MACsec-IP-160 / EIP-160 Single Channel flow through MACsec Engines, up to 100 Gbps

The MACsec-IP-160 (EIP-160) is an IP family for accelerating MACsec up to 100 Gbps, serving single channel Ethernet designs. The MACsec-IP-160 is a high-performance streaming MACsec frame processing engine that provides hardware acceleration for the complete MACsec frame transform along with frame classification and statistics counter updates. Once the MACsec-IP-160 is configured, no CPU is required for processing tasks.

Protocol aware MACsec Packet Engine with classifier and in-line interface for Single Channel Ethernet.

1 to 100 Gbps, programmable rules, no CPU required, supports all IEEE MACsec requirements.

Supported by Driver Development Kit, QuickSec MACsec toolkit.

How the MACsec-IP-160 works

MACsec is well positioned to provide secure Layer 2 WAN interconnect without the need for routing, allowing networks to be secured from the inside. MACsec-IP-160 use cases include protecting links for cloud computing, data center interconnect, network appliances providing enterprise Layer 2 security, automotive interconnect, Ethernet PHY devices with embedded MACsec support, and end-station security solutions for laptops, PCs, printers and network servers.

Diagram: MACsec-IP Single Channel flow through Engine

The MACsec-IP-160 is a MACsec engine with integrated VLAN and MACsec packet classification logic and all required statistics counters. The available MACsec-IP-160 configurations cover applications ranging from 1 Gbps to 100 Gbps. The MACsec-IP-160 is designed to be integrated with an Ethernet MAC to form a plug-in MACsec solution between the system and an Ethernet MAC, or with two Ethernet MACs to form a plug-in MACsec solution between an existing Ethernet MAC (“system-side”) and an existing Ethernet PHY (“line-side”). A handshaked host bus interface is used to control the MACsec-IP-160. Full duplex MACsec solutions comprise an ingress (MACsec-IP-160i) and an egress (MACsec-IP-160e) core, each capable of line-speed processing.

Performance/area (ingress/egress):

  • MACsec-IP-160s: 1Gbps FDX @125MHz, 220K+190K gates.
  • MACsec-IP-160a: 10Gbps FDX @312.5MHz, 430K+395K gates.
  • MACsec-IP-160b: 20Gbps FDX @312.5MHz, 520K+490K gates.
  • MACsec-IP-160c: 40Gbps FDX @468.75MHz, 640K+610K gates.
  • MACsec-IP-160d: 100Gbps FDX @468.75MHz, 1550K+1470K gates.
  • The gate counts depend strongly on the number of supported SAs. The figures above are for 16 SAs; up to 256 SAs per direction can be supported.
  • Frequencies up to 800 MHz (ASIC) and 200 MHz (FPGA) are supported.

Features & Benefits

Key Benefits:

  • Silicon-proven implementation.
  • Fast and easy to integrate into SoCs.
  • Flexible layered design.
  • Complete range of configurations.
  • World-class technical support.
  • Driver Development Kit.

Classification:

  • VLAN and Q-in-Q tag detection.
  • MACsec tag detection and sub-classification (absent, valid, invalid and KaY frame).
  • MACsec tag after VLAN detection.
  • Programmable “control frame” classification.
  • 16- to 128-entry (16- to 256-entry for EIP-160d) programmable rule lookup with attached operation selection (drop, bypass, MACsec process) and SA information for the MACsec processing.
  • 8-entry programmable non-matching flow operation selection (drop, bypass), depending on MACsec tag sub-classification and control frame classification.
  • Explicit classification feature, allowing for external selection of the processing flow while ignoring the internal classification.

Latency:

  • Cut-through processing support, resulting in a latency that is below 176 ns in both directions, including MACsec transformation, at 312.5 MHz.
  • Latency is configurable, allowing constant start-of-frame latency for all types of transformations.

MACsec Processing Features:

  • IEEE 802.1AE, 802.1AEbn and 802.1AEbw compliant.
  • All cipher suites supported (GCM-AES-128/256, GCM-AES-XPN-128/256).
  • MACsec transform with the VLAN Tag bypassing.
  • Statistics counter support (64 bits for frame & octet counters), in saturating or wrapping mode (programmable).
  • Programmable confidentiality offset (0..127 Bytes).
  • SecTAG insertion and removal.
  • ICV checking/removal and calculation/insertion.
  • Packet number generation and checking.
  • Post-processing control of frame and octet statistics counters at global, SA and VLAN (User Priority) levels.
  • Hardware offload for the nextPN and lowestPN update from the host (KaY).
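
The SecTAG sub-classification listed under Classification (absent, valid, invalid and KaY frame) and the packet-number checking with nextPN/lowestPN maintenance listed above are modelled in software below. This is an added example, not Rambus or Inside Secure code, and it does not describe how the EIP-160 implements these steps internally; it follows the IEEE 802.1AE SecTAG layout and validation rules for 32-bit (non-XPN) packet numbers. The frame contents, the all-zero dummy ICV (no cipher is run), the MAC addresses and SCI, and the disposition names (`bypass`, `drop:bad-tag`, `to-kay`, `drop:late`, `process`) are all constructed for this example.

```python
"""Software model of two MACsec receive-path steps: SecTAG sub-classification
(absent / invalid / KaY / valid) and the per-SA nextPN / lowestPN replay check.
Added example, not vendor code. Field layout and validation rules follow
IEEE 802.1AE with 32-bit (non-XPN) PNs; frames are constructed inline and the
ICV is a dummy tag, since no cipher is run here."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16                      # GCM-AES ICV length in octets
# TCI bits of the SecTAG's third octet; the low two bits carry the AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
MIN_NON_SHORT_LEN = 48            # SL is non-zero only for shorter secure data


@dataclass
class SecTag:
    tci: int
    an: int
    sl: int
    pn: int
    sci: Optional[bytes]
    length: int                   # octets the SecTAG occupies: 8 or 16


def classify(frame: bytes) -> Tuple[str, Optional[SecTag]]:
    """Return (sub-class, parsed tag); sub-class is 'absent', 'invalid',
    'kay' or 'valid', the four classes named in the EIP-160 feature list."""
    if len(frame) < 14:
        return "invalid", None
    if struct.unpack_from("!H", frame, 12)[0] != MACSEC_ETHERTYPE:
        return "absent", None     # untagged: left to the non-matching flow rules
    if len(frame) < 20:           # DA + SA + 8-octet SecTAG minimum
        return "invalid", None
    tci_an, sl = frame[14], frame[15] & 0x3F
    pn = struct.unpack_from("!I", frame, 16)[0]
    tci, an = tci_an & 0xFC, tci_an & 0x03
    sci, length = None, 8
    if tci & TCI_SC:              # explicit 8-octet SCI follows the PN
        if len(frame) < 28:
            return "invalid", None
        sci, length = frame[20:28], 16
    tag = SecTag(tci, an, sl, pn, sci, length)
    secure_len = len(frame) - 12 - length - ICV_LEN
    # SecTAG validation (IEEE 802.1AE clause 9.12)
    if tci & TCI_V:                                  # version bit must be 0
        return "invalid", tag
    if (tci & TCI_ES) and (tci & TCI_SC):            # ES and SC are exclusive
        return "invalid", tag
    if (tci & TCI_C) and not (tci & TCI_E):          # C without E is reserved
        return "invalid", tag
    if pn == 0:                                      # PN 0 is reserved
        return "invalid", tag
    if sl >= MIN_NON_SHORT_LEN:                      # SL cannot encode >= 48
        return "invalid", tag
    if sl and secure_len != sl:                      # SL must match the data
        return "invalid", tag
    if not sl and secure_len < MIN_NON_SHORT_LEN:    # SL == 0 means >= 48 octets
        return "invalid", tag
    if (tci & TCI_E) and not (tci & TCI_C):          # E without C: KaY use
        return "kay", tag
    return "valid", tag


@dataclass
class ReceiveSA:
    """Receive-SA replay state: nextPN is the PN expected next, lowestPN the
    oldest PN still accepted (nextPN minus the replay window, never below 1)."""
    replay_window: int
    next_pn: int = 1
    lowest_pn: int = 1

    def accept(self, pn: int) -> bool:
        """Replay check for a frame whose ICV has already verified: reject a
        late PN, otherwise advance nextPN/lowestPN when the PN is new."""
        if pn < self.lowest_pn:
            return False
        if pn >= self.next_pn:
            self.next_pn = pn + 1
            self.lowest_pn = max(1, self.next_pn - self.replay_window)
        return True


def receive(frame: bytes, sa: ReceiveSA) -> str:
    """Map a frame to a disposition in the spirit of the 'drop / bypass /
    MACsec process' operation selection. Names are this example's own."""
    cls, tag = classify(frame)
    if cls == "absent":
        return "bypass"
    if cls == "invalid":
        return "drop:bad-tag"
    if cls == "kay":
        return "to-kay"
    if not sa.accept(tag.pn):
        return "drop:late"
    return "process"


DST, SRC = bytes.fromhex("0200aa000001"), bytes.fromhex("0200aa000002")  # constructed


def build_macsec_frame(tci: int, an: int, pn: int, secure_data: bytes,
                       sci: Optional[bytes] = None) -> bytes:
    """Construct a MACsec frame with a dummy all-zero ICV for the examples."""
    if sci is not None:
        tci |= TCI_SC
    sl = len(secure_data) if len(secure_data) < MIN_NON_SHORT_LEN else 0
    frame = DST + SRC + struct.pack("!HBBI", MACSEC_ETHERTYPE, tci | an, sl, pn)
    if sci is not None:
        frame += sci
    return frame + secure_data + b"\x00" * ICV_LEN


if __name__ == "__main__":
    sa = ReceiveSA(replay_window=4)
    sci = bytes.fromhex("0200aa0000020001")          # constructed SCI
    for pn in (5, 1, 3, 9):                          # 1 arrives late, 3 in window
        frame = build_macsec_frame(TCI_E | TCI_C, 0, pn, b"\x11" * 48, sci)
        print(pn, receive(frame, sa), "nextPN", sa.next_pn, "lowestPN", sa.lowest_pn)
    print(receive(DST + SRC + b"\x08\x00" + b"\x00" * 46, sa))   # untagged IPv4
```

The replay window of 4 is deliberately small so the trace shows both outcomes: after PN 5 is accepted, lowestPN becomes 2, so PN 1 is dropped as late while PN 3 is still accepted without moving nextPN. In hardware the equivalent nextPN/lowestPN bookkeeping is what the KaY would otherwise have to perform per frame, which is the point of the offload bullet above.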

Ingress Path Consistency Checking

  • Performed on bypassed and MACsec processed frames.
  • 16- to 128-entry (16- to 256-entry for EIP-160d) programmable matching table with separate drop/transfer decisions.
  • Separate drop/transfer decision for control/non-control frames in case of non-match.

Miscellaneous

  • Transparent synchronized transfer of LPidle (IEEE Std. 802.1az) and line/local/remote fault detection signals through the processing engine.
  • MTU checking (and optional oversize dropping) dependent on VLAN User Priority level for VLAN frames. Separate check for non-VLAN frames.
  • Local interrupt controller to combine internal interrupts into one interrupt output.
  • Separate internal interrupt events (if an external interrupt controller is used).
  • Support for AES-ECB, AES-CTR, AES-GCM/GMAC transformation for FIPS certification of the crypto core.
  • A pass-through bus on which data is passed unmodified along with the packet (its width is compile-time configurable).
  • An output interface to indicate the number of bytes added/removed from the packet during processing.

Debug Features:

  • Debug registers to monitor and test critical logic.
  • 40-bit wide debug output bus that can be used to monitor internal buses and states in real-time.

Interfaces

  • 128-bit (512-bit for EIP-160d) wide streaming input frame data with side-band lpidle/error signaling.
  • 128-bit (512-bit for EIP-160d) wide streaming output frame data with side-band lpidle/error signaling and classification result.
  • 32-bit handshaked control register interface.
  • On-chip RAM interface to single-port (1RW) Transform Record RAM: 128 bits wide (384 bits wide for EIP-160d) with 32-bit word enables.
  • On-chip RAM interface to two-port (1R1W) statistics RAM: 64 bits wide.
  • On-chip RAM interfaces allow Error Detection and Correction implementation (external to EIP-160).

Verification

  • Set of test vectors for chip integration verification.
  • Integration test vectors in a human-readable format.
  • Python / Verilog based verification environment.
  • 100% verification coverage.