XIP1213H from Xiphera is a high-speed  Intellectual Property (IP) core implementing the MACsec protocol as standardized in IEEE Std 802.1AE-2018.
The MACsec protocol defines a security infrastrucure for Layer 2 (as per the OSI model) traffic by assuring that a received frame has been sent by a transmitting station that claimed to send it. Furthermore, the traffic between stations is both encrypted to provide data confidentiality and authenticated to provide data integrity.
XIP1213H uses Advanced Encryption Standard with 256 bits long key in Galois Counter Mode (AES-GCM) to protect data confidentiality, data integrity, and data origin authentication. The cipher suite is denoted either as GCM-AES-XPN-256 if the eXtended Packet Numbering (XPN)  is in use, or as GCM-AES-XPN-256 if XPN is not in use. Both GCM-AES-256 and GCM-AES-XPN-256 use Xiphera’s IP core XIP1113H as the underlying building block for AES-GCM.
XIP1213H is best suited for traffic on 10/25/40 Gbps links . XIP1213H can also in selected cases be retrofitted to existing FPGA designs without requiring a board re-spin, either if there are enough FPGA resources available or if a pin-compatible FPGA with additional resources can be used.
Key management (including key exchange) lies outside the scope of 802.1AE, and hence the functionality of XIP1213H is based on the assumption that key management is performed by externally to XIP1213H.
XIP1213H has been designed for easy integration with FPGA- and ASIC-based designs in a vendor-agnostic design methodology, and the functionality of XIP1213H does not rely on any FPGA manufacturer-specific features.
The functionality of XIP1213H is divided into the transmit (Tx) and receive (Rx) datapaths, which operate independently of each other. The underlying cipher suite GCM-AES-(XPN)-256 is consequently instantiated twice, both for the Rx and Tx datapaths.
MACsec operation is based on the concepts of unidirectional Secure Channels (SC) and Security Associations (SA) within each channel. Each SA uses its own Secure Association Key (SAK); establishing and managing keys is not part of the MACsec standard.
A high-level functionality of the Tx datapath (See also Figure 1) includes the SAK key lookup based on the Association Number (AN)  value. Additionally, a monotonically increasing Packet Number (PN)  is calculated, and this will be used as the Initialization Vector (IV) by the cipher suite.
The cipher suite in the transmit datapath of XIP1213H operates in the encryption and Integrity Check Value (ICV) calculation mode, meaning that it encrypts the incoming plaintext blocks into ciphertext blocks, and additionally calculates a 128 bits long ICV value from both the incoming plaintext and associated data. The original Ethernet frame is updated by adding a Security Tag (SecTAG)  starting with the MACsec type (0x88E5), encrypting the original EtherType with the payload, and appending the calculated ICV to the end of the original message.
After receiving an incoming MACsec frame, the first functionality of the Rx datapath is the SAK key  lookup. After the right SAK has been identified, the cipher suite in the receive path of XIP1213H operates in the decryption and tag validity checking mode. This means that the cipher suite decrypts the incoming ciphertext blocks into plaintext blocks, and validates the received ICV by calculating the ICV from the incoming ciphertext and associated data blocks and comparing the resulting value with the received ICV value. As defined by the GCM mode of operation, associated data is included in the ICV calculation. If the ICV checking is successful, the receive datapath returns the original frame by removing the SecTAG and ICV, and replacing the MACsec type with the original EtherType.
XIP1213H also supports the bypass mode, where an incoming packet passes through the XIP1213H unaltered.
For more technical and commercial details, including FPGA resources & peak performance as well as ordering instructions, open the full product brief in PDF. Contact us by sending and email to , and we’ll get back to you as soon as possible.
Figure 1: Internal high-level block diagram of XIP1213H
 Xiphera’s high-speed (denoted by ’H’ at the end of the ordering code) IP cores are designed to maximize the achievable FPGA performance.
 The eXtensible Packet Numbering (XPN), which was added to the MACsec standard in 2013, extends the packet number (PN) to 64 bits from the original 32 bits.
 The maximum achievable linerate depends on the FPGA.
 The highest throughput is achieved for long messages.
 AN is a two bits long value identifying up to four different SAs within the context of an SC.
 PN was originally standardized as 32 bits long, but support for XPN has extended it to 64 bits.
 The length of the SecTAG is either 8 or 16 bytes.
 The number of SAKs is parameterizable in XIP1213H with the default value being eight (8).
Xiphera Ltd © 2021