MACsec Intel® FPGA IP User Guide

Download PDF
ID 736108
Date 6/26/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. Functional Description 6. Configuration Registers for MACsec IP 7. MACsec Intel® FPGA IP Example Design 8. MACsec Intel FPGA IP User Guide Archives 9. Document Revision History for the MACsec Intel FPGA IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Device Speed Grade Support and Theoretical Throughput 1.6. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Description 1.2.2. IP Core Applications
1.2.2. IP Core Applications x
1.2.2.1. SmartNIC 1.2.2.2. Ethernet Bridge + Inline MACsec
2. Interface Overview x
2.1. Block Diagram 2.2. Interfaces 2.3. Clocking Domains
2.2. Interfaces x
2.2.1. IP Interface Signals 2.2.2. IP Interface Signal Timing Diagram/Waveforms 2.2.3. Clocks, Resets, and Interrupts
2.2.1. IP Interface Signals x
2.2.1.1. Common Port Mux Interface 2.2.1.2. Common Port Demux Interface 2.2.1.3. Controlled Port Mux Interface 2.2.1.4. Controlled Port Demux Interface 2.2.1.5. Uncontrolled Port RX Interface 2.2.1.6. Uncontrolled Port TX Interface 2.2.1.7. Crypto RX Interface 2.2.1.8. Crypto TX Interface 2.2.1.9. Management Interface 2.2.1.10. Decrypt Port Mux Management Interface 2.2.1.11. Decrypt Port Demux Management Interface 2.2.1.12. Encrypt Port Mux Management Interface 2.2.1.13. Encrypt Port Demux Management Interface 2.2.1.14. Crypto IP Management Bus 2.2.1.15. Miscellaneous Control Signals
2.2.2. IP Interface Signal Timing Diagram/Waveforms x
2.2.2.1. Common Port Mux Interface Waveform 2.2.2.2. Common Port Demux Interface Waveform 2.2.2.3. Controlled Port Mux Interface Waveform 2.2.2.4. Controlled Port Demux Interface Waveform 2.2.2.5. Uncontrolled Port RX Interface Waveform 2.2.2.6. Uncontrolled Port TX Interface Waveform 2.2.2.7. Crypto RX Waveform 2.2.2.8. Crypto TX Waveform 2.2.2.9. MACsec Management Interface (Read) 2.2.2.10. MACsec Management Interface (Write)
3. Parameters x
3.1. MACsec Intel FPGA IP Parameter Settings
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Reset Transactions 4.5. MACsec Software Initialization Sequence
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
5. Functional Description x
5.1. AXI-ST Common/Controlled/Uncontrolled Ports 5.2. Packet Parser and Classifier 5.3. SA Lookup and Update 5.4. Encryption Framer/DeFramer 5.5. Decryption Framer/Deframer 5.6. Packet Aggregator/Disaggregator 5.7. Cryptographic AES 5.8. Error Handling 5.9. Packet Statistics
5.1. AXI-ST Common/Controlled/Uncontrolled Ports x
5.1.1. AXI-ST Single Packet Mode 5.1.2. AXI-ST Multi Packet Mode 5.1.3. User Interface Data Streaming 5.1.4. AXI-ST Ready Latency 5.1.5. Port and Secure Channel Mapping 5.1.6. Port and Crypto Channel Mapping 5.1.7. Minimum Packet Size 5.1.8. Byte Ordering 5.1.9. Controlled/Uncontrolled Port Muxing
5.1.3. User Interface Data Streaming x
5.1.3.1. Single Packet Mode Data Stream 5.1.3.2. Multi Packet Mode Data Stream
5.2. Packet Parser and Classifier x
5.2.1. Packet Parser 5.2.2. Packet Classifier
5.3. SA Lookup and Update x
5.3.1. Packet Actions 5.3.2. Packet Buffer 5.3.3. New Channel Assignment 5.3.4. Anti-Replay Protection
5.3.1. Packet Actions x
5.3.1.1. Packet Encrypt 5.3.1.2. Packet Decrypt 5.3.1.3. Packet Discard 5.3.1.4. PDU Validation
5.4. Encryption Framer/DeFramer x
5.4.1. Channel Allocation 5.4.2. Packet Framer 5.4.3. VLAN Tagging
5.4.2. Packet Framer x
5.4.2.1. Bypass Packet 5.4.2.2. Stream Interleaving
5.4.3. VLAN Tagging x
5.4.3.1. No VLAN Tag 5.4.3.2. VLAN Tag (Not in Clear) 5.4.3.3. VLAN Tag (Clear)
5.5. Decryption Framer/Deframer x
5.5.1. XPN Recovery 5.5.2. Replay Check Update 5.5.3. Packet Deframer
5.6. Packet Aggregator/Disaggregator x
5.6.1. Packet Aggregator 5.6.2. Packet Disaggregator
5.7. Cryptographic AES x
5.7.1. Register Address Ordering 5.7.2. Byte Order Swapping 5.7.3. Byte Ordering
5.8. Error Handling x
5.8.1. Packet Error Handling 5.8.2. Memory Blocks ECC Errors 5.8.3. Crypto Errors 5.8.4. System-Level Errors
7. MACsec Intel® FPGA IP Example Design x
7.1. Simulation Requirements 7.2. Steps to Run Simulation 7.3. Port Configurations 7.4. Multi Interface Buffering Muxing/Demuxing 7.5. 2x25 GbE (Encryption + Decryption) 7.6. Packet Generator/Checker 7.7. Clocking
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Functional Description
6. Configuration Registers for MACsec IP
7. MACsec Intel® FPGA IP Example Design
8. MACsec Intel FPGA IP User Guide Archives
9. Document Revision History for the MACsec Intel FPGA IP User Guide

