Enhancing Ethernet Security with MACsec
Understanding MACsec in Today’s Ethernet World
Today, Ethernet is being widely adopted across domains ranging from high-performance computing (HPC) and cloud data centers to automotive systems, where security has become a critical requirement. If network security is compromised, sensitive data can be modified, intercepted, or stolen, leading to serious reliability and privacy concerns. Ethernet was originally designed for high-speed data transfer and interoperability between devices. However, traditional Ethernet does not provide built-in mechanisms for securing data traffic, such as encryption or authenticity protection. This is where MACsec comes into the picture. Media Access Control Security (MACsec) helps bridge this security gap by identifying and preventing security threats at the Data Link Layer (Layer 2) of Ethernet communication.
MACsec ensures data confidentiality, integrity, and authenticity for Ethernet communication. MACsec uses the Advanced Encryption Standard with Galois/Counter Mode (AES-GCM), which enables both encryption and integrity protection with high performance. Unlike security protocols such as Transport Layer Security and Internet Protocol Security, which operate at upper layers of the networking stack, MACsec is implemented directly at the Ethernet port level. This allows Ethernet links to be secured transparently at the Data Link Layer without requiring modifications to higher-layer protocols such as IP, TCP, UDP, or application software. MACsec is standardized under IEEE 802.1AE and is widely adopted in systems where secure and reliable Ethernet communication is essential.
Today, MACsec is widely deployed in environments where both high-speed communication and strong security are essential. In cloud data centers and enterprise networks, MACsec helps secure traffic between switches, routers, and servers against unauthorized access and packet tampering. In 5G infrastructure, MACsec protects fronthaul and backhaul communication carrying massive amounts of network traffic. The growing adoption of Automotive Ethernet has also increased the importance of MACsec, where secure communication between Electronic Control Units (ECUs) is critical for vehicle reliability and safety. Similarly, in HPC systems and secure chip-to-chip communication, MACsec provides hardware-level link security while maintaining high throughput and low latency.
Inside a MACsec Frame
Before MACsec protection is applied, a standard Ethernet frame contains the Destination MAC address, Source MAC address, EtherType field, payload, and Frame Check Sequence (FCS), as shown in the figure below.
When the frame enters the MACsec processing engine, MACsec modifies the frame structure by inserting a Security Tag (SecTAG) after the Source MAC address and appending an Integrity Check Value (ICV) before the Frame Check Sequence (FCS), as shown in the figure below.
Let’s first look at the SecTAG. It carries control and security-related information such as the Packet Number (PN), Association Number (AN), Tag Control Information (TCI), Short Length (SL), and optionally the Secure Channel Identifier (SCI). These fields help the receiving device identify the secure channel, detect replay attacks, and process the frame correctly.
After the SecTAG is inserted, MACsec encrypts the Ethernet payload using AES-GCM. Encryption ensures that sensitive information carried within the Ethernet frame cannot be read by unauthorized devices while traversing the network.
Once encryption is completed, MACsec generates an Integrity Check Value (ICV), which acts as a cryptographic integrity tag appended near the end of the frame. The receiving device uses the ICV to verify that the frame has not been modified or tampered with during transmission.
MACsec inserts a dedicated EtherType value of 0x88E5 after the Source MAC address to identify a MACsec‑protected frame, while the original EtherType is preserved inside the encrypted payload.
How MACsec Secures Communication
Before secure communication begins, both devices must first authenticate each other and establish encryption keys. MACsec uses the MACsec Key Agreement (MKA) protocol to manage this process.
The communicating devices share a secret key called the Connectivity Association Key (CAK), which MKA uses to authenticate peers. Once authentication succeeds, MKA derives and distributes the Secure Association Keys (SAKs) that MACsec uses for frame encryption.
After the secure connection is established, MACsec starts encrypting Ethernet frames using AES-GCM. Each transmitted frame also carries a Packet Number (PN) inside the SecTAG. When replay protection is enabled, the receiving device validates the Packet Number to detect duplicated or replayed packets.
That's how MACsec provides data authenticity, confidentiality, integrity, and replay protection.
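To make the frame layout and the Packet Number check above concrete, here is an added example (not code from the original post or from Cadence) that parses the 802.1AE SecTAG fields of a MACsec frame and applies the receive-side replay window. The sample frame is constructed; its secure data and ICV are placeholder bytes, so no AES-GCM is run, but the returned `aad` and `nonce` are exactly the inputs a real GCM verification would use.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES ICV is 16 bytes, placed right before the FCS
TCI_BITS = (("V", 7), ("ES", 6), ("SC", 5), ("SCB", 4), ("E", 3), ("C", 2))

def parse_macsec_frame(frame: bytes) -> dict:
    """Split a MACsec-protected frame (FCS already stripped) into its 802.1AE fields."""
    if len(frame) < 12 + 2 + 6 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    da, sa = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType != 0x88E5)")
    tci_an = frame[14]
    flags = {name: (tci_an >> bit) & 1 for name, bit in TCI_BITS}
    an = tci_an & 0x03                  # Association Number: which SA/SAK to use
    sl = frame[15] & 0x3F               # Short Length; 0 means secure data >= 48 bytes
    pn = struct.unpack("!I", frame[16:20])[0]
    sectag_end = 20
    if flags["SC"]:                     # explicit 8-byte SCI follows the PN
        sci, sectag_end = frame[20:28], 28
    elif flags["ES"]:                   # SCI implied: Source MAC || port (1, or 0 if SCB)
        sci = sa + (b"\x00\x00" if flags["SCB"] else b"\x00\x01")
    else:
        sci = None                      # receiver must know the peer SCI out of band
    secure_data = frame[sectag_end:-ICV_LEN]
    if sl and len(secure_data) != sl:
        raise ValueError("Short Length does not match the secure data length")
    return {"da": da, "sa": sa, "flags": flags, "an": an, "sl": sl, "pn": pn, "sci": sci,
            "secure_data": secure_data, "icv": frame[-ICV_LEN:],
            "aad": frame[:sectag_end],                      # DA||SA||SecTAG: authenticated only
            "nonce": (sci + frame[16:20]) if sci else None}  # AES-GCM IV is SCI || PN

class ReceiveSA:
    """Packet Number check of an 802.1AE receive Secure Association."""
    def __init__(self, replay_window: int = 0):   # window 0 = strict in-order check
        self.next_pn, self.replay_window = 1, replay_window
    def accept(self, pn: int) -> bool:
        lowest_acceptable = max(self.next_pn - self.replay_window, 1)
        if pn < lowest_acceptable:                 # replayed or older than the window
            return False
        self.next_pn = max(self.next_pn, pn + 1)   # 802.1AE keeps no bitmap inside the window
        return True

# Constructed sample (not captured traffic): TCI/AN 0x2D = SC,E,C set, AN 1; SL 20; PN 5
_DA, _SA = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
SAMPLE_FRAME = (_DA + _SA + b"\x88\xE5" + bytes([0x2D, 20]) + (5).to_bytes(4, "big")
                + _SA + b"\x00\x01"             # explicit SCI: Source MAC || port 1
                + bytes(range(0x10, 0x24))       # 20 bytes standing in for the ciphertext
                + b"\xAA" * ICV_LEN)             # placeholder ICV
```

Note that with a non-zero replay window a frame whose PN lies inside the window is accepted even if it was already seen, which is the trade-off 802.1AE makes for links that reorder frames.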
MACsec Verification with Cadence VIP
With the availability of the Cadence Verification IP for Ethernet MACsec, adopters can start working with these specifications immediately, ensuring compliance with the standard and achieving the fastest path to IP and SoC verification closure. Incorporating the latest protocol updates, the mature and comprehensive Cadence Verification IP (VIP) for the Ethernet protocol provides a complete bus functional model (BFM), integrated automatic protocol checks, and a coverage model. Designed for easy integration in test benches at IP, system-on-chip (SoC), and system levels, the VIP for Ethernet helps you reduce the time to test, accelerate verification closure, and ensure end-product quality. The VIP for Ethernet runs on all major simulators and supports the SystemVerilog and e verification languages and their associated methodologies, including the Universal Verification Methodology (UVM).