Protocol aware MACsec Packet Engine with classifier and in-line interface for Single Channel Ethernet.
1..100Gbps, programmable rules, no CPU required, supports all IEEE MACsec requirements.
Supported by Driver Development Kit, QuickSec MACsec toolkit.
MACsec is ideally positioned to provide secure WAN (Layer-2) interconnect without the need for routing, allowing networks to be secured from the Inside Secure. MACsec-IP-160 use cases include: protecting links for cloud computing, data center interconnect, network appliances providing enterprise layer 2 security, automotive interconnect, ethernet PHY devices with embedded MACsec support, end-station security solutions for laptops, PCs, printers and network servers.
The MACsec-IP-160 is a MACsec engine with integrated VLAN and MACsec packet classification logic and all required statistics counters. The available MACsec-IP-160 configurations cover the applications ranging from 1 Gbps to 100 Gbps. The MACsec-IP-160 is designed to be integrated with an Ethernet MAC to form a plug-in MACsec solution between the system and an Ethernet MAC, or with two Ethernet MACs to form a plug-in MACsec solution between an existing Ethernet MAC (“system-side”) and an existing Ethernet PHY (“line-side”). A handshaked host bus interface is used to control the MAC-IP-160. Full duplex MACsec solutions comprise of an ingress (MACsec-IP-160i) and an egress (MACsec-IP-160e) core, each capable of line speed processing.
- MACsec-IP-160s: 1Gbps FDX @125MHz, 220K+190K gates.
- MACsec-IP-160a: 10Gbps FDX @312.5MHz, 430K+395K gates.
- MACsec-IP-160b: 20Gbps FDX @312.5MHz, 520K+490K gates.
- MACsec-IP-160c: 40Gbps FDX @468.75MHz, 640K+610K gates.
- MACsec-IP-160d: 100Gbps FDX @468.75MHz, 1550K+1470K gates.
- The gate counts are highly affected by the number of supported SAs. Data is provided for 16SAs, more SAs up to 256 per direction can be supported.
- Frequencies up to 800Mhz ASIC and 200MHz FPGA are supported.
- Silicon-proven implementation.
- Fast and easy to integrate into SoCs.
- Flexible layered design.
- Complete range of configurations.
- World-class technical support.
- Driver Development Kit.
- VLAN and Q-in-Q tag detection.
- MACsec tag detection and sub-classification (absent, valid, invalid and KaY frame).
- MACsec tag after VLAN detection.
- Programmable “control frame” classification.
- 16 to 128 (16 to 256 for EIP-160d)-entry programmable rule lookup with attached operation selection (drop, bypass, MACsec process) and SA information for the MACsec processing.
- 8-entry programmable non-matching flow operation selection (drop, bypass), depending on MACsec tag sub-classification and control frame classification.
- Explicit classification feature, allowing for external selection of the processing flow while ignoring the internal classification.
- Cut-through processing support, resulting in a latency that is below 176 ns in both directions, including MACsec transformation, at 312.5 MHz.
- Latency is configurable, allowing constant start-of-frame latency for all types of transformations.
MACsec Processing Features:
- IEEE 802.1AE , 802.1AEbn, IEEE 802.1AEbw compliant.
- All cipher suites supported (GCM-AES-128/256, GCM-AES-XPN-128/256).
- MACsec transform with the VLAN Tag bypassing.
- Statistics counter support (64 bits for frame & octet counters), in saturating or wrapping mode (programmable).
- Programmable confidentiality offset (0..127 Bytes).
- SecTAG insertion and removal.
- ICV checking/removal and calculation/insertion.
- Packet number generation and checking.
- Post-processing controls frame and octet statistics counters at global, SA and VLAN (User Priority) levels.
- Hardware offload for the nextPN and lowestPN update from the host (KaY)
Ingress Path Consistency Checking
- Performed on bypassed and MACsec processed frames.
- 16 to 128 (16 to 256 for EIP-160d)-entry programmable matching table with separate drop/transfer decisions.
- Separate drop/transfer decision for control/non-control frames in case of non-match.
- Transparent synchronized transfer of LPidle (IEEE Std. 802.1az) and line/local/remote fault detection signals through the processing engine.
- MTU checking (and optional oversize dropping) dependent on VLAN User Priority level for VLAN frames. Separate check for non-VLAN frames.
- Local interrupt controller to combine internal interrupts into one interrupt output.
- Separate internal interrupt events (if external interrupt controller is used)
- Support for AES-ECB, AES-CTR, AES-GCM/GMAC transformation for FIPS certification of the crypto core.
- A pass-through bus on which data is passed unmodified along with the packet (its width is compile-time configurable).
- An output interface to indicate the number of bytes added/removed from the packet during processing.
- Debug registers to monitor and test critical logic.
- 40-bit wide debug output bus that can be used to monitor internal buses and states in real-time.
- 128-bit (512-bit for EIP-160d) wide streaming input frame data with side-band lpidle/error signaling.
- 128-bit (512-bit for EIP-160d) wide streaming output frame data with side-band lpidle/error signaling and classification result.
- 32-bit handshaked control register interface.
- On-chip RAM interface to single port (1RW)
- Transform Record RAM: 128 bits wide (384 bits wide for EIP-160d) with 32-bit word enables.
- On-chip RAM interface to two port (1R1W) statistics RAM: 64 bits wide.
- On-chip RAM interfaces allow Error Detection and
- Correction implementation (external to EIP-160).
- Set of test vectors for chip integration verification.
- Integration test vectors in a human-readable format.
- Python / Verilog based verification environment.
- 100% verification coverage.