MACsec Protocol Engine for 10/100/1000 Ethernet

Overview

The MAC-SEC-1G IP core implements a compact and configurable custom-hardware protocol engine for the IEEE 802.1AE (MACsec) standard. It supports all cipher suites specified by the MACsec standard as well as the VLAN-in-Clear improvement, and is silicon- and performance-optimized for networks operating at up to 1 Gbps.

Featuring a configurable number of Security Associations (up to 64k), this protocol engine supports multiple security channels and can implement multiple Security Entities (SecYs). It operates in full duplex mode, at line speed per direction for 1000/100/10 Mbps connections. It does so by implementing a 32-bit wide data path, which provides adequate performance while minimizing silicon resources.

Designed for ease of integration, the MAC-SEC-1G core is a fully synchronous, single-clock domain design that uses standardized interfaces and can be optionally pre-integrated with companion cores available from CAST.

The control and status registers of the core are accessible via a generic 32-bit memory-mapped slave interface. Interface bridges delivered with the core can convert this generic host interface to a generic 8-bit memory-mapped interface or a 32-bit APB, AHB-Lite, Avalon-MM, or Wishbone interface. Packet data are input and output via AXI Stream interfaces with configurable data width, enabling direct connection to Ethernet MACs, PTP timestamping units, or other higher-layer protocol engines. Interface bridges and a DMA engine capable of driving the AXI Stream interfaces are available separately and can be used in cases where it is preferable to move data to and from the core over a memory-mapped bus. The core can be delivered pre-integrated with the Low-Latency Ethernet MAC or any of the Ethernet TSN cores available from CAST.

Key Features

  • MACsec Protocol Engine
    • Compliant with IEEE 802.1AE-2018 and IEEE 802.1AEbw.
    • Implements both GCM-AES and GCM-AES-XPN modes with 128- and 256-bit keys.
    • Multiple Security Channels, Security Associations, and Security Entities.
    • Maximum number of Security Associations is synthesis-time configurable in the range of 1 to 64k.
    • Supports 802.1Q Tag in the Clear (VLAN-in-Clear) as defined by Cisco’s WAN MACsec.
  • Performance and Size
    • Compact 32-bit data path.
    • Full-duplex, line-speed operation at 10/100/1000 Mbps
  • Easy to Integrate
    • AXI stream interfaces with configurable data-width allow direct connection with eMAC or higher layer protocol engines.
    • Companion DMA cores can be used for integration as a memory-mapped peripheral.
    • Uses a generic 32-bit slave interface & bridges to 32-bit APB, AHB-Lite, Avalon-MM, or Wishbone, or an 8-bit generic microcontroller interface.
    • Reports status, statistics & errors in CSRs
    • Optionally pre-integrated with tri-mode Low-Latency Ethernet MAC, TCP/UDP/IP hardware stacks, and TSN cores.
  • Straightforward to Implement
    • Available in LINT-clean, scan-ready, synthesizable RTL source code format or as a targeted FPGA netlist.
    • Single clock-domain design with no multi-cycle or false paths.
    • Platform-Independent – Can be implemented on any FPGA device or ASIC technology.

Block Diagram

MACsec Protocol Engine for 10/100/1000 Ethernet Block Diagram

Applications

  • The MAC-SEC-1G core provides hardware-accelerated MACsec protection for end-to-end transmission in industrial, automotive, IoT edge, and other devices with Ethernet connectivity. While it works well with third-party cores, the MAC-SEC-1G is especially well suited for use with the Low-Latency eMAC, the UDP/IP and TCP/IP hardware stacks, and the TSN Endpoint and Switch cores available from CAST. These can be licensed as a pre-integrated subsystem, enabling the rapid, low-risk development of secure Ethernet connections.

Deliverables

  • Consistent with CAST’s quality standards, this core has been rigorously verified, is LINT-clean and scan-ready, and is delivered with everything required for a trouble-free implementation. It is available in SystemVerilog RTL source code or as a targeted FPGA netlist, and its deliverables include a sophisticated testbench, sample synthesis and simulation scripts, and comprehensive documentation.
