Enabling Multiple MACsec Connections Over a Single Link for Interconnection Fabric Customers
We are pleased to share a recent configuration that demonstrates how customers of interconnection fabrics can leverage multiple MACsec (Media Access Control Security) sessions over a single physical link, in addition to their regular services. This configuration allows customers to securely connect with multiple cloud service providers using distinct MACsec sessions, all while utilizing the same underlying physical infrastructure for both secure and standard services.
Background
As interconnection fabrics become more integral for organizations connecting to various cloud providers, ensuring secure and efficient data transmission is essential. MACsec, defined by IEEE 802.1AE, encrypts Layer 2 Ethernet traffic. Traditionally, the MACsec standard mandates the encryption of both Ethernet frames and VLAN tags. In our configuration, we implement clear tag mode, also known as WAN mode or VLAN-level MACsec, which leaves the VLAN tags unencrypted so that multiple sessions on a shared physical link can be segmented and handled properly, ensuring smooth operation without sacrificing security.
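The difference between the two modes is visible in the frame layout: with clear tag mode the 802.1Q tag sits in front of the MACsec SecTAG, so the VLAN ID can be read without any key. The following Python sketch is an added example, not part of the original configuration; it covers the single-tag case only, and the function names, MAC addresses, SCIs and sample frames are constructed for illustration.

```python
import struct

ETH_P_8021Q, ETH_P_MACSEC = 0x8100, 0x88E5   # 802.1Q tag, 802.1AE SecTAG

def classify(frame: bytes) -> dict:
    """Report what is readable in one frame without any MACsec key."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off, vlan = 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETH_P_8021Q:                 # clear tag sits before the SecTAG
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    if etype != ETH_P_MACSEC:
        return {"kind": "unprotected", "vlan": vlan}
    if len(frame) < off + 8:
        raise ValueError("truncated SecTAG")
    # SecTAG after the EtherType: TCI/AN (1 byte), SL (1), PN (4), optional SCI (8)
    tci_an, _sl, pn = struct.unpack_from("!BBI", frame, off + 2)
    sci = None
    if tci_an & 0x20:                        # SC bit: explicit 8-byte SCI follows
        if len(frame) < off + 16:
            raise ValueError("truncated SCI")
        sci = frame[off + 8:off + 16].hex()
    kind = "macsec-clear-tag" if vlan is not None else "macsec"
    return {"kind": kind, "vlan": vlan, "an": tci_an & 0x03,
            "encrypted": bool(tci_an & 0x08), "pn": pn, "sci": sci}

def sessions_by_vlan(frames) -> dict:
    """Map each visible VLAN ID to the set of SCIs seen on it (empty = not MACsec)."""
    out = {}
    for f in frames:
        info = classify(f)
        scis = out.setdefault(info["vlan"], set())
        if info["kind"] != "unprotected":
            scis.add(info["sci"])
    return out

def build(vlan, sci, pn=1):
    """Constructed sample frame; MACs, SCIs and payload bytes are made up."""
    hdr = bytes.fromhex("020000000002" "020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    if sci is None:                          # regular (non-MACsec) IPv4 service
        return hdr + struct.pack("!H", 0x0800) + b"\x45" + bytes(19)
    sectag = struct.pack("!HBBI", ETH_P_MACSEC, 0x2C, 0, pn) + bytes.fromhex(sci)
    return hdr + sectag + bytes(32) + bytes(16)   # opaque ciphertext + ICV

SAMPLES = [build(100, "0200000000010001"), build(200, "0200000000010002"),
           build(300, None), build(None, "0200000000010003")]
```

Running `sessions_by_vlan(SAMPLES)` shows two MACsec sessions on VLANs 100 and 200, an unprotected service on VLAN 300, and one untagged standard MACsec frame whose VLAN, if any, is hidden inside the encrypted payload.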
Key Benefits
- Efficient Infrastructure Usage: By aggregating multiple MACsec sessions over a single physical link, both secure MACsec and regular services can be run concurrently, optimizing infrastructure use.
- Session Differentiation: VLAN tags (in clear tag mode) are used to differentiate between multiple MACsec sessions over the same link, providing clear traffic segmentation without compromising security.
- Simplified Connectivity: This configuration simplifies and secures connectivity between customers and multiple cloud service providers within the interconnection fabric.
- Operational Flexibility: Customers can securely interact with multiple cloud providers via distinct MACsec sessions without needing dedicated links for each connection, making it a flexible solution for interconnection fabric environments.
Technology Stack
This configuration is based on Nokia SR-OS 23.10, which provides the necessary flexibility and security to implement MACsec in interconnection fabrics. Nokia SR-OS’s robust support for Layer 2 encryption and its compatibility with complex networking environments make it an ideal choice for this scenario.
Use Case
The configuration is particularly relevant for customers in interconnection fabrics such as IXPs (Internet Exchange Points) or data center environments where multiple cloud service providers need to be securely connected over a shared infrastructure. With clear tag mode (WAN mode or VLAN-level MACsec), the setup enables traffic segmentation and the simultaneous use of secure and non-secure services, enhancing both security and efficiency.
Configurations
Observations
cpe-client01 <-> cpe01
cpe01 <-> ixp01
ixp01 <-> csp01
csp01 <-> csp-client01
If this configuration aligns with your needs or you would like to discuss further, please feel free to reach out.