TLV-to-MUC Express: Post-quantum MACsec in VXLAN

2021 
MACsec in VXLAN is an end-to-end security protocol for protecting Ethernet frames traveling over IP networks. It can provide high-speed Ethernet encryption while supporting the virtualization of a large network such as a data center network. Although MACsec addresses most security threats, it is not immune to quantum attacks, which are a future yet disastrous threat to the public-key cryptography in use. In this paper, we demonstrate a new solution for a MACsec protocol over VXLAN in a post-quantum setting. Instead of a standard MACsec key agreement protocol, we use an ephemeral key exchange protocol and an end-to-end authentication scheme, both of which are based on post-quantum cryptography. To measure the impact on performance, we established a quantum-secure link between Germany and Israel using MACsec in VXLAN over public IP networks. We verified that the impact on latency and throughput is minimal. Our experiment confirms that quantum-secure virtualized links can already be established over long distances without changing their infrastructure.