MACsec Protocol Engine for 1G/10G+ Ethernet

The MAC-SEC-MG IP core implements a compact and configurable custom-hardware protocol engine for the IEEE 802.1AE (MACsec) standard. It supports the AES-GCM and AES-GCM-XPN cipher suites provisioned by the MACsec standard and the VLAN-in-Clear improvement. The engine is silicon- and performance-optimized for networks operating from 2.5 Gbps to 10 Gbps and beyond; up to 16.75 Gbps is possible with this core.

Featuring a configurable number of Security Associations (up to 64k), this protocol engine supports multiple security channels and can implement multiple Security Entities (SecYs). It operates in full-duplex mode at line speed in each direction for 2.5 Gbps to 16.75 Gbps connections. It does so by implementing a 128-bit wide data path, which provides adequate performance while minimizing silicon resources.

Designed for ease of integration, the MAC-SEC-MG core is a fully synchronous, single-clock domain design that uses standardized interfaces and can be optionally pre-integrated with companion cores available from CAST.

The control and status registers of the core are accessible via a generic 32-bit memory-mapped slave interface. Interface bridges delivered with the core can convert this generic host interface to a 32-bit AMBA® APB or AHB-Lite, Avalon®-MM, or Wishbone interface. Packet data are input and output via AXI Stream interfaces with configurable data width, enabling direct connection to Ethernet MACs, PTP timestamping units, or other higher-layer protocol engines. Interface bridges and a DMA engine capable of driving the AXI Stream interfaces are available separately. They can be used in cases where moving data to and from the core is preferable over a memory-mapped bus. The core can be delivered pre-integrated with the Low-Latency Ethernet MAC or any Ethernet TSN cores available from CAST.

• Encrypts and decrypts using the AES Rijndael Block Cipher Algorithm
• Implemented according to the IEEE P1619™/D16 standard
• NIST-Validated
• Capable of processing 128 bits/cycle
• Employs user-programmable key size of 128 or 256 bits
• Two architectural versions:
  • The AES-XTS-X version is smaller and can process 128 bits/cycle for all key sizes
  • The AES-XTS-X2 version can process 256 bits/cycle for all key sizes
• Arbitrary IV length
• Easy integration & implementation
  • Works with the integrated key expansion function
  • Fully synchronous, uses only the rising clock-edge, single-clock domain, no false or multicycle timing paths, scan-ready, LINT-clean, reusable design
  • Simple input and output interface, optionally bridged to AMBA™ interfaces or integrated with a DMA engine
• Available in VHDL or Verilog source code format, or as a targeted FPGA netlist

• The MAC-SEC-MG core provides hardware-accelerated MACsec protection for end-to-end transmission in industrial, automotive, IoT edge, and other devices with Ethernet connectivity. While it works well with third-party cores, the MAC-SEC-MG is especially well suited for use with the Low-Latency eMAC (LLEMAC), the UDP/IP (1G/10G/25G) and TCP/IP hardware stacks, and the TSN Endpoint and Switch cores available from CAST. These can be licensed as a pre-integrated subsystem, enabling the rapid, low-risk development of secure Ethernet connections.

MACsec Protocol Engine

• Compliant with IEEE 802.1AE-2018 and IEEE 802.1AEbw
• Implements both GCM-AES-128/256 and GCM-AES-XPN-128/256 modes
• Supports NIST encryption standards:
  • AES FIPS PUB 197
  • GCM RFC 5647
• Supports up to 2¹⁶ secure associations
• Supports 802.1Q Tag in the Clear (VLAN-in-Clear) as defined by CISCO’s WAN MACsec

Performance and Size

• Compact 128-bit data path
• Full-duplex, line-speed operation at up to 16.75 Gbps

Easy to Integrate

• AXI-Stream port, with configurable data width, allows direct connection with LLEMAC or higher-layer protocol engines
• Uses a generic 32-bit slave interface for configuration of the core & bridges to 32-bit APB, AHB-Lite, Avalon-MM, or Wishbone
• Reports status, statistics, & errors in CSRs
• Companion cores from CAST:
  • DMA for integration as a memory-mapped peripheral
  • Low-Latency Ethernet MAC
  • UDP/IP and TCP/IP hardware stacks
  • TSN Endpoints and Switches

Straightforward to Implement

• Available in LINT-clean, scan-ready, synthesizable RTL source code format or as a targeted FPGA netlist
• Single clock-domain design with no multi-cycle or false paths
• Platform-independent – can be implemented on any FPGA device or ASIC technology