MACsec Intel® FPGA IP User Guide

Download PDF
ID 736108
Date 3/31/2024
Public
Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. Functional Description 6. Configuration Registers for MACsec IP 7. MACsec Intel® FPGA IP Example Design 8. MACsec Intel FPGA IP User Guide Archives 9. Document Revision History for the MACsec Intel FPGA IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Device Speed Grade Support and Theoretical Throughput 1.6. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Description 1.2.2. IP Core Applications
1.2.2. IP Core Applications x
1.2.2.1. SmartNIC 1.2.2.2. Ethernet Bridge + Inline MACsec
2. Interface Overview x
2.1. Block Diagram 2.2. Interfaces 2.3. Clocking Domains
2.2. Interfaces x
2.2.1. IP Interface Signals 2.2.2. IP Interface Signal Timing Diagram/Waveforms 2.2.3. Clocks, Resets, and Interrupts
2.2.1. IP Interface Signals x
2.2.1.1. Common Port Mux Interface 2.2.1.2. Common Port Demux Interface 2.2.1.3. Controlled Port Mux Interface 2.2.1.4. Controlled Port Demux Interface 2.2.1.5. Uncontrolled Port RX Interface 2.2.1.6. Uncontrolled Port TX Interface 2.2.1.7. Management Interface 2.2.1.8. Decrypt Port Mux Management Interface 2.2.1.9. Decrypt Port Demux Management Interface 2.2.1.10. Encrypt Port Mux Management Interface 2.2.1.11. Encrypt Port Demux Management Interface 2.2.1.12. Crypto IP Management Bus 2.2.1.13. Miscellaneous Control Signals
2.2.2. IP Interface Signal Timing Diagram/Waveforms x
2.2.2.1. Common Port Mux Interface Waveform 2.2.2.2. Common Port Demux Interface Waveform 2.2.2.3. Controlled Port Mux Interface Waveform 2.2.2.4. Controlled Port Demux Interface Waveform 2.2.2.5. Uncontrolled Port RX Interface Waveform 2.2.2.6. Uncontrolled Port TX Interface Waveform 2.2.2.7. Crypto RX Waveform 2.2.2.8. Crypto TX Waveform 2.2.2.9. MACsec Management Interface (Read) 2.2.2.10. MACsec Management Interface (Write)
3. Parameters x
3.1. MACsec Intel FPGA IP Parameter Settings
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Reset Transactions 4.5. MACsec Software Initialization Sequence
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
5. Functional Description x
5.1. AXI-ST Common/Controlled/Uncontrolled Ports 5.2. Packet Parser and Classifier 5.3. SA Lookup and Update 5.4. Encryption Framer/DeFramer 5.5. Decryption Framer/Deframer 5.6. Packet Aggregator/Disaggregator 5.7. Cryptographic AES 5.8. Error Handling 5.9. Packet Statistics
5.1. AXI-ST Common/Controlled/Uncontrolled Ports x
5.1.1. AXI-ST Single Packet Mode 5.1.2. AXI-ST Multi Packet Mode 5.1.3. User Interface Data Streaming 5.1.4. AXI-ST Ready Latency 5.1.5. Port and Secure Channel Mapping 5.1.6. Port and Crypto Channel Mapping 5.1.7. Minimum Packet Size 5.1.8. Byte Ordering 5.1.9. Controlled/Uncontrolled Port Muxing
5.1.3. User Interface Data Streaming x
5.1.3.1. Single Packet Mode Data Stream 5.1.3.2. Multi Packet Mode Data Stream
5.2. Packet Parser and Classifier x
5.2.1. Packet Parser 5.2.2. Packet Classifier
5.3. SA Lookup and Update x
5.3.1. Packet Actions 5.3.2. Packet Buffer 5.3.3. New Channel Assignment 5.3.4. Anti-Replay Protection
5.3.1. Packet Actions x
5.3.1.1. Packet Encrypt 5.3.1.2. Packet Decrypt 5.3.1.3. Packet Discard 5.3.1.4. PDU Validation
5.4. Encryption Framer/DeFramer x
5.4.1. Channel Allocation 5.4.2. Packet Framer 5.4.3. VLAN Tagging
5.4.2. Packet Framer x
5.4.2.1. Bypass Packet 5.4.2.2. Stream Interleaving
5.4.3. VLAN Tagging x
5.4.3.1. No VLAN Tag 5.4.3.2. VLAN Tag (Not in Clear) 5.4.3.3. VLAN Tag (Clear)
5.5. Decryption Framer/Deframer x
5.5.1. XPN Recovery 5.5.2. Replay Check Update 5.5.3. Packet Deframer
5.6. Packet Aggregator/Disaggregator x
5.6.1. Packet Aggregator 5.6.2. Packet Disaggregator
5.7. Cryptographic AES x
5.7.1. Register Address Ordering 5.7.2. Byte Order Swapping 5.7.3. Byte Ordering
5.8. Error Handling x
5.8.1. Packet Error Handling 5.8.2. Memory Blocks ECC Errors 5.8.3. Crypto Errors 5.8.4. System-Level Errors
7. MACsec Intel® FPGA IP Example Design x
7.1. Simulation Requirements 7.2. Steps to Run Simulation 7.3. Port Configurations 7.4. Multi Interface Buffering Muxing/Demuxing 7.5. 4x25 GbE (Encryption + Decryption) 7.6. Packet Generator/Checker 7.7. Clocking
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Functional Description
6. Configuration Registers for MACsec IP
7. MACsec Intel® FPGA IP Example Design
8. MACsec Intel FPGA IP User Guide Archives
9. Document Revision History for the MACsec Intel FPGA IP User Guide

