Securing Terabit Ethernet Networks with 1.6T MACsec Security Modules

• Importance of Security for High-Speed Ethernet Connections
• Introducing Synopsys HPC MACsec Security IP Modules
• Key Features
• System-Level Implementation Use Cases
• Summary

In the realm of high-performance computing (HPC) and data centers, Ethernet is one of the interfaces of choice due to its scalability, reliability, and broad industry support. Ethernet's ability to efficiently handle large volumes of data makes it ideal for HPC environments that require high-speed data transmission and seamless integration with existing infrastructure. The growth of connectivity for data centers is being fueled by advancements in artificial intelligence (AI) and the proliferation of connected devices, which drive the need for increased bandwidth and superior network speeds.

Emerging standards, such as Ultra Ethernet and UALink are being developed to support massive AI networks, scaling up to one million nodes. The rapid adoption of HPC rates for Ethernet is evident, moving beyond 800Gbps, towards 1.6Tbps and even higher to 3.2Tbps, with significant growth in the deployment of high-speed Ethernet switches in data centers. This trend is supported by cloud service providers, who are expected to drive a substantial portion of the spending on data center switches, propelling the adoption of higher-speed Ethernet-based technologies.

As these environments continue to evolve, the demand for robust data security measures becomes increasingly critical to protect sensitive information and maintain operational integrity.

The importance of security for high-speed Ethernet connections is increasingly critical because while they enable rapid data transfer, they are susceptible to security threats such as Denial of Service (DoS) attacks, eavesdropping, man-in-the-middle attacks and replay attacks. To mitigate these risks, robust security protocols are necessary.

This growing need for enhanced security is driven by several factors:

• Growing Volume of Sensitive Data: HPC workloads contain sensitive data, encompassing critical business information, personal data, and intellectual property. Protecting this data from unauthorized access and breaches is essential to maintaining trust and operational integrity.
• Rise in Attacks and Expanding Attack Surface: The rapid proliferation of devices connected to the cloud has significantly broadened the attack surface, making networks more vulnerable to security threats. This expansion has led to a corresponding rise in cyberattacks, including sophisticated methods that exploit network vulnerabilities. As a result, there is an urgent need for stronger security protocols to defend against these threats, ensuring that network services remain secure and reliable.
• Compliance with Laws, Regulations, and Standards: In response to the evolving threat landscape, compliance with stringent laws, regulations, and standards has become a critical driver for enhanced security. Organizations such as DOE, NASA, and EuroHPC are now mandating FIPS 140-3 or equivalent link protection for external or multi-tenant fabric links. This regulatory pressure underscores the necessity for robust security measures that not only protect data but also ensure adherence to legal and industry requirements, thereby safeguarding organizational reputation and avoiding potential penalties.

Media Access Control Security (MACsec) is the standard protocol for Ethernet HPC fabrics, offering essential Layer 2 security that safeguards network communication against these threats. By securing each hop between nodes or switches, MACsec is particularly effective in protecting Ethernet environments, ensuring the integrity and confidentiality of data as it traverses the network. As data centers continue to evolve and handle increasing volumes of sensitive information, the role of MACsec in providing a secure networking environment without compromising the link data rates becomes even more critical.

Synopsys has introduced its HPC multi-channel MACsec Security Modules, engineered to efficiently support high data rates, ranging from 200Gbps to 1.6Tbps, with built-in scalability to reach throughputs up to 3.2Tbps.

Synopsys stands out as the only company offering a complete IP solution, including 224G Ethernet PHY, MAC and PCS controller, Verification IP and now with a broader MACsec portfolio, including multi-channel HPC MACsec, reducing integration risk. This comprehensive suite of IP allows for seamless pre-integration, significantly simplifying the development process for system-on-chip (SoC) and system-in-package (SiP) designers. By ensuring consistent system interfaces, Synopsys reduces the complexity typically associated with incorporating multiple IPs from different vendors, thereby shortening time-to-market, reducing risk and maintaining operational continuity. The pre-integrated solutions not only enhance performance but also ensure compliance with industry standards, making them ideal choices for high-performance computing environments.

Figure 1 below provides a detailed view of the high-level architecture of the new Synopsys HPC MACsec Security Modules.

Figure 1. High-level architecture of the Synopsys HPC MACsec Security Modules

The Synopsys HPC MACsec Security Modules boast several advanced features that enhance both security and performance:

• Industry Standards Support: adhere to IEEE 802.1AE, 802.1AEbn and 802.1BR standards, ensuring alignment with latest industry requirements for secure networking
• Scalable Throughput and Multi-Channel Support: designed to handle full line-rate data throughput efficiently for various networking configurations, supporting multiple channels and parallel packet processing, including 4x200G, 4x400G, 2x800G, and 1x1.6T
• High Performance Low Latency Cryptography: FIPS 140-3 ready pipelined AES-GCM/GMAC cryptographic engine
• Extensive Security Associations: configurable selection of number of security associations, up to 1024 for TX and up to 4096 for RX, allowing for comprehensive management of secure connections across multiple devices
• VLAN Tagging Support: capable to handle multiple VLAN tags (several VLAN in-the-clear modes), to facilitate organized and secure data traffic management within complex network environments
• Plug-and-play with Synopsys MACs for 1.6T, 800G, 400G and 200G
• Other Features include: fixed latency mode, jumbo frames, AES-GCM-XPN Mode, efficient multi-rule lookup, and ARM CCA support

These features collectively ensure that the Synopsys HPC MACsec Security Modules provide both high-performance networking and robust data security, making them particularly suitable to the latest and next generations of high speed Ethernet interconnects.

The Synopsys HPC MACsec Security Modules support a broad range of use cases for different types of system level architectures, such as the ones captured below: "Plug and Play with 1.6T MAC" and "LookAside with 1.6T MAC."

The "Plug and Play" approach facilitates automatic data handling between the MACsec and MAC, allowing the system to send and fetch data effortlessly. This setup ensures that the system interfaces remain consistent, appearing the same as they would in a configuration without MACsec, thereby simplifying the integration process and maintaining operational continuity. The HPC MACsec Security Module can also be used in different system configurations, where multiple and different Synopsys MACs are driven by a single MACsec instance.

Figure 2. Plug and Play with 1.6T MAC

The "LookAside" example involves a more hands-on approach, where the system takes responsibility for transferring data between MACsec and MAC. The system must package the data appropriately to meet specific performance requirements, ensuring efficient data management. Additionally, the system is tasked with managing the clock ratio between different IPs, which is crucial for maintaining synchronization and optimizing performance across the network infrastructure.

Figure 3. LookAside with 1.6T MAC

Together, these two implementation options enhance the adaptability and efficiency of the Synopsys Secure Ethernet Solution offering, catering to diverse use cases with optimal performance and latency across AI and data centers network infrastructure.

The introduction of the multi-channel MACsec Security Modules family augments Synopsys’ portfolio of Ethernet solutions securing the most advanced HPC interconnects. As the only vendor in the world offering a complete IP solution, including silicon-proven 224G Ethernet PHY IP, MAC and PCS controllers, Verification IP and MACsec, Synopsys provides a unique, pre-integrated solution that delivers several key benefits to customers. This comprehensive offering ensures shorter time to market by simplifying the design process and reducing development time through seamless integration.

For more information on these innovative solutions and how they can benefit your projects, visit the Synopsys HPC MACsec webpage.