IEEE 802.1ae (MACsec) 100G Security Processor with Avalon-ST Interface
Overview
Implementation of the new LAN security standard IEEE 802.1ae (MACsec) requires the NIST standard AES cipher in the GCM mode for encryption and message authentication, as well as header parsing and formatting operations on the transmitted and received packets. MACsec Security Processor (MSP) IP cores by IP Cores, Inc. are designed for high data rates and implement complete line-rate packet processing with no per-packet CPU intervention. The MSP10-512/256 cores are tuned for 100 Gbps applications on modern FPGAs that require 256-bit AES keys.
The design is fully synchronous and available as RTL source code.
Key Features
- Small size combined with high performance: 100 Gbps performance at 315 MHz clock rate
- Self-contained
- Back-to-back packet processing
- 64 bytes shortest packet at full data rate
- Low latency: 48 clocks input-to-output
- Two cores: MSP10-AST512E implements encryption for egress (Tx); MSP10-AST512D implements decryption for ingress (Rx).
- Glueless interface to Altera Avalon-ST interfaces 512 bits wide.
  - The MSP10-AST512E presents a sink interface to the system side and a source interface to the MAC.
  - The MSP10-AST512D presents a sink to the MAC and a source to the rest of the system.
- Compatible with Altera 100-Gbps Ethernet MAC and PHY MegaCore
  - MAC shall be configured to remove the preamble and FCS on Rx (default)
- Support for the 256-bit AES key per IEEE 802.1AEbn standard (128-bit version is also available)
- Simple microprocessor interface for control (address/data/write/read/read acknowledge). Adapters for popular microprocessor buses are available.
- Provides MACsec header parsing and modification:
  - Insertion and removal of the SecTag including the packet number (PN) and an optional SCI
  - RX packet validation
  - Insertion, validation and removal of the ICV
  - Replay protection based on the PN windowing
- Includes key storage, lookup, and expansion
  - Configurable key lookup for Tx is based on MAC header (MAC addresses and VLAN)
  - Key lookup for Rx is based either on MAC header or the SCI
- Support for Galois Counter Mode Encryption and authentication (GCM), Galois Message Authentication (GMAC)
- Support for Extended Packet Numbering per IEEE 802.1AEbw (GCM-AES-XPN-256)
- Flow-through design
- Test bench provided
- Sample software for 802.1X-2010 (a.k.a. 802.1af, KEYsec, 802.1x-REV) key agreement (MKA) is provided
- Deliverables include test benches and optional NIST algorithm validation
- WLAN 802.1ae MACsec
- HDL Source Licenses
  - Synthesizable Verilog RTL source code
  - Self-checking test environment
    - Test bench
    - Test vectors
    - Expected results
  - User documentation
  - Optional GCMVS NIST validation
- Netlist Licenses
  - Post-synthesis EDIF
  - Test bench (self-checking)
  - Vectors for test benches
  - Expected results