Visible to Intel only — GUID: cnj1655595890682
Ixiasoft
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Functional Description
6. Configuration Registers for MACsec IP
7. MACsec Intel® FPGA IP Example Design
8. MACsec Intel FPGA IP User Guide Archives
9. Document Revision History for the MACsec Intel FPGA IP User Guide
2.2.1.1. Common Port Mux Interface
2.2.1.2. Common Port Demux Interface
2.2.1.3. Controlled Port Mux Interface
2.2.1.4. Controlled Port Demux Interface
2.2.1.5. Uncontrolled Port RX Interface
2.2.1.6. Uncontrolled Port TX Interface
2.2.1.7. Crypto RX Interface
2.2.1.8. Crypto TX Interface
2.2.1.9. Management Interface
2.2.1.10. Decrypt Port Mux Management Interface
2.2.1.11. Decrypt Port Demux Management Interface
2.2.1.12. Encrypt Port Mux Management Interface
2.2.1.13. Encrypt Port Demux Management Interface
2.2.1.14. Crypto IP Management Bus
2.2.1.15. Miscellaneous Control Signals
2.2.2.1. Common Port Mux Interface Waveform
2.2.2.2. Common Port Demux Interface Waveform
2.2.2.3. Controlled Port Mux Interface Waveform
2.2.2.4. Controlled Port Demux Interface Waveform
2.2.2.5. Uncontrolled Port RX Interface Waveform
2.2.2.6. Uncontrolled Port TX Interface Waveform
2.2.2.7. Crypto RX Waveform
2.2.2.8. Crypto TX Waveform
2.2.2.9. MACsec Management Interface (Read)
2.2.2.10. MACsec Management Interface (Write)
Visible to Intel only — GUID: cnj1655595890682
Ixiasoft
5.5. Decryption Framer/Deframer
The Decryption Framer/Deframer is responsible for performing deframing on the packet, which arrives after SA lookup and when the packet returns from the Crypto AES through the packet disaggregator.
Below is a list of features implemented in the Decryption Framer/Deframer:
- Upon packet arrival from SA lookup, channel allocation is performed by sending a key to the Crypto AES to allocate a new channel.
- ICV is extracted from the packet payload and sent through the AXI-ST TUSER.auth_tag signal.
- XPN recovery is performed if XPN_MODE = 1
- SA lookup result is packed into the packet payload, for example, IV, AAD.
- IV – {SCI, PN[31:0]} when XPN_MODE = 0
- IV – {SSCI XOR SALT[95:64], SALT[63:0] XOR PN[63:0]} when XPN_MODE = 1
- AAD – {Destination MAC Address, Source MAC Address, VLAN tag (In Clear), MACSEC Header}
- AAD_Length = 6 (DMAC) + 6 (SMAC) + (0 or 4, depending on VLAN tag) + (8 or 16 SecTAG depending on SCI existence) + GLOBAL_CONFID_OFF CSR
- The tlast_empty ppmetadata indication is received from the Multi Interface Buffering Mux and rotation buffer data is submitted to Crypto without waiting for subsequent packet for data packing.
- The packet bypasses without decryption when the following conditions are met:
- validaFrames != strict, no SecTAG is detected on the packet.
- validateFrames = NULL
- validateFrames = DISABLED and C bit is not set.
- The user packet bypasses metadata storing per stream/port and is pending for the returned packet.
- Packet metadata carries error indication for the packet entering and leaving the MACsec IP.
- After the packet returns from the Crypto AES through the Packet Disaggregator, error handling is performed on the returned packet.
- SecTAG and ICV are removed from the returned packet if no error is detected.
- User packet bypass metadata is extracted from stream/port FIFO and associated with the returned packet based on the stream/port ID.