MACsec Frame Engines
The SafeXcel-IP MACsec Frame Engines provide acceleration of complete MACsec frame transform, as specified in IEEE Std 802.1AE™-2006. The engine relies on other parts of the system to provide the functionality to determine the processing parameters and key material to use for the frame transform; the so-called classification function. At the high data rates that MACsec allows, this classification function may put a significant burden on the system.
The engines allow the system to process frames cut-through or hold and forward. Independent of these solutions, the SafeXcel-IP-160 and -IP-60 are capable of maintaining line speed for all frame sizes.
AuthenTec’s MACsec Frame Engines include:
SafeXcel-IP-60 [Product Brief]
Ultra High Performance In-line AES-GCM MACsec Frame Engine Family
Using AES-GCM, the SafeXcel-IP-60 MACsec Frame Engine is capable of offloading IEEE 802.1AE MACsec (or basic AES-GCM) transformations, including SecTAG insertion and removal, ICV calculation/insertion and checking/removal, and packet number generation and checking, at extreme line speeds. The SafeXcel-IP-60 is available in three performance grades, offering transformation rates at 500MHz of 25Gbps through 60Gbps for all frame sizes. The SafeXcel-IP-60 relies on classification by the embedded host CPUs.
The Frame Engine offers cut-through processing at very low latencies and low latency jitter with a programmable Confidentiality Offset. Embedding one or more SafeXcel-IP-60 Frame Engines in your design offers extremely fast processing at efficient power dissipation and a low gate count footprint for systems with multiple 10Gbps ports. The SafeXcel-IP-60 can support one 40 or 100Gbps port, multiple 10Gbps or 1Gbps ports or any combination of these.
SafeXcel-IP-62 [Product Brief]
Ultra High Performance Inline AES-GCM Packet Engine Family
The SafeXcel-IP-62 extends the MACsec-only SafeXcel-IP-60 engine with IPsec and FC-SP functionality. Using AES-GCM, this engine is capable of offloading MACsec, IPsec and FC-SP transformations, including header and trailer processing, at extreme data rates. At transformation rates at 500MHz of 80Gbps for all packet sizes, including 64-byte packets, the SafeXcel-IP-62 is the fastest Packet Engine available for your multi-CPU SoC designs. Like the SafeXcel-IP-60 and the SafeXcel-IP-96, the SafeXcel-IP-62 also relies on classification by the embedded host CPUs. Embedding both a SafeXcel-IP-62 and a SafeXcel-IP-96 in one design offers a combination of support for widely used algorithms and extremely fast processing for systems with multiple 10Gbps ports.
SafeXcel-IP-96 [Product Brief]
High Performance In-line Packet Engine Family
When MACsec is only one of many security protocols that need to be supported, the SafeXcel-IP-96 multi-protocol Packet Engine is a suitable solution. The fast and versatile SafeXcel-IP-96 supports single or multi-processor designs with fast security protocol and crypto transformation functions, including header and trailer processing. The SafeXcel-IP-96 relies on classification and flow processing by these processors. The SafeXcel-IP-96 offers the widest variety of protocols, such as IPsec, SSL, TLS, DTLS, MACsec and sRTP, using cipher functions such as 3DES (CBC), AES (CBC, CTR, GCM) and HMAC functions such as SHA-1, SHA-256, SHA-512 and MD5. Any of these algorithms is also available for bulk crypto, bulk hash or single-pass combined hash-crypt operations. At transformation rates at 500MHz of 2.5Gbps for 64-byte packets and 5Gbps for 1500-byte packets, the SafeXcel-IP-96 is the most efficient Packet Engine for your multi-CPU SoC designs.
SafeXcel-IP-160 [Product Brief]
High Performance Flow Through MACsec Security Engine Family with Classifiers
The SafeXcel-IP-160 is a SafeXcel-IP-60 MACsec Frame Engine extended with frame classification engines, allowing a direct connection to 10G/1G Ethernet MACs. The solution offers implementation scenarios in switch ASICs where the engine is directly connected to the MAC/port logic. Alternatively, implementation in a PHY device will create a MACsec-enabled PHY. When extended with the QuickSec MACsec stack, this solution is the most ideal pure flow-through MACsec fast path implementation, offering maximum data plane offloading from a host processor, and inherits all functionality from the SafeXcel-IP-60.
The SafeXcel-IP-160 provides full data plane processing at the L2 Ethernet network layer. This capability is enabled by the engine’s unique Frame Classifiers and Flow Processors and is not offered by other security vendors. While traditional offerings need to rely on external classification, the SafeXcel-IP-160 includes hardware assist for this time-consuming task. The SafeXcel-IP-160 autonomously inspects frames, determines the required processing and instructs the Engine which transformation to execute.
Benefits
• High-speed MACsec Frame Engine
• Fast and easy to integrate into SoCs
• Flexible layered design, modular architecture
• World-class technical support
• Supported by QuickSec for MACsec
• Engines offered with and without Classification
• Engines offered as MACsec only or with MACsec and IPsec
• Performance grades from 10Gbps to 40Gbps to 100Gbps
• Supports 40, 45, 65, 90, 130nm CMOS nodes
Features
• Allows direct connection to Ethernet MAC; no external host interaction required to determine key material, etc.
• Performs IEEE 802.1AE MACsec packet transforms including AES-GCM encryption and:
- SecTAG insertion and removal
- Sequence number checking
- Programmable Confidentiality Offset
• Non MACsec bulk AES-CTR or AES-GCM capabilities
• Decoupled control and data plane operation
• Low-latency, cut-through processing: processing of a frame can start before the complete frame is received
• The pipelined architecture allows the core to accept data back-to-back
• Supports multiple ports, SecYs and Security Channels simultaneously
• Built-in MACsec metering
• Built-in functionality for deciding on, and performing, the forward, drop, encrypt or decrypt operation at full line rates
• Classification capability required for MACsec
• Capable of servicing a full duplex 10 Gbps Ethernet connection at a clock speed of 250MHz, even for the smallest frame sizes
• Multiple speed grades available
• No external SDRAM or CAM required
Deliverables
• Soft IP: Synthesizable Verilog RTL source code
• Documentation
- Hardware Specification
- Integration Manual
- Verification Specification
• Self-checking RTL test bench, including test vectors and expected result vectors
• Simulation scripts
• Synthesis scripts