In the ever-changing world of cyber threats, IBM Cloud strives to deliver best-in-class network security for clients around the globe.
The Direct Link team is excited to announce the general availability of the Media Access Control Security (MACsec) feature for Direct Link Dedicated. Initial markets supported include Toronto, Montreal, Dallas, Washington D.C., and Madrid.
About IBM Cloud Direct Link Dedicated for VPC:
IBM Cloud Direct Link Dedicated for VPC offers a high-speed, OSI Layer 3 direct connection between customers' on-premises infrastructure and IBM Cloud VPC and Classic Infrastructure, delivering low latency and up to 10 Gbps throughput. Designed for enterprises with nearby colocation facilities or service providers managing customer circuits, this single-tenant, fiber-based solution ensures secure, seamless hybrid cloud connectivity.
Why MACsec?
MACsec offers hardware-based encryption, ensuring minimal latency and high throughput, crucial for high bandwidth applications.
MACsec can secure all Ethernet traffic, including control plane protocols such as ARP and DHCP, and excels at providing granular, high-performance security for local Ethernet links. Additional benefits:
- Protection Against Layer 2 Threats: Safeguards against MAC spoofing, ARP poisoning, and eavesdropping within the local network.
- Secures Control Plane Protocols: Protects DHCP, ARP, and LLDP, enhancing network infrastructure resilience.
- Granular LAN Security: Encrypts Ethernet frames, offering more localized security than IPsec.
- Line-Rate Performance with Low Latency: Hardware-based encryption/decryption ensures minimal performance impact, even at high bandwidths, and offers lower latency than software-based encryption.
- Lower CPU Overhead: MACsec uses dedicated hardware for encryption, reducing CPU load compared to IPsec's software-based processing.
- Protection Against Passive Attacks: Guards against wiretapping, intrusion, and replay attacks.
- Complements Higher-Layer Security: Provides a security layer that addresses local network vulnerabilities not directly covered by protocols like IPsec.
How MACsec works
This Layer 2 network standard (IEEE 802.1AE) fortifies Ethernet-connected devices through:
- Origin Authentication: Peer MACsec devices undergo authentication to establish a secure session using a Connectivity Association Key (CAK). This CAK consists of a name and a secret, both of which must precisely match on communicating devices.
- Replay Protection: A customizable window size allows the acceptance of a defined number of out-of-sequence frames, mitigating replay attacks.
- Data Confidentiality: Once a secure session is active, data is encrypted using a Secure Association Key (SAK) derived via the MACsec Key Agreement (MKA) protocol, ensuring data privacy.
- Data Integrity: Alongside data protection, an Integrity Check Value (ICV) is appended to each frame. This value must align with the expected value at the receiving end, guaranteeing data hasn't been tampered with.
This feature provides a configurable MACsec policy, encompassing a primary CAK and an optional fallback CAK. The fallback CAK acts as a contingency, securing the MACsec session if a name or secret discrepancy arises with the primary CAK between peers. CAK secrets are securely stored as Hyper Protect Crypto Services (HPCS) key resources within the customer's HPCS instance. Once peers are configured with a MACsec policy and CAK(s), the Direct Link will initiate a MACsec session, safeguarding data frames exchanged between the customer’s MACsec device and the IBM cross-connect switch.
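As an added illustration (not IBM code and not the Direct Link implementation), the following simplified Python model shows two of the mechanisms described above: exact CAK name-and-secret matching with a fallback CAK, and the IEEE 802.1AE receive-side replay window, where a window of 0 means strict ordering. The function names and the CAK values in the comments are constructed for the example.

```python
import hmac

# Simplified model of CAK selection and replay protection (added example,
# not IBM's implementation). CAK entries are (name, secret) tuples, and the
# dicts map the role "primary"/"fallback" to such a tuple.


def select_cak(local, peer):
    """Return 'primary', 'fallback' or None.

    Both the CAK name and the secret must match exactly; the fallback CAK is
    only consulted when the primary pair does not agree on both sides.
    """
    for role in ("primary", "fallback"):
        mine, theirs = local.get(role), peer.get(role)
        if mine is None or theirs is None:
            continue
        # Compare the secret in constant time so a mismatch is not timing-observable.
        if mine[0] == theirs[0] and hmac.compare_digest(mine[1], theirs[1]):
            return role
    return None


class ReplayWindow:
    """Receiver-side replay check on the per-frame packet number (PN).

    A frame is accepted only if its PN is not below
    lowest_acceptable_pn = next_pn - window, where next_pn is one more than
    the highest PN validated so far. window == 0 is strict: every PN must
    exceed the highest seen, so a replayed frame is always discarded.
    A window > 0 tolerates that many out-of-sequence frames; note that a
    duplicate whose PN still lies inside the window is accepted, which is
    the trade-off a wider window makes.
    """

    def __init__(self, window):
        self.window = window
        self.next_pn = 1

    def accept(self, pn):
        lowest_acceptable = max(1, self.next_pn - self.window)
        if pn < lowest_acceptable:
            return False  # too old, or a replay: discard the frame
        if pn >= self.next_pn:
            self.next_pn = pn + 1  # advance the window past the new high PN
        return True
```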
MACsec coverage will continue to expand beyond its current locations. All new Direct Link switch installations will be MACsec-capable. Future support for multiple primary CAKs with lifetimes will enable customers to preconfigure CAK rotations.
What's Next?
- Use the limited-period promo code VPC1000, which gives you USD 1,000 worth of free IBM Cloud credits to start your IBM Cloud Direct Link Dedicated journey.
- Learn more about IBM Cloud Direct Link: https://www.ibm.com/products/direct-link
Written By:
Premnath Jaganathan