MACsec Engine, 1G to 25G, Full Duplex, Integrated

Overview

Key Features

• CLASSIFICATION
• VLAN and Q-in-Q tag detection.
• MACsec tag detection and sub-classification (absent, valid, invalid and KaY frame).
• MACsec tag after VLAN headers.
• Programmable “control frame” classification.
• 16-entry programmable rule lookup with attached operation selection (drop, bypass, MACsec process) and SA information for the MACsec processing.
• 8-entry programmable non-matching flow operation selection (drop, bypass), depending on MACsec tag sub-classification and control frame classification.
• Explicit classification feature (egress flow only), allowing for external selection of the processing flow while ignoring the internal classification.
• MACsec PROCESSING FEATURES
• IEEE 802.1AE compliant
• IEEE 802.1AEbn compliant
• IEEE 802.1AEbw compliant
• All cipher suites supported (GCM-AES-128/256, GCM-AES-XPN-128/256)
• IEEE Std. 802.1AE MACsec statistics counter support (extended to 64 bits wide for frame and octet counters), in saturating or wrapping mode (programmable).
• Programmable confidentiality offset (0 – 127 Bytes).
• SecTAG insertion and removal,
• ICV checking/removal and calculation/insertion.
• Sequence number generation and checking.
• Low latency by using cut-through processing (starting operations before the complete frame is received).
• Post-processing controls frame and octet statistics counters at global, flow and VLAN (User Priority) levels.
• INGRESS PATH CONSISTENCY CHECKING
• Performed on bypassed and MACsec processed frames.
• 16 entry programmable matching table with separate drop/transfer decisions.
• Separate drop/transfer decision for control/non-control frames in case of non-match.
• MISCELLANEOUS
• Synchronized transfer of line/local/remote fault detection signals between line- and system-side interfaces.
• MTU checking (and optional oversize dropping) dependent on VLAN User Priority level for VLAN frames. Separate check for non-VLAN frames.
• DEBUG FEATURES
• Support for error detection and correction circuits on the on-chip RAMs, allows monitoring and testing these circuits as well as shutting the engine down in case of uncorrectable errors.
• Debug registers to monitor and test critical parts of the logic.
• 40-bits wide debug output bus that can be used to monitor internal buses and states in real-time.
• INTERFACES
• Line and system side interfaces can connect to an external MAC
• Line-side RX interface (FIFO) – 64-bit wide.
• Line-side TX interface (FIFO) – 64-bit wide.
• System-side RX interface (FIFO) – 64-bit wide.
• System-side TX interface (FIFO) – 64-bit wide.
• 32-bit AMBA APB3 Host interface (on separate clock).
• Single interrupt output from internal interrupt controller.
• Separate interrupt outputs from ingress and egress MACsec engines.
• VERIFICATION
• Set of test vectors for chip integration verification.
• Integration test vectors in structured format.
• Python / Verilog based verification environment.
• 100% verification coverage.

Benefits

• Complete HW/SW system.
• Driver Development Kit.
• High-speed MACsec Frame Engine
• Silicon-proven implementation
• Fast and easy to integrate into SoCs.
• Flexible layered design.
• Complete range of configurations.
• World-class technical support.

Applications

• Network appliances providing Enterprise Network Security at Layer-2 using MACsec,
• End-station security solutions for laptops, PCs, printers and network servers.

Deliverables

• Documentation
• Programmer Manual
• Integration Manual
• Verification Specification
• Synthesizable Verilog RTL source code
• Self-checking RTL test bench, including test vectors and expected result vectors
• Simulation scripts
• Configurations:
• EIP-165b-16:
• 902k gates
• 64 bits/clk
• up to 800 MHz

Technical Specifications