MACsec-IP-165 / EIP-165 Flow through MACsec for PHY devices, up to 100Gbps

Features & Benefits

Key Benefits:

• Silicon-proven implementation.
• Fast and easy to integrate into SoCs.
• Flexible layered design.
• Complete range of configurations.
• World-class technical support.
• Driver Development Kit.

Classification:

• VLAN and Q-in-Q tag detection.
• MACsec tag detection and sub-classification (absent, valid, invalid and KaY frame).
• MACsec tag after VLAN detection.
• Programmable “control frame” classification.
• 16 to 128 (16 to 256 for EIP-165d)-entry programmable rule lookup with attached operation selection (drop, bypass, MACsec process) and SA information for the MACsec processing.
• 8-entry programmable non-matching flow operation selection (drop, bypass), depending on MACsec tag sub-classification and control frame classification.
• Explicit classification feature, allowing for external selection of the processing flow while ignoring the internal classification.

Latency:

• Cut-through processing support, resulting in a latency that is below 150 ns in both directions, including MACsec transformation, at 468.755 MHz.
• Latency is configurable, allowing constant start-of-frame latency for all types of transformations.

MACsec Processing Features:

• IEEE 802.1AE , 802.1AEbn, IEEE 802.1AEbw compliant.
• All cipher suites supported (GCM-AES-128/256, GCM-AES-XPN-128/256).
• MACsec transform with the VLAN Tag bypassing.
• Statistics counter support (64 bits for frame & octet counters), in saturating or wrapping mode (programmable).
• Programmable confidentiality offset (0..127 Bytes).
• SecTAG insertion and removal.
• ICV checking/removal and calculation/insertion.
• Packet number generation and checking.
• Post-processing controls frame and octet statistics counters at global, SA and VLAN (User Priority) levels.
• Hardware offload for the nextPN and lowestPN update from the host (KaY)

Ingress Path Consistency Checking

• Performed on bypassed and MACsec processed frames.
• 16 to 128 (16 to 256 for EIP-165d)-entry programmable matching table with separate drop/transfer decisions.
• Separate drop/transfer decision for control/non-control frames in case of non-match.

Miscellaneous

• Transparent synchronized transfer of LPidle (IEEE Std. 802.1az) and line/local/remote fault detection signals through the processing engine.
• MTU checking (and optional oversize dropping) dependent on VLAN User Priority level for VLAN frames. Separate check for non-VLAN frames.
• Local interrupt controller to combine internal interrupts into one interrupt output.
• Separate internal interrupt events (if external interrupt controller is used)
• Support for AES-ECB, AES-CTR, AES-GCM/GMAC transformation for FIPS certification of the crypto core.
• A pass-through bus on which data is passed unmodified along with the packet (its width is compile-time configurable).
• An output interface to indicate the number of bytes added/removed from the packet during processing.

Debug Features:

• Debug registers to monitor and test critical logic.
• 40-bit wide debug output bus that can be used to monitor internal buses and states in real-time.

Interfaces

• Line and system side interfaces should connect to an external MAC
• Line-side RX interface (FIFO) – 256-bit wide.
• Line-side TX interface (FIFO) – 256-bit wide.
• System-side RX interface (FIFO) – 256-bit wide.
• System-side TX interface (FIFO) – 256-bit wide.
• 32-bit TCM Host interface.
• Single interrupt output from internal interrupt 
controller.
• Separate interrupt outputs from ingress and egress 
MACsec engines.

Verification

• Set of test vectors for chip integration verification.
• Integration test vectors in a human-readable format.
• Python / Verilog based verification environment.
• 100% verification coverage.