MACsec Intel® FPGA IP User Guide

Download PDF
ID 736108
Date 10/21/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. MACsec Intel® FPGA IP Example Design 6. Functional Description 7. Configuration Registers for MACsec IP 8. Document Revision History for the MACsec Intel FPGA IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Device Speed Grade Support and Theoretical Throughput 1.6. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Description 1.2.2. IP Core Applications
1.2.2. IP Core Applications x
1.2.2.1. SmartNIC 1.2.2.2. Ethernet Bridge + Inline MACsec
2. Interface Overview x
2.1. Block Diagram 2.2. Interfaces 2.3. Clocking Domains
2.2. Interfaces x
2.2.1. IP Interface Signals 2.2.2. IP Interface Signal Timing Diagram/Waveforms 2.2.3. Clocks, Resets, and Interrupts
2.2.1. IP Interface Signals x
2.2.1.1. Common Port Mux Interface 2.2.1.2. Common Port Demux Interface 2.2.1.3. Controlled Port Mux Interface 2.2.1.4. Controlled Port Demux Interface 2.2.1.5. Uncontrolled Port RX Interface 2.2.1.6. Uncontrolled Port TX Interface 2.2.1.7. Crypto RX Interface 2.2.1.8. Crypto TX Interface 2.2.1.9. Management Interface 2.2.1.10. Decrypt Port Mux Management Interface 2.2.1.11. Decrypt Port Demux Management Interface 2.2.1.12. Encrypt Port Mux Management Interface 2.2.1.13. Encrypt Port Demux Management Interface 2.2.1.14. Crypto IP Management Bus
2.2.2. IP Interface Signal Timing Diagram/Waveforms x
2.2.2.1. Common Port Mux Interface Waveform 2.2.2.2. Common Port Demux Interface Waveform 2.2.2.3. Controlled Port Mux Interface Waveform 2.2.2.4. Controlled Port Demux Interface Waveform 2.2.2.5. Uncontrolled Port RX Interface Waveform 2.2.2.6. Uncontrolled Port TX Interface Waveform 2.2.2.7. Crypto RX Waveform 2.2.2.8. Crypto TX Waveform 2.2.2.9. MACsec Management Interface (Read) 2.2.2.10. MACsec Management Interface (Write)
3. Parameters x
3.1. MACsec Intel FPGA IP Parameter Settings
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Reset Transactions 4.5. MACsec Software Initialization Sequence 4.6. MACsec Software Rekeying
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
5. MACsec Intel® FPGA IP Example Design x
5.1. Port Configurations 5.2. Multi Interface Buffering Muxing/Demuxing 5.3. 2x25 GbE (Encryption + Decryption) 5.4. Packet Generator/Checker 5.5. Clocking
6. Functional Description x
6.1. AXI-ST Common/Controlled/Uncontrolled Ports 6.2. Packet Parser and Classifier 6.3. SA Lookup and Update 6.4. Encryption Framer/DeFramer 6.5. Decryption Framer/Deframer 6.6. Packet Aggregator/Disaggregator 6.7. Cryptographic AES 6.8. Error Handling 6.9. Packet Statistics
6.1. AXI-ST Common/Controlled/Uncontrolled Ports x
6.1.1. AXI-ST Single Packet Mode 6.1.2. AXI-ST Multi Packet Mode 6.1.3. User Interface Data Streaming 6.1.4. AXI-ST Ready Latency 6.1.5. Port and Secure Channel Mapping 6.1.6. Port and Crypto Channel Mapping 6.1.7. Minimum Packet Size 6.1.8. Byte Ordering 6.1.9. Controlled/Uncontrolled Port Muxing
6.1.3. User Interface Data Streaming x
6.1.3.1. Single Packet Mode Data Stream 6.1.3.2. Multi Packet Mode Data Stream
6.2. Packet Parser and Classifier x
6.2.1. Packet Parser 6.2.2. Packet Classifier
6.3. SA Lookup and Update x
6.3.1. Packet Actions 6.3.2. Packet Buffer 6.3.3. New Channel Assignment 6.3.4. Anti-Replay Protection
6.3.1. Packet Actions x
6.3.1.1. Packet Encrypt 6.3.1.2. Packet Decrypt 6.3.1.3. Packet Discard
6.3.1.3. Packet Discard x
6.3.1.3.1. PDU Validation
6.4. Encryption Framer/DeFramer x
6.4.1. Channel Allocation 6.4.2. Packet Framer 6.4.3. VLAN Tagging
6.4.2. Packet Framer x
6.4.2.1. Bypass Packet 6.4.2.2. Stream Interleaving
6.4.3. VLAN Tagging x
6.4.3.1. No VLAN Tag 6.4.3.2. VLAN Tag (Not in Clear) 6.4.3.3. VLAN Tag (Clear)
6.5. Decryption Framer/Deframer x
6.5.1. XPN Recovery 6.5.2. Replay Check Update 6.5.3. Packet Deframer
6.6. Packet Aggregator/Disaggregator x
6.6.1. Packet Aggregator 6.6.2. Packet Disaggregator
6.7. Cryptographic AES x
6.7.1. Register Address Ordering 6.7.2. Byte Order Swapping 6.7.3. Byte Ordering
6.8. Error Handling x
6.8.1. Packet Error Handling 6.8.2. Memory Blocks ECC Errors 6.8.3. Crypto Errors 6.8.4. System-Level Errors
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. MACsec Intel® FPGA IP Example Design
6. Functional Description
7. Configuration Registers for MACsec IP
8. Document Revision History for the MACsec Intel FPGA IP User Guide

