PTP over MACsec


Security is one of the most important factors in all kinds of networks, and Time Synchronization is crucial for time-sensitive applications, such as industrial automation, financial trading, and telecommunications, which require high-precision PTP synchronization.
Tampering with, blocking, spoofing, or otherwise affecting valid PTP transfer in a network could lead to devastating damage to such applications and networks, underlining the importance of securing PTP transfer.
To ensure this security, MACsec (IEEE 802.1AE) is implemented for Layer 2 encryption. MACsec provides data confidentiality and integrity by encrypting Ethernet frames, protecting against threats like eavesdropping and tampering.
However, using PTP over MACsec is not without challenges:
PTP needs highly accurate packet timestamping to achieve the accuracy and stability of time synchronization required within a network.
The encryption and decryption processes required for MACsec present significant challenges when applied to a sync-aware network, as they introduce variation and asymmetry in latency between timestamping planes.

This presents a significant problem, as PTP assumes a constant link delay, which is not the case with PTP over MACsec.
Therefore, this test case aims to validate the ability to maintain precise time synchronization while upholding network security with MACsec.
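The effect described above can be reproduced with a small model of the PTP delay request-response exchange. This is an added example, not part of the test report or of any vendor implementation. The wire and crypto latencies, jitter, clock offset and message interval are constructed values, and the two class limits are the ones this report quotes for media converter pairs.

```python
import random
from statistics import mean

# cTE limits for media converter pairs exactly as quoted in this report
# (ITU-T G.8273.2 Appendix V, Table V.1); only these two classes are quoted.
PAIR_LIMITS_NS = (("C", 20.0), ("A", 100.0))

def ptp_offset(t1, t2, t3, t4):
    """Delay request-response offset estimate; assumes equal delay both ways."""
    return ((t2 - t1) - (t4 - t3)) / 2.0

def simulate(true_offset, wire, fwd_crypto, rev_crypto, jitter, n=2000, seed=7):
    """Return (mean error, peak-to-peak error) in ns of the recovered offset.

    fwd_crypto / rev_crypto: MACsec latency sitting between the timestamping
    planes in the master-to-slave and slave-to-master directions (constructed).
    jitter: per-packet latency variation, drawn uniformly from [0, jitter].
    """
    rng = random.Random(seed)
    errors = []
    for i in range(n):
        d_ms = wire + fwd_crypto + rng.uniform(0.0, jitter)
        d_sm = wire + rev_crypto + rng.uniform(0.0, jitter)
        t1 = i * 62_500_000.0            # Sync sent (master clock)
        t2 = t1 + d_ms + true_offset     # Sync received (slave clock)
        t3 = t2 + 1_000.0                # Delay_Req sent (slave clock)
        t4 = t3 - true_offset + d_sm     # Delay_Req received (master clock)
        errors.append(ptp_offset(t1, t2, t3, t4) - true_offset)
    return mean(errors), max(errors) - min(errors)

def pair_class(cte_ns):
    """Tightest quoted class whose limit the measured cTE satisfies, else None."""
    for name, limit in PAIR_LIMITS_NS:
        if abs(cte_ns) <= limit:
            return name
    return None

if __name__ == "__main__":
    for label, fwd, rev in (("symmetric", 300.0, 300.0), ("asymmetric", 240.0, 400.0)):
        err, p2p = simulate(true_offset=5_000.0, wire=50.0, fwd_crypto=fwd,
                            rev_crypto=rev, jitter=10.0)
        print(f"{label}: mean error {err:+.1f} ns, p2p {p2p:.1f} ns, "
              f"class {pair_class(err)}")
```

In this model, equal crypto latency in both directions cancels out of the offset estimate however large it is; only the difference between the two directions appears as constant error (half the asymmetry), while per-packet variation appears as spread around it.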
     
In this test, Keysight's emulated Telecom Grandmaster sent PTP traffic downstream towards Boundary-Clock 1 (T-BC-1). T-BC-1 then applied MACsec to the PTP packets and sent them further downstream towards T-BC-2, which received the encrypted PTP packets, decrypted them, and output them to the measurement device, in this case the Keysight Time Sync Analyzer. As passing criteria, the BCs' cTE should be inside the cascaded threshold of ITU-T G.8273.2, section 7.1.1, for the T-BC/T-TSC classes.
As PTP over MACsec is still relatively new and under development, only two vendors, Juniper Networks and H3C, supported it. During this test, one T-BC, the Juniper ACX7100-32C, acted as T-BC-1, and three different BCs, the H3C S12500R, Juniper ACX7348, and Juniper MX304, acted as T-BC-2.

Figure 106: PTP over MACsec - setup

The results from the Juniper ACX7100-32C to the H3C S12500R differ considerably from the results between the ACX7100-32C and the ACX7348/MX304:
The constant time error (cTE) measured at the H3C S12500R is around -80ns, at the Juniper MX304 around -16ns, and at the Juniper ACX7348 around 11ns. This large discrepancy between the Juniper ACX7100-32C to H3C S12500R pair and the Juniper ACX7100-32C to Juniper ACX7348 and Juniper ACX7100-32C to Juniper MX304 pairs is most likely due to implementation differences between the platforms when it comes to PTP over MACsec, which, as mentioned before, is still under development by most vendors.
Ultimately, this results in the Juniper ACX7100-32C to H3C S12500R pair only being able to qualify as Class A Boundary Clocks, as per ITU-T G.8273.2, Appendix V, table V.1, which specifies a requirement of +/- 100ns cTE for media converter pairs. However, the Juniper ACX7100-32C to Juniper ACX7348 and ACX7100-32C to Juniper MX304 pairs would qualify as Boundary Clock Class C, as the given requirements are +/- 20ns for media converter pairs, which both pairs pass.

We are happy to have tested interoperable PTP over MACsec and are looking forward to testing this once again next year, hopefully with more participating/supporting vendors. In the future, it might also be worthwhile to test PTP over MACsec with native tester support for devices and networks, as back-to-back device testing allows for the cancellation of time errors across the two devices. This is something we are looking forward to testing at next year's event.

| T-GM-A | T-BC-1 | T-BC-2 |
| --- | --- | --- |
| Keysight Time Sync Analyzer | Juniper ACX7100-32C | H3C S12500R-48Y8C, Juniper ACX7348, Juniper MX304 |

Table 62: PTP over MACsec - PTP Profile G8275.1