CN-117395019-A - Automatic in-band media access control security (MACsec) key update for re-timer devices
Abstract
The present disclosure relates to automatic in-band media access control security (MACsec) key updates for retimer devices. A system for automatic in-band MACsec encryption key updating includes a physical layer retimer device attachable to a host system connected to a peer device via a secure Ethernet link incorporating egress and ingress channels for encrypted data traffic. The host system generates an encryption key update for each secure egress or ingress channel, which is sent in-band as an Ethernet packet via the secure egress channel. Key updates are identified and extracted from the outgoing data traffic by the retimer device, which identifies the particular encryption key (e.g., corresponding to a particular outgoing channel or incoming channel) for which each key update is intended.
Inventors
- CHIDAMBALA SRINIVAS
- YAKA RAJIV R
- YENER STEVEN R
Assignees
- AVAGO TECHNOLOGIES GENERAL IP
Dates
- Publication Date: 2024-01-12
- Application Date: 2023-05-23
- Priority Date: 2022-07-11
Claims (20)
- 1. An apparatus, comprising: a system-side receiver in data communication with a host device via a plurality of N egress channels, where N is an integer; a system-side transmitter in data communication with the host device via a plurality of N ingress channels; at least one security block in data communication with the system-side receiver and the system-side transmitter, the at least one security block configured to encrypt or decrypt at least one data packet transmitted via an nth egress channel or an nth ingress channel based on an nth encryption key corresponding to at least one of the N egress channels or the N ingress channels, where N is an integer and n ≤ N; packet filtering logic in data communication with the system-side receiver, the packet filtering logic configured to identify at least one key update received from the host device, the key update corresponding to the nth encryption key; and a microcontroller in data communication with the packet filtering logic and with the at least one security block, the microcontroller configured to: receive each identified key update from the packet filtering logic; and update the nth encryption key based on the identified key update.
- 2. The device of claim 1, wherein the microcontroller is configured to: generate an acknowledgement packet indicating successful update of the nth encryption key; and forward the acknowledgement packet to the host device via the plurality of N ingress channels.
- 3. The device of claim 1, wherein the device is in data communication with the host device via a system-side Application Specific Integrated Circuit (ASIC) physically coupled to the host device, the system-side ASIC configured to: receive the at least one key update from the host device; generate at least one key package comprising the key update, wherein the packet filtering logic is configured to identify the key update based on the key package; and forward the at least one key package to the device via the N egress channels.
- 4. The device of claim 3, wherein: the at least one key package includes an identifier field indicating at least one of the nth ingress channel or the nth egress channel; and wherein the microcontroller is configured to update the nth encryption key based on the identifier field.
- 5. The device of claim 4, wherein the identifier field includes at least one of a source address, a destination address, or EtherType.
- 6. The device of claim 1, wherein the device is a media access control security (MACsec) retimer device.
- 7. The device of claim 1, wherein the at least one security block comprises: at least one egress security block configured to encrypt at least one egress data packet transmitted via the N egress channels; and at least one ingress security block configured to decrypt at least one ingress data packet transmitted via the N ingress channels.
- 8. A system, comprising: a host device configured to establish an Ethernet link to at least one peer device, the Ethernet link comprising: N egress channels configured to transmit one or more egress data packets from the host device to the at least one peer device, wherein N is an integer; and N ingress channels configured to receive one or more ingress data packets from the at least one peer device at the host device; and a retimer device physically coupled to the host device and electronically interposed between the host device and the at least one peer device, the retimer device comprising: a system-side receiver in data communication with the host device via the plurality of N egress channels; a system-side transmitter in data communication with the host device via the plurality of N ingress channels; at least one security block in data communication with the system-side receiver and the system-side transmitter, the at least one security block configured to encrypt or decrypt at least one data packet transmitted within the Ethernet link based on an nth encryption key corresponding to at least one of an nth egress channel or an nth ingress channel, where N is an integer and n ≤ N; packet filtering logic in data communication with the system-side receiver, the packet filtering logic configured to identify at least one key update generated by the host device and received from the host device via the plurality of N egress channels, the at least one key update corresponding to the nth encryption key; and a microcontroller in data communication with the packet filtering logic and with the at least one security block, the microcontroller configured to: receive each identified key update from the packet filtering logic; and update the nth encryption key based on the identified key update.
- 9. The system of claim 8, wherein the microcontroller is configured to: generate at least one acknowledgement packet indicating a successful update of the nth encryption key; and forward the acknowledgement packet to the host device via the system-side transmitter.
- 10. The system of claim 8, further comprising: a system-side Application Specific Integrated Circuit (ASIC) physically coupled to the host device and electronically interposed between the host device and the retimer device, the system-side ASIC configured to: receive the at least one key update from the host device; generate at least one key package comprising the key update, wherein the packet filtering logic is configured to identify the key update based on the key package; and forward the at least one key package to the retimer device via the plurality of N egress channels.
- 11. The system of claim 10, wherein: the at least one key package includes an identifier field corresponding to at least one of the nth ingress channel or the nth egress channel; and wherein the microcontroller is configured to update the nth encryption key based on the identifier field.
- 12. The system of claim 11, wherein the identifier field includes at least one of a source address, a destination address, or EtherType.
- 13. The system of claim 8, wherein the retimer device is a media access control security (MACsec) retimer device.
- 14. The system of claim 8, wherein the at least one security block comprises: at least one egress security block configured to encrypt at least one egress data packet transmitted via the plurality of N egress channels; and at least one ingress security block configured to decrypt at least one ingress data packet transmitted via the plurality of N ingress channels.
- 15. A method, comprising: providing an Ethernet link between a host device and one or more peer devices, the Ethernet link comprising N egress channels and N ingress channels, wherein N is an integer; providing, via a retimer device physically coupled to the host device, at least one security block configured to encrypt or decrypt at least one data packet transmitted via an nth egress channel or an nth ingress channel based on an nth encryption key corresponding to at least one of the N egress channels or the N ingress channels, where N is an integer and n ≤ N; generating at least one key update corresponding to the nth encryption key via the host device; generating at least one key package based on the generated key update; transmitting the at least one key package to the retimer device via the N egress channels; identifying, via the retimer device, the at least one key update from the N egress channels; determining, via the retimer device, the nth egress channel or the nth ingress channel corresponding to the at least one key update; and updating the nth encryption key corresponding to the determined nth egress channel or nth ingress channel via the retimer device based on the at least one key update.
- 16. The method as recited in claim 15, further comprising: generating, via the retimer device, at least one acknowledgement packet indicating a successful update of the encryption key; and transmitting the at least one acknowledgement packet to the host device via the retimer device.
- 17. The method according to claim 15, wherein: generating at least one key package based on the generated key update comprises: receiving the at least one key update via a system-side Application Specific Integrated Circuit (ASIC) physically coupled to the host device and electronically interposed between the host device and the retimer device; and generating the at least one key package via the system-side ASIC; and transmitting the at least one key package to the retimer device via the N egress channels comprises forwarding the at least one key package to the retimer device via the system-side ASIC.
- 18. The method of claim 17, wherein identifying the at least one key update from the N egress channels via the retimer device comprises: identifying the at least one key update based on an identifier field associated with the at least one key package, the identifier field indicating at least one of the nth ingress channel or the nth egress channel.
- 19. The method of claim 18, wherein the identifier field is associated with at least one of a source address, a destination address, or EtherType.
- 20. The method of claim 15, wherein the retimer device is a media access control security (MACsec) retimer device.
Description
Technical Field
Embodiments of the inventive concepts disclosed herein are generally directed to secure Ethernet communications, and more particularly to retimer applications over a large number of secure channels.
Background
Media access control security (MACsec) retimer devices are used in secure Ethernet links (e.g., host-to-host, host-to-switch) to encrypt or decrypt Ethernet traffic near the physical (PHY) layer. For example, the retimer encrypts outbound (egress) traffic sent by the host device and decrypts inbound (ingress) traffic received by the host device. MACsec retimers can have up to hundreds of secure data channels, each data channel using an encryption key, such as an Advanced Encryption Standard (AES) Galois/Counter Mode (GCM) key, to encrypt or decrypt traffic within the channel. For example, the AES/GCM encryption key must be updated every second. Such encryption keys are derived by the host device and communicated to the retimer device via control registers, such as management data input/output (MDIO) registers. Although MDIO register hardware may support a large number of secure channels, the slow data rate associated with MDIO limits the speed at which encryption keys can be refreshed before a key expires (e.g., if not refreshed within one second). The low throughput associated with MDIO therefore creates a bottleneck for the number of secure channels that can actually be supported by the secure Ethernet system.
Disclosure of Invention
In a first aspect, a physical layer media access control security (MACsec) retimer apparatus is disclosed.
In an embodiment, the retimer device may be physically connected to a host device and include a system-side receiver and transmitter for communicating with the host device via N secure egress channels and N secure ingress channels, respectively (e.g., via which the host device may maintain secure Ethernet links to one or more peer devices), where N is an integer. The retimer device includes a security block for encrypting egress data traffic transmitted from the host device to the peer device via the secure egress channel, and decrypting data traffic transmitted to the host device via the secure ingress channel, based on the egress- or ingress-channel-specific MACsec encryption key. The host device generates a key update for each encryption key and sends the key update in-band over the egress data channel. The retimer device includes packet filtering logic for identifying and extracting each encryption key update generated by the host device from the outgoing data traffic and forwarding the key update to a microcontroller in communication with the security block. The retimer device identifies the particular egress or ingress channel associated with each extracted key update and updates the corresponding encryption key based on the key update. In another aspect, a system is disclosed. In an embodiment, the system includes a host network device and a retimer device (e.g., a physical layer MACsec retimer device) physically connected to the host device; via the retimer device, the host network device may establish a secure Ethernet link to one or more peer network devices remotely located from the local host network device. For each connected peer device, the secure Ethernet link includes a secure unidirectional egress channel (via which the host device transmits encrypted data packets to the peer device) and a secure unidirectional ingress channel (via which the host device receives encrypted data packets from the peer device).
Based on the egress- and ingress-channel-specific encryption keys, the retimer device encrypts egress (outbound) packets transmitted by the host device and decrypts ingress (inbound) packets for receipt by the host device. In an embodiment, the host device may generate a key update for each encryption key and transmit the key update in-band over the secure egress channel. The retimer device identifies each key update in the outbound data traffic and the particular egress/ingress channel for which the key update is intended. The retimer device updates the encryption key corresponding to the identified egress/ingress channel based on the key update. In another aspect, a method for in-band encryption key updating is disclosed. In an embodiment, the method includes providing an Ethernet link between a host network device and a peer network device, the link including a secure egress channel through which the host device transmits encrypted data packets to the peer device and a secure ingress channel through which the host device receives encrypted data packets transmitted by the peer device. The method includes providing, via a retimer device physically attached to the host device, a security block for encrypting data packets sent to the peer device via the secure egress channel (and decrypting data packets sent from the peer device to the host device via the
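As an added illustration (not code from the patent or from the assignee), the following Python model shows the retimer's packet filtering logic and microcontroller key table described above: the host wraps a key update for channel n into an in-band Ethernet frame, the retimer recognises it by destination address and EtherType, installs the key for the indicated egress or ingress channel (rejecting malformed or out-of-range updates), and returns an acknowledgement frame toward the host instead of forwarding the update to the peer. The frame layout, the EtherType values and the addresses are assumptions made for this example.

```python
import struct

# Constructed frame layout for this example; the patent does not fix one.
ETH_HDR = struct.Struct("!6s6sH")               # dst MAC, src MAC, EtherType
KEY_UPDATE_ETHERTYPE = 0x88B5                    # IEEE 802 local-experimental EtherType, chosen here
KEY_UPDATE_DST = bytes.fromhex("0180c2000099")   # constructed address consumed by the retimer
ACK_ETHERTYPE = 0x88B6                           # constructed EtherType for acknowledgements
UPDATE_PAYLOAD = struct.Struct("!BH16s")         # direction, channel n, 16-byte AES-128 key
ACK_PAYLOAD = struct.Struct("!BHB")              # direction, channel n, status (1=updated, 0=rejected)
EGRESS, INGRESS = 0, 1


def build_key_update(host_mac, direction, channel, key):
    """Host side: wrap a key update for channel n into an in-band Ethernet frame."""
    return (ETH_HDR.pack(KEY_UPDATE_DST, host_mac, KEY_UPDATE_ETHERTYPE)
            + UPDATE_PAYLOAD.pack(direction, channel, key))


class Retimer:
    """Packet filtering logic plus the microcontroller's per-channel key table."""

    def __init__(self, n_channels, retimer_mac):
        self.n = n_channels
        self.mac = retimer_mac
        self.keys = {EGRESS: [None] * n_channels, INGRESS: [None] * n_channels}

    def filter_egress(self, frame):
        """Inspect one egress frame; return (frame_to_forward, ack_for_host)."""
        if len(frame) < ETH_HDR.size:
            return None, None                      # runt frame: drop
        dst, src, ethertype = ETH_HDR.unpack_from(frame)
        if dst != KEY_UPDATE_DST or ethertype != KEY_UPDATE_ETHERTYPE:
            return frame, None                     # ordinary traffic: on to the security block
        payload = frame[ETH_HDR.size:]
        if len(payload) != UPDATE_PAYLOAD.size:
            return None, None                      # truncated/oversized update: never partially apply
        direction, channel, key = UPDATE_PAYLOAD.unpack(payload)
        ok = direction in self.keys and channel < self.n
        if ok:
            self.keys[direction][channel] = key    # microcontroller installs the nth key
        # Acknowledgement goes back toward the host on the ingress side; the
        # key update itself is consumed here and never leaves toward the peer.
        ack = ETH_HDR.pack(src, self.mac, ACK_ETHERTYPE) + ACK_PAYLOAD.pack(direction, channel, int(ok))
        return None, ack
```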