MACsec Intel® FPGA IP User Guide

ID 736108
Date 10/02/2023
Public


5.1.6. Port and Crypto Channel Mapping

The following table shows the mapping between the MACsec IP Common/Controlled port, SA, and crypto channel number. Encryption and decryption Common/Controlled ports should each use a different TID so that each references a different SA entry. For example, traffic on encryption Common/Controlled port 0 can use TID = 0 and traffic on decryption Common/Controlled port 0 should use another TID = 1, because the Crypto QHIP cannot handle interleaved encryption and decryption within the same stream.

When both the MAX_CRYPTO_CH and MAX_CTRL_PORT parameters are configured to non-default values, the Crypto channels assigned to each port/stream follow the table below. For example, if MAX_CRYPTO_CH = 1024 and MAX_TX_TID = 32, Crypto channels assigned to Tx port/stream 0 (Tx TID = 0) are 0 – 7 and 256 – 263.
Table 32.  Mapping between MACsec Common/Controlled SA and Crypto Channel

| Port (Identify through AXI-ST TID[5:0]) | SA (for each $port (0 .. (MAX_CRYPTO_CH/16 -1))) | Crypto Channel Number |
|---|---|---|
| Tx Port i (TID = $port mod MAX_TX_TID) | TX_LANE_SC0_SA0_*[$port] | 0 + ($port * 8) |
| | TX_LANE_SC0_SA1_*[$port] | 1 + ($port * 8) |
| | TX_LANE_SC0_SA2_*[$port] | 2 + ($port * 8) |
| | TX_LANE_SC1_SA3_*[$port] | 3 + ($port * 8) |
| | TX_LANE_SC1_SA0_*[$port] | 4 + ($port * 8) |
| | TX_LANE_SC1_SA1_*[$port] | 5 + ($port * 8) |
| | TX_LANE_SC1_SA2_*[$port] | 6 + ($port * 8) |
| | TX_LANE_SC1_SA3_*[$port] | 7 + ($port * 8) |

The table below shows the port/stream to Crypto channel assignment equation. For example, if MAX_CRYPTO_CH = 1024 and MAX_TX_TID = 32, Crypto channels assigned to Rx port/stream 0 (Rx TID = 0 after offset) are 512 – 527 and 768 – 774.
Table 33.  Crypto Channel Assignment Equation

| Port (Identify through AXI-ST TID[5:0]), RX request TID is after offset which starts at 0 | SA (for each $port (0 .. (MAX_CRYPTO_CH/16 -1))) | Crypto Channel Number |
|---|---|---|
| Rx Port i (TID = $port mod (MAX_CTRL_PORT - MAX_TX_TID)) | RX_LANE_SC0_SA0_*[$port] | 0 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC0_SA1_*[$port] | 1 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC0_SA2_*[$port] | 2 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC0_SA3_*[$port] | 3 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC1_SA0_*[$port] | 4 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC1_SA1_*[$port] | 5 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC1_SA2_*[$port] | 6 + (MAX_CRYPTO_CH/2 + ($port * 8)) |
| | RX_LANE_SC1_SA3_*[$port] | 7 + (MAX_CRYPTO_CH/2 + ($port * 8)) |

The SADB is organized per port up to a maximum of 64 ports. Each port is assigned 2 Tx SCs (4 Tx SAs) and 2 Rx SCs (4 Rx SAs), and the lookup on the port SCs/SAs is done using the stream ID (AXI-ST TID) of the request. Since the Tx and Rx ports cannot share the same stream ID, half of the SAs are wasted. For example, Tx port requests cannot look up Rx SAs and Rx port requests cannot look up Tx SAs. RX back pressure is expected with UCP traffic.

To overcome this issue, an offset is applied to the Rx port request stream ID before the lookup is performed. The Rx port request stream ID always starts from 0 after the offset is applied. MAX_CRYPTO_CH, which specifies the maximum number of Crypto channel IDs supported by the MACsec IP, is evenly distributed between the Tx and Rx ports. All Rx ports are further divided as MAX_CRYPTO_CH/2 channel IDs per Rx port. The number of Crypto channels assigned to each Tx port remains the same, which is 8.

Example 1:

Assuming 32 Tx ports and 32 Rx ports (MAX_TX_TID = 32, MAX_CTRL_PORT = 64, MAX_CRYPTO_CH = 1024):
  • Channel IDs assigned to Tx ports = 0 – 512
  • Channel IDs assigned to Rx ports = 512 – 1023
  • 32 Tx ports stream ID = 0 – 31
  • 32 Rx ports stream ID = 32 – 63

Before the SA lookup, MAX_TX_PORT (32) is subtracted from each of the 32 Rx port stream IDs. The final Rx port stream IDs used for the SA lookup are 0 – 31.

Table 34.  SADB

| Port | Stream ID | SADB SC/SA | Channel ID |
|---|---|---|---|
| Tx Port | 0 | TX_LANE_SC*_SA*_*[0] | 0 – 7, 256 – 263 |
| Rx Port | 32 | RX_LANE_SC*_SA*_*[0,32] | 512 – 519, 768 – 774 |
| Tx Port | 1 | TX_LANE_SC*_SA*_*[1] | 8 – 15, 264 – 271 |
| Rx Port | 33 | RX_LANE_SC*_SA*_*[1,33] | 520 – 527, 775 – 783 |
| : | | | |
| Tx Port | 31 | TX_LANE_SC*_SA*_*[31] | 248 – 255, 504 – 511 |
| Rx Port | 63 | RX_LANE_SC*_SA*_*[31,63] | 760 – 767, 1016 – 1023 |
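
The equations of Tables 32 and 33 and the Rx TID offset, worked as an added Python example (not part of the Intel user guide or the IP deliverables). The function names are hypothetical; the parameter names and the Example 1 values come from this section, and the check confirms that no Crypto channel is shared between an encryption and a decryption stream.

```python
# Added example: channel calculator for Tables 32 and 33 (not Intel code).
# Function names are hypothetical; parameter names follow the user guide.

def tx_channels(tid, max_crypto_ch, max_tx_tid):
    """Channels for Tx stream `tid`: k + ($port * 8), TID = $port mod MAX_TX_TID."""
    if not 0 <= tid < max_tx_tid:
        raise ValueError(f"TID {tid} is not a Tx stream")
    ports = [p for p in range(max_crypto_ch // 16) if p % max_tx_tid == tid]
    return [k + p * 8 for p in ports for k in range(8)]

def rx_channels(raw_tid, max_crypto_ch, max_ctrl_port, max_tx_tid):
    """Channels for Rx stream `raw_tid` (AXI-ST TID before the offset)."""
    if not max_tx_tid <= raw_tid < max_ctrl_port:
        raise ValueError(f"TID {raw_tid} is not an Rx stream")
    tid = raw_tid - max_tx_tid            # Rx lookup TID starts at 0 after offset
    n_rx = max_ctrl_port - max_tx_tid
    ports = [p for p in range(max_crypto_ch // 16) if p % n_rx == tid]
    return [k + max_crypto_ch // 2 + p * 8 for p in ports for k in range(8)]

def channel_owners(max_crypto_ch, max_ctrl_port, max_tx_tid):
    """Map every channel to its (direction, raw TID); fail on any sharing."""
    owners = {}
    for raw_tid in range(max_ctrl_port):
        if raw_tid < max_tx_tid:
            direction, chans = "tx", tx_channels(raw_tid, max_crypto_ch, max_tx_tid)
        else:
            direction, chans = "rx", rx_channels(raw_tid, max_crypto_ch, max_ctrl_port, max_tx_tid)
        for ch in chans:
            if not 0 <= ch < max_crypto_ch:
                raise ValueError(f"channel {ch} out of range for TID {raw_tid}")
            if ch in owners:
                raise ValueError(f"channel {ch} shared by {owners[ch]} and {(direction, raw_tid)}")
            owners[ch] = (direction, raw_tid)
    return owners

def as_ranges(chans):
    """Collapse a sorted channel list into inclusive (first, last) ranges."""
    ranges = []
    for ch in chans:
        if ranges and ch == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], ch)
        else:
            ranges.append((ch, ch))
    return ranges

if __name__ == "__main__":
    cfg = dict(max_crypto_ch=1024, max_tx_tid=32)   # Example 1 values
    print("Tx TID 0 :", as_ranges(tx_channels(0, **cfg)))
    print("Rx TID 32:", as_ranges(rx_channels(32, max_ctrl_port=64, **cfg)))
    print(len(channel_owners(1024, 64, 32)), "channels, none shared between streams")
```

The equations assign eight consecutive channels per $port, so the calculator reports the second Rx block for stream 32 as 768 to 775.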

Below are examples of a few possible configurations:

1 full duplex Ethernet port (port 0, Encrypt or Decrypt):
  • MAX_CTRL_PORT = 2, MAX_TX_TID = 1
  • Ethernet Port 0 Rx > Port Mux (TID = 0) > MACSEC IP > Port Demux (TID = 0) > Ethernet Port 0 Tx
2 full duplex Ethernet ports (port 0 - (Encrypt), port 1 - (Decrypt)):
  • MAX_CTRL_PORT = 2, MAX_TX_TID = 1
  • Ethernet Port 0 Rx > Port Mux (TID = 0) > MACSEC IP > Port Demux (TID = 0) > Ethernet Port 0 Tx
  • Ethernet Port 1 Rx > Port Mux (TID = 1) > MACSEC IP > Port Demux (TID = 1) > Ethernet Port 1 Tx
3 full duplex Ethernet ports (port 0,1 - (Encrypt), port 2 - (Decrypt)):
  • MAX_CTRL_PORT = 4, MAX_TX_TID = 2
  • Ethernet Port 0 Rx > Port Mux (TID = 0) > MACSEC IP > Port Demux (TID = 0) > Ethernet Port 0 Tx
  • Ethernet Port 1 Rx > Port Mux (TID = 1) > MACSEC IP > Port Demux (TID = 1) > Ethernet Port 1 Tx
  • Ethernet Port 2 Rx > Port Mux (TID = 2) > MACSEC IP > Port Demux (TID = 2) > Ethernet Port 2 Tx
4 full duplex Ethernet ports (port 0,1 - (Encrypt), port 2,3 - (Decrypt)):
  • MAX_CTRL_PORT = 4, MAX_TX_TID = 2
  • Ethernet Port 0 Rx > Port Mux (TID = 0) > MACSEC IP > Port Demux (TID = 0) > Ethernet Port 0 Tx
  • Ethernet Port 1 Rx > Port Mux (TID = 1) > MACSEC IP > Port Demux (TID = 1) > Ethernet Port 1 Tx
  • Ethernet Port 2 Rx > Port Mux (TID = 2) > MACSEC IP > Port Demux (TID = 2) > Ethernet Port 2 Tx
  • Ethernet Port 3 Rx > Port Mux (TID = 3) > MACSEC IP > Port Demux (TID = 3) > Ethernet Port 3 Tx
4 full duplex Ethernet ports (port 0,1,2 - (Encrypt), port 3 - (Decrypt)):
  • MAX_CTRL_PORT = 4, MAX_TX_TID = 3
  • Ethernet Port 0 Rx > Port Mux (TID = 0) > MACSEC IP > Port Demux (TID = 0) > Ethernet Port 0 Tx
  • Ethernet Port 1 Rx > Port Mux (TID = 1) > MACSEC IP > Port Demux (TID = 1) > Ethernet Port 1 Tx
  • Ethernet Port 2 Rx > Port Mux (TID = 2) > MACSEC IP > Port Demux (TID = 2) > Ethernet Port 2 Tx
  • Ethernet Port 3 Rx > Port Mux (TID = 3) > MACSEC IP > Port Demux (TID = 3) > Ethernet Port 3 Tx
4 simplex Ethernet ports (port 0,1,5,6 - (Encrypt), port 2,3,7,8 - (Decrypt)):
  • MAX_CTRL_PORT = 4, MAX_TX_TID = 2
  • Ethernet Port 0 Rx > Port Mux (TID = 0) > MACSEC IP > Port Demux (TID = 0) > Ethernet Port 5 Tx
  • Ethernet Port 1 Rx > Port Mux (TID = 1) > MACSEC IP > Port Demux (TID = 1) > Ethernet Port 6 Tx
  • Ethernet Port 2 Rx > Port Mux (TID = 2) > MACSEC IP > Port Demux (TID = 2) > Ethernet Port 7 Tx
  • Ethernet Port 3 Rx > Port Mux (TID = 3) > MACSEC IP > Port Demux (TID = 3) > Ethernet Port 8 Tx