SNLA462 January 2025 DP83TC817S-Q1


  Abstract
  Trademarks
  1 Introduction to MACsec
  2 Critical Role of MACsec in Automotive Security
    2.1 Real World Applications
    2.2 Common Security Threats
    2.3 MACsec Security Measures
  3 How MACsec Works in a System
  4 MACsec Block
  5 MACsec at the PHY Level
  6 Conclusion

MACsec Block

An Ethernet frame is a data link layer unit of data and is the underlying Ethernet physical layer transfer mechanism. Each Ethernet frame starts with an Ethernet header, which contains destination and source MAC addresses as the first two fields. The middle section of the frame is payload data including any headers for other protocols carried in the frame. The frame ends with a frame check sequence (FCS), which is used to detect any in-transit corruption of data.

  • Destination MAC Address: 6 bytes - Identifies the recipient.
  • Source MAC Address: 6 bytes - Identifies the sender.
  • EtherType or Length: 2 bytes - Indicates the type of payload or length of the payload.
  • Payload: N bytes - The data being transmitted.
  • Frame Check Sequence (FCS): 4 bytes - Error-checking code used to detect in-transit corruption of the frame.

MACsec adds security features to the standard Ethernet frame. Below is the structure of a MACsec frame:

  • Destination MAC Address: 6 bytes
  • Source MAC Address: 6 bytes
  • SecTAG: 8-16 bytes - The security tag, which includes key information and security parameters.
  • Payload: N bytes (encrypted data)
  • Integrity Check Value (ICV): 8 or 16 bytes - Verifies the integrity of the data.
  • Frame Check Sequence (FCS): 4 bytes
Figure 4-1 Unencrypted Ethernet Frame vs MACsec Ethernet Frame

The SecTAG is a critical part of the MACsec frame, providing essential security information. It contains the following:

  • EtherType: 2 bytes - Indicates that the frame is a MACsec frame. The MACsec EtherType is 0x88E5.
  • TAG Control Information (TCI/AN): 1 byte - Contains several pieces of information, such as whether encryption (confidentiality) is applied and the association number.
  • Packet Number (PN): 4-6 bytes - Used to prevent replay attacks by numbering the frames.
  • Short Length (SL): 1 byte - Indicates the length of the payload (optional).
  • SCI (Secure Channel Identifier): 8 bytes - Uniquely identifies the secure communication channel.
Figure 4-2 MACsec SecTAG

MACsec features implemented in the MACsec frame:

  • EtherType: In both normal and MACsec frames, the EtherType field indicates the type of payload. For MACsec, it specifically identifies that the frame contains MACsec data.
  • SecTAG:
    • SCI: The secure channel identifier identifies the specific secure channel the frame belongs to.
    • AN: Distinguishes different security associations within the same channel, allowing multiple secure connections simultaneously.
    • PN: Provides protection against replay attacks by giving each frame a unique number.
  • Payload: In a MACsec frame, the payload is encrypted, which provides confidentiality for the data being transmitted.
  • ICV: Provides integrity by allowing the receiver to verify that the frame has not been altered in transit. The cryptographic checksum is calculated over the entire frame (except the FCS) using preshared keys.