal clear why we should have had this type of setup rather than relying on a connection that has no SLA and that we can't control.


The Direct Connect service comes in two flavors: Hosted or Dedicated.

  • Hosted Connections: VLANs provided over an AWS Direct Connect partner. The partner owns and manages the physical connection. The customer can create VLANs that start at 50 Mbps and continue to 25 Gbps.

  • Dedicated Connection: physical port provisioned directly to a customer. It requires setting up a cross-connect at an AWS Direct Connect location (extra charges) per port. The available bandwidths are 1, 10, 100, and 400 GE.

Okay, but what is MACsec?


MACsec (IEEE 802.1AE) stands for Media Access Control Security.
It is point-to-point Layer 2 encryption, which adds an extra security layer on Dedicated Direct Connect connections.

MACsec is available at some Direct Connect locations, but not all of them support it.
This encryption is available for ports of 10, 100, and 400 GE.


MACsec provides:

  • Confidentiality: by encrypting the information that is sent (the payload is encrypted).
  • Data integrity: by adding additional fields to ensure that data cannot be modified in transit without being detected.
  • Data origin authenticity: both parties can verify that frames were sent by the other trusted peer in the MACsec relationship.
  • Replay protection: attackers cannot capture and resend old frames to trick the system.
  • Very high encrypted throughput: it is designed to work at near-line-rate speeds.

MACsec Concepts:

  • The MACsec Key Agreement Protocol (MKA) manages peer discovery, authentication, and encryption key generation.

  • Both routers must be associated with a Connectivity Association Key (CAK) and a Connection Key Name (CKN). The CAK is a shared secret key, while the CKN is an identifier for the CAK. The same CAK/CKN must be configured on both devices.

  • Secure Association Key (SAK): This is the key generated by the MKA using the CKN/CAK pair provided. The generated SAK encrypts the frame payload.


  • Secure Channel: Each router creates a Secure Channel to send traffic to the other participant. Because they are unidirectional, one channel is used to send and the other to receive. The Secure Channels are assigned an Identifier, the Secure Channel Identifier (SCI).

MACsec encapsulation

MACsec modifies the Ethernet frame by inserting a Security Tag (SecTAG) after the source MAC address and an Integrity Check Value (ICV) at the end. The original EtherType and the payload are encapsulated as "secure data" and encrypted with the SAK.

macsec

The SecTAG contains information about the Packet Number (PN), the Secure Channel Identifier (SCI) used to send traffic between the devices, and other control flags.

The ICV allows the receiving device to verify the integrity and authenticity of the frame. If the ICV the receiver computes does not match the one carried in the frame, the frame is dropped.

The information (payload) cannot be decrypted without the SAK, and with all these mechanisms together, the exchange of information is secure.


How does it work?

MACsec process

The MACsec interaction process consists of three phases:

  • Session negotiation: both routers use MKA to authenticate each other and derive the same SAK to encrypt the information. For a detailed view of this step, Huawei has a great guide: MACsec Key System

  • Secure communication: the sender uses the SAK to encrypt the data, and the receiver uses it to decrypt it. If the frame has been tampered with, or the packet number is repeated or out of the accepted range, the frame is dropped.

  • Session keepalive: the MKA protocol defines a session keepalive timer. If, after that time, there has been no communication between the devices, the session is declared insecure and the negotiation process kicks off again.
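To make the encapsulation and the "secure communication" phase concrete, here is an added example (my own code, not from the original post or from AWS). It parses the SecTAG fields described above (TCI flags, AN, SL, PN, SCI) from a constructed MACsec frame and applies the receiver-side checks: ICV verification and the packet-number replay check. One assumption is labelled in the code: the real ICV is an AES-GCM tag keyed with the SAK, which the standard library does not provide, so an HMAC truncated to 16 bytes stands in for it. Everything else (EtherType 0x88E5, the TCI bit layout, the PN window rule) follows 802.1AE; the sample frames, addresses and SAK are constructed.

```python
"""Parse a MACsec SecTAG and apply the receiver's ICV and replay checks.
Constructed sample frames and a constructed SAK; the ICV uses an HMAC
stand-in instead of the AES-GCM tag 802.1AE actually mandates."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5   # EtherType that marks a MACsec-tagged frame
ICV_LEN = 16                # ICV length for the GCM-AES cipher suites


@dataclass
class SecTag:
    version: int        # V bit, always 0 today
    sci_present: bool   # SC bit: an explicit 8-byte SCI follows the PN
    encrypted: bool     # E bit: secure data is encrypted (confidentiality)
    changed_text: bool  # C bit: secure data differs from the user data
    an: int             # association number, selects which SAK (0..3)
    short_length: int   # SL: user-data length when under 48 bytes, else 0
    pn: int             # packet number, drives replay protection
    sci: Optional[bytes]
    data_offset: int    # index in the frame where the secure data begins


def parse_sectag(frame: bytes) -> SecTag:
    """Decode DA/SA/EtherType + SecTAG; raise on anything malformed."""
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15]          # TCI/AN byte, SL byte
    pn = struct.unpack("!I", frame[16:20])[0]   # 32-bit packet number
    if pn == 0:
        raise ValueError("PN 0 is never valid in a SecTAG")
    sci_present = bool(tci_an & 0x20)
    sci, offset = (frame[20:28], 28) if sci_present else (None, 20)
    return SecTag(version=tci_an >> 7, sci_present=sci_present,
                  encrypted=bool(tci_an & 0x08), changed_text=bool(tci_an & 0x04),
                  an=tci_an & 0x03, short_length=sl & 0x3F, pn=pn, sci=sci,
                  data_offset=offset)


def build_body(dst: bytes, src: bytes, pn: int, sci: bytes,
               secure_data: bytes, an: int = 0) -> bytes:
    """DA | SA | 0x88E5 | SecTAG(V=0, SC=1, E=1, C=1, AN) | secure data (no ICV)."""
    tci_an = 0x20 | 0x0C | (an & 0x03)
    sl = len(secure_data) if len(secure_data) < 48 else 0
    return (dst + src + struct.pack("!H", MACSEC_ETHERTYPE)
            + bytes([tci_an, sl]) + struct.pack("!I", pn) + sci + secure_data)


def stand_in_icv(sak: bytes, body: bytes) -> bytes:
    """ASSUMPTION: stand-in for the real ICV. 802.1AE computes an AES-GCM tag
    with the SAK over DA/SA/SecTAG/secure data; a keyed HMAC truncated to
    16 bytes plays the same role here (wrong key or any bit flip is detected)."""
    return hmac.new(sak, body, hashlib.sha256).digest()[:ICV_LEN]


class ReceiveChannel:
    """Receive-side state of one Secure Channel (one direction of traffic)."""

    def __init__(self, sak: bytes, replay_window: int = 0):
        self.sak = sak
        self.replay_window = replay_window  # 0 = strict, in-order PNs only
        self.next_pn = 1                    # lowest PN not yet seen in order

    def receive(self, frame: bytes) -> Tuple[bool, str]:
        try:
            tag = parse_sectag(frame)
        except ValueError as err:
            return False, f"malformed: {err}"
        body, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
        if not hmac.compare_digest(stand_in_icv(self.sak, body), icv):
            return False, "ICV mismatch: frame dropped"
        # 802.1AE replay rule: lowestPN = nextPN - replayWindow; anything
        # below it is a replay. Frames at or above nextPN advance nextPN.
        lowest_pn = max(1, self.next_pn - self.replay_window)
        if tag.pn < lowest_pn:
            return False, f"replay: PN {tag.pn} below lowest acceptable {lowest_pn}"
        if tag.pn >= self.next_pn:
            self.next_pn = tag.pn + 1
        return True, f"accepted PN {tag.pn} (AN {tag.an})"


def demo() -> List[bool]:
    """Run constructed frames through a strict and a windowed channel."""
    sak = bytes(range(32))                      # constructed 256-bit SAK
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    sci = src + b"\x00\x01"                     # SCI = sender MAC + port id

    def mk(pn: int, key: bytes = sak) -> bytes:
        body = build_body(dst, src, pn, sci, b"ciphertext-stand-in")
        return body + stand_in_icv(key, body)

    tampered = bytearray(mk(4))
    tampered[30] ^= 0x01                        # flip a bit inside the secure data
    strict = ReceiveChannel(sak)
    outcomes = [strict.receive(mk(1))[0],                     # True: first frame
                strict.receive(mk(2))[0],                     # True: in order
                strict.receive(mk(2))[0],                     # False: replayed PN
                strict.receive(mk(3, key=b"\xff" * 32))[0],   # False: wrong SAK
                strict.receive(bytes(tampered))[0]]           # False: modified data
    windowed = ReceiveChannel(sak, replay_window=4)
    outcomes += [windowed.receive(mk(5))[0],                  # True: next_pn -> 6
                 windowed.receive(mk(3))[0],                  # True: 3 >= 6 - 4
                 windowed.receive(mk(1))[0]]                  # False: outside window
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The windowed channel shows the caveat behind "replay protection": a non-zero replay window only bounds how old a replayed frame can be and does not reject duplicates inside the window, so strict mode (window 0) is what actually delivers the guarantee listed above. Both AWS-side and on-premises MACsec implementations handle this per Secure Channel, which is why each direction has its own SCI and its own PN counter.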


How is the setup?

It's as easy as following the 5-step guide from AWS.


Who is the target?

Companies that handle sensitive or confidential information require point-to-point encryption to prevent data snooping and ensure the integrity of the information during transmission.


What are the pros compared to an IPsec VPN?

  • Because the information is encrypted at Layer 2, MACsec scales from megabits to terabits per second. With MACsec, we can reach near-line-rate speeds.
  • MACsec is easier to set up and manage than an IPsec VPN.
  • MACsec works at Layer 2 and is agnostic to higher-layer protocols. Applications and networking configurations don't need to be aware of MACsec.

What are the cons?

  • MACsec requires a Dedicated Direct Connect, which has higher upfront costs than a standard VPN over the internet.

  • Since MACsec is only supported on Dedicated DX, you must colocate in an AWS DX PoP (Point of Presence) or rely on a connectivity partner capable of extending MACsec frames to AWS locations like DE-CIX. This limits flexibility compared to IPsec, which works over any internet connection.

  • While MACsec is a standard, not all networking hardware supports it. This may require upgrades to compatible gear to support this technology.

  • MACsec is point-to-point encryption that only protects the link between two directly connected devices. Once your data travels beyond the Direct Connect link, MACsec no longer secures it.


In conclusion, MACsec provides a powerful security solution for AWS Direct Connect, offering Layer 2 encryption that ensures data integrity and privacy over dedicated connections at near-line-rate speeds. It is the perfect alternative to IPsec VPNs for high throughput connections.

Now that you know how to secure your hybrid workloads, avoid doing this in your application 🌚


If you liked this article, give it some ❤️ and make sure to follow me on dev.to, see you in the next networking article!