6.3.1.3.1. PDU Validation

A received MPDU is valid if and only if it comprises a valid SecTAG, one or more octets of Secure Data, and an ICV. For example:

  1. It comprises at least 17 octets.
  2. Octets 1 and 2 compose the MACsec EtherType.
  3. The V bit in the TCI is clear.
  4. If the ES or the SCB bit in the TCI is set, then the SC bit is clear.
  5. Bits 7 and 8 of octet 4 of the SecTAG are clear.
  6. If the C and SC bits in the TCI are clear, the MPDU comprises 24 octets plus the number of octets indicated by the SL field if that is non-zero and at least 72 octets otherwise.
  7. If the C bit is clear and the SC bit is set, then the MPDU comprises 32 octets plus the number of octets indicated by the SL field if that is non-zero and at least 80 octets otherwise.
  8. If the C bit is set and the SC bit is clear, then the MPDU comprises 8 octets plus the minimum length of the ICV as determined by the Cipher Suite in use at the receiving SecY, plus the number of octets indicated by the SL field if that is non-zero and at least 48 additional octets otherwise.
  9. If the C and SC bits are both set, the frame comprises at least 16 octets plus the minimum length of the ICV as determined by the Cipher Suite in use at the receiving SecY, plus the number of octets indicated by the SL field if that is non-zero and at least 48 additional octets otherwise.

If the C and SC bits are both set, the frame comprises at least 16 octets plus the minimum length of the ICV as determined by the Cipher Suite in use at the receiving SecY, plus the number of octets indicated by the SL field if that is non-zero and at least 48 additional octets otherwise.

Items 1 and 6-9 do not have explicit logic implemented in the MACsec IP to check for these conditions. Instead when these conditions are violated, the ICV comparison fails and the IP drops the packet.

If the received frame is marked as invalid, and the validateFrames control is Strict or the C bit in the SecTAG is set, the frame is discarded and the InPktsNotValid counter is incremented. Otherwise, the frame is delivered to the Controlled port, and the appropriate counter is incremented as follows:
  1. If the frame is not valid and validateFrames is set to Check, InPktsInvalid; otherwise,
  2. If the received PN is less than the lowest acceptable PN (treating a 32-bit PN value of zero as 2^32 and a 64-bit PN value of zero as 2^64), InPktsDelayed; otherwise,
  3. If the frame is not valid, InPktsUnchecked; otherwise,
  4. InPktsOK
Level Two Title