1. Introduction
| Updated for: |
|---|
| Intel® Quartus® Prime Design Suite 23.1 |
As shown in the figure above, each node has at least one unidirectional secure channel (transmitter to receiver). Each secure channel is associated with an identifier called the Secure Channel Identifier (SCI). Each node that expects to receive the traffic sent through a particular transmit secure channel must be configured with a matching receive secure channel, whose SCI corresponds to the SCI of the peer's transmit secure channel. The control logic that maintains the key look-up tables stores the keys indexed by SCI. If the incoming packet does not carry the optional SCI field, the receiver forms a local SCI from the received destination MAC address together with a fixed port number, and uses that for the look-up.
Within each secure channel (both transmit and receive), secure associations are defined. Each secure association has a corresponding Secure Association Key (SAK) and is identified by the Association Number (AN) field of the SecTAG header. Secure associations have a limited lifetime, so both sides must establish a new secure association and switch to it before the old one expires. This is called key rotation. The MACsec 802.1AE protocol does not cover the key exchange between a key server within the LAN and its key clients; that is defined by a separate standard, IEEE 802.1X for port-based network access control, whose MACsec Key Agreement (MKA) protocol distributes the SAKs.
A MACsec packet starts with an Ethernet header whose EtherType is 0x88E5. This is followed by the MACsec SecTAG, which carries the information the receiver needs to identify the decryption key (SCI and AN) as well as a packet number (PN) used for replay protection. Within each secure association, replay protection is performed by checking the Packet Number field of the SecTAG against the packet number tracked locally. For strict reception ordering and replay protection, the replay protection window is set to 0. A non-zero replay window is necessary to support the use of MACsec over provider networks that reorder frames; frames within the window can be received out of order. Each MACsec packet has a unique sequential packet number, and each packet number can only be used once within a given secure association. A secure association retires once the packet number reaches the maximum possible or programmed value, at which point the key must already have been rotated.
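The following is an added example, not code from the Intel example design or its MACsec IP software. It shows the mechanics described in the three paragraphs above in Python: parsing the SecTAG (EtherType 0x88E5, TCI/AN byte, SL byte, 32-bit PN, optional 8-byte SCI), deriving a local SCI from the destination MAC plus a fixed port number when the SCI field is absent (the port value 0x0001 is an assumption), the 802.1AE lowest-acceptable-PN replay rule for both a strict window of 0 and a non-zero window, and retirement of a secure association once the PN space is exhausted. The frames are constructed inline for illustration; 64-bit XPN cipher suites are not handled.

```python
"""MACsec SecTAG parsing and 802.1AE-style replay checks (added example)."""
import struct

MACSEC_ETHERTYPE = 0x88E5
PN_MAX = 0xFFFFFFFF           # 32-bit PN; XPN (64-bit) cipher suites are not covered here
IMPLICIT_PORT_ID = 0x0001     # assumed fixed port number used to build a local SCI

# TCI/AN byte layout: V(bit7) ES(6) SC(5) SCB(4) E(3) C(2) AN(bits1:0)
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def parse_sectag(frame: bytes) -> dict:
    """Return the SecTAG fields and the offset at which the secure data begins."""
    if len(frame) < 20:
        raise ValueError("frame too short for an Ethernet header plus SecTAG")
    dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError(f"not a MACsec frame (EtherType 0x{ethertype:04X})")
    tci_an, short_len = frame[14], frame[15]
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    pn = struct.unpack("!I", frame[16:20])[0]
    offset = 20
    if tci_an & TCI_SC:
        if len(frame) < offset + 8:
            raise ValueError("SC bit set but the explicit SCI is truncated")
        sci = frame[offset:offset + 8]
        offset += 8
    else:
        # No explicit SCI: form the local SCI from the received destination MAC
        # plus a fixed port number (the port value is an assumption in this example).
        sci = dst + struct.pack("!H", IMPLICIT_PORT_ID)
    return {
        "an": tci_an & 0x03,          # selects the SA (and thus the SAK) within the SC
        "sci": sci,                   # selects the SC in the key look-up table
        "pn": pn,
        "encrypted": bool(tci_an & TCI_E),
        "changed": bool(tci_an & TCI_C),
        "short_length": short_len,
        "secure_data_offset": offset,
    }


class ReceiveSA:
    """Replay state for one receive SA. replay_window == 0 means strict ordering."""

    def __init__(self, replay_window: int = 0):
        self.replay_window = replay_window
        self.next_pn = 1              # PN expected next; PN 0 is never valid
        self.in_use = True

    def accept(self, pn: int) -> bool:
        """802.1AE rule: accept if pn >= lowest acceptable PN, then advance next_pn.

        With a non-zero window, reordered frames inside the window are accepted,
        but this rule alone does not detect a duplicate that also lies inside the
        window; tracking individual PNs would be an extension beyond 802.1AE.
        """
        if not self.in_use or pn == 0:
            return False
        lowest_pn = max(1, self.next_pn - self.replay_window)
        if pn < lowest_pn:
            return False              # replayed, or older than the window allows
        self.next_pn = max(self.next_pn, pn + 1)
        if pn == PN_MAX:
            self.in_use = False       # SA retired: PN space exhausted, rotate keys
        return True


class TransmitSA:
    """Issues packet numbers for one transmit SA; every PN is used exactly once."""

    def __init__(self, start_pn: int = 1):
        self.next_pn = start_pn

    def allocate_pn(self):
        """Return the next PN, or None once the SA must be retired."""
        if self.next_pn > PN_MAX:
            return None
        pn, self.next_pn = self.next_pn, self.next_pn + 1
        return pn


# Constructed sample frames (illustrative addresses, not from the page).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")


def build_frame(tci_an: int, pn: int, sci: bytes = b"", payload: bytes = b"\xAA" * 16) -> bytes:
    short_len = len(payload) if len(payload) < 48 else 0   # SL is 0 for payloads >= 48 bytes
    return DST + SRC + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, short_len, pn) + sci + payload


FRAME_EXPLICIT_SCI = build_frame(TCI_SC | TCI_E | TCI_C | 0x01, 5, sci=SRC + b"\x00\x01")
FRAME_IMPLICIT_SCI = build_frame(TCI_E | TCI_C | 0x02, 7)

if __name__ == "__main__":
    for f in (FRAME_EXPLICIT_SCI, FRAME_IMPLICIT_SCI):
        print(parse_sectag(f))
```

The receive side looks up the SC by `sci` and the SA by `an`, then applies `ReceiveSA.accept` before decryption is trusted; the transmit side stops issuing PNs from `TransmitSA` well before `PN_MAX` so the peer has switched to the new AN by the time the old one retires.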
The MACsec system-level example design provides a starting point for your application development. It helps shorten your design cycle so that you can invest your resources in adding unique value to your product. Currently, only the MACsec IP is released in Quartus Prime, without any integrated MACsec software. When using the stand-alone MACsec IP, you must integrate it with your own MACsec software for both the data path and the control path to make the solution functional.
This design demonstrates the key integrated components of the Intel Agilex 7 FPGA, which supports IPs such as the PCIe Endpoint HIP, MCDMA, Crypto HIP, MACsec, and Ethernet MAC HIP. It presents an example of an inline MACsec function between two host systems on a LAN connected through a QSFP link, with the Ethernet MACs configured for 25G or 100G. The whole system is arranged on a single development kit (DevKit) that hosts multiple MAC and MACsec IPs. A host machine connected through the PCIe interface is configured with two virtual machines (VMs), each tied to one PCIe physical function (PF) and each driving its data and control paths independently. Software running on the host also provides a command line interface (CLI) for user-specific testing.