MACsec Intel FPGA System Design User Guide

ID 767516
Date 3/03/2023

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

2.8. AXI-ST Rate Controller

The MACsec IP does not support back pressure in the current implementation. For example, If the MACsec is being configured to work at 25G rate, then it is your responsibility to control the incoming traffic from different interfaces (uncontrolled/controlled ports) to ~70% of the rate defined to accommodate the SecTAG Header which the MACsec IP inserts into the data traffic which is a significant overhead during lower packet sizes. Logic coordinates between the two interfaces (uncontrolled, controlled ports) and can decide weights for each interface. This is implemented with parameters during compile time. This logic de-asserts the tready to different sources of traffic i.e. from MCDMA to uncontrolled port (MKA traffic) and from packet generator to controlled port.

The design to control the aggregated input rate to accommodate the overheads inserted by MACSec which targets the actual line rate is shown in the figure below. There are multiple ways of doing this.

As mentioned above, there is a need to distribute the total bandwidth statically between two interfaces of MACSec i.e. control path (uncontrolled port) and data path (controlled port) where the priority can be given to data path as in Deficit Weighted Round Robin (DWRR) scheduler.
Figure 26. Rate Controller Module (Highlighted in Red)
If the MACsec IP expects the controlled rate at every packet level, then the number of idle cycles to be inserted by rate controller depends on the number of valid data cycles received. Granularity of these calculations are restricted to clock cycle for ease of timing, i.e. it assumes that all the data bytes are valid in EOP (8 Byte granularity on a 64 bit bus). The design assumes the maximum possible data rate as “Bus width x Clock frequency”, i.e. for a 25G MACSec, controlled port data width is 64b running at 400 MHz which results in max rate of 25.6 Gbps (MACSEC_MAX_RATE) passed to module as a parameter. The number of idle cycles required after end of the current packet depends on another parameter (MACSEC_MAX_IN_RATE) that defines the expected input rate. For example, if the expected input rate is 12 Gbps then the number of idle cycles for each valid clock cycle in a packet is defined by a local parameter as (MACSEC_MAX_RATE/MACSEC_MAX_IN_RATE). The design maintains a counter that increments by this ratio on every valid cycle between start of packet and end of packet. The same counter decrements after EOP cycle until it reaches 0. During this time, the AXI-ST TREADY is de-asserted.
Figure 27. Null Cycles Inserted After Every Packet Transfer