We have detected your current browser version is not the latest one. Xilinx.com uses the latest web technologies to bring you the best online experience possible. Please upgrade to a Xilinx.com supported browser:Chrome, Firefox, Internet Explorer 11, Safari. Thank you!

Showing results for 
Search instead for 
Did you mean: 

MACsec IP for FPGAs Improves Data Center Security

Xilinx Employee
Xilinx Employee
0 0 37.5K

(Excerpted and adapted from the latest issue of Xcell Journal)


By Paul Dillien and Tom Kean, PhD


An obvious tactic for protecting information is to encrypt data as it transits the network and moves around the data center. Encryption ensures that, should the data be intercepted by an unauthorized party sniffing the link, it cannot be read. Ideally, too, the data should be authenticated to ensure its integrity. Message authentication is designed to detect where the original encrypted data has been altered, either by means of a transmission error or from being maliciously tampered with by an attacker seeking to gain an advantage.


The popularity of the Ethernet standard has driven down costs, making it even more attractive, and this virtuous circle ensures the continuance of Ethernet as the Layer 2 technology of choice. However, up until a few years ago, the specification did not include any encryption, leaving the job to technologies such as IPsec that operate in the upper layers of the communications protocol stack.


Now, a new extension to Ethernet adds a raft of security measures, under the specification IEEE 802.1AE. Specified a few years ago, this technology features an integrated security system that encrypts and authenticates messages while also detecting and defeating a range of attacks on the network. The specification is known as the Media Access Control Security standard, or more commonly as MACsec, and Algotronix set out several years ago to produce IP cores that provide hardware-accelerated encryption over a range of data rates. (Algotronix also supplies an intellectual-property core for IPsec that has a very similar interface to the MACsec product and would be a good choice in systems that need to support both standards.)


The concept of MACsec is that nodes on a network form a set of trusted entities. Each node can receive both encrypted and plaintext messages, and the system policy can dictate how each is handled. The core includes a bypass option for plaintext messages, which are not authenticated or verified. Unlike protocols such as IPsec, which operates at Layer 3/4 and is an end-to-end technology, MACsec decrypts and verifies each packet whenever a packet enters or leaves an Ethernet LAN.


The reason that data centers might choose to use Layer 2 connectivity for moving packets inside the center is to achieve high speed with a minimum of latency and overhead data in the packet. By contrast, in communications using secure Layer 3 technologies such as IPsec, the message has to be passed up the stack for processing, with added latency. A Layer 2 solution also eliminates the complexities of creating Layer 3 security policies. Data centers can adopt MACsec to provide protection behind the firewall or use it on direct links between data centers.


A customizable FPGA solution is ideal for MACsec, as the market is fragmented by differing requirements. It was a natural evolution for Algotronix to develop a MACsec core, because we had already created a range of crypto engines called AES-GCM. These cores operate at 1G, 10G and 40G. We achieved that speed by pipelining, increasing the clock speed and moving progressively from, say, Xilinx Artix to Kintex devices and then on to Virtex FPGAs. We are adopting these techniques to push the throughput to 100G on Virtex UltraScale devices.


The performance we can achieve using an IP core in an FPGA is selectable to support anywhere from Gigabit Ethernet to 10 GbE (that is, the actual throughput through the core under worst-case conditions), with 40G and 100G versions planned. This is much faster than a software-based system could achieve. The cores are normally connected directly to the hardware MAC, as shown in Figure 1, because software on the embedded processor on the FPGA chip can struggle to transfer data fast enough to handle their throughput. If the security functions are implemented in hardware and additionally, unencrypted keys are never available to software, then the system is less vulnerable to common software-based attacks such as Trojan horses and viruses.



Algotronix MACsec IP Core.jpg



Another important consideration is the dramatic power saving in systems where FPGAs accelerate algorithms such as cryptographic functions that would otherwise be implemented in software. FPGAs are dramatically more power efficient than a software solution.



This blog is an excerpt. To read the full article in the latest issue of Xcell Journal, click here.