5.9. Packet Statistics

The MACsec statistic counters are implemented according to the MACsec 802.1AE-2018 specification. These counters are accessible through the Management Interface. Each counter is 64 bits wide and each port has one set of statistic counters as listed in the table below. The counter values roll over when they overflow.

Upon reset deassertion, all counters are reset to 0. As the port becomes active with MACsec traffic entering the MACsec IP for processing, these counters start counting. During a rekeying process, for example, SW switch from 1 Tx SA to another Tx SA, the old Tx SA is invalidated (SA_EN_TRN CSR bit = 0) and the equivalent statistic counters for the particular port are reset by SW. Traffic using the new Tx SA triggers all the counters to start counting from zero.

The statistic counters reset is fully controlled by SW.
Table 59.  Packet Statistics
Counter Description Counter Source
Receive/Decryption Statistics
InPktsNoTag The number of received packets without a SecTAG discarded because VALIDATEFRAMES was 'strict' SA Lookup
InPktsBadTag The number of received packets discarded with an invalid SecTAG, zero value PN, or invalid ICV SA Lookup
InPktsNoSA The number of received packets with an unknown SCI or for an unused SA SA Lookup
InPktsNoSAError The number of packets discarded because the received SCI is unknown or the SA is not in use. SA Lookup
InPktsOverrun The number of packets discarded because they exceeded cryptographic performance capabilities SA Lookup
InPktsOK The number of packets received for this SC is successfully validated and within the replay window. SA Lookup
InPktsUnchecked The number of packets received for this SC, while VALIDATEFRAMES is 'disabled'. SA Lookup
InPktsInvalid The number of packets, for this SC, that fails validation but can be received because VALIDATEFRAMES is 'check' and the data is not encrypted (so the original frame can be recovered). SA Lookup
InPktsNotValid The number of packets discarded, for this SC, because validation fails and VALIDATEFRAMES is 'strict' or the data is encrypted (so the original frame can not be recovered). SA Lookup
InPktsDelayed The number of received packets, for this SC, with PN lower than the lowest acceptable PN and REPLAYPROTECT false. SA Lookup
InPktsLate The number of packets discarded, for this SC, because the received PN is lower than the lowest acceptable PN and REPLAYPROTECT is true. SA Lookup
InOctetsValidated The number of plaintext octets recovered from packets that are integrity protected but not encrypted. Framer/Deframer
InOctetsDecrypted The number of plaintext octets recovered from packets that are integrity protected and encrypted. Framer/Deframer
Transmit/Encryption Statistics
OutPktsUntagged The number of packets transmitted without a SecTAG because SECY_PROTECT_FRAMES_ENABLE is configured false. Framer/Deframer
OutPktsTooLong The number of transmit packets discarded because their length is greater than the ifMtu of the Common port. Framer/Deframer
OutPktsProtected The number of packets transmitted with integrity protected but not encrypted in transmitted frames. Framer/Deframer
OutPktsEncrypted The number of packets transmitted with integrity protected and encrypted in transmitted frames. Framer/Deframer
OutOctetsProtected The number of plain text octets integrity protected but not encrypted in transmitted frames. Framer/Deframer
OutOctetsEncrypted The number of plain text octets integrity protected and encrypted in transmitted frames. Framer/Deframer
Level Two Title