Computer networks, such as those that are compliant with the IEEE 802® suite of protocols, may be deployed in many different settings. For example, local area networks (LANs), including Ethernet networks, may be deployed within a corporate, campus, or home environment. Multiple LANs may be joined into one or more metropolitan area networks (MANs). Due to the wide range of deployment conditions and settings of such networks, it may be difficult or impossible to prevent unauthorized access (or attempts at access) thereto. Consequently, attempts have been made to protect the data and resources of such networks. For example, attempts have been made to maintain confidentiality of transmitted data, and to prevent unauthorized data (e.g., from unauthorized devices) from propagating on the network(s).
For example, protocols associated with the suite of IEEE 802.1® protocols have been developed to circumvent malicious attacks, theft of information, and other unauthorized network uses. For example, the IEEE 802.1AE standard, also known as MACSec, has been developed. MACSec may thus be used, for example, to identify unauthorized devices on a LAN, and/or to prevent propagation of data from such devices. MACSec uses cryptography techniques, such as exchange of cryptographic keys and associated encryption/decryption and authentication techniques, to provide network security at Layer 2 (the link layer) of the Open Systems Interconnection (OSI) model.
MACSec or other security techniques may be implemented within one or more networking chips of a network switch or other network device. However, the user of a networking chip may desire to prevent a network provider from accessing information in a frame sent across the network. Therefore, it may be desirable to develop encryption or authentication schemes to prevent unauthorized access to the frame.
When a frame is sent through multiple networks and/or multiple MACSec providers or users, it may occur that MACSec (or other suitable security protocol) is implemented two or more times for the same frame (or stream of frames). Such techniques may be referred to as double-layer encryption techniques, e.g., as double layer MACSec. For example, the MACSec standard refers to an example scenario in which an Ethernet frame is protected by a double-layer MACSec scheme between two end points defined be two user networks, when the Ethernet frame is tunneled through a provider network that applies its own MACSec implementation. However, due to the manner in which frames are processed and forwarded in a flow-through fashion and at line-speed through network devices, such as switches, it may be difficult to provide such double layer protection in an efficient and cost-effective manner.