MACsec Engine

The MACsec Engine implements the latest IEEE 802.1AE specification, providing connectionless data integrity, data origin authenticity and confidentiality on OSI layer 2.

The scalable architecture provides low-latency, line rate acceleration of frame encapsulation, encryption and replay protection. The multi-channel structure makes the engine extremely suitable for use in switches, enabling per-port security with a single IP instantiation. Integration options with either performance or area-optimized AES-GCM IP cores enables a high level of scalability enabling unrivalled trade-off possibilities between throughput, area and latency.

Implementation aspects

At its very core, the MACsec Engine is completely technology-agnostic and can be integrated in a wide range of FPGA and ASIC technologies. On FPGA, the engine can use vendor-specific optimizations to reach very high throughput goals.

Features

• ASIC and FPGA
• Multi-channel support for link aggregation or FlexE
• Throughput from 1 Gbps up to 800 Gbps
• 32 to 1024 bits datapath
• Compliant with IEEE 802.1AE-2018
  – Supports AES-GCM-128/256
  – Extended Packet Numbering (optional)
  – Confidentiality Offset (optional)
• Classification based on MAC, SCI, VLAN ID
• Generic interface to TCAM
• VLAN-in-the-clear mode
• Bypass mode
• Data interface: AMBA 4 AXI-Stream
• Control interface: AMBA 4 APB

Applications

• Cloud & data center interconnection
• Secure IP/MPLS (replace MPLS over GRE + IPsec)
• Secure IoT devices on LAN
• In-vehicle communication with Automotive Ethernet

Reference: BA451