MACsec Intel® FPGA IP User Guide

ID 736108
Date 10/21/2022
Public



6.5. Decryption Framer/Deframer

The Decryption Framer/Deframer frames the packet that arrives from the SA lookup for submission to the Crypto AES, and deframes the packet when it returns from the Crypto AES through the Packet Disaggregator.

Below is a list of features implemented in the Decryption Framer/Deframer:

  • Upon packet arrival from SA lookup, channel allocation is performed by sending a key to the Crypto AES to allocate a new channel.
  • If USR_DATA_WIDTH is not 512 bits, the framer must accumulate enough bytes per stream from the request data bus over subsequent cycles before processing.
  • ICV is extracted from the packet payload and sent through the AXI-ST TUSER.auth_tag signal.
  • XPN recovery (reconstruction of the 64-bit PN from the 32-bit PN carried in the SecTAG) is performed if XPN_MODE = 1.
  • The SA lookup result is packed into the packet payload, for example the IV and the AAD:
    • IV = {SCI, PN[31:0]} when XPN_MODE = 0
    • IV = {SSCI XOR SALT[95:64], SALT[63:0] XOR PN[63:0]} when XPN_MODE = 1
    • AAD = {Destination MAC Address, Source MAC Address, VLAN tag (in clear), MACsec header (SecTAG)}
    • AAD_Length = 6 (DMAC) + 6 (SMAC) + (0 or 4, depending on VLAN tag) + (8 or 16, depending on whether the SCI is present in the SecTAG) + GLOBAL_CONFID_OFF CSR (the confidentiality offset bytes, which are carried in the clear but still authenticated)
  • When the tlast_empty ppmetadata indication is received from the Multi Interface Buffering Mux, the rotation buffer data is submitted to the Crypto AES without waiting for a subsequent packet for data packing.
  • The packet is bypassed (passed through without decryption) when any of the following conditions is met:
    • validateFrames != Strict and no SecTAG is detected on the packet.
    • validateFrames = NULL.
    • validateFrames = Disabled and the C bit is not set.
  • User packet bypass metadata is stored per stream/port while the packet is pending return from the Crypto AES.
  • Packet metadata carries error indication for the packet entering and leaving the MACsec IP.
  • After the packet returns from the Crypto AES through the Packet Disaggregator, error handling is performed on the returned packet.
  • SecTAG and ICV are removed from the returned packet if no error is detected.
  • User packet bypass metadata is extracted from stream/port FIFO and associated with the returned packet based on the stream/port ID.
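The following worked example is added to this page and is not code from the MACsec Intel FPGA IP or its user guide. It builds, in Python, what the framer hands to the Crypto AES for one received frame: the IV for XPN_MODE = 0 and XPN_MODE = 1, the AAD and its length, and the ICV (TUSER.auth_tag); it also applies the bypass conditions listed above, recovers the 64-bit PN in XPN mode, and deframes the returned packet by dropping the SecTAG and ICV. The frame, SCI, SSCI, Salt, nextPN, GLOBAL_CONFID_OFF and validateFrames values are constructed for the example, and using the receive SA's nextPN as the XPN recovery reference is an assumption taken from IEEE 802.1AEbw rather than from this guide. The AES-GCM computation itself is left to the Crypto AES and is not reproduced.

```python
"""Added example, not code from the MACsec Intel FPGA IP: the Decryption
Framer's inputs to the Crypto AES (IV, AAD, ICV), the bypass decision,
XPN recovery and deframing. All frame/SA values are constructed."""
import struct

SECTAG_ETHERTYPE = 0x88E5
VLAN_ETHERTYPE = 0x8100
ICV_LEN = 16


def parse_frame(frame):
    """Split a frame into DMAC, SMAC, clear VLAN tag, SecTAG, secure data and ICV."""
    dmac, smac, off = frame[:6], frame[6:12], 12
    vlan = b""
    if struct.unpack("!H", frame[off:off + 2])[0] == VLAN_ETHERTYPE:
        vlan, off = frame[off:off + 4], off + 4
    if struct.unpack("!H", frame[off:off + 2])[0] != SECTAG_ETHERTYPE:
        return {"dmac": dmac, "smac": smac, "vlan": vlan, "sectag": None,
                "c_bit": False, "pn32": None, "sci": None,
                "secure_data": frame[off:], "icv": None}
    tci_an = frame[off + 2]                       # bits: V ES SC SCB E C AN AN
    sc_bit, c_bit = bool(tci_an & 0x20), bool(tci_an & 0x04)
    pn32 = struct.unpack("!I", frame[off + 4:off + 8])[0]
    sectag_len = 16 if sc_bit else 8              # explicit 8-byte SCI when SC=1
    sci = frame[off + 8:off + 16] if sc_bit else None
    body = frame[off + sectag_len:]
    return {"dmac": dmac, "smac": smac, "vlan": vlan,
            "sectag": frame[off:off + sectag_len], "c_bit": c_bit,
            "pn32": pn32, "sci": sci,
            "secure_data": body[:-ICV_LEN], "icv": body[-ICV_LEN:]}


def recover_xpn(pn32, next_pn):
    """XPN_MODE = 1: rebuild the 64-bit PN from the SecTAG's 32 LSBs. The upper
    half comes from the receive SA's nextPN (assumed reference) and is bumped
    when the received LSBs have wrapped below nextPN's LSBs."""
    upper = next_pn >> 32
    if pn32 < (next_pn & 0xFFFFFFFF):
        upper += 1
    return (upper << 32) | pn32


def build_iv(xpn_mode, sa, pn):
    """IV = {SCI, PN[31:0]} for XPN_MODE 0;
    IV = {SSCI XOR SALT[95:64], SALT[63:0] XOR PN[63:0]} for XPN_MODE 1."""
    if xpn_mode == 0:
        return sa["sci"] + struct.pack("!I", pn & 0xFFFFFFFF)
    hi = bytes(a ^ b for a, b in zip(sa["ssci"], sa["salt"][:4]))
    lo = bytes(a ^ b for a, b in zip(struct.pack("!Q", pn), sa["salt"][4:]))
    return hi + lo


def aad_length(has_vlan, has_sci, confid_off):
    """AAD_Length = 6 (DMAC) + 6 (SMAC) + (0|4 VLAN) + (8|16 SecTAG) + GLOBAL_CONFID_OFF."""
    return 6 + 6 + (4 if has_vlan else 0) + (16 if has_sci else 8) + confid_off


def build_aad(p, confid_off):
    """AAD = DMAC || SMAC || clear VLAN tag || SecTAG || confid_off clear user bytes."""
    return p["dmac"] + p["smac"] + p["vlan"] + p["sectag"] + p["secure_data"][:confid_off]


def bypass_decrypt(validate_frames, p):
    """The three bypass conditions listed for the deframer."""
    if validate_frames != "Strict" and p["sectag"] is None:
        return True
    if validate_frames == "NULL":
        return True
    return validate_frames == "Disabled" and not p["c_bit"]


def frame_for_crypto(frame, sa, xpn_mode, confid_off, validate_frames):
    """What the framer would submit to the Crypto AES for this frame."""
    p = parse_frame(frame)
    if bypass_decrypt(validate_frames, p):
        return {"bypass": True, "parsed": p}
    if p["sectag"] is None:                       # Strict and untagged: error metadata
        return {"bypass": False, "parsed": p, "error": "no SecTAG"}
    pn = recover_xpn(p["pn32"], sa["next_pn"]) if xpn_mode else p["pn32"]
    aad = build_aad(p, confid_off)
    assert len(aad) == aad_length(bool(p["vlan"]), p["sci"] is not None, confid_off)
    return {"bypass": False, "parsed": p, "pn": pn, "iv": build_iv(xpn_mode, sa, pn),
            "aad": aad, "ciphertext": p["secure_data"][confid_off:],
            "auth_tag": p["icv"]}                 # ICV goes out on TUSER.auth_tag


def deframe(p, user_data):
    """Error-free return from Crypto AES: drop SecTAG and ICV, keep the rest."""
    return p["dmac"] + p["smac"] + p["vlan"] + user_data


# Constructed sample: VLAN in clear, SecTAG with SC=1 E=1 C=1 AN=0, PN=3, 40 data bytes.
SAMPLE_SA = {"sci": bytes.fromhex("0a0b0c0d0e0f0001"), "ssci": bytes.fromhex("00000007"),
             "salt": bytes.fromhex("10203040" "0102030405060708"),
             "next_pn": 0x0000000100000002}
SAMPLE_FRAME = (bytes.fromhex("010203040506") + bytes.fromhex("0a0b0c0d0e0f")
                + bytes.fromhex("81000064")                  # VLAN tag (in clear)
                + bytes.fromhex("88e5" "2c00" "00000003")     # EtherType, TCI/AN, SL, PN
                + SAMPLE_SA["sci"] + bytes(range(40)) + b"\xff" * ICV_LEN)

if __name__ == "__main__":
    for mode, off in ((0, 0), (1, 30)):
        r = frame_for_crypto(SAMPLE_FRAME, SAMPLE_SA, mode, off, "Strict")
        print(f"XPN_MODE={mode} PN={r['pn']:#x} IV={r['iv'].hex()} AAD_len={len(r['aad'])}")
```

With GLOBAL_CONFID_OFF = 30 the first 30 user bytes move from the ciphertext into the AAD, so the AAD grows from 32 to 62 bytes while the data handed to the AES engine shrinks accordingly; the IV check for XPN_MODE = 1 is the easiest place to catch a wrong Salt/SSCI byte order, since any mistake there shows up as an ICV failure on every frame.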