MACsec Intel® FPGA IP User Guide

ID 736108
Date 10/21/2022


1.2.1. IP Description

This section describes the MACsec IP, which provides data confidentiality and integrity for the Ethernet protocol. MACsec is commonly used for securing data between the Cloud and data centers or Secure IoT devices on a LAN.

The MACsec IP is a highly parameterizable block that provides a cost-effective turnkey solution by leveraging scalability. The MACsec IP shares infrastructure and interfaces with other FPGA IPs, for example, AXI-ST and AXI-Lite buses. This allows the MACsec IP to be assembled seamlessly with other FPGA IPs into a coherent FPGA design.

The MACsec IP provides:
  • IEEE Std 802.1AE-2018 compliance
  • Support for all cipher suites (GCM-AES-128/256, GCM-AES-XPN-128/256)
  • SecTAG and ICV insertion/removal
  • Options for VLAN tags in Clear Text (integrity protected only) or VLAN tags in Secure Data (confidential and integrity protected)
  • Configurable "store-and-forward" or "cut-through" modes for each stream
  • Support for stream interleaving on the User/AES interface
  • Support for Controlled and Uncontrolled ports with configurable data widths
  • Support for Confidentiality Offset for GCM-AES-128/256 cipher suites (non-XPN versions)
  • Support for 2 Tx and 2 Rx security channels (SC) per port
  • 4 Security Associations (SA) per SC, for a total of up to 1024 SAs for 64 ports
  • Scalable architecture provides seamless integration with ICA AES-GCM HIP for best performance, area, and latency.
  • Support for up to 200Gbps AES and SM4 Inline Crypto Accelerator HIP bandwidth in one direction (half-duplex), or 100Gb full-duplex, or a mix of the two with a total of 200Gb.
  • User packet bypass metadata to support PTP use cases
  • Optional RX Replay Protection Check based on Replay Window, Lowest Acceptable PN, or Next PN.
  • 64-bit MACsec statistics counters, per the MACsec specification, on each SC and SA.
  • Standard interfaces with AMBA-compliant protocol:
    • AXI4 Stream interfaces for the tile and application logic paths
    • AXI-Lite interfaces for the management paths
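
The RX replay protection check in the feature list names three values: Replay Window, Lowest Acceptable PN, and Next PN. The following added example (not Intel's code and not taken from this guide) models how IEEE 802.1AE relates them on receive; the struct, field, and function names are hypothetical, the PN sequence is constructed, and the way the IP exposes these values is not described on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Receive-side replay state for one SA (names are this example's, not the IP's). */
typedef struct {
    uint64_t next_pn;        /* one more than the highest validated PN */
    uint64_t lowest_pn;      /* lowest acceptable PN */
    uint32_t replay_window;  /* 0 = strict in-order delivery */
    bool     replay_protect; /* false = check disabled */
} rx_sa_t;

/* Before decryption: a PN below the lowest acceptable PN is a late frame. */
bool rx_replay_ok(const rx_sa_t *sa, uint64_t pn)
{
    return !sa->replay_protect || pn >= sa->lowest_pn;
}

/* After the ICV has verified: advance Next PN and slide the window floor. */
void rx_replay_update(rx_sa_t *sa, uint64_t pn)
{
    if (pn < sa->next_pn) return;              /* in-window frame, no state change */
    sa->next_pn = pn + 1;
    uint64_t floor = sa->next_pn > sa->replay_window
                   ? sa->next_pn - sa->replay_window : 1;  /* PN 0 is never valid */
    if (floor > sa->lowest_pn) sa->lowest_pn = floor;
}

/* Feed a PN sequence through the check; returns the number of late frames.
 * Every frame that passes the check is assumed to have a valid ICV. */
int rx_run(rx_sa_t *sa, const uint64_t *pns, int n)
{
    int late = 0;
    for (int i = 0; i < n; i++) {
        if (!rx_replay_ok(sa, pns[i])) late++;
        else rx_replay_update(sa, pns[i]);
    }
    return late;
}

int main(void)
{
    rx_sa_t sa = { .next_pn = 1, .lowest_pn = 1, .replay_window = 2, .replay_protect = true };
    const uint64_t pns[] = { 1, 2, 3, 4, 5, 4, 2 };  /* constructed sample */
    printf("late frames: %d\n", rx_run(&sa, pns, 7));
    return 0;
}
```

This model keeps no per-PN bitmap, so with a nonzero window a repeated PN that is still inside the window passes the check; a window of 0 rejects every PN that is not strictly increasing.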