Core Routing Security: MACsec
As network operators strive towards zero-trust architectures and encrypted transport, MACsec is gaining renewed momentum. Once seen as a technology reserved for WAN edge routers and campus switches, MACsec is now experiencing explosive growth on high-capacity links in the network core. In this blog post, we'll explore what's driving this shift and why now is the time to jump on board.
A Brief History: MACsec's Slow Journey to the Core
MACsec (IEEE 802.1AE) was originally ratified in 2006 as a Layer 2 encryption standard that provides hop-by-hop confidentiality, integrity, and data-origin authenticity for Ethernet frames, with replay protection. (Despite the initials, this is not the availability-inclusive "CIA" triad: MACsec does nothing for availability.) In its early days, MACsec found a foothold in data center interconnects and enterprise access switches, thanks to its ability to secure Ethernet frames with minimal overhead.
But in the core? Not so much. High-speed network cores have historically carried traffic over a variety of transport types, not just Ethernet, so MACsec could not provide full coverage of every link. In addition, the prevailing assumption has been that core backbone links are inherently secure. Encryption, if deployed at all, was done at higher layers, with IPsec (Layer 3) or TLS (Layer 4 and above). Carrier gear prioritized throughput and scale over encryption, and many platforms simply lacked the hardware to run MACsec at 100G or 400G rates.
That's all changed in the last several years. Ethernet now dominates Layer 2 transport, which has pushed vendors to build MACsec directly into their forwarding ASICs. This enables line-rate encryption without sacrificing performance, even on core links running hundreds of gigabits per second.
Why MACsec Is Gaining Popularity in the Core
Several trends are converging to make MACsec in the core more relevant than ever:
1. Regulatory Pressure and Enterprise Expectations
Many enterprise customers, especially in finance and government sectors, are now demanding encryption across all segments, including the core transport layer. MACsec offers a way to deliver this without re-engineering Layer 3 routing architectures.
2. Fiber Tap Concerns in Metro and Long-Haul
Physical security of the fiber plant can no longer be taken for granted. Incidents of fiber tapping, whether malicious or accidental, have prompted operators to reassess the assumption that core transport links are secure by default. MACsec encrypts and integrity-checks every frame on the link at Layer 2, so a tap yields only ciphertext and a device spliced into the path cannot alter or replay frames without detection.
3. Zero Trust Principles in Carrier Environments
Carriers are adopting "zero trust" postures in their own core infrastructures—not just at the network edge. That means reducing implicit trust in the core, particularly across edge peering interfaces.
4. Hardware Maturity
The latest routing ASICs (like Cisco's Silicon One, Juniper's Trio, and Nokia's FPx) include MACsec support natively. This eliminates the previous performance limitations and licensing barriers associated with running MACsec via bolt-on FPGA or PHY chips.
MACsec: Technical Basics
MACsec provides confidentiality, integrity, and data-origin authenticity between directly connected Ethernet interfaces. Because it operates at Layer 2, just above the physical layer, it protects every frame on the link equally, including control-plane traffic such as routing protocol packets, and it keeps no per-flow state. This contrasts with IPsec and TLS, which negotiate and maintain a session per tunnel or per connection and add their own header or record overhead to each packet.
Step 1: Authentication
Before confidentiality and integrity can be achieved, the two routers must authenticate each other and agree on keys. This is the job of the MACsec Key Agreement protocol (MKA, defined in IEEE 802.1X), which runs over EAPOL frames on the link. Each side holds a long-lived Connectivity Association Key (CAK), identified by a CAK Name (CKN), that is either pre-shared through configuration (the usual choice for router-to-router links) or derived from an EAP exchange. From the CAK, MKA derives a Key Encrypting Key (KEK) and an Integrity Check Key (ICK); every MKA message carries an integrity check value computed with the ICK, so a peer that cannot produce a valid one does not hold the CAK and is not trusted. The peers also elect a key server, which selects the cipher suite and distributes the session keys.
Step 2: Confidentiality
Confidentiality (encryption) is provided by a short-lived Secure Association Key (SAK). The elected key server generates the SAK, either at random or derived from the CAK together with a fresh nonce, and distributes it to the peers inside MKA messages, wrapped with the KEK. The SAK is the actual AES-GCM key that encrypts frames; it is rotated on a timer and, more importantly, before the 32-bit packet number is exhausted, because reusing a packet number under the same SAK would reuse a GCM nonce. The standard cipher suites are GCM-AES-128 and GCM-AES-256, plus their XPN (extended packet number, 64-bit) variants, which matter on 100G and 400G links where a 32-bit counter can wrap in well under a minute with small frames.
Step 3: Integrity
Last but certainly not least, MACsec provides integrity through the Integrity Check Value (ICV), the AES-GCM authentication tag computed over the destination and source MAC addresses, the SecTAG, and the payload, so any modification of a frame in transit is detected and the frame is dropped. Integrity protection is always on; encryption is optional (an integrity-only mode sends the payload in the clear but still authenticates it). The packet number carried in each frame also provides replay protection: a receiver discards frames whose packet number falls below its replay window.
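The key hierarchy behind Steps 1 and 2, worked through as an added example that is not from the original post and is not any vendor's code. It is plain Go with only the standard library: it implements the AES-CMAC-based key derivation function of IEEE 802.1X-2010 (clause 6.2.1), derives the KEK and ICK from a CAK/CKN pair, and derives a SAK the way a key server's derived-SAK option does. The CAK, CKN, key-server nonce and member identifiers are constructed sample values; the assumption that the KEK and ICK are as long as the CAK, and that only the first 16 octets of the CKN enter the KDF, follows my reading of the standard and is marked in the code.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// dbl doubles a 128-bit block in GF(2^128), the RFC 4493 subkey step.
func dbl(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[15] ^= 0x87
	}
	return out
}

// cmacAES is AES-CMAC (RFC 4493), the PRF under the 802.1X KDF; the Go standard library has none.
func cmacAES(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	l := make([]byte, 16)
	block.Encrypt(l, l) // L = AES_K(0^128)
	k1, k2 := dbl(l), dbl(dbl(l))
	n := (len(msg) + 15) / 16
	last := make([]byte, 16)
	if n > 0 && len(msg)%16 == 0 { // complete final block: XOR with K1
		copy(last, msg[(n-1)*16:])
		for i := range last {
			last[i] ^= k1[i]
		}
	} else { // partial or empty final block: pad with 0x80 00.. and XOR with K2
		if n == 0 {
			n = 1
		}
		used := copy(last, msg[(n-1)*16:])
		last[used] = 0x80
		for i := range last {
			last[i] ^= k2[i]
		}
	}
	x := make([]byte, 16)
	for i := 0; i < n-1; i++ {
		for j := range x {
			x[j] ^= msg[i*16+j]
		}
		block.Encrypt(x, x)
	}
	for j := range x {
		x[j] ^= last[j]
	}
	block.Encrypt(x, x)
	return x
}

// kdf is the IEEE 802.1X-2010 clause 6.2.1 KDF: CMAC(Key, i || Label || 0x00 || Context || Length), i = 1.., truncated.
func kdf(key []byte, label string, context []byte, lengthBits int) []byte {
	var out []byte
	for i := 1; i <= (lengthBits+127)/128; i++ {
		msg := append([]byte{byte(i)}, label...)
		msg = append(msg, 0x00)
		msg = append(msg, context...)
		msg = append(msg, byte(lengthBits>>8), byte(lengthBits))
		out = append(out, cmacAES(key, msg)...)
	}
	return out[:lengthBits/8]
}

// cknContext is the first 16 octets of the CKN, zero-padded when the CKN is shorter.
func cknContext(ckn []byte) []byte {
	ctx := make([]byte, 16)
	copy(ctx, ckn)
	return ctx
}

// KEK and ICK are derived from the CAK; this example assumes they are as long as the CAK.
func deriveKEK(cak, ckn []byte) []byte { return kdf(cak, "IEEE8021 KEK", cknContext(ckn), len(cak)*8) }
func deriveICK(cak, ckn []byte) []byte { return kdf(cak, "IEEE8021 ICK", cknContext(ckn), len(cak)*8) }

// deriveSAK is the key server's derived-SAK option: context = KS-nonce || member identifiers (12 bytes each) || key number.
func deriveSAK(cak, ksNonce, miList []byte, kn uint32, sakBits int) []byte {
	ctx := append(append([]byte{}, ksNonce...), miList...)
	ctx = append(ctx, byte(kn>>24), byte(kn>>16), byte(kn>>8), byte(kn))
	return kdf(cak, "IEEE8021 SAK", ctx, sakBits)
}

func main() {
	cak, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f") // constructed sample CAK, not a real key
	ckn := []byte("core-link-pe1-pe2")                              // constructed sample CKN
	fmt.Printf("KEK %x\nICK %x\n", deriveKEK(cak, ckn), deriveICK(cak, ckn))
	miList := []byte("member-pe1!!member-pe2!!") // two constructed 12-byte member identifiers
	fmt.Printf("SAK %x\n", deriveSAK(cak, []byte("0123456789abcdef"), miList, 1, 256))
}
```

Run it with `go run`. The point to notice is that the KEK and ICK depend only on the CAK and the first 16 octets of the CKN, so two links sharing a CAK and a CKN prefix share their MKA keys, while the SAK changes with every key number and nonce the key server issues.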
Frame Format
MACsec inserts a SecTAG after the MAC addresses and appends an ICV (Integrity Check Value) to the Ethernet frame:
- SecTAG: a dedicated EtherType (0x88E5), a TCI/AN byte (flags plus the association number), a short-length field, the 32-bit packet number (used for replay protection and as part of the GCM nonce), and optionally the 8-byte Secure Channel Identifier (SCI). The SecTAG is 8 bytes without the SCI and 16 bytes with it.
- ICV: the 16-byte AES-GCM tag at the tail of the frame, covering the MAC addresses, the SecTAG, and the payload, whether encrypted or sent in the clear.
All of this is done in hardware at line rate, so throughput and latency impact are negligible when properly configured. The visible cost is 24 to 32 bytes per frame, which has to be accounted for in the link MTU so that full-size packets are not dropped once MACsec is enabled.
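The frame format above, and the integrity-always, encryption-optional point from Step 3, worked through as an added example in Go with only the standard library; it is not code from the original post or from any vendor. It builds a MACsec frame with a 16-byte SecTAG (SCI included) and a 16-byte ICV using AES-GCM with the SCI||PN nonce, supports both the encrypted and the integrity-only mode, and on the receive side runs the replay check before the ICV check and advances the window only after the ICV verifies. The SAK, MAC addresses, SCI and payload are constructed sample values; the replay logic implements only the lower bound that 802.1AE specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const macsecEtherType = 0x88E5

func newGCM(sak []byte) cipher.AEAD { // GCM-AES-128 or GCM-AES-256, chosen by SAK length
	block, err := aes.NewCipher(sak)
	if err != nil {
		panic(err) // a SAK that is not 16 or 32 bytes is a programming error here
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// nonce is SCI || PN, the 12-byte GCM IV of the non-XPN suites; it must never repeat under one SAK.
func nonce(sci [8]byte, pn uint32) []byte {
	return append(append([]byte{}, sci[:]...), byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn))
}

// protect builds DA || SA || SecTAG || SecureData || ICV. SecTAG = EtherType(2) TCI/AN(1) SL(1) PN(4)
// SCI(8), 16 bytes because the SCI is included (SC=1). userData starts at the original EtherType.
func protect(sak []byte, sci [8]byte, an uint8, pn uint32, da, sa, userData []byte, encrypt bool) []byte {
	tag := make([]byte, 16) // SL (tag[3]) stays 0: it is only set for short user data under 48 bytes
	binary.BigEndian.PutUint16(tag, macsecEtherType)
	tag[2] = 0x20 | an&0x03 // TCI: V=0, ES=0, SC=1, SCB=0, E=0, C=0, then AN in the low two bits
	if encrypt {
		tag[2] |= 0x0C // E=1, C=1 for encrypted frames; integrity-only mode leaves both clear
	}
	binary.BigEndian.PutUint32(tag[4:], pn) // PN 0 is reserved; rekey before the counter wraps
	copy(tag[8:], sci[:])
	header := append(append(append([]byte{}, da...), sa...), tag...)
	gcm := newGCM(sak)
	if encrypt { // AAD = DA||SA||SecTAG; Seal returns ciphertext followed by the 16-byte ICV
		return append(header, gcm.Seal(nil, nonce(sci, pn), userData, header)...)
	}
	// Integrity-only: user data travels in the clear but is bound into the ICV through the AAD
	icv := gcm.Seal(nil, nonce(sci, pn), nil, append(append([]byte{}, header...), userData...))
	return append(append(header, userData...), icv...)
}

// rxSC is receive state for one secure channel: the replay window plus a drop counter to monitor.
type rxSC struct {
	sci     [8]byte
	sak     []byte
	nextPN  uint32 // one above the highest PN validated so far; starts at 1
	window  uint32 // 0 = strict replay protection
	replays int
}

// verify runs the replay check, then the ICV check, and only then advances the window.
func (rx *rxSC) verify(frame []byte) ([]byte, error) {
	if len(frame) < 12+16+16 || binary.BigEndian.Uint16(frame[12:]) != macsecEtherType || frame[14]&0x20 == 0 || !bytes.Equal(frame[20:28], rx.sci[:]) {
		return nil, fmt.Errorf("too short, not MACsec, SCI absent, or unknown SCI")
	}
	header, secTAG := frame[:28], frame[12:28]
	pn := binary.BigEndian.Uint32(secTAG[4:8])
	lowest := uint32(1) // 802.1AE enforces only a lower bound: a window > 0 tolerates reordering
	if rx.nextPN > rx.window {
		lowest = rx.nextPN - rx.window // but also admits duplicates that land inside the window
	}
	if pn < lowest {
		rx.replays++
		return nil, fmt.Errorf("replay: PN %d below lowest acceptable PN %d", pn, lowest)
	}
	gcm, user, err := newGCM(rx.sak), []byte(nil), error(nil)
	if secTAG[2]&0x0C == 0x0C {
		user, err = gcm.Open(nil, nonce(rx.sci, pn), frame[28:], header)
	} else {
		plain := frame[28 : len(frame)-16]
		_, err = gcm.Open(nil, nonce(rx.sci, pn), frame[len(frame)-16:], append(append([]byte{}, header...), plain...))
		user = append([]byte{}, plain...)
	}
	if err != nil {
		return nil, fmt.Errorf("ICV check failed")
	}
	if pn >= rx.nextPN { // advance only after the ICV verified, so forged PNs cannot move the window
		rx.nextPN = pn + 1
	}
	return user, nil
}

func main() {
	sak := bytes.Repeat([]byte{0x42}, 16) // constructed sample values from here on, not real keys
	da, sa := []byte{0, 0x11, 0x22, 0x33, 0x44, 0x55}, []byte{0, 0xaa, 0xbb, 0xcc, 0xdd, 0xee}
	sci := [8]byte{0, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0, 1} // SCI = source MAC || port identifier 1
	user := append([]byte{0x08, 0x00}, bytes.Repeat([]byte{0xab}, 62)...)
	rx := &rxSC{sci: sci, sak: sak, nextPN: 1}
	got, err := rx.verify(protect(sak, sci, 0, 1, da, sa, user, true))
	fmt.Println("frame 1 recovered:", bytes.Equal(got, user), err)
	_, err = rx.verify(protect(sak, sci, 0, 1, da, sa, user, true)) // same PN again: dropped before any crypto
	fmt.Println("replay:", err, "| replays =", rx.replays)
}
```

Two design points worth noticing: the replay check costs nothing and runs first, so a flood of replayed frames never reaches the AES engine, and the window moves only after the ICV verifies, which is what stops an attacker from forging a frame with a huge packet number to force every legitimate frame into the "replay" bucket.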
Considerations for Deployment
1. Key Management
MKA already rotates the SAK automatically; what has to be managed is the CAK/CKN pair on each link. Manually configured pre-shared CAKs are viable for a few links but do not scale, and a CAK that is never changed gives an attacker unlimited time to work on it. For larger deployments, use key chains with overlapping lifetimes so CAKs roll over without a link outage, or integrate with a RADIUS/EAP infrastructure so that CAKs are derived dynamically.
2. Interoperability
MACsec is a standard, but implementation differences exist between vendors. Cipher suite and XPN support, replay window defaults, confidentiality offset, and whether the SCI is carried in the SecTAG all need to agree on both ends. Avoid mixed-vendor links unless validated, particularly in high-speed environments such as the network core.
3. Redundancy and Failure Modes
MACsec drops frames silently if there is a mismatch in key state or if packet numbers fall outside the replay window, and a link whose MKA session fails can either stay down or, depending on policy, fall back to cleartext. Make sure the policy fails closed rather than quietly forwarding unencrypted, and monitor MKA session state, SAK rekey events, and per-interface drop counters (replay, ICV failures, and frames received without a SecTAG).
4. Optic Compatibility
While MACsec is performed by the router's ASIC or PHY, not the transceiver, some vendors require a MACsec-qualified transceiver before they will enable MACsec on a port, particularly at 100G and 400G, to guarantee signal integrity and latency. In these cases the router refuses to bring up MACsec on an unqualified optic. Check hardware compatibility on both ends of the link before ordering optics.
Closing thoughts
MACsec is now a practical, high-performance method for encrypting direct links between core routers. As carriers adopt stronger security postures and demand encrypted transport, MACsec is quickly moving from "nice to have" to "must have". With support baked into modern carrier-grade platforms, there are few remaining excuses not to deploy it as a first-line defense for core links.