Implementation of the LAN security standard IEEE 802.1ae (MACsec) requires the NIST standard AES cipher in the GCM mode for encryption and message authentication, as well as header parsing and formatting operations on the transmitted and received packets. MACsec Security Processor (MSP) IP cores by IP Cores, Inc. are designed for high data rates and implement complete line-rate packet processing with no per-packet CPU intervention.
MSP7-32 cores are tuned for 6-15 Gbps applications in the FPGA and ASIC technologies that require 256 bit AES keys.
The design is fully synchronous and available as RTL source code.
Function Description
The MSP7 implementation fully supports the IEEE 802.1ae (MACsec) algorithm for 128-bit bit keys, including AES support in Galois Counter Mode (GCM) per NIST publication SP800-38D http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.
The core is designed for flow-through operation. MSP7 supports encryption and decryption modes (encrypt-only and decrypt-only options are available.
- Tx Processing
On encryption, for each frame the core:
- Obtains the SC index from the LLID and looks up the current SA key
- Inserts the SecTag, including the PN and an optional SCI
- Encrypts and authenticates the frame, based on the values on the E and C inputs
- Appends the ICV tag to the packets
- Updates the PN
- Updates the statistics counters
- Rx Processing
On decryption, for each frame the core:
- Obtains the SC index from the LLID and looks up the current SA key
- Allows pass-through fro KaY frames
- Validates the SecTag and SCI, if present
- Checks that the packet number PN is within the PN window
- Decrypts the frame, if encrypted
- Calculates the ICV tag, if the frame is authenticated, and compares to the one in the frame
- Removes the ICV tag, appended to the frame
- Updates the PN window
- Updates the statistics counters
