MACsec Intel® FPGA IP User Guide

ID 736108
Date 3/31/2024
Document Table of Contents

5.4. Encryption Framer/DeFramer

The Encryption Framer/Deframer is responsible for performing framing on the packet, which arrives after SA lookup and error checking on the packet when the packet returns from Crypto AES through packet disaggregator.

Below is a list of features implemented in the Encryption Framer/Deframer:
  • Upon packet arrival from SA lookup, channel allocation is performed by sending a key to the Crypto AES to allocate a new channel. Channel number is sent through the AXI-ST TID[9:0] signal.
  • SecTAG insertion is performed into the packet.
  • SA lookup result is packed into the packet payload, for example, IV, AAD.
  • IV – {SCI, PN[31:0]} when XPN_MODE = 0,
  • IV – {SSCI XOR SALT[95:64], SALT[63:0] XOR PN[63:0]} when XPN_MODE = 1
  • AAD – {Destination MAC Address, Source MAC Address, VLAN tag (In Clear), MACsec Header, {0B, 30B, 50B Offset Confidentiality}}
  • The tlast_empty ppmetadata indication is received from the Multi Interface Buffering Mux and rotation buffer data is submitted to Crypto without waiting for subsequent packet for data packing.
  • Equation to calculate AAD_Length is as below:
  • AAD_Length = 6 (DMAC) + 6 (SMAC) + (0 or 4, depending on VLAN tag) + (8 or 16 SecTAG depending on SCI existence) + TX_LANE_SC{0..1}_SA{0..3}_CONFID CSR
  • Packet bypass is performed if protectFrames of the packet is not set.
  • IV/Key byte order swapping occurs before sending to Crypto.
  • The user packet bypasses metadata storing per stream/port and it is pending for return packet.
  • Packet metadata carrys error indication for the packet entering and leaving the MACsec IP.
  • After the packet returns from the Crypto AES through the Packet Disaggregator, error handling is performed on the returned packet.
  • User packet bypass metadata is extracted from the stream/port FIFO and associated with the returned packet based on the stream/port ID.