MACsec Intel® FPGA System Design User Guide

Download PDF
ID 767516
Date 3/31/2024
Public
Document Table of Contents
Document Table of Contents x
1. Introduction 2. Architecture 3. Interface Overview 4. Parameters 5. Configuration Registers 6. Software Architecture 7. Generating the System Design 8. Document Revision History for MACsec System Design User Guide A. Release Notes
1. Introduction x
1.1. Terminology 1.2. Release Information 1.3. System Requirements
2. Architecture x
2.1. System Architecture 2.2. Data Path Between Ethernet MAC and MACsec 2.3. Data Path Between MACsec and MCDMA 2.4. Data Path Between MACsec and Packet Generator/Checker (Packet Client) 2.5. Data Path Illustrations 2.6. Interrupts 2.7. Packet FIFO 2.8. AXI-ST Rate Controller 2.9. Error Handling 2.10. Top Level Signals
2.2. Data Path Between Ethernet MAC and MACsec x
2.2.1. Ethernet Subsystem
2.2.1. Ethernet Subsystem x
2.2.1.1. Data Receiving from MACsec to E/F-Tile Hard IP 2.2.1.2. Data Transmitting from E/F-tile Hard IP to MACsec 2.2.1.3. Order of Ethernet Transmission 2.2.1.4. E/F-Tile Hard IP Reset Sequence
2.3. Data Path Between MACsec and MCDMA x
2.3.1. AXI-ST Multi-Segment to Single-Segment Conversion 2.3.2. MCDMA
2.4. Data Path Between MACsec and Packet Generator/Checker (Packet Client) x
2.4.1. Packet Client 2.4.2. Packet Generation and Check
2.5. Data Path Illustrations x
2.5.1. MACsec Interface Signal Names
2.6. Interrupts x
2.6.1. MCDMA MSI-X Table Configuration
3. Interface Overview x
3.1. Clocking 3.2. Resets
5. Configuration Registers x
5.1. System Register Map
5.1. System Register Map x
5.1.1. Packet Client Register Map 5.1.2. Interrupt Controller Register Map
6. Software Architecture x
6.1. MACsec Key Agreement Protocol 6.2. Driver Functional Requirements 6.3. Software Requirements 6.4. Software Overview 6.5. MACsec IP APIs Sequence 6.6. Functions 6.7. Software Tools
6.4. Software Overview x
6.4.1. McDMA Driver Kernel Module 6.4.2. MACsec IP APIs 6.4.3. Linux MACsec Driver Kernel Module 6.4.4. IP Tool 6.4.5. WPA Supplicant
6.4.2. MACsec IP APIs x
6.4.2.1. SDK
6.5. MACsec IP APIs Sequence x
6.5.1. MACsec Initialization Sequence
6.5.1. MACsec Initialization Sequence x
6.5.1.1. MACsec Reset Sequence 6.5.1.2. TX Configuration Sequence 6.5.1.3. RX Configuration Sequence 6.5.1.4. TX Rekeying Sequence 6.5.1.5. RX Rekeying Sequence 6.5.1.6. Cut Through/Store Forward Mode 6.5.1.7. User Single/Multi Port Settings 6.5.1.8. Encrypt/Decrypt Port 6.5.1.9. Port Priority 6.5.1.10. Interrupt Generation and Register
6.5.1.1. MACsec Reset Sequence x
6.5.1.1.1. GLOBAL Reset 6.5.1.1.2. PORT Reset 6.5.1.1.3. Secure Association (SA) Reset
6.6. Functions x
6.6.1. macsec_initilize 6.6.2. macsec_get_attributes 6.6.3. macsec_get_sa_attributes 6.6.4. macsec_set_attributes 6.6.5. macsec_set_sa_attributes 6.6.6. macsec_read_register 6.6.7. macsec_write_register 6.6.8. macsec_set_port_configuration 6.6.9. macsec_rate_configuration 6.6.10. macsec_single_or_multi_port 6.6.11. macsec_crypto_mode 6.6.12. macsec_port_priority 6.6.13. macsec_register_isr
6.7. Software Tools x
6.7.1. IP Tool 6.7.2. WPA_Supplicant 6.7.3. CLI Debug Tool
6.7.3. CLI Debug Tool x
6.7.3.1. Functional Requirements 6.7.3.2. Features Overview 6.7.3.3. Design with HOST 6.7.3.4. Netlink Interface 6.7.3.5. SDK 6.7.3.6. Design Overview
7. Generating the System Design x
7.1. Software Requirements 7.2. Obtaining the Reference Design 7.3. Reference Design Directory Structure 7.4. Simulation Command Arguments 7.5. Simulation Test Cases 7.6. Complete Simulation Command 7.7. Simulation Requirements 7.8. Running Non-UVM Simulation 7.9. Running UVM Simulation 7.10. Building, Installing, and Running the Software 7.11. Building the Hardware Design
7.4. Simulation Command Arguments x
7.4.1. Simulation -d Options
1. Introduction
2. Architecture
3. Interface Overview
4. Parameters
5. Configuration Registers
6. Software Architecture
7. Generating the System Design
8. Document Revision History for MACsec System Design User Guide
A. Release Notes

