MACsec Intel® FPGA IP User Guide

ID 736108
Date 3/31/2024
Document Table of Contents

5.3.4. Anti-Replay Protection

For packets identified to go through the Receive Rx lane, the Anti-Replay Protection check is performed on the packet. Upon successfully obtaining an SA from the SA lookup process, a comparison is made between the received packet number in the MACsec header versus the nextPN field in the SA. Comparison is done between the received Packet Number in the MACsec header versus the lowest acceptable PN (Min PN) field in the SA. The Packet is discarded if “Received PN < Min PN”.

For Rx decryption, the next_pn and lowest acceptable pn updates only happen on the deframer where the request passes the secure frame verification check.

The Anti-Replay Protection check can be disabled through the REPLAYPROTECT parameter.