MACsec Intel® FPGA IP User Guide

ID 736108
Date 10/21/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

6.4.2.1. Bypass Packet

During the MACsec secure frame verification check, there are a few cases where the IP can bypass the whole Crypto process and redirect the packet to the Controlled port. For example, when there is no SA found for the packet and the validateFrames is not equal to STRICT.

In order to simplify the MACsec IP implementation, the MACsec IP sends the packet with the AAD_Len = FFFF_FFFF. The Crypto AES treats all the payloads as AAD and returns the payloads as cleartext together with the 16B ICV. The MACsec IP then discards the 16B ICV on the Crypto Egress.

Table 49.  Crypto Ingress Interface Showing Bypass Packet
TID[31:26] - Stream ID Packet 1 X X
TID[25:16] - Channel Packet 1 X X
TID[15:10] - Stream Packet 0 0 0
TID[9:0] - Channel Packet 0 23 6
Data[127:0] IV + AAD_Len (FFFF_FFFF) DATA (Pkt 0)
Data[255:128] DATA (Pkt 0) DATA (Pkt 0)
Data[383:256] DATA (Pkt 0) DATA (Pkt 0)
Data[511:384] DATA (Pkt 0) IDLE
Table 50.  Crypto Egress Interface Showing Bypass Packet
TID[31:26] - Stream ID Packet 1 X X
TID[25:16] - Channel Packet 1 X X
TID[15:10] - Stream Packet 0 0 0
TID[9:0] - Channel Packet 0 23 6
Data[127:0] DATA (Pkt 0) DATA (Pkt 0)
Data[255:128] DATA (Pkt 0) DATA (Pkt 0)
Data[383:256] DATA (Pkt 0) MAC (Discard)
Data[511:384] DATA (Pkt 0) IDLE