Home   About Us   News   Contact Us
 

MSP7-32/MSP7-64 MACsec IP core for FPGA or ASIC

Introduction

Implementation of the LAN security standard IEEE 802.1ae (MACsec) requires the NIST standard AES cipher in the GCM mode for encryption and message authentication, as well as header parsing and formatting operations on the transmitted and received packets. MACsec Security Processor (MSP) IP cores by IP Cores, Inc. are designed for high data rates and implement complete line-rate packet processing with no per-packet CPU intervention.
MSP7-32 cores are tuned for 6-15 Gbps applications in the FPGA and ASIC technologies that require 256 bit AES keys.
The MSP7-64/256 cores are tuned for 10-25 Gbps applications in the FPGA and ASIC technologies that require 256 bit AES keys.
The design is fully synchronous and available as RTL source code.
Applications
IEEE 802.1ae MACsec
Features 

MSP7-32:
  • Small size combined with high performance:
    • 5 Gbps performance at the 15+ MHz clock rate 
    • 12.5 Gbs performance at the 390+MHz clock rate
  • Flow-through design with back-to-back packet processing
    • 41-byte-long shortest input packet on encryption
    • 56-byte-long shortest input packet on decryption at full data rate
    • 16,000 bytes maximum packet size
  • Low latency, for the 10 Gbps configuration
    • 34 clocks input-to output on encryption(start-to-start of the packet), 36-37 clocks(last-to-last word of the packet
    • 39 clocks for decryption(start-to-start), 37 clocks(last-to-last)
  • 32-bit wide aligned AXI-S data interface with flow control
    • The MSP7 contains two datapaths, one for Tx(encryption), one for Rx(decryption).The Tx datapath presents a sink(slave) interface to the unecrypted side, source(master) interface on the encrypted side. Rx datapath presents a sink to the encrypted, source to the unecrypted side
  • Core utilizes three clocks: one for the Tx datapath, one for Rx and one for control
MSP7-64: 
  • Small size combined with high performance:
    • 10 Gbps performance at the 15+ MHz clock rate 
    • 25 Gbs performance at the 390+MHz clock rate
  • Flow-through design with back-to-back packet processing
    • 64 bytes shortest input packet at full data rate   
    • 16,000 bytes maximum packet size
Symbol
Pin Description

Name Type Description
Generic
Clk Input   Core clock signal
Rst Input   Core reset signal
Eclk Input  Encryption (Tx) datapath clock
Dclk Input   Decryption (Rx) datapath clock
Configuration. The signals in this group typically have constant values during the core operation
E_Derror[2:0] Input
E_Qerror[31:0] Output

Error signal.

E_secen Input   Enable encryption for this packet.
E_scid[ ] Input   Secure channel selection for the packet.
E_Dtagvalid Input  PTP tag
E_Dtag[15:0] Input   PTP tag.
E_Qtagvalid Output  PTP tag
E_Qtag[15:0] Output  Bypassed PTP tag.
D_Derror[2:0] Input  Error signal.
Packet information. The signals in this group are to be asserted with the first or last word of the packet
D_Qerror[31:0] Output   Error signal.
D_Dtime[79:0] Input   PTP time stamp
D_Qtime[79:0] Output   Bypassed PTP time stamp.
 
Function Description
 

The MSP7 implementation fully supports the IEEE 802.1ae (MACsec) algorithm for 128-bit bit keys, including AES support in Galois Counter Mode (GCM) per NIST publication SP800-38D http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf.

The core is designed for flow-through operation. MSP7 supports encryption and decryption modes (encrypt-only and decrypt-only options are available.
 
Tx Processing
 

 On encryption, for each frame the core:

  • Obtains the SC index from the LLID and looks up the current SA key
  • Inserts the SecTag, including the PN and an optional SCI
  • Encrypts and authenticates the frame, based on the values on the E and C inputs
  • Appends the ICV tag to the packets
  • Updates the PN
  • Updates the statistics counters
 
Rx Processing
 

On decryption, for each frame the core:

  • Obtains the SC index from the LLID and looks up the current SA key
  • Allows pass-through fro KaY frames
  • Validates the SecTag and SCI, if present
  • Checks that the packet number PN is within the PN window
  • Decrypts the frame, if encrypted
  • Calculates the ICV tag, if the frame is authenticated, and compares to the one in the frame
  • Removes the ICV tag, appended to the frame
  • Updates the PN window
  • Updates the statistics counters

 
 
Export Permits
The core can be a subject of the US export control. It is the customer's responsibility to check with relevant authorities regarding the re-export of equipment containing the AES encryption technology. See the IP Cores, Inc. licensing basics page, http://ipcores.com/exportinformation.htm, for links to US government sites and more details.
Deliverables
HDL Source Licenses
Synthesizable Verilog RTL source code
Testbench (self-checking)
User Documentation
Optional GCMVS NIST validation
Optional UNH validation
 
Contact Information
IP Cores, Inc.
3731 Middlefield Rd.
Palo Alto, CA 94303, USA
Phone: +1 (650) 815-7996
E-mail: [email protected]
www.ipcores.com
 
 
IP Cores, Inc., 3731 Middlefield Rd., Palo Alto, CA 94303, USA Phone: +1 (650) 815-7996 | E-mail: [email protected] | www.ipcores.com
Copyright © 2008- , All Right Reserved, IP Cores, Inc. Home | About Us | News | Contact Us | Privacy Policy | Export Information