In IPsec mode, the HSC Subsystem processes data based on IETF RFC4106, RFC4303, RFC4543, and RFC8221. These RFC documents describe the use of AES in Galois/Counter Mode (in other words, GCM-AES) as an IPsec Encapsulating Security Payload (ESP) mechanism for confidentiality and data origin authentication. Some details from these RFCs are presented here to explain the functionality of the HSC Subsystem, however user familiarly with the IPsec protocol is assumed.
The HSC Subsystem supports the following IPsec-specific capabilities:
- IPv4 and IPv6 protocols
- IPsec Tunnel and Transport modes
- Encapsulating Security Payload (ESP)
- Confidentiality, integrity, replay protection and authentication (GCM-AES-ESP)
- Integrity without confidentiality (AES-GMAC)
- Both 32-bit Sequence Number and 64-bit Extended Sequence Number (ESN)
The HSC Subsystem supports only ESP and does not support Authentication Header (AH) or AH-ESP protocols for IPsec.
The HSC Subsystem does not process IP headers (other than the ESP header). For the encryption path, the user logic is required to remove any IP headers from the packet before presenting the payload to the HSC Subsystem. User logic is also required to re-insert the IP headers into the packet once it emerges from the HSC Subsystem. On the decryption path, any IP headers (other than the ESP header) must similarly be removed by the user logic before the packet enters the HSC Subsystem.
When encryption and authentication are enabled, the ESP packet contains both confidentiality-covered and integrity-protected fields. The following figure shows the format of the ESP packet in that case.
The ESP header consists of the Security Parameter Index (SPI[31:0]
) and Sequence Number (SN[31:0]
). The SPI is an arbitrary 32-bit value that is used by a receiver
to identify the Security Association (SA) to which an incoming packet is bound. The SN
is an unsigned 32-bit field that contains the lower 32 of a counter value that increases
by one for each packet sent, i.e., a per-SA packet sequence number. The SN is used at
the receiver for replay protection. When an SA is established, the packet counter at the
sender is set to 0 and is incremented for each packet. This means that the first packet
sent using a given SA has a sequence number of 1. If replay protection is enabled, the
transmitted sequence number must never be allowed to cycle. For example, when 32-bit
sequence numbering is used, SA must be established prior to the transmission of 232 packets.
The ESP payload begins with the Initialization Vector (IV[63:0]
) and
follows with a number (including 0) of remaining payload bytes. An optional Traffic Flow
Confidentiality (TFC) Padding may be included to conceal the characteristics of certain
traffic flows.
This is followed by the ESP trailer which includes Padding to ensure that the Integrity
Check Value (ICV[127:0]
) is aligned on a 4-byte boundary. The Pad
Length (PadLength[7:0]
) and Next Header
(NextHeader[7:0]
) fields are also part of the ESP trailer that
precedes the ICV. On the encryption path, the HSC Subsystem supports
a maximum of three Padding bytes. This is the minimum number of bytes required to ensure
that ICV is aligned on a 4-byte boundary. On the decryption path, the HSC Subsystem can handle up to 16 Padding bytes.
On the encryption path, user logic is responsible for providing the SPI[31:0]
on the enc_igr_prtif_macsec_sectag_ssci_p0
through enc_igr_prtif_macsec_sectag_ssci_p3
input ports. Likewise, the SN[31:0]
is provided on enc_igr_prtif_crypto_pkt_num_p0
through enc_igr_prtif_crypto_pkt_num_p3
ports. The Salt[31:0]
and ESP IV[63:0]
are provided
on the enc_igr_prtif_crypto_iv_salt_p0
through enc_igr_prtif_crypto_iv_salt_p3
input ports. All of these
inputs are provided to the HSC Subsystem along at
the beginning of the packet. The NextHeader[7:0]
is
provided on the enc_igr_prtif_macsec_sectag_shortlen_p0
through enc_igr_prtif_macsec_sectag_shortlen_p3
input
ports which are not used for MACsec SecTAG when IPsec is enabled.
dec_egr_axis_tuser_err<M>
signal corresponding to its EOP is
asserted.When HSC Subsystem encryption and authentication are enabled, ESP uses the GCM-AES-ESP algorithm. In the context of GCM-AES-ESP, the GCM-AES IV is called a nonce. It is defined as follows:
The Additional Authenticated Data (AAD) is defined as:
The Plaintext is defined as:
On the encryption path, the HSC Subsystem
encrypts the Plaintext. It also creates gaps in the data stream and inserts the ESP
header, ESP IV[63:0]
, ESP trailer, and ICV. As part of
the ESP trailer, the HSC Subsystem calculates the
required number of Padding bytes and sets the Pad Length field appropriately. Note that
the ESP IV[63:0]
value is not encrypted nor is it
included in the ICV computation.
On the decryption path, user logic provides the SPI[31:0]
, SN[31:0]
, and IV[63:0]
in-band on the AXI4-Stream interface data bus. The Salt[31:0]
is provided on the enc_igr_prtif_crypto_iv_salt_p0
through enc_igr_prtif_crypto_iv_salt_p3
input ports at the beginning of the
packet.