5.1. AXI-ST Common/Controlled/Uncontrolled Ports

The MACsec IP user interface supports 6 AXI-ST ports (transmit lane Common/Controlled/Uncontrolled/ ports and receive lane Common/Controlled/Uncontrolled/ ports). The maximum bandwidth supported by the MACsec IP is 200Gbps and therefore the aggregated bandwidth of all ports must not exceed 200Gbps. In the scenario where the desired bandwidth exceeds the port bandwidth, backpressure occurs to avoid buffer overflow.

All port data widths are configurable between 64, 128, 256, and 512 bits. The maximum bandwidth supported is 200Gbps when the width of the interface between the port mux and demux blocks and the MACsec processing blocks is 512 bits.

The AXI-ST ports support both AXI-ST Single Packet Mode and AXI-ST Multi Packet Mode. There are 2 lanes which exist within the MACsec IP, one is the Transmit Tx Lane and the other is the Receive Rx Lane.

The AXI-ST Common/Controlled/Uncontrolled ports support 16 bits of metadata which tag along with incoming packets. These 16 bits of metadata are sent through the AXI-ST TUSER interface which is available when the METADATA_EN parameter is configured to ENABLE. This feature is mainly used in PTP where PTP packets are sent through the MACsec IP together with PTP sideband signals and local counter values to support PTP 1- step and 2-step modes.

The AXI-ST TID is used to indicate the Port/Stream ID and this ID tags along with the packet flowing through the MACsec encryption/decryption lane. You can use the TID to identify the source of the packet and route the packet to its destination accordingly. The packet order per stream is maintained.

Traffic that requires encryption or decryption is sent through the MACsec Controlled port. In the case of traffic that doesn’t need to be encrypted or decrypted, it can be submitted through the Uncontrolled port. Traffic from both ports is merged and sent to the Common port on the transmit lane.

On the transmit lane, the Uncontrolled port traffic is muxed together with Controlled port traffic at the Common port before sending it out from the MACsec IP. The switching between CP/UCP has no priority bit. The switching happens from CP to UCP when the transmission of packets from all CP ports are finished, and when there is no incoming CP packet for more then 6 clock cycles. The switching from UCP to CP takes place when UCP reaches tlast=1. There is a potential performance impact on the transmit lane as the IP is muxing 200Gbps traffic from Controlled/Uncontrolled ports into a single Common port. It is your responsibility to make sure the total bandwidth of both Controlled/Uncontrolled port doesn’t exceed the maximum bandwidth supported by the MACsec IP, which is 200Gbps. You need to handle the flow control on the MACsec IP Controlled/Uncontrolled ports so that no overflows (packet drops) happen on the Mux/Demux interfaces due to unmatched bandwidth.

On the receive lane, when the Common port traffic is parsed and no MACsec Ethertype is detected, the traffic is routed to the Uncontrolled port. The Uncontrolled port sees all traffic including encrypted packets and non-MACsec packets. You are then required to process the traffic and extract the packets. By default, the Uncontrolled ports on transmit and receive lanes are disabled.


Section Content
AXI-ST Single Packet Mode
AXI-ST Multi Packet Mode
User Interface Data Streaming
AXI-ST Ready Latency
Port and Secure Channel Mapping
Port and Crypto Channel Mapping
Minimum Packet Size
Byte Ordering
Controlled/Uncontrolled Port Muxing

Level Two Title