Bolstering security: Introducing MACsec on Direct Link Dedicated

20 June 2025

Author

Premnath Jaganathan

Product Manager

IBM Cloud

The Direct Link team is excited to announce the general availability of the Media Access Control security (MACsec) feature for Direct Link Dedicated. MACsec offers hardware-based encryption, ensuring minimal latency and high throughput, crucial for high bandwidth applications. It will be available on 1 June 2025, and initial supported markets include Toronto, Montreal, Dallas and Washington DC.

About IBM Cloud Direct Link Dedicated for VPC

IBM Cloud Direct Link Dedicated for VPC offers a high-speed, OSI Layer 3 direct connection between customers’ on-premises infrastructure and IBM Cloud VPC and Classic Infrastructure—delivering low latency and up to 10 Gbps throughput. Designed for enterprises with nearby colocation facilities or service providers managing customer circuits, this single-tenant, fiber-based solution ensures secure, seamless hybrid cloud connectivity.

The benefits of MACsec

MACsec secures all Ethernet traffic, including control plane protocols such as ARP and DHCP. MACsec excels at providing granular, high-performance security for local Ethernet links. Additional benefits include:

  • Protection against Layer 2 threats: Safeguards against MAC spoofing, ARP poisoning and eavesdropping within the local network.
  • Secures control plane protocols: Protects DHCP, ARP and LLDP, enhancing overall network infrastructure resilience.
  • Granular LAN security: Encrypts Ethernet frames at Layer 2, delivering more localized security compared to IPsec.
  • Line-rate performance with low latency: Hardware-based encryption and decryption ensure minimal performance impact, even at high bandwidths, and offer lower latency than software-based encryption.
  • Lower CPU overhead: Encryption is handled by dedicated hardware, reducing CPU load compared to IPsec's software-based processing.
  • Protection against passive attacks: Guards against wiretapping, intrusion and replay attacks.
  • Complements higher-layer security: Adds a local security layer that addresses network vulnerabilities not covered by higher-layer protocols like IPsec.

How MACsec works

This Layer 2 network standard (IEEE 802.1AE) fortifies Ethernet-connected devices through several key mechanisms:

  • Origin authentication: Peer MACsec devices authenticate each other using a Connectivity Association Key (CAK) consisting of a name and a secret, both of which must exactly match between peers.
  • Replay protection: A configurable window allows the acceptance of a defined number of out-of-sequence frames, defending against replay attacks.
  • Data confidentiality: Once a secure session is active, data is encrypted using a Secure Association Key (SAK) derived through the MACsec Key Agreement (MKA) protocol, ensuring data privacy.
  • Data integrity: Each frame includes an Integrity Check Value (ICV), which must match expected values at the receiving end, guaranteeing data hasn't been tampered with.
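
The replay window and ICV checks described above can be modeled in a few lines. The following is an added example, not IBM or Direct Link code: a simplified receive-side model of the lowest-acceptable-packet-number rule, with hypothetical names (ReceiveSA, run, ARRIVALS) and a constructed arrival sequence.

```python
from dataclasses import dataclass


@dataclass
class ReceiveSA:
    """Receive-side state for one secure association (simplified model)."""
    replay_window: int      # 0 means strict in-order delivery
    next_pn: int = 1        # next packet number (PN) expected
    accepted: int = 0
    dropped_late: int = 0
    dropped_icv: int = 0

    @property
    def lowest_pn(self) -> int:
        # Oldest packet number that is still acceptable.
        return max(1, self.next_pn - self.replay_window)

    def receive(self, pn: int, icv_ok: bool = True) -> bool:
        """Return True if the frame is delivered, False if it is discarded."""
        if pn < self.lowest_pn:     # older than the window allows
            self.dropped_late += 1
            return False
        if not icv_ok:              # failed integrity check: no state change
            self.dropped_icv += 1
            return False
        if pn >= self.next_pn:      # only authenticated frames move the window
            self.next_pn = pn + 1
        self.accepted += 1
        return True


def run(window: int, pns: list[int]) -> list[bool]:
    """Feed a sequence of packet numbers to a fresh SA and record each verdict."""
    sa = ReceiveSA(replay_window=window)
    return [sa.receive(pn) for pn in pns]


# Constructed arrival order: frames 3 and 2 swapped, then a stale copy of frame 1.
ARRIVALS = [1, 3, 2, 4, 5, 1]

if __name__ == "__main__":
    for window in (0, 2):
        print(f"window={window}: {run(window, ARRIVALS)}")
```

With a window of 0 the reordered frame 2 is discarded along with the stale frame 1; with a window of 2 only the stale frame is discarded. Because this rule keeps no per-frame record, a repeated packet number that still falls inside the window is accepted, which is a reason to keep the window as small as the link's reordering allows.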

This feature provides a configurable MACsec policy, with a primary CAK and an optional fallback CAK. The fallback CAK acts as a backup, securing the MACsec session if a name or secret discrepancy arises with the primary CAK between peers. CAK secrets are securely stored as Hyper Protect Crypto Services (HPCS) key resources within the customer's HPCS instance. Once peers are configured with a MACsec policy and CAK(s), the direct link will initiate a MACsec session, safeguarding data frames exchanged between the customer’s MACsec-capable device and the IBM cross-connect switch.

Feature roadmap

MACsec coverage will continue to expand beyond its current locations. All new Direct Link switch installations will be MACsec-capable. Future support for multiple primary CAKs with lifetimes will enable customers to preconfigure CAK rotations.

What's next?

Use the limited-period promo code VPC1000, which gives you USD 1,000 worth of free IBM Cloud credits to start your IBM Cloud Direct Link Dedicated journey.

Learn more about IBM Cloud Direct Link