IP Security For Broadcasters: Part 4 - MACsec Explained

IPsec and VPN provide much improved security over untrusted networks such as the internet. However, security may need to improve within a local area network, and to achieve this we have MACsec in our arsenal of security solutions.


All 12 articles in this series are available in our free 82 page eBook ‘IP Security For Broadcasters’ – download it HERE.

Articles in this series:


It’s worth remembering that the IP packet exists independently of the underlying transport stream. This is probably one of its greatest strengths as the IP packet does not need to change or be modified as it moves between different transport streams. An IP packet, with suitable routers, can easily hop between ethernet and Wi-Fi frames, as well as specific datacenter type transport streams such as HDLC (High-Level Data Link Control).

The Open Systems Interconnection model (OSI model) is a method of describing the different functionality within a communications system to facilitate abstraction. Furthermore, each layer must traverse through the other layers and then back again to communicate with its peer.

For example, a camera streaming unicast IP packets to a production switcher is a peer-to-peer connection. The camera will divide the images into layer-3 IP packets using a protocol such as SMPTE ST2110-20, then the IP packets will be encapsulated into the layer-2 data link layer frames such as ethernet. The ethernet frames will be converted into the layer-1 physical medium such as fiber, and this will be connected to the ethernet switcher, where the layer-2 ethernet frames will be sent to the production switcher. The production switcher, in turn, extracts the layer-2 ethernet frames from the layer-1 physical fiber, then extracts the layer-3 packets to IP, and then reconstructs the video using ST2110-20.

Flexible Security

This may sound like a convoluted process, but it does provide incredible flexibility. In the example above we assumed that the ethernet switcher would send frames to the production switcher using fiber, but this doesn’t have to be the case. It’s possible that the production switcher is connected using CAT8 cabling, and in this instance, the ethernet switch will convert the layer-1 fiber from the camera to the layer-1 CAT8 twisted pair cable to the production switcher, all without the IP datagram ever being changed. 

Figure 1 – The MACsec sequence relies on two trusted devices, such as ethernet switches exchanging a shared key using the MKA, when done, the next phase allows them to share the SAK and this is used to encrypt the payload and create the ICV (see text).

Figure 1 – The MACsec sequence relies on two trusted devices, such as ethernet switches exchanging a shared key using the MKA, when done, the next phase allows them to share the SAK and this is used to encrypt the payload and create the ICV (see text).

In networking terms, a LAN is a group of connected devices that share the same MAC (Media Access Control) broadcast address. That is, the devices are connected to the same layer-2 switch or layer-2 networked switches (it is possible to connect multiple layer-2 switches together to provide a homogeneous network). We tend to use layer-2 switch networks in LANs as they are faster than using a network of layer-3 routers and keep latency low. Security is much easier to maintain, and user-areas can be separated into logical units. For example, each studio can have its own VLAN (virtual LAN) so that ethernet frames are kept separate between the studios. Not only does this improve security, but it also keeps network congestion low which in turn keeps latency low.

Providing the data integrity and confidentiality found with IPsec’s VPN is difficult in layer-2 networks as routers are often needed to create the virtualized tunnels. To achieve the same levels of security in LANs we use the MACsec. Instead of working at layer-3, MACsec works at layer-2 and provides encryption for layer-2 frames between point-to-point devices.

Standardizing Security

The MACsec specification was standardized by the IEEE in 2006 as 802.1AE and adds two fields to the layer-2 ethernet frame: the security tag and the message authentication code using the ICV (Integrity Check Value). The ICV is used to validate the encrypted MACsec frame.

A MACsec security layer exists between two endpoints such as two ethernet switchers, or an ethernet switcher and a router. It’s even possible to establish a secure layer between an end device and an ethernet switch. One example of this would be connecting a camera to an ethernet switch, if the camera was MACsec enabled, then it would be possible to set up a secure link at the frame level to guarantee the integrity and validity of the streamed video data.

In a similar method to IPsec, MACsec establishes a link between the two devices to exchange pre-shared keys through the MACsec Key Agreement (MKA) process (IEEE 802.1X-2010), as shown in figure 1. Once this is complete, the two end devices further exchange keys to provide the Security Association Keys (SAK) which is then used to encrypt the whole layer-2 ethernet frame.

Figure 2 – the header type and payload are encrypted and the SecTAG and ICV are inserted, this will increase the ethernet frame size by 32 bytes. The ICV is used to authenticate the MAC addresses, SecTAG and encrypted payload and header.

Figure 2 – the header type and payload are encrypted and the SecTAG and ICV are inserted, this will increase the ethernet frame size by 32 bytes. The ICV is used to authenticate the MAC addresses, SecTAG and encrypted payload and header.

As can be seen from figure 2, the original ethernet frame including the header, type and payload is encrypted using the SAK and embedded in a new MACsec frame where the SecTag and ICV are inserted. The source and destination MAC addresses are not encrypted but they are included in the ICV calculation using the SAK, therefore, only authenticated devices can change the ICV.

When a device, such as an ethernet switcher receives the frame, it first validates the source and destination MAC addresses, SecTag and encrypted payload against the ICV. If they match, then the frame is processed, and the payload is decrypted. If they do not match, then it is assumed the frame has been tampered with and will be dropped.

Unicast And Multicast Encryption

One of the fundamental advantages of MACsec over IPsec is that MACsec can encrypt unicast, multicast and broadcast frames. Although there have been some efforts to achieve this with IPsec, many of them are proprietary. It’s particularly important for broadcasters to be able to secure multicast distribution as this is an efficient method used to stream video to multiple destinations.

Also, MACsec is operating at layer 2, so it is not concerned with the higher protocols such as IP, ICMP, ARP and RIP, giving it the potential to secure many more protocols without any additional effort. Furthermore, MACsec was designed to operate in hardware so becomes an intrinsic part of the network interface card, and in doing so keeps latency very low.

Network security relying on the exchange of keys is only as secure as the key management system. If a hostile actor can access the key repository, then they can access any data within the network, even if it is encrypted. Therefore, effective management of the secure key repository is paramount, and access must be guaranteed by the broadcaster’s IT department.

MACsec provides another level of security for broadcasters with quite different applications than those found in IPsec. This helps improve LAN security but does rely on connected devices, such as cameras, microphones, production switchers and multiviewers, being MACsec compliant to achieve the best security.

Part of a series supported by

You might also like...

Expanding Display Capabilities And The Quest For HDR & WCG

Broadcast image production is intrinsically linked to consumer displays and their capacity to reproduce High Dynamic Range and a Wide Color Gamut.

Standards: Part 20 - ST 2110-4x Metadata Standards

Our series continues with Metadata. It is the glue that connects all your media assets to each other and steers your workflow. You cannot find content in the library or manage your creative processes without it. Metadata can also control…

Delivering Intelligent Multicast Networks - Part 2

The second half of our exploration of how bandwidth aware infrastructure can improve data throughput, reduce latency and reduce the risk of congestion in IP networks.

If It Ain’t Broke Still Fix It: Part 1 - Reliability

IP is an enabling technology which provides access to the massive compute and GPU resource available both on- and off-prem. However, the old broadcasting adage: if it ain’t broke don’t fix it, is no longer relevant, and potentially hig…

NDI For Broadcast: Part 2 – The NDI Tool Kit

This second part of our mini-series exploring NDI and its place in broadcast infrastructure moves on to exploring the NDI Tools and what they now offer broadcasters.