Security IP icon

Security

1G to 100G Single-Port MACsec Engine

The MACsec-IP-160 is a versatile MACsec solution for silicon devices that require plug-and-play MACsec processing for an Ethernet port at full line rate. It provides classification, transformation and statistics for the IEEE0802.1AE standard MACsec. Additionally, it supports VLAN-in-clear use cases. The IP-160 is available in numerous configurations optimized for desired throughput range and number of secure connections. Supplied with software support, the MACsec-160 is the ideal solution for Ethernet PHYs, switches, automotive and 5G SoCs, broadband access chipsets and many other Ethernet-connected applications.

Complete and compliant MACsec Packet Engine with classification, transformation and statistics for rates from 1GbE to 100GbE. Widely adopted in the industry

All IEEE MACsec standards supported (including IEEE802.1AE-2018). Suitable for systems with IEEE1588 support
Supplied with the Driver Development Kit to accelerate time to market. Rambus offers MACsec Toolkit for IEEE 802.1X key management

How the MACsec-IP-160 works

The MACsec-IP-160 engine provides complete MACsec processing for a port. It contains a flexible classifier with a table of programable rules with the programmable actions. The transformation engine supports all features and ciphers of the standard MACsec and VLAN-in-clear extension. The processing results are reflected in the MACsec-compliant statistics as additional non-standard counters. MACsec-IP-160 offers optional post-decryption consistency checking with a set of programmable rules.

Single-port 1G to 100G MACsec Using MACsec-IP-160 Engine
Single-port 1G to 100G MACsec Using MACsec-IP-160 Engine

The MACsec-IP-160 engine is a basis for building various use cases. Beside traditional point-to-point and point-to-multipoint use cases, it is also deployed in protecting carrier networks with bypass/drop/protect policy that is controlled per VLAN EVC. 

The MACsec-IP-160 can be used in combination with external classifier and accepts secure channel pointer or packet bypass indication.

Integration

The MACsec-IP-160 engines offers flexibility on integration into the customer’s Ethernet subsystem. It can be used as a FIFO-like component, or a fixed-latency engine with a push interface.

Customers can implement MACsec processing with IEEE1588 timestamping in the Tx MAC (unencrypted PTP) as well as timestamping ahead of the MACsec (supporting both – encrypted and encrypted PTP).

To implement fixed-latency mode at egress direction, Rambus offers the Rate-Control-IP-218, a programmable module that shapes the traffic according to line rate and accounts the MACsec added header/trailer.

MACsec Fundamentals White Paper

MACsec Fundamentals

For end-to-end security of data, it must be secured both when at rest (stored on a connected device) and when in motion (communicated between connected devices). For data at rest, a hardware root of trust anchored in silicon provides that foundation upon which all device security is built. Similarly, MACsec security anchored in hardware at the foundational communication layer (Layer 2) provides that basis of trust for data in motion over Ethernet-based networks.

Solution Offerings

Full line-rate throughput

  • Optimized for 1G, 10G, 25G, 50G, 100G rates
  • Lowest and fixed latency modes
 

Feature reach

  • Flexible classifier
  • IEEE 802.1AE-2018 compliance
  • VLAN-in-clear
  • FIPS certification support
  • Forward-looking hardware and software compatibility
  • Very efficient hardware-software interaction
 

Highly configurable

  • Numerous options for optimal area, throughput and features trade-off
 

Software and integration support

  • Rate-Control-IP-218 rate shaper
  • Driver Development Kit
  • IEEE 802.1X Toolkit
  • World-class support from Rambus MACsec experts
 

Packet Interface

  • Cut-through FIFO interface
  • 128-bit (1G to 50G), 512-bit (100G)
  • External classification inputs
  • SOP and EOP pass-through bus for side-band information
  • Lowest and fixed-latency modes
 

SA and classification scaling

  • SA (16 to 256)
  • Post-decryption consistency check (optional)
 

Control interface

  • Simple 32-bit interface
  • Interrupts
 

Protocol support

  • Full IEEE 802.1AE-2018 compliance
  • IEEE 802.1AE
  • IEEE 802.1AEbn
  • IEEE 802.1AEbw
  • IEEE 802.1AEcg
  • MACsec with up to 2x VLAN-in-clear
 

FIPS 140-2 CAVP ready

  • Support for basic AES and AES-GCM transformations.

Packages

  • Silicon IP
  • Driver Development Kit
 

Complete Documentation

  • Hardware integration guide
  • Hardware and software
  • Reference manuals
  • Programming guides
  • IP-XACT Register description
 

Tools and Scripts

  • Verilog for synthesis and simulation
  • All scripts and support files needed for standard EDA tool flows
 

Integration Support

  • Complete verification test bench
  • Comprehensive set of test vectors
Secure Networking Basics cover

Secure Networking Basics: MACsec, IPsec, and SSL/TLS/DTLS

The MACsec, IPsec and SSL/TLS/DTLS protocols are the primary means of securing data in motion (communicated between connected devices). These protocols can be anchored in hardware or implemented in software as part of an end-to-end security architecture. This white paper provides fundamental information on each of these protocols including their interrelationships and use cases.

Don’t miss out on the Rambus Design Summit on October 8th!