MACsec Intel® FPGA IP User Guide

ID 736108
Date 4/03/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

6.4.2.1. Bypass Packet

During the MACsec secure frame verification check, there are a few cases where the IP can bypass the whole Crypto process and redirect the packet to the Controlled port. For example, when there is no SA found for the packet and the validateFrames is not equal to STRICT.

In order to simplify the MACsec IP implementation, the MACsec IP sends the packet with the AAD_Len = FFFF_FFFF. The Crypto AES treats all the payloads as AAD and returns the payloads as cleartext together with the 16B ICV. The MACsec IP then discards the 16B ICV on the Crypto Egress.

Table 53.  Crypto Ingress Interface Showing Bypass Packet
TID[31:26] - Stream ID Packet 1 X X
TID[25:16] - Channel Packet 1 X X
TID[15:10] - Stream Packet 0 0 0
TID[9:0] - Channel Packet 0 23 6
Data[127:0] IV + AAD_Len (FFFF_FFFF) DATA (Pkt 0)
Data[255:128] DATA (Pkt 0) DATA (Pkt 0)
Data[383:256] DATA (Pkt 0) DATA (Pkt 0)
Data[511:384] DATA (Pkt 0) IDLE
Table 54.  Crypto Egress Interface Showing Bypass Packet
TID[31:26] - Stream ID Packet 1 X X
TID[25:16] - Channel Packet 1 X X
TID[15:10] - Stream Packet 0 0 0
TID[9:0] - Channel Packet 0 23 6
Data[127:0] DATA (Pkt 0) DATA (Pkt 0)
Data[255:128] DATA (Pkt 0) DATA (Pkt 0)
Data[383:256] DATA (Pkt 0) MAC (Discard)
Data[511:384] DATA (Pkt 0) IDLE