Protocol aware MACsec Packet Engine with classifier and in-line interface for Multi Channel (Flex)Ethernet.

100..400..500Gbps, programmable rules, no CPU required, supports all IEEE MACsec and ClearTags requirements.

Supported by Driver Development Kit, QuickSec MACsec toolkit.

Product description

MACsec is ideally positioned to provide secure WAN (Layer 2) interconnect without the need for routing, allowing networks to be secured from the inside. MACsec-IP-163/164 use cases include protecting links for cloud computing, data center interconnect, and network appliances providing enterprise layer 2 security. Special VLAN tags as well as ClearTags frame formats are natively supported.

MACsec-IP-164 multi channel flow through MACsec Engines integration scheme

Full duplex MACsec solutions comprise three IP components per direction: the MACsec classifier (MACsec-IP-163), the MACsec transform engine (MACsec-IP-164) and the MACsec-IP-218 rate controller, each capable of line speed processing with rate control.

The MACsec-IP-166 is a MACsec engine with integrated VLAN and MACsec packet classification logic and all required statistics counters. The available MACsec-IP-166 configurations cover applications ranging from 100 Gbps to 400 Gbps, and 500 & 600Gbps with higher frequencies. The MACsec-IP-166 is designed to be integrated with one or more Ethernet MACs on the line side and optionally also on the system side (PHY designs). It supports up to 20 channels aggregating to 500Gbps (at 840MHz) with a granularity of 5Gbps for each individual channel. A handshaked host bus interface is used to control the MACsec-IP-166.

Performance/area (ingress/egress):

  • MACsec-IP-166d: 100Gbps FDX @468.75MHz.
  • MACsec-IP-166h: 400Gbps FDX @680MHz.
  • MACsec-IP-166h: 500Gbps FDX @840MHz.
  • MACsec-IP-166h: 600Gbps FDX @1008MHz.
  • The area is highly affected by the number of supported SAs and the choice of TCAM implementation. Please contact Inside Secure for details.
  • ASIC frequencies up to 1GHz are supported.
Other information

Key Benefits:

  • Silicon-proven implementation.
  • Fast and easy to integrate into SoCs.
  • Flexible layered design.
  • Complete range of configurations.
  • World-class technical support.
  • Driver Development Kit.

High Performance Multi Channel Support

  • 100Gbps @478.50MHz
  • 400Gbps @680MHz
  • 500Gbps @840MHz
  • Performance is given for all packet sizes & transformations with 8-byte average IPG for standard MACsec and mixed lengths for the extended modes.
  • Tolerant to any IPG value within a scope of the 1024-bit data path width.
  • Cut-through processing support, resulting in a minimum latency of 65 ns in both directions, including MACsec transformation, at 840 MHz.
  • Fixed latency is achieved per channel. Example: 100G and 400G reaching 54 ns and 48 ns respectively for the transformation and 20ns for the classification.
  • Time-sliced interface with up to 32 channels (20 channels by default).
  • Aggregate throughput of 400G to 500G depending on frequency.

Flexible Ethernet Support:

  • Full flexibility in aggregating Ethernet channels into FlexEthernet (FlexE).
  • Max FlexE channel rate equals the total aggregate throughput.
  • Supporting mixed FlexE and Ethernet cases.
  • Low-rate modes: individual channels can go to 10Mbit.
  • Each channel has two modes: MACsec and static bypass.
  • Supported Ethernet cases: 1x400G, 5x100G, 10x50G, 20x25G, 20x10G.
  • Mixed Ethernet cases: for example 1x400G + 1x100G.

Classification by MACsec-163:

  • Control Packet Detector with extensive set of programmable rules.
  • Header parser supporting up to 4 x VLAN tags with per-channel programmable settings.
  • MACsec parser with per-channel programmable Ethertype.
  • MACsec parsing after VLAN headers.
  • Input signals to provide classification results from external logic.
  • 8 x MAC DA fields to match.
  • 8 x innermost Ethertype fields to match.
  • 2 x combinations of MAC DA and Ethertype.
  • MAC DA range.
  • 44-bit MAC DA “constant” field to match.
  • 48-bit MAC DA “constant” field to match.
  • MACsec KaY packet.
  • Interface to bit-masked TCAM with 8-levels of priority.
  • Synthesizable, logic-based TCAM is included by default.
  • TCAM shell may be replaced with technology-optimized implementation.

MACsec Processing Features:

  • IEEE 802.1AE, 802.1AEbn, IEEE 802.1AEbw compliant.
  • All cipher suites supported (GCM-AES-128/256, GCM-AES-XPN-128/256).
  • MACsec extensions: passing up to 4 x VLAN tags in clear. ClearTags option.
  • Statistics counter support (64 bits for frame & octet counters), in saturating or wrapping mode (programmable).
  • Programmable confidentiality offset (0..127 Bytes).
  • SecTAG insertion and removal.
  • ICV checking/removal and calculation/insertion.
  • Packet number generation and checking.
  • Post-processing controls frame and octet statistics counters at global, SA and VLAN (User Priority) levels.
  • Hardware offload for the nextPN and lowestPN update from the host (KaY).

Ingress Path Consistency Checking

  • Performed on bypassed and MACsec processed frames.
  • 16 to 128 (16 to 256 for EIP-160d)-entry programmable matching table with separate drop/transfer decisions.
  • Separate drop/transfer decision for control/non-control frames in case of non-match.

Miscellaneous

  • Transparent synchronized transfer of LPidle (IEEE Std. 802.1az) and line/local/remote fault detection signals through the processing engine.
  • MTU checking (and optional oversize dropping) dependent on VLAN User Priority level for VLAN frames. Separate check for non-VLAN frames.
  • Local interrupt controller to combine internal interrupts into one interrupt output.
  • Separate internal interrupt events (if external interrupt controller is used).
  • Support for AES-ECB, AES-CTR, AES-GCM/GMAC transformation for FIPS certification of the crypto core.
  • A pass-through bus on which data is passed unmodified along with the packet (its width is compile-time configurable).
  • An output interface to indicate the number of bytes added/removed from the packet during processing.

Debug Features:

  • Debug registers to monitor and test critical logic.
  • 40-bit wide debug output bus that can be used to monitor internal buses and states in real-time.

Interfaces:

  • 1024-bit packet interface with channel ID per data word.
  • Internal buffering protects against underruns caused by packet modifications with MACsec.
  • A pass-through bus on which data is passed unmodified along with the packet (its width is compile-time configurable).
  • An output interface to indicate the number of bytes added to the packet during processing.
  • Transparent synchronized transfer of line/local/remote fault detection signals through the processing engine.
  • Passing low-power pseudo frame indication.
  • 32-bit handshaked control register interface.
  • On-chip RAM interfaces. Allow Error Detection and Correction implementation (external to the core).
  • On-chip RAM interface has input to handle the uncorrectable ECC errors and count uncorrectable and correctable errors.
  • Local interrupt controller to combine internal interrupts and per-channel interrupts into one interrupt output.
  • Interface to external CAM (optional). By default, RxSC CAM is implemented internally in registers.

Verification

  • Set of test vectors for chip integration verification.
  • Integration test vectors in a human-readable format.
  • Python / Verilog based verification environment.
  • 100% verification coverage.