IV[63:0]
from the packet, decrypts the Ciphertext, extracts
the NextHeader[7:0]
field from the packet, and places
it on the dec_egr_prtif_ipsec_next_header_p0
through
dec_egr_prtif_ipsec_next_header_p3
output ports as
the last cycle of the packet emerges from the HSC Subsystem. The HSC Subsystem
indicates whether the ICV check failed on the dec_egr_prtif_crypto_icv_chk_fail_p0
through dec_egr_prtif_crypto_icv_chk_fail_p3
ports. To protect against attacks,
the HSC Subsystem decryption path implements a
replay protection (anti-replay) mechanism. When replay protection is enabled, the
HSC Subsystem maintains the lower and upper
bounds of the anti-replay window as well as the corresponding bit sequence of the
anti-replay window for each SA. Once the validation of the packet has been done by the
Cipher Suite, HSC Subsystem performs the
anti-replay check which may result in the packet being marked for discard. A Cipher Suite specifies the cryptographic algorithms together with the values of
parameters (for example, key size) to be used by those algorithms. The HSC Subsystem supports the IPsec Cipher Suites listed in the following
table. This includes use of these Cipher Suites for authentication-only (integrity
protection) as indicated by the enc_igr_prtif_crypto_auth_only_p0
through enc_igr_prtif_crypto_auth_only_p3
(dec_igr_prtif_crypto_auth_only_p0
through
dec_igr_prtif_crypto_auth_only_p3
) input ports.
Cipher Suite | prtif_crypto_suite[1:0] |
---|---|
GCM-AES-ESP-128 | 2'b00 |
GCM-AES-ESP-256 | 2'b01 |
GCM-AES-ESP-ESN-128 | 2'b10 |
GCM-AES-ESP-ESN-256 | 2'b11 |
prtif_crypto_suite
refers in the
encryption path to enc_igr_prtif_crypto_cipher_suite_p0[1:0]
through
enc_igr_prtif_crypto_cipher_suite_p3[1:0]
and in the decryption
path to dec_igr_prtif_crypto_cipher_suite_p0[1:0]
through
dec_igr_prtif_crypto_cipher_suite_p3[1:0]
.When encryption is disabled and authentication-only is enabled, the ESP packet contains only integrity-protected fields. This uses the AES Galois Message Authentication Code (GMAC). The following figure shows the format of the ESP packet in that case.
When authentication-only is selected, ESP AES-GMAC sets the nonce as follows:
The Additional Authenticated Data (AAD) is defined as:
The Plaintext is defined as:
IV[63:0]
is included in the ICV computation when encryption is
disabled and authentication-only is enabled.For high-speed IPsec applications, a 64-bit Sequence Number may be used. However, only the lower 32 bits of the SN are transmitted in the ESP header of each packet. The higher 32 bits are maintained as part of the SN counter by both transmitter and receiver and are included in the computation of the ICV.
When encryption and authentication are enabled the ESP packet contains both confidentiality-covered and integrity-protected fields. The following figure shows the format of the ESP packet when Extended Sequence Number (ESN) is enabled.
When encryption and authentication are enabled and Extended Sequence Number (ESN) is enabled, the nonce is defined as:
With ESN enabled, the Additional Authenticated Data (AAD) is defined as:
The Plaintext is defined as:
When Extended Sequence Number (ESN) is enabled, user logic provides all bits of the
SN[63:0]
on enc_igr_prtif_crypto_pkt_num_p0
through enc_igr_prtif_crypto_pkt_num_p3
ports.
IV[63:0]
value is not encrypted nor is it included in the
ICV computation. Also, note that the SN[63:31]
bits
are not transmitted with the ESP packet.On the decryption path, the HSC Subsystem
maintains the upper and lower bounds of the anti-replay window for each SA on the
decryption path. This allows it to determine SN[63:32]
for any packet that belongs to a Security Association (SA) that is stored internal to
the HSC Subsystem. When ESN is selected and the
frame belongs to an external SA, you are responsible for providing SN[63:32]
on the dec_igr_prtif_crypto_icv_p0
through dec_igr_prtif_crypto_icv_p3
inputs (which are not used for ICV purposes
for IPsec).
When the validation of the packet has been done, the HSC Subsystem performs an anti-replay check which may result in the packet being marked for discard.
When encryption is disabled and authentication-only is enabled, the ESP packet contains only integrity-protected fields. This uses the AES Galois Message Authentication Code (GMAC). The following figure shows the format of the ESP packet when Extended Sequence Number (ESN) is enabled.
When authentication-only is selected and Extended Sequence Number (ESN) is enabled, ESP AES-GMAC sets the nonce as follows:
With ESN enabled, the Additional Authenticated Data (AAD) is defined as:
The Plaintext is defined as:
IV[63:0]
is included in the ICV computation. Also, due to ESN, SN[63:32]
is included in the ICV computation, but those
bits are not transmitted on the encryption path or received on the decryption
path.