SafeXcel IP - MACsec Inline Security Engine
Silicon-proven Intellectual Property (IP) solution for accelerating MACsec security
processing through unique data plane offloading.
Support for cryptographic security has become a basic requirement for many networking
and mobile silicon devices. This creates a challenge for semiconductor designers
who realize that cryptographic security processing needs assistance from dedicated hardware
to achieve the levels of throughput required by today's applications. The SafeXcel
IP MACsec Inline Security Engine takes a significant step beyond traditional hardware
cryptographic acceleration by providing full frame processing and autonomous key
lookup (classification) functionality.
High-Performance MACsec Security Processing
The SafeXcel IP MACsec Inline Security Engine's value lies in its unique ability
to accept frames directly from the Ethernet link, autonomously transforming them
into regular Ethernet frames for handoff to the network layer or switch fabric,
and vice versa. This capability allows the Security Engine to be inserted directly
into any existing frame processing system, without imposing additional processing
burden on other parts of the architecture. By selecting the SafeXcel IP MACsec Inline
Security Engine, the customer can leave all the MACsec-related frame processing
to the SafeNet IP, allowing him to focus on the core functionality of his system.
Embedded Hardware Packet Classification
The SafeXcel IP MACsec Inline Security Engine provides full data plane security
processing at Layer 2. This capability is enabled by the engine’s unique Frame
Classifiers and is not offered by other security IP vendors. Instead of the need
to rely on external classification, i.e. classification performed by another processor,
the SafeXcel IP MACsec Inline Security Engine includes hardware assist for this
time-consuming task. For every packet, the Frame Classifiers perform a sanity check,
decide how the packet needs to be processed (either by the host processor or by
the MACsec Packet Engine) or whether it needs to be discarded (filtering), and take
care of the associated administration, such as transform and flow information updates.
The Frame Classifiers autonomously instruct the MACsec Packet Engine which operations
need to be performed on the packet.
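The per-frame decision described above (sanity check, then host path, MACsec engine, or discard) can be modeled in software. The following C code is an added example, not SafeNet's code or the engine's actual logic; it applies the IEEE 802.1AE SecTAG validity rules and a lowest-acceptable-PN replay check, and the names classify, make_frame and rx_sa are hypothetical. It assumes 32-bit packet numbers, a 16-byte ICV, and frames with padding and FCS already removed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { V_BYPASS, V_ENGINE, V_DROP };   /* host path, MACsec engine, discard */

#define ETH_P_MACSEC 0x88E5u   /* MACsec EtherType (IEEE 802.1AE) */
#define TCI_V   0x80u          /* version bit, must be 0 */
#define TCI_ES  0x40u
#define TCI_SC  0x20u          /* 8-byte SCI follows the PN */
#define TCI_SCB 0x10u
#define ICV_LEN 16u            /* default ICV length (assumption) */

struct rx_sa { uint32_t lowest_pn; };  /* hypothetical replay state for one SA */

/* Classify a frame that starts at the destination MAC, padding and FCS removed. */
enum verdict classify(const uint8_t *f, size_t len, const struct rx_sa *sa) {
    if (len < 14) return V_DROP;                                  /* runt */
    if (((f[12] << 8) | f[13]) != ETH_P_MACSEC) return V_BYPASS;  /* no SecTAG */
    if (len < 20 + ICV_LEN) return V_DROP;        /* MACs + 8-byte SecTAG + ICV */
    uint8_t tci = f[14], sl = f[15];
    if (tci & TCI_V) return V_DROP;                               /* bad version */
    if ((tci & TCI_SC) && (tci & (TCI_ES | TCI_SCB))) return V_DROP; /* ES/SCB exclude SC */
    if (sl >= 48) return V_DROP;                  /* SL is 0 or 1..47 */
    size_t hdr = 20 + ((tci & TCI_SC) ? 8 : 0);
    if (len < hdr + ICV_LEN) return V_DROP;
    size_t data = len - hdr - ICV_LEN;            /* secure data octets */
    if (sl ? data != sl : data < 48) return V_DROP;   /* SL must match length */
    uint32_t pn = ((uint32_t)f[16] << 24) | ((uint32_t)f[17] << 16) |
                  ((uint32_t)f[18] << 8) | f[19];
    if (pn == 0 || pn < sa->lowest_pn) return V_DROP; /* invalid or replayed PN */
    return V_ENGINE;                              /* ICV is verified by the engine */
}

/* Build a constructed test frame (zeroed addresses, data and ICV); returns its length. */
size_t make_frame(uint8_t *buf, uint8_t tci, uint8_t sl, uint32_t pn, size_t data) {
    size_t hdr = 20 + ((tci & TCI_SC) ? 8 : 0);
    memset(buf, 0, hdr + data + ICV_LEN);
    buf[12] = 0x88; buf[13] = 0xE5; buf[14] = tci; buf[15] = sl;
    buf[16] = (uint8_t)(pn >> 24); buf[17] = (uint8_t)(pn >> 16); buf[18] = (uint8_t)(pn >> 8); buf[19] = (uint8_t)pn;
    return hdr + data + ICV_LEN;
}

int main(void) {
    uint8_t buf[128]; struct rx_sa sa = { 100 };
    size_t n = make_frame(buf, TCI_SC, 2, 150, 2);   /* constructed sample frame */
    return classify(buf, n, &sa) == V_ENGINE ? 0 : 1;
}
```

Frames that pass classification still require ICV verification with the SA key before their contents can be trusted; the classifier only decides where the frame goes.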
Integrated Software Support for MACsec
Integrated software support is increasingly becoming a critical success factor for
complex SoCs in general and MACsec solutions in particular. SoC vendors and their
partners need to be able to provide complete platforms to the OEMs, consisting of
integrated hardware and software. In line with this trend, hardware security functionality
in an SoC needs to be supported by state-of-the-art software in order to make the
SoC successful in its market. The SafeXcel IP MACsec Inline Security Engine has
been designed to work seamlessly with SafeNet’s QuickSec/MACsec toolkit. The
MACsec toolkit’s advanced architecture allows data plane processing to be
offloaded to an SoC’s MACsec Inline Security Engine, thereby maximizing application
performance. The toolkit also enforces policies upon the Frame Classifier as part
of its control plane functionality. This integration of the MACsec software on your
SoC will create an excellent value proposition to your customers.
Features
- Allows direct connection to Ethernet MAC; no external host interaction required
to determine key material etc.
- Performs MACsec frame transforms, including AES-GCM encryption and:
  - SecTAG insertion and removal
  - ICV checking/removal and calculation/insertion
  - Sequence number checking
- Decoupled control and data plane operation
- Low latency
- Supports 5-stage pipeline, allowing the core to accept frame data back-to-back
- Supports multiple ports, SecY's and Security Channels simultaneously
- Built-in MACsec metering (statistics etc)
- Built-in functionality for deciding, and acting on, forwarding, pass, drop, encrypt
or decrypt operation, at full line rates
- Classification capability beyond Layer 2; classification can include other packet
fields, which can be particularly useful for implementing policy decisions on egress
frames (packets to be sent out onto the wire)
- Capable of servicing a full duplex 10 Gbps Ethernet connection at a clock speed
of 250 MHz, even for the smallest frame sizes
- Multiple speed grades available with core speed up to 24 Gbps at maximum clock speed
- No external SDRAM or CAM required
- Fully supported by the MACsec toolkit!
Cryptography support
Deliverables
- Synthesizable Verilog RTL source code
- RTL test bench
- Simulation script
- Synthesis script
- User documentation
- Driver software
Benefits
- Includes Hardware Frame Classification
- Superior throughput across all packet sizes
- Integrated with MACsec software toolkit
- Easy to integrate
- Flexible, modular architecture
- High degree of integration
- World-class support