1. Introduction

Updated for:
Intel® Quartus® Prime Design Suite 23.4
MACsec was standardized in 2006 by the IEEE (standard IEEE 802.1AE-2006) as a point-to-point security protocol providing data confidentiality, integrity, and origin authenticity for traffic over Layer 2 links in a larger security ecosystem for ethernet LAN. In MACsec, packets flow over unidirectional secure channels (SC), which are supported by secure associations (SA). The secure associations each use a separate, randomly generated key.
Figure 1. Ethernet LAN with Number of Channels

As shown in the figure above, each node has at least one unidirectional secure channel (transmitter to receiver). Each secure channel is associated with an identifier called Secure Channel Identifier (SCI). Each node, which expects to receive the traffic sent through a particular transmit secure channel, must be configured with a matching receive secure channel. This receive secure channel must have an SCI corresponding to the SCI of the transmit secure channel of the peer. Control logic that maintains the key look-up tables stores the keys based on SCI. If the incoming packet does not have the optional SCI field, then the receiver MACsec frame uses a local SCI with the received destination MAC address along with a fixed port number.

Within each secure channel (both transmit and receive) secure associations are defined. Each secure association has a corresponding Secure Association Key and is identified by the Association Number (AN) field of the SecTAG header. Secure associations have a limited duration, hence both sides need to establish a new secure association and switch to it once the old one expires. This is called key rotation. MACsec 802.1AE protocol does not cover the key exchange between a key server within the LAN and any key client. There is another standard defined for this called "IEEE 802.1X for port-based network access control".

The figure above also indicates that on a receive node, a host (Host 4 in this example) can have multiple secure channels as the number of transmit nodes which can communicate with it (for ease of understanding, consider a dummy switch in between). This ensures that Host 3 would not be able to decrypt the communication between Host 1 and Host 4. Similarly Host 1 can’t decrypt the communication between Host 4 and Host 2 because of their secure channel number differentiation.
Figure 2. An Ethernet Frame Before and After MACsec Processing and Encryption

A MACsec packet starts with an Ethernet header with an EtherType of 0x88E5. This is followed by the MACsec SecTAG, which contains information that helps the receiver identify the decryption key, as well as a packet number (for replay protection). Within each secure association, replay protection can be performed by checking the Packet Number field of the SecTAG header against the packet number locally incremented. For strict reception ordering and replay protection, the replay protection window is to set to 0. A non-zero replay window is necessary to support the use of MACsec over provider networks that reorder frames. Frames within the window can be received out of order. Each MACsec packet has a unique sequential packet number and each packet number can only be used once in a given secure association. A secure association retires once the packet number reaches the maximum possible or programmed value.

After the SecTAG comes the payload, which can be encrypted, and the ICV (Integrity Check Value), which is compared against a re-generated one by the crypto algorithm being used to guarantee that the packet is indeed created by a node which is in possession of the key and has not been modified on the way.
Figure 3. Top Level Block Diagram of Reference Design

The MACsec system level example design provides you with a starting point for your application development. It can help accelerate your design cycle and enable you to invest your resources to add unique value to your product. Currently, only the MACsec IP is released in Quartus without any integrated MACsec software. When using the stand-alone MACsec IP, you need to integrate it with your own MACsec software for both the data path and control path to make your solution functional.

This design demonstrates the key integrated components of Intel Agilex 7 FPGA F-Series and I-Series which supports IPs such as PCIe Endpoint HIP, MCDMA, Crypto HIP, MACsec and Ethernet MAC HIP. It presents the example of an inline MACsec function between two host systems on a LAN connected through the QSFP link with Ethernet MACs configured to support 25G or 100G. The whole system is arranged in a single development kit (DevKit) which supports multiple MAC and MACsec IPs. A Host machine connected through the PCIe interface is configured as two Virtual Machines (VMs) tied to two PCIe PFs (physical functions), each driving the data and control paths independently. Software running on the host machines also enables CLI (Command Line Interface) for any user-specific testing.


Section Content
Terminology
Release Information
System Requirements

Level Two Title