At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.
1G to 100G Single-Port MACsec Engine
Contact
Product BriefComplete and compliant MACsec Packet Engine with classification, transformation and statistics for rates from 1GbE to 100GbE. Widely adopted in the industry
How the MACsec-IP-160 works
The MACsec-IP-160 engine provides complete MACsec processing for a port. It contains a flexible classifier with a table of programable rules with the programmable actions. The transformation engine supports all features and ciphers of the standard MACsec and VLAN-in-clear extension. The processing results are reflected in the MACsec-compliant statistics as additional non-standard counters. MACsec-IP-160 offers optional post-decryption consistency checking with a set of programmable rules.
The MACsec-IP-160 engine is a basis for building various use cases. Beside traditional point-to-point and point-to-multipoint use cases, it is also deployed in protecting carrier networks with bypass/drop/protect policy that is controlled per VLAN EVC.
The MACsec-IP-160 can be used in combination with external classifier and accepts secure channel pointer or packet bypass indication.
Integration
The MACsec-IP-160 engines offers flexibility on integration into the customer’s Ethernet subsystem. It can be used as a FIFO-like component, or a fixed-latency engine with a push interface.
Customers can implement MACsec processing with IEEE1588 timestamping in the Tx MAC (unencrypted PTP) as well as timestamping ahead of the MACsec (supporting both – encrypted and encrypted PTP).
To implement fixed-latency mode at egress direction, Rambus offers the Rate-Control-IP-218, a programmable module that shapes the traffic according to line rate and accounts the MACsec added header/trailer.
MACsec Fundamentals
For end-to-end security of data, it must be secured both when at rest (stored on a connected device) and when in motion (communicated between connected devices). For data at rest, a hardware root of trust anchored in silicon provides that foundation upon which all device security is built. Similarly, MACsec security anchored in hardware at the foundational communication layer (Layer 2) provides that basis of trust for data in motion over Ethernet-based networks.Solution Offerings
Full line-rate throughput
- Optimized for 1G, 10G, 25G, 50G, 100G rates
- Lowest and fixed latency modes
Feature reach
- Flexible classifier
- IEEE 802.1AE-2018 compliance
- VLAN-in-clear
- FIPS certification support
- Forward-looking hardware and software compatibility
- Very efficient hardware-software interaction
Highly configurable
- Numerous options for optimal area, throughput and features trade-off
Software and integration support
- Rate-Control-IP-218 rate shaper
- Driver Development Kit
- IEEE 802.1X Toolkit
- World-class support from Rambus MACsec experts
Packet Interface
- Cut-through FIFO interface
- 128-bit (1G to 50G), 512-bit (100G)
- External classification inputs
- SOP and EOP pass-through bus for side-band information
- Lowest and fixed-latency modes
SA and classification scaling
- SA (16 to 256)
- Post-decryption consistency check (optional)
Control interface
- Simple 32-bit interface
- Interrupts
Protocol support
- Full IEEE 802.1AE-2018 compliance
- IEEE 802.1AE
- IEEE 802.1AEbn
- IEEE 802.1AEbw
- IEEE 802.1AEcg
- MACsec with up to 2x VLAN-in-clear
NIST CAVP compliance for FIPS 140-3 validation
- Support for basic AES and AES-GCM transformations
Packages
- Silicon IP
- Driver Development Kit
Complete Documentation
- Hardware integration guide
- Hardware and software
- Reference manuals
- Programming guides
- IP-XACT Register description
Tools and Scripts
- Verilog for synthesis and simulation
- All scripts and support files needed for standard EDA tool flows
Integration Support
- Complete verification test bench
- Comprehensive set of test vectors
Secure Networking Basics: MACsec, IPsec, and SSL/TLS/DTLS
The MACsec, IPsec and SSL/TLS/DTLS protocols are the primary means of securing data in motion (communicated between connected devices). These protocols can be anchored in hardware or implemented in software as part of an end-to-end security architecture. This white paper provides fundamental information on each of these protocols including their interrelationships and use cases.
Resources
Videos
