MACsec Intel® FPGA IP User Guide

ID 736108
Date 3/31/2024
Public

1.2.1. IP Description

This section describes the MACsec IP, which provides data confidentiality and integrity for the Ethernet protocol. MACsec is commonly used to secure data between the cloud and data centers, or between secure IoT devices on a LAN.

The MACsec IP is a highly parameterizable block that provides a cost-effective turnkey solution by leveraging scalability. The MACsec IP shares infrastructure and interfaces with other FPGA IPs, for example, the AXI-ST and AXI-Lite buses. This allows the MACsec IP to be assembled seamlessly with other FPGA IPs into a coherent FPGA design.

The MACsec IP provides:
  • IEEE Std 802.1AE-2018 compliance
  • Support for all cipher suites (GCM-AES-128/256, GCM-AES-XPN-128/256)
  • SecTAG and ICV insertion/removal
  • Options for VLAN tags in Clear Text (integrity protected only) or VLAN tags in Secure Data (confidential and integrity protected)
  • Support for stream interleaving on User/AES interface
  • Support for Controlled and Uncontrolled ports
  • Support for Confidentiality Offset for GCM-AES-128/256 cipher suites (non-XPN versions)
  • Support for 2 Tx and 2 Rx security channels (SC) per port
  • 4 Security Associations (SA) per SC
  • Scalable architecture provides seamless integration with ICA AES-GCM HIP for best performance, area, and latency.
  • User packet bypass metadata to support PTP use cases
  • Optional Rx Replay Protection Check based on Replay Window, Lowest Acceptable PN, or Next PN
  • 64-bit MACsec statistics counters, per the MACsec specification, on each SC and SA
  • Standard interfaces with AMBA-compliant protocol:
    • AXI4 Stream interfaces for the tile and application logic paths
    • AXI-Lite interfaces for the management paths