Decryption Ingress Per-Port Interface Signal Descriptions - 1.0 English

Versal Adaptive SoC Integrated 400G High Speed Channelized Cryptography Engine Subsystem Product Guide (PG372)

Document ID: PG372
Release Date: 2024-01-30
Version: 1.0 English
Table 1. Decryption Ingress Per-Port Interface Signal Descriptions
Port Name Clock Domain I/O Description
dec_igr_prtif_crypto_auth_only_p0 dec_igr_axis_clk I PortIF Ingress Decryption Authenticate Only: This is the authentication-only control signal for the non-bypass packet which starts on segment 0 or 1. When it is set to 1, the decryption core only performs authentication on the packet. When this signal is not set, both decryption and authentication are performed. This output is only valid during the start of packet for non-bypass packets and its value should be ignored for bypass packets. This signal is valid for MACsec, IPsec, and BulkCrypto modes. This signal must be set to 0 in BulkECB mode.
dec_igr_prtif_crypto_auth_only_p1 dec_igr_axis_clk I PortIF Ingress Decryption Authenticate Only: This is the authentication-only control signal for the non-bypass packet which starts on segment 2 or 3. See description for enc_igr_prtif_crypto_auth_only_p0 for more details.
dec_igr_prtif_crypto_auth_only_p2 dec_igr_axis_clk I PortIF Ingress Decryption Authenticate Only: This is the authentication-only control signal for the non-bypass packet which starts on segment 4 or 5. See description for enc_igr_prtif_crypto_auth_only_p0 for more details.
dec_igr_prtif_crypto_auth_only_p3 dec_igr_axis_clk I PortIF Ingress Decryption Authenticate Only: This is the authentication-only control signal for the non-bypass packet which starts on segment 6 or 7. See description for enc_igr_prtif_crypto_auth_only_p0 for more details.
dec_igr_prtif_crypto_byp_p0 dec_igr_axis_clk I PortIF Ingress Decryption Bypass Enable:

This is the bypass enable signal for the packet which starts on segment 0 or 1. When this signal is set, the packet bypasses the decryption and authentication functions and passes through the decryption core unchanged. The decryption core only samples this input during the start of packet. This signal is valid for all crypto modes.

dec_igr_prtif_crypto_byp_p1 dec_igr_axis_clk I PortIF Ingress Decryption Bypass Enable:

This is the bypass enable signal for the packet which starts on segment 2 or 3. See description for dec_igr_prtif_crypto_byp_p0 for more details.

dec_igr_prtif_crypto_byp_p2 dec_igr_axis_clk I PortIF Ingress Decryption Bypass Enable: This is the bypass enable signal for the packet which starts on segment 4 or 5. See description for dec_igr_prtif_crypto_byp_p0 for more details.
dec_igr_prtif_crypto_byp_p3 dec_igr_axis_clk I PortIF Ingress Decryption Bypass Enable:

This is the bypass enable signal for the packet which starts on segment 6 or 7. See description for dec_igr_prtif_crypto_byp_p0 for more details.

dec_igr_prtif_crypto_cipher_suite_p0[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Ciphersuite Select:

This signal selects the CipherSuite for the packet which starts on segment 0 or 1. The encoding is as follows:

  • 2'h0: GCM-AES-128 (GCM-AES-ESP-128 in IPsec mode)
  • 2'h1: GCM-AES-256 (GCM-AES-ESP-256 in IPsec mode)
  • 2'h2: GCM-AES-XPN-128 (GCM-AES-ESP-ESN-128 in IPsec mode)
  • 2'h3: GCM-AES-XPN-256 (GCM-AES-ESP-ESN-256 in IPsec mode)
The signal also indicates whether or not the Security Association uses 64-bit packet numbering. The decryption block samples this input only during the start of packet. This signal is valid for MACsec, IPsec, BulkCrypto, and BulkECB modes. For BulkCrypto and BulkECB, only values 0 and 1 are supported.
dec_igr_prtif_crypto_cipher_suite_p1[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Ciphersuite Select:

This signal selects the CipherSuite for the packet which starts on segment 2 or 3. For more details, see description for dec_igr_prtif_crypto_cipher_suite_p0[1:0].

dec_igr_prtif_crypto_cipher_suite_p2[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Ciphersuite Select:

This signal selects the CipherSuite for the packet which starts on segment 4 or 5. For more details, see description for dec_igr_prtif_crypto_cipher_suite_p0[1:0].

dec_igr_prtif_crypto_cipher_suite_p3[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Ciphersuite Select:

This signal selects the CipherSuite for the packet which starts on segment 6 or 7. For more details, see description for dec_igr_prtif_crypto_cipher_suite_p0[1:0].

dec_igr_prtif_crypto_conf_offset_p0[5:0] dec_igr_axis_clk I PortIF Ingress Decryption Confidentiality Offset:

This is the byte offset at which the encrypted payload starts for the packet which starts on segment 0 or 1. This signal is only valid for MACsec, BulkCrypto, and BulkECB modes. In MACsec, the offset value specifies the number of bytes after the end of the SecTAG that are only integrity protected and not encrypted. The valid offset values for MACsec are 0, 30, and 50; other values are treated as 0. In BulkCrypto and BulkECB the offset value specifies the number of bytes from the beginning of the packet that are only integrity protected and not encrypted. The valid offset values for BulkCrypto and BulkECB are from 0 to 63. The decryption block samples this input only during the start of packet.

dec_igr_prtif_crypto_conf_offset_p1[5:0] dec_igr_axis_clk I PortIF Ingress Decryption Confidentiality Offset:

This is the byte offset at which the encrypted payload starts for the packet which starts on segment 2 or 3. For more details, see description for dec_igr_prtif_crypto_conf_offset_p0[5:0].

dec_igr_prtif_crypto_conf_offset_p2[5:0] dec_igr_axis_clk I PortIF Ingress Decryption Confidentiality Offset:

This is the byte offset at which the encrypted payload starts for the packet which starts on segment 4 or 5. For more details, see description for dec_igr_prtif_crypto_conf_offset_p0[5:0].

dec_igr_prtif_crypto_conf_offset_p3[5:0] dec_igr_axis_clk I PortIF Ingress Decryption Confidentiality Offset:

This is the byte offset at which the encrypted payload starts for the packet which starts on segment 6 or 7. For more details, see description for dec_igr_prtif_crypto_conf_offset_p0[5:0].

dec_igr_prtif_crypto_icv_p0[127:0] dec_igr_axis_clk I PortIF Ingress Decryption ICV:

This signal indicates the ICV for the ingress packet which ends on segment 0 or 1 in BulkCrypto mode. Byte 0 of the ICV is mapped to bits [127:120] and byte 15 is mapped to bits [7:0] of this signal.

In MACsec and IPsec mode, this port is reused for the following signals for the packet which starts on segment 0 or 1:

Bits [31:0]: MACsec SSCI for extended packet numbering.

Bits [63:32]: Upper 32 bits (bits [63:32]) of the packet number for MACsec and IPsec packets associated with external SAs when extended packet numbering is used.

Bits [95:64]: 32-bit replay window size for MACsec and IPsec for internal SAs.

dec_igr_prtif_crypto_icv_p1[127:0] dec_igr_axis_clk I PortIF Ingress Decryption ICV:

This signal indicates the ICV for the ingress packet which ends on segment 2 or 3 in BulkCrypto mode. Byte 0 of the ICV is mapped to bits [127:120] and byte 15 is mapped to bits [7:0] of this signal.

In MACsec and IPsec mode, this port is reused for the following signals for the packet which starts on segment 2 or 3:

Bits [31:0]: MACsec SSCI for extended packet numbering.

Bits [63:32]: Upper 32 bits (bits [63:32]) of the packet number for MACsec and IPsec packets associated with external SAs when extended packet numbering is used.

Bits [95:64]: 32-bit replay window size for MACsec and IPsec for internal SAs.

dec_igr_prtif_crypto_icv_p2[127:0] dec_igr_axis_clk I PortIF Ingress Decryption ICV:

This signal indicates the ICV for the ingress packet which ends on segment 4 or 5 in BulkCrypto mode. Byte 0 of the ICV is mapped to bits [127:120] and byte 15 is mapped to bits [7:0] of this signal.

In MACsec and IPsec mode, this port is reused for the following signals for the packet which starts on segment 4 or 5:

Bits [31:0]: MACsec SSCI for extended packet numbering.

Bits [63:32]: Upper 32 bits (bits [63:32]) of the packet number for MACsec and IPsec packets associated with external SAs when extended packet numbering is used.

Bits [95:64]: 32-bit replay window size for MACsec and IPsec for internal SAs.

dec_igr_prtif_crypto_icv_p3[127:0] dec_igr_axis_clk I PortIF Ingress Decryption ICV:

This signal indicates the ICV for the ingress packet which ends on segment 6 or 7 in BulkCrypto mode. Byte 0 of the ICV is mapped to bits [127:120] and byte 15 is mapped to bits [7:0] of this signal.

In MACsec and IPsec mode, this port is reused for the following signals for the packet which starts on segment 6 or 7:

Bits [31:0]: MACsec SSCI for extended packet numbering.

Bits [63:32]: Upper 32 bits (bits [63:32]) of the packet number for MACsec and IPsec packets associated with external SAs when extended packet numbering is used.

Bits [95:64]: 32-bit replay window size for MACsec and IPsec for internal SAs.

dec_igr_prtif_crypto_iv_salt_p0[95:0] dec_igr_axis_clk I PortIF Ingress Decryption IV / Salt:

This input provides information used by the GCM-AES algorithm in the various crypto modes for the packet that starts on segment 0 or 1.

In BulkCrypto mode, it represents the Initialization Vector (nonce) for GCM-AES. Byte 0 of the IV is mapped to bits [95:88] and byte 11 is mapped to bits [7:0].

In MACsec mode, this signal represents the 96-bit Salt value for GCM-AES when 64-bit packet numbering is used. Byte 0 of the salt is mapped to bits [95:88] and byte 11 is mapped to bits [7:0]. When 32-bit packet numbering is used with 8-byte SecTAG length, you must provide the value of SCI through bits [63:0] of this signal.

In IPsec mode, bits [95:64] of this signal represent the 32-bit Salt value which is used along with the IV (which is extracted from the ESP packet) to form the nonce value for the GCM-AES algorithm. Byte 0 of the salt is mapped to bits [95:88] and byte 3 is mapped to bits [71:64].

The decryption block only samples this input during the start of packet.

dec_igr_prtif_crypto_iv_salt_p1[95:0] dec_igr_axis_clk I PortIF Ingress Decryption IV / Salt:

This input provides information used by the GCM-AES algorithm in the various crypto modes for the packet that starts on segment 2 or 3. See description for dec_igr_prtif_crypto_iv_salt_p0 for more details.

dec_igr_prtif_crypto_iv_salt_p2[95:0] dec_igr_axis_clk I PortIF Ingress Decryption IV / Salt:

This input provides information used by the GCM-AES algorithm in the various crypto modes for the packet that starts on segment 4 or 5. See description for dec_igr_prtif_crypto_iv_salt_p0 for more details.

dec_igr_prtif_crypto_iv_salt_p3[95:0] dec_igr_axis_clk I PortIF Ingress Decryption IV / Salt:

This input provides information used by the GCM-AES algorithm in the various crypto modes for the packet that starts on segment 6 or 7. See description for dec_igr_prtif_crypto_iv_salt_p0 for more details.

dec_igr_prtif_crypto_mode_p0[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Mode:
This input identifies the crypto algorithm used for port 0. The encoding is as follows:
  • 2'b00 = MACsec
  • 2'b01 = IPsec
  • 2'b10 = BulkCrypto
  • 2'b11 = BulkECB
In fixed port mode, the crypto mode must be fixed for each port and cannot change per packet. You need to flush the port before changing the crypto mode for a port. In channelized mode, the crypto mode is configurable on a per-channel basis using dec_igr_prtif_crypto_mode_p0 (Port 0) input and it must be valid during all calendar entries for each channel. The crypto mode for a channel cannot change without a channel flush in channelized mode. Unlike other prtif signals, crypto mode is not qualified by enc/dec_igr_axis_tvalid_<3-0>, enc/dec_igr_axis_tuser_ena<7-0>, enc/dec_igr_axis_tuser_sop<7-0>, and so on.
dec_igr_prtif_crypto_mode_p1[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Mode:

This input identifies the crypto algorithm used for Port 1 in 100G Fixed Port mode. For more details, see description for dec_igr_prtif_crypto_mode_p0[1:0].

dec_igr_prtif_crypto_mode_p2[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Mode:

This input identifies the crypto algorithm used for Port 2 in 100G or 200G Fixed Port mode. For more details, see description for dec_igr_prtif_crypto_mode_p0[1:0].

dec_igr_prtif_crypto_mode_p3[1:0] dec_igr_axis_clk I PortIF Ingress Decryption Mode:

This input identifies the crypto algorithm used for Port 3 in 100G Fixed Port mode. For more details, see description for dec_igr_prtif_crypto_mode_p0[1:0].

dec_igr_prtif_crypto_replay_prot_en_p0 dec_igr_axis_clk I PortIF Ingress Decryption Replay Protection Enable: This is the replay protection enable signal for the packet that starts on segment 0 or 1. When asserted, this input enables replay protection in IPsec and MACsec modes. The decryption block samples this input only during the start of packet. This input is not used in BulkCrypto or BulkECB modes.
dec_igr_prtif_crypto_replay_prot_en_p1 dec_igr_axis_clk I PortIF Ingress Decryption Replay Protection Enable: This is the replay protection enable signal for the packet which starts on segment 2 or 3. See description for dec_igr_prtif_crypto_replay_prot_en_p0 for more details.
dec_igr_prtif_crypto_replay_prot_en_p2 dec_igr_axis_clk I PortIF Ingress Decryption Replay Protection Enable: This is the replay protection enable signal for the packet which starts on segment 4 or 5. See description for dec_igr_prtif_crypto_replay_prot_en_p0 for more details.
dec_igr_prtif_crypto_replay_prot_en_p3 dec_igr_axis_clk I PortIF Ingress Decryption Replay Protection Enable: This is the replay protection enable signal for the packet which starts on segment 6 or 7. See description for dec_igr_prtif_crypto_replay_prot_en_p0 for more details.
dec_igr_prtif_crypto_sa_index_p0[19:0] dec_igr_axis_clk I PortIF Ingress Decryption SA index:

This signal represents the Security Association (SA) Index for the packet which starts on segment 0 or 1. This is provided by the user after processing the header. The SA index values from 0 to 1023 are allocated to internal SAs. The SA index is used as the index to internal tables storing AES keys and statistics/error counters. When the core is configured to support 4 SAs per SC, bits [19:2] represent the SC number; otherwise, bits [19:1] are used as the SC number when the core is configured to support 2 SAs per SC. The decryption block samples this input only during the start of packet. This signal is valid for all crypto modes.

dec_igr_prtif_crypto_sa_index_p1[19:0] dec_igr_axis_clk I PortIF Ingress Decryption SA index:

This signal represents the Security Association (SA) Index for the packet which starts on segment 2 or 3. For more details, see description for dec_igr_prtif_crypto_sa_index_p0[19:0].

dec_igr_prtif_crypto_sa_index_p2[19:0] dec_igr_axis_clk I PortIF Ingress Decryption SA index:

This signal represents the Security Association (SA) Index for the packet which starts on segment 4 or 5. For more details, see description for dec_igr_prtif_crypto_sa_index_p0[19:0].

dec_igr_prtif_crypto_sa_index_p3[19:0] dec_igr_axis_clk I PortIF Ingress Decryption SA index:

This signal represents the Security Association (SA) Index for the packet which starts on segment 6 or 7. For more details, see description for dec_igr_prtif_crypto_sa_index_p0[19:0].

dec_igr_prtif_crypto_spare_in_p0[31:0] dec_igr_axis_clk I PortIF Ingress Decryption Spare Inputs:

These inputs can be used to propagate sideband signals through the decryption pipeline for the packet which starts on segment 0 or 1. The decryption block samples this input during the start of packet. The data on these inputs is carried through the decryption pipeline and delivered on the corresponding spare_out outputs, during the start of packet. This signal is valid for all crypto modes.

dec_igr_prtif_crypto_spare_in_p1[31:0] dec_igr_axis_clk I PortIF Ingress Decryption Spare Inputs:

These inputs can be used to propagate sideband signals through the decryption pipeline for the packet which starts on segment 2 or 3. For more details, see description for dec_igr_prtif_crypto_spare_in_p0[31:0].

dec_igr_prtif_crypto_spare_in_p2[31:0] dec_igr_axis_clk I PortIF Ingress Decryption Spare Inputs:

These inputs can be used to propagate sideband signals through the decryption pipeline for the packet which starts on segment 4 or 5. For more details, see description for dec_igr_prtif_crypto_spare_in_p0[31:0].

dec_igr_prtif_crypto_spare_in_p3[31:0] dec_igr_axis_clk I PortIF Ingress Decryption Spare Inputs:

These inputs can be used to propagate sideband signals through the decryption pipeline for the packet which starts on segment 6 or 7. For more details, see description for dec_igr_prtif_crypto_spare_in_p0[31:0].

dec_igr_prtif_crypto_zlen_p0 dec_igr_axis_clk I PortIF Ingress Encryption Zero-length payload:

This input must be set to 0.

dec_igr_prtif_crypto_zlen_p1 dec_igr_axis_clk I PortIF Ingress Encryption Zero-length:

This input must be set to 0.

dec_igr_prtif_crypto_zlen_p2 dec_igr_axis_clk I PortIF Ingress Encryption Zero-length:

This input must be set to 0.

dec_igr_prtif_crypto_zlen_p3 dec_igr_axis_clk I PortIF Ingress Encryption Zero-length:

This input must be set to 0.

dec_igr_prtif_ext_key_p0[255:0] dec_igr_axis_clk I PortIF Ingress Decryption External GCM-AES Key:

Specifies the GCM-AES key corresponding to the packet which starts on segment 0 or 1 and associated with external SAs (that is, SA index values greater than or equal to 1024). The decryption block samples this input during the start of packet. This signal is valid for all crypto modes. For 256-bit keys, byte 0 is mapped to bits [255:248] and byte 31 is mapped to bits [7:0]. For 128-bit keys, byte 0 is mapped to bits [127:120] and byte 15 is mapped to bits [7:0].

dec_igr_prtif_ext_key_p1[255:0] dec_igr_axis_clk I PortIF Ingress Decryption External GCM-AES Key:

Specifies the GCM-AES key corresponding to the packet which starts on segment 2 or 3 and associated with external SAs. For more details, see description for dec_igr_prtif_ext_key_p0[255:0].

dec_igr_prtif_ext_key_p2[255:0] dec_igr_axis_clk I PortIF Ingress Decryption External GCM-AES Key:

Specifies the GCM-AES key corresponding to the packet which starts on segment 4 or 5 and associated with external SAs. For more details, see description for dec_igr_prtif_ext_key_p0[255:0].

dec_igr_prtif_ext_key_p3[255:0] dec_igr_axis_clk I PortIF Ingress Decryption External GCM-AES Key:

Specifies the GCM-AES key corresponding to the packet which starts on segment 6 or 7 and associated with external SAs. For more details, see description for dec_igr_prtif_ext_key_p0[255:0].

dec_igr_prtif_macsec_sa_in_use_p0 dec_igr_axis_clk I PortIF Ingress Decryption SA inUse Indication:

This input reflects the setting of the inUse flag for the SA associated with the packet that starts on segment 0 or 1. The decryption block samples this input only during the start of packet. This signal is only valid for MACsec mode.

dec_igr_prtif_macsec_sa_in_use_p1 dec_igr_axis_clk I PortIF Ingress Decryption SA inUse Indication:

This input reflects the setting of the inUse flag for the SA associated with the packet that starts on segment 2 or 3. For more details, see description for dec_igr_prtif_macsec_sa_in_use_p0.

dec_igr_prtif_macsec_sa_in_use_p2 dec_igr_axis_clk I PortIF Ingress Decryption SA inUse Indication:

This input reflects the setting of the inUse flag for the SA associated with the packet that starts on segment 4 or 5. For more details, see description for dec_igr_prtif_macsec_sa_in_use_p0.

dec_igr_prtif_macsec_sa_in_use_p3 dec_igr_axis_clk I PortIF Ingress Decryption SA inUse Indication:

This input reflects the setting of the inUse flag for the SA associated with the packet that starts on segment 6 or 7. For more details, see description for dec_igr_prtif_macsec_sa_in_use_p0.

dec_igr_prtif_macsec_validation_mode_p0[1:0] dec_igr_axis_clk I PortIF Ingress Decryption MACsec Frame Validation Mode:

This indicates the frame validation mode for the SA corresponding to the packet which starts on segment 0 or 1. Frame verification in MACsec is subject to the frame validation mode and the replay protection configurations as described in Section 10.6 of the IEEE 802.1AE-2018 standard. The encoding for the frame validation mode is as follows:

  • 2'h0: Disabled Mode. In this mode the decryption block forwards all untagged packets as well as packets failing the ICV check, without flagging an error. The packets are delivered with SecTAG and ICV removed and payload decrypted (if the E bit in the SecTAG is set).
  • 2'h1: Check Mode. In this mode, packets received without a SecTAG are delivered without flagging an error. All packets received with a SecTAG are checked for integrity and confidentiality protection violations, and a violation causes the error indication to be set. Packets are delivered with SecTAG and ICV removed and payload decrypted (if the E bit in the SecTAG is set).
  • 2'h2: Strict Mode. In this mode, all packets received without a SecTAG are flagged with an error. All packets received with a SecTAG and failing the integrity/confidentiality protection check are also flagged. Packets are delivered with SecTAG and ICV removed and payload decrypted (if the E bit in the SecTAG is set).
  • 2'h3: Reserved.

The decryption block samples this input only during the start of packet. This signal is only valid for MACsec mode.

dec_igr_prtif_macsec_validation_mode_p1[1:0] dec_igr_axis_clk I PortIF Ingress Decryption MACsec Frame Validation Mode:

This indicates the frame validation mode for the SA corresponding to the packet which starts on segment 2 or 3. For more details, see description for dec_igr_prtif_macsec_validation_mode_p0[1:0].

dec_igr_prtif_macsec_validation_mode_p2[1:0] dec_igr_axis_clk I PortIF Ingress Decryption MACsec Frame Validation Mode:

This indicates the frame validation mode for the SA corresponding to the packet which starts on segment 4 or 5. For more details, see description for dec_igr_prtif_macsec_validation_mode_p0[1:0].

dec_igr_prtif_macsec_validation_mode_p3[1:0] dec_igr_axis_clk I PortIF Ingress Decryption MACsec Frame Validation Mode:

This indicates the frame validation mode for the SA corresponding to the packet which starts on segment 6 or 7. For more details, see description for dec_igr_prtif_macsec_validation_mode_p0[1:0].

  1. <N> is the port number 0 to 3 and <M> is the segment number 0 to 7.
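
The per-mode restrictions in Table 1 can be checked in a testbench reference model before the values are driven at start of packet. The Python sketch below is an added example, not code from the product guide or from AMD. The `Sideband` class, its field names (port names with the `dec_igr_prtif_` prefix and `_p<N>` suffix dropped), the helper functions and the split into errors and warnings are assumptions made for illustration.

```python
# Added example (not AMD code): checks one packet's start-of-packet sideband
# values against the rules stated in Table 1.
from dataclasses import dataclass

MACSEC, IPSEC, BULK_CRYPTO, BULK_ECB = 0, 1, 2, 3  # crypto_mode encoding
DISABLED, CHECK, STRICT, RESERVED = 0, 1, 2, 3     # macsec_validation_mode


@dataclass
class Sideband:  # hypothetical container, one instance per packet
    crypto_mode: int
    crypto_cipher_suite: int = 0
    crypto_auth_only: int = 0
    crypto_byp: int = 0
    crypto_conf_offset: int = 0
    crypto_replay_prot_en: int = 1
    crypto_sa_index: int = 0
    crypto_zlen: int = 0
    macsec_validation_mode: int = STRICT


def is_external_sa(sa_index):
    """SA index 0..1023 is internal; 1024 and above takes its key from ext_key."""
    return sa_index >= 1024


def sc_number(sa_index, sas_per_sc):
    """SC number is bits [19:2] with 4 SAs per SC, bits [19:1] with 2."""
    return sa_index >> {4: 2, 2: 1}[sas_per_sc]


def effective_conf_offset(sb):
    """Offset the core applies; invalid MACsec values are treated as 0."""
    if sb.crypto_mode == MACSEC:
        return sb.crypto_conf_offset if sb.crypto_conf_offset in (0, 30, 50) else 0
    if sb.crypto_mode in (BULK_CRYPTO, BULK_ECB):
        return sb.crypto_conf_offset
    return None  # conf_offset is not valid in IPsec mode


def check(sb):
    """Return (errors, warnings): rule violations and security-relevant settings."""
    errors, warnings = [], []
    bulk = sb.crypto_mode in (BULK_CRYPTO, BULK_ECB)
    if sb.crypto_zlen:
        errors.append("crypto_zlen must be 0")
    if not 0 <= sb.crypto_sa_index < 1 << 20:
        errors.append("crypto_sa_index does not fit in 20 bits")
    if not 0 <= sb.crypto_conf_offset <= 63:
        errors.append("crypto_conf_offset does not fit in 6 bits")
    if sb.crypto_mode == BULK_ECB and sb.crypto_auth_only:
        errors.append("crypto_auth_only must be 0 in BulkECB mode")
    if bulk and sb.crypto_cipher_suite > 1:
        errors.append("only cipher suites 0 and 1 are supported in Bulk modes")
    if sb.crypto_byp:
        warnings.append("bypass: packet is neither decrypted nor authenticated")
        return errors, warnings
    if sb.crypto_mode == MACSEC:
        if sb.macsec_validation_mode == RESERVED:
            errors.append("macsec_validation_mode 2'h3 is reserved")
        if sb.macsec_validation_mode == DISABLED:
            warnings.append("Disabled mode: ICV failures forwarded without error")
        if effective_conf_offset(sb) != sb.crypto_conf_offset:
            warnings.append("MACsec conf_offset not 0/30/50: treated as 0")
    if not bulk and not sb.crypto_replay_prot_en:
        warnings.append("replay protection is disabled for this packet")
    return errors, warnings
```

The warnings mark settings that Table 1 permits but that reduce protection (bypass, Disabled validation mode, replay protection off), so a review of the driving logic can confirm each one is intentional.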
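
Byte-order mistakes when loading keys, IVs and salts are a common integration fault, so the bit mappings in the `crypto_icv`, `crypto_iv_salt` and `ext_key` rows are worth encoding once and testing. The following Python helpers are an added example, not code from the product guide or from AMD. The function names are hypothetical, and driving the unused upper bits of `ext_key` to 0 for a 128-bit key is an assumption the table does not state.

```python
# Added example (not AMD code): packs per-packet values into the port words
# using the byte and bit positions given in Table 1.
MACSEC, IPSEC, BULK_CRYPTO, BULK_ECB = 0, 1, 2, 3  # crypto_mode encoding


def _be(data, nbytes, what):
    """Big-endian pack: byte 0 lands in the most significant byte of the field."""
    if data is None or len(data) != nbytes:
        raise ValueError(f"{what} must be exactly {nbytes} bytes")
    return int.from_bytes(data, "big")


def _field(value, bits, what):
    """Range-check an integer field before it is shifted into place."""
    if not 0 <= value < 1 << bits:
        raise ValueError(f"{what} does not fit in {bits} bits")
    return value


def iv_salt_port(mode, *, iv=None, salt=None, sci=None):
    """Value for crypto_iv_salt[95:0] at start of packet."""
    if mode == BULK_CRYPTO:                  # 96-bit IV, byte 0 -> bits [95:88]
        return _be(iv, 12, "BulkCrypto IV")
    if mode == IPSEC:                        # 32-bit salt in bits [95:64]
        return _be(salt, 4, "IPsec salt") << 64
    if mode == MACSEC and salt is not None:  # 64-bit packet numbering: 96-bit salt
        return _be(salt, 12, "MACsec salt")
    if mode == MACSEC and sci is not None:   # 32-bit PN, 8-byte SecTAG: SCI
        return _field(sci, 64, "SCI")        # bits [63:0]
    raise ValueError("Table 1 describes no iv_salt value for these inputs")


def icv_port_bulk(icv):
    """crypto_icv[127:0] in BulkCrypto mode: byte 0 -> bits [127:120]."""
    return _be(icv, 16, "ICV")


def icv_port_reused(ssci=0, pn_upper=0, replay_window=0):
    """crypto_icv[127:0] as reused in MACsec and IPsec modes."""
    return (_field(ssci, 32, "SSCI")                             # bits [31:0]
            | _field(pn_upper, 32, "PN[63:32]") << 32            # bits [63:32]
            | _field(replay_window, 32, "replay window") << 64)  # bits [95:64]


def ext_key_port(key):
    """ext_key[255:0]: a 128-bit key sits in [127:0], a 256-bit key in [255:0]."""
    if len(key) not in (16, 32):
        raise ValueError("GCM-AES key must be 16 or 32 bytes")
    return int.from_bytes(key, "big")  # assumption: unused upper bits driven 0


def port_byte(port_value, width_bits, index):
    """Read back byte `index` of a field whose byte 0 is the top byte."""
    return (port_value >> (width_bits - 8 * (index + 1))) & 0xFF
```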