Hardware-based security for high-level protection.

XIP1211B: MACSEC AES128-GCM

MACsec (IEEE 802.1AE) IP Core


Introduction

XIP1211B from Xiphera is a balanced [1] Intellectual Property (IP) core implementing the MACsec protocol as standardized in IEEE Std 802.1AE-2018.

The MACsec protocol defines a security infrastrucure for Layer 2 (as per the OSI model) traffic by assuring that a received frame has been sent by a transmitting station that claimedto send it. Furthermore, the traffic between stations is both encrypted to provide data confidentiality and authenticated to provide data integrity.

XIP1211B uses Advanced Encryption Standard with 128 bits long key in Galois Counter Mode (AES-GCM) to protect data confidentiality, data integrity, and data origin authentication. The cipher suite is denoted either as GCM-AES-XPN-128 if the eXtended Packet Numbering (XPN) [2] is in use, or as GCM-AES-XPN-128 if XPN is not in use. Both GCM-AES-128 and GCM-AES-XPN-128 use Xiphera’s IP core XIP1111B as the underlying building block for AES-GCM.

XIP1211B is best suited for traffic on 1 Gbps links, and can be deployed using low-cost FPGA families. XIP1211B can also in selected cases be retrofitted to existing FPGA designs without requiring a board re-spin, either if there are enough FPGA resources available or if a pin-compatible FPGA with additional resources can be used.

Key management (including key exchange) lies outside the scope of 802.1AE, and hence the functionality of XIP1211B is based on the assumption that key management is performed by externally to XIP1211B. XIP1211B has been designed for easy integration with FPGA- and ASIC-based designs in a vendor-agnostic design methodology, and the functionality of XIP1211B does not rely on any FPGA manufacturer-specific features.

Key features

  • Moderate resource requirements: The entire XIP1211B requires less than 12500 Adaptive Lookup Modules (ALMs) (Intel® Cyclone® V), and does not require any multipliers or DSPB locks in a typical FPGA implementation.
  • Performance: XIP1211B achieves a throughput in the Gbps range [3], for example up to 2.2 Gbps in Xilinx® Artix®-7 family.
  • Standard Compliance: XIP1211B is fully compliant with the MACsec protocol as standardized in IEEE Std 802.1AE-2018. The cipher suite (GCM-AES-128 or GCM-AES-XPN-128) is fully compliant with the Advanced Encryption Algorithm (AES) standard, as well as with the Galois Counter Mode (GCM) standard.
  • Test Vector Compliance: XIP1211B passes the relevant test vectors specified in Annex C of IEEE Std 802.1AE-2018.
  • 32-bit FIFO Interfaces ease the integration of XIP1211B with other FPGA logic and/or control software.

Functionality

The functionality of XIP1211B is divided into the transmit (Tx) and receive (Rx) datapaths, which operate independently of each other. The underlying cipher suite GCM-AES-(XPN)-128 is consequently instantiated twice, both for the Rx and Tx datapaths.

MACsec operation is based on the concepts of unidirectional Secure Channels (SC) and Security Associations (SA) within each channel. Each SA uses its own Secure Association Key (SAK); establishing and managing keys is not part of the MACsec standard.

A high-level functionality of the Tx datapath includes the SAK key lookup based on the Association Number (AN) [4] value. Additionally, a monotonically increasing Packet Number (PN) [5] is calculated, and this will be used as the Initialization Vector (IV) by the cipher suite.

The cipher suite in the transmit datapath of XIP1211B operates in the encryption and Integrity Check Value (ICV) calculation mode, meaning that it encrypts the incoming plaintext blocks into ciphertext blocks, and additionally calculates a 128 bits long ICV value from both the incoming plaintext and associated data. The original Ethernet frame is updated by addinga Security Tag (SecTAG) [6] starting with the MACsec type (0x88E5), encrypting the original EtherType with the payload, and appending the calculated ICV to the end of the original message.

After receiving an incoming MACsec frame, the first functionality of the Rx datapath is the SAK key [7] lookup. After the right SAK has been identified, the cipher suite in the receive path of XIP1211B operates in the decryption and tag validity checking mode. This means that the cipher suite decrypts the incoming ciphertext blocks into plaintext blocks, and validates the received ICV by calculating the ICV from the incoming ciphertext and associated data blocks and comparing the resulting value with the received ICV value. As defined by the GCM mode of operation, associated data is included in the ICV calculation. If the ICV checking is successful, the receive datapath returns the original frame by removing the SecTAG and ICV,and replacing the MACsec type with the original EtherType.

XIP1211B also supports the bypass mode, where an incoming packet passes through the XIP1211B unaltered.


For more technical and commercial details, including FPGA resources & peak performance as well as ordering instructions, open the full product brief in PDF. Contact us by sending and email to email_career.png, and we’ll get back to you as soon as possible.

Open full product brief

Block diagram

Figure 1: Internal high-level block diagram of XIP1211B

Figure 1: Internal high-level block diagram of XIP1211B.

Footnotes

[1] Xiphera’s balanced (denoted by ’B’ at the end of the ordering code) IP cores strike a balanced compromise between performance and FPGA resource usage.

[2] The eXtensible Packet Numbering (XPN), which was added to the MACsec standard in 2013, extends the packet number (PN) to 64 bits from the original 32 bits.

[3] The highest throughput is achieved for long messages.

[4] AN is a two bits long value identifying up to four different SAs within the context of an SC.

[5] PN was originally standardized as 32 bits long, but support for XPN has extended it to 64 bits.

[6] The length of the SecTAG is either 8 or 16 bytes.

[7] The number of SAKs is parameterizable in XIP1211B with the default value being eight (8).


Visit the product family page