MACsec Intel® FPGA IP User Guide

ID 736108
Date 3/31/2024
Public
5.7. Cryptographic AES

The diagram below shows the egress packet flow using a MACsec pattern profile. The profile uses a single 256-bit or 128-bit key in a GCM encrypt (+ authenticate) or decrypt (+ authenticate) operation.
Figure 29. Egress Packet Flow Using MACsec Pattern Profile (with a Single 256 Bit or 128 Bit Key)

Additional Authenticated Data (AAD) is the GCM input that is authenticated but not encrypted or decrypted. For this traffic pattern, the supported AAD length is 2^32 bytes.

Data or text is the clear text or the cipher text, that is, the data that requires encryption or decryption. The size of this data can be up to the maximum allowed by GCM, which is 2^32 bits.

The initialization vector (IV) is required for every GCM operation. It is 96 bits in length for this pattern.

The diagram below shows the egress packet flow using a MACsec pattern profile. The 16B ICV is dropped into Crypto QHIP and not sent back to the MACsec IP. Only the ICV comparison result (TUSER.auth_error) is sent back to the MACsec IP.
Figure 30. Egress Packet Flow Using MACsec Pattern Profile (with 16B ICV Dropped into Crypto QHIP)
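
The following Go program is an added software illustration of the GCM operation this section describes; it is not taken from the user guide and is not the IP's own code. `Protect`, `Validate`, `newGCM` and `authError` are hypothetical names (`authError` stands in for TUSER.auth_error), and the key, IV, AAD and payload are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// newGCM enforces the sizes this profile states: 128- or 256-bit key, 96-bit IV.
func newGCM(key, iv []byte) (cipher.AEAD, error) {
	if (len(key) != 16 && len(key) != 32) || len(iv) != 12 {
		return nil, fmt.Errorf("need 128/256-bit key and 96-bit IV, got %d/%d bits", 8*len(key), 8*len(iv))
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk) // standard GCM: 96-bit nonce, 16-byte tag
}

// Protect is GCM encrypt + authenticate: aad is authenticated only, text is encrypted.
func Protect(key, iv, aad, text []byte) (ct, icv []byte, err error) {
	g, err := newGCM(key, iv)
	if err != nil {
		return nil, nil, err
	}
	out := g.Seal(nil, iv, text, aad) // ciphertext followed by the 16-byte ICV
	return out[:len(text)], out[len(text):], nil
}

// Validate is GCM decrypt + authenticate: the ICV is consumed here, only a flag comes back.
func Validate(key, iv, aad, ct, icv []byte) (text []byte, authError bool) {
	g, err := newGCM(key, iv)
	if err != nil {
		return nil, true
	}
	text, err = g.Open(nil, iv, append(append([]byte{}, ct...), icv...), aad)
	return text, err != nil
}

func main() {
	key, iv := make([]byte, 32), make([]byte, 12) // constructed values, demo only
	aad, text := []byte("hdr-constructed"), []byte("payload-constructed")
	ct, icv, _ := Protect(key, iv, aad, text)
	aad[0] ^= 1 // one flipped AAD bit must fail authentication
	_, authErr := Validate(key, iv, aad, ct, icv)
	fmt.Printf("icv=%d bytes, auth_error after AAD tamper=%v\n", len(icv), authErr)
}
```

The AAD never appears in the ciphertext, yet changing it raises the error flag, which is the authenticate-only behaviour described for AAD above.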