MACsec Engine

The MACsec Engine implements the latest IEEE 802.1AE specification, providing connectionless data integrity, data origin authenticity and confidentiality on OSI layer 2.

The scalable architecture provides low-latency, line rate acceleration of frame encapsulation, encryption and replay protection. The multi-channel structure makes the engine extremely suitable for use in switches, enabling per-port security with a single IP instantiation. Integration options with either performance or area-optimized AES-GCM IP cores enables a high level of scalability enabling unrivalled trade-off possibilities between throughput, area and latency.

Implementation aspects

At its very core, the MACsec Engine is completely technology-agnostic and can be integrated in a wide range of FPGA and ASIC technologies. On FPGA, the engine can use vendor-specific optimizations to reach very high throughput goals.

Features

• • ASIC and FPGA
  • Multi-channel support for link aggregation or FlexE
  • Throughput from 1 Gbps up to 800 Gbps
  • 32 to 1024 bits datapath
  • Compliant with IEEE 802.1AE-2018
    – Supports AES-GCM-128/256
    – Extended Packet Numbering (optional)
    – Confidentiality Offset (optional)
  • Classification based on MAC, SCI, VLAN ID
  • Generic interface to TCAM
  • VLAN-in-the-clear mode
  • Bypass mode
  • Data interface: AMBA 4 AXI-Stream
  • Control interface: AMBA 4 APB

Applications

• Cloud & data center interconnection
• Secure IP/MPLS (replace MPLS over GRE + IPsec)
• Secure IoT devices on LAN
• In-vehicle communication with Automotive Ethernet

Reference: BA451