MACsec Engine

The MACsec Engine implements the latest IEEE 802.1AE specification, providing connectionless data integrity, data origin authenticity and confidentiality on OSI layer 2.

The scalable architecture provides low-latency, line-rate acceleration of frame encapsulation, encryption and replay protection. The multi-channel structure makes the engine extremely suitable for use in switches, enabling per-port security with a single IP instantiation. Integration options with either performance- or area-optimized AES-GCM IP cores enable a high level of scalability, offering unrivalled trade-off possibilities between throughput, area and latency.

Implementation aspects

At its very core, the MACsec Engine is completely technology-agnostic and can be integrated in a wide range of FPGA and ASIC technologies. On FPGA, the engine can use vendor-specific optimizations to reach very high throughput goals.

Features

    • ASIC and FPGA
    • Multi-channel support for link aggregation or FlexE
    • Throughput from 1 Gbps up to 800 Gbps
    • 32- to 1024-bit datapath
    • Compliant with IEEE 802.1AE-2018
      – Supports AES-GCM-128/256
      – Extended Packet Numbering (optional)
      – Confidentiality Offset (optional)
    • Classification based on MAC, SCI, VLAN ID
    • Generic interface to TCAM
    • VLAN-in-the-clear mode
    • Bypass mode
    • Data interface: AMBA 4 AXI-Stream
    • Control interface: AMBA 4 APB

Applications

    • Cloud & data center interconnection
    • Secure IP/MPLS (replace MPLS over GRE + IPsec)
    • Secure IoT devices on LAN
    • In-vehicle communication with Automotive Ethernet

Reference: BA451