Statistics in the HSC Subsystem are based on the MACsec definitions and naming and, where appropriate, are applied to the other supported cryptography modes (i.e., IPsec, BulkCrypto, BulkECB). Two types of statistics are captured for the TX and RX paths: Secure Entity (SecY) and Secure Channel (SC). The HSC Subsystem supports 40 sets of SecY stats and 512 sets of internal SC statistics. Statistics for SCs associated with external SAs can be tracked through the external statistics interface.
SC-based statistics are associated with either two or four SAs. This is a per-direction configuration option, set through the ctl_enc_four_sa_per_sc_mode field in the OVERALL_CONTROL_REG_ENC register for TX and the ctl_dec_four_sa_per_sc_mode field in the OVERALL_CONTROL_REG_DEC register for RX. The default configuration is two SAs per SC.
When ctl_enc/dec_four_sa_per_sc_mode = 1'b0, SC_INDEX[18:0] = SA_INDEX[19:1]. Thus, SA index 0 and 1 are associated with SC index 0, SA index 2 and 3 are associated with SC index 1, and so on.
When ctl_enc/dec_four_sa_per_sc_mode = 1'b1, SC_INDEX[17:0] = SA_INDEX[19:2]. Thus, SA index 0, 1, 2, and 3 are associated with SC index 0, SA index 4, 5, 6, and 7 are associated with SC index 1, and so on.
The following table shows the statistics supported for each cryptography mode in the HSC Subsystem.
Statistic | MACsec | IPsec | BulkCrypto | BulkECB |
---|---|---|---|---|
TX SecY | ||||
STAT_TX_SECY_UNTAGGED_PACKETS | ✓ | - | - | - |
STAT_TX_SECY_TOO_LONG_PACKETS | ✓ | ✓ | ✓ | ✓ |
STAT_TX_SECY_PROTECTED_OCTETS | ✓ | ✓ | ✓ | ✓ |
STAT_TX_SECY_ENCRYPTED_OCTETS | ✓ | ✓ | ✓ | ✓ |
TX SC | ||||
STAT_TX_SC_PROTECTED_PACKETS | ✓ | ✓ | ✓ | ✓ |
STAT_TX_SC_ENCRYPTED_PACKETS | ✓ | ✓ | ✓ | ✓ |
RX SecY | ||||
STAT_RX_SECY_UNTAGGED_PACKETS | ✓ | - | - | - |
STAT_RX_SECY_NO_TAG_PACKETS | ✓ | - | - | - |
STAT_RX_SECY_BAD_TAG_PACKETS | ✓ | - | - | - |
STAT_RX_SECY_NO_SA_PACKETS | ✓ | - | - | - |
STAT_RX_SECY_NO_SA_ERROR_PACKETS | ✓ | - | - | - |
STAT_RX_SECY_VALIDATED_OCTETS | ✓ | ✓ | ✓ | ✓ |
STAT_RX_SECY_DECRYPTED_OCTETS | ✓ | ✓ | ✓ | ✓ |
RX SC | ||||
STAT_RX_SC_LATE_PACKETS | ✓ | - | - | - |
STAT_RX_SC_DELAYED_PACKETS | ✓ | - | - | - |
STAT_RX_SC_NOT_VALID_PACKETS | ✓ | - | - | - |
STAT_RX_SC_INVALID_PACKETS | ✓ | ✓ | ✓ | - |
STAT_RX_SC_UNCHECKED_PACKETS | ✓ | - | - | - |
STAT_RX_SC_OK_PACKETS | ✓ | ✓ | ✓ | - |
The definition of some statistics in MACsec is tied to the implementation of replay protection. Because the HSC Subsystem implements replay protection only for internal SAs, the following SC statistics are available only for SCs associated with internal SAs and are not valid for external SCs on the external statistics interface:
- STAT_RX_SC_LATE_PACKETS
- STAT_RX_SC_DELAYED_PACKETS
- STAT_RX_SC_NOT_VALID_PACKETS
- STAT_RX_SC_INVALID_PACKETS
- STAT_RX_SC_UNCHECKED_PACKETS
- STAT_RX_SC_OK_PACKETS
Similarly, the following IPsec statistics are not valid for external SCs on the external statistics interface:
- STAT_RX_SC_INVALID_PACKETS
- STAT_RX_SC_OK_PACKETS
Here is a summary of the statistics increment rules with respect to SA index:
1. TX/RX SECY statistics behavior is independent of SA index.
   a. Internal statistics counters increment for both internal SA index and external SA index.
   b. External statistics interface shows increment for both internal SA index and external SA index.
2. TX SC statistics behavior is different for internal SA index and external SA index.
   a. Internal statistics counters increment for internal SA index only.
   b. External statistics interface shows increment for both internal SA index and external SA index.
3. RX SC statistics behavior depends on protocol as well as SA index value.
   a. Internal statistics counters increment for internal SA index only.
   b. External statistics interface:
      i. BulkCrypto shows increment for both internal SA index and external SA index.
      ii. MACsec/IPsec shows increment for internal SA index only.
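The SA-to-SC index mapping and the increment rules summarized above can be modelled together to check where a given SA's traffic will actually be counted. This is an added example, not code from the HSC Subsystem documentation; the function, enum and macro names are assumptions, and the 1024 boundary for internal SA indexes is taken from the "SA index < 1024" entries in the tables on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define INTERNAL_SA_LIMIT 1024u /* tables scope internal SC counters to "SA index < 1024" */

/* Labels for this model only, not register encodings. */
enum crypto_mode { MODE_MACSEC, MODE_IPSEC, MODE_BULKCRYPTO, MODE_BULKECB };
enum stat_group  { TX_SECY, RX_SECY, TX_SC, RX_SC };
enum stat_source { INTERNAL_COUNTERS, EXTERNAL_INTERFACE };

/* SC_INDEX = SA_INDEX[19:1] with two SAs per SC, SA_INDEX[19:2] with four. */
uint32_t sc_index_for_sa(uint32_t sa_index, bool four_sa_per_sc)
{
    sa_index &= 0xFFFFFu;                       /* SA_INDEX is 20 bits wide */
    return sa_index >> (four_sa_per_sc ? 2 : 1);
}

/* True when a packet on this SA shows up in the given group at the given source.
 * Models only the SA-index and protocol dependence of the summary rules. */
bool stat_increments(enum stat_group g, enum stat_source src,
                     enum crypto_mode mode, uint32_t sa_index)
{
    bool internal_sa = sa_index < INTERNAL_SA_LIMIT;

    switch (g) {
    case TX_SECY:
    case RX_SECY:
        return true;                                     /* independent of SA index */
    case TX_SC:
        return src == EXTERNAL_INTERFACE || internal_sa; /* internal counters: internal SAs only */
    case RX_SC:
        if (mode == MODE_BULKECB)
            return false;                                /* no RX SC statistics in BulkECB */
        if (src == INTERNAL_COUNTERS)
            return internal_sa;
        return mode == MODE_BULKCRYPTO || internal_sa;   /* MACsec/IPsec: internal SAs only */
    }
    return false;
}

int main(void)
{
    uint32_t sa = 2050;  /* constructed external SA index */
    printf("SA %u -> SC %u, RX SC on internal counters: %d\n", (unsigned)sa,
           (unsigned)sc_index_for_sa(sa, false),
           stat_increments(RX_SC, INTERNAL_COUNTERS, MODE_MACSEC, sa));
    return 0;
}
```

A monitoring agent that polls only the internal counters will see no RX SC activity for a MACsec SA at index 1024 or above, so an absence of INVALID or LATE counts there says nothing about the link.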
Statistics have slightly different definitions in each of the cryptography modes. The following tables provide definitions of the relevant counts for each mode. Counts are always incremented during the end of packet cycle and are shown in decrementing order of precedence for each path. For a given packet, if a statistic is incremented, other statistics below it in the table are not incremented. The exception to this rule is octet counts, which increment with the packet counts.
The following table provides definitions of each counter for MACsec based on Figure 10-3 and Figure 10-4 in the IEEE 802.1AE-2018 MACsec specification. Note the ingress control signal associated with a received packet determines if that packet updates certain statistics. In the following table, “rv” represents the received frame for validation.
MACsec Statistic | Internal Statistics Counters | External Statistics Interface | Definition |
---|---|---|---|
TX | |||
STAT_TX_SECY_UNTAGGED_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when enc_igr_prtif_crypto_mode_p* == MACsec, AND enc_igr_prtif_crypto_byp_p* == 1 |
STAT_TX_SECY_TOO_LONG_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND transmitted frame length is greater than the maximum frame length for the associated channel (SecY) configured through the c<SecY>_cfg_tx_max_frm_len field in the C<SecY>_CTL_TX_GENERAL_REG register. The transmitted frame length includes all bytes received from the ingress AXI4-Stream interface, the SecTAG size (8 or 16 bytes SecTAG), and the ICV size (16 bytes). |
STAT_TX_SECY_ENCRYPTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after SecTAG to last byte before ICV when enc_igr_prtif_crypto_auth_only_p* == 0, AND enc_igr_prtif_crypto_byp_p* == 0. If there is a non-zero confidentiality offset (enc_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_enc_bcnt_excl_off_bytes = 1 in OVERALL_CONTROL_REG_ENC register to exclude these bytes. |
STAT_TX_SECY_PROTECTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after SecTAG to last byte before ICV when enc_igr_prtif_crypto_auth_only_p* == 1, AND enc_igr_prtif_crypto_byp_p* == 0 |
STAT_TX_SC_ENCRYPTED_PACKETS | SA index < 1024. See 2.a above | Every SA index. See 2.b above | The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 0 |
STAT_TX_SC_PROTECTED_PACKETS | SA index < 1024. See 2.a above | Every SA index. See 2.b above | The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 1 |
RX | |||
STAT_RX_SECY_UNTAGGED_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when dec_igr_prtif_crypto_byp_p* == 1, AND dec_igr_prtif_crypto_mode_p* == 2'h0 (MACsec), AND dec_igr_prtif_macsec_validation_mode_p* != 2'h2 (Strict) |
STAT_RX_SECY_NO_TAG_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when dec_igr_prtif_crypto_byp_p* == 1, AND dec_igr_prtif_crypto_mode_p* == 2'h0 (MACsec), AND dec_igr_prtif_macsec_validation_mode_p* == 2'h2 (Strict) |
STAT_RX_SECY_BAD_TAG_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_mode_p* == 2'h0 (MACsec), AND SecTAG Validation fails. Note: SecTAG Validation is performed based on Section 9.12 of the IEEE 802.1AE-2018 standard. |
STAT_RX_SECY_NO_SA_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_mode_p* == 2'b0 (MACsec), AND (dec_igr_prtif_macsec_sa_in_use_p* == 1'b0), AND !(dec_igr_prtif_macsec_validation_mode_p* == 2'h2 (Strict) OR rv.SecTAG.cbit == 1'b1). |
STAT_RX_SECY_NO_SA_ERROR_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_mode_p* == 2'h0 (MACsec), AND (dec_igr_prtif_macsec_sa_in_use_p* == 1'b0), AND (dec_igr_prtif_macsec_validation_mode_p* == 2'h2 (Strict) OR rv.SecTAG.cbit == 1'b1). |
STAT_RX_SECY_VALIDATED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after SecTAG to last byte before ICV when dec_igr_prtif_crypto_auth_only_p* == 1, AND dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* != 2'h0 (Disabled). |
STAT_RX_SECY_DECRYPTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after SecTAG to last byte before ICV when dec_igr_prtif_crypto_auth_only_p* == 0, AND dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* != 2'h0 (Disabled). If there is a non-zero confidentiality offset (dec_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_dec_bcnt_excl_off_bytes = 1 in the OVERALL_CONTROL_REG_DEC register to exclude these bytes. |
STAT_RX_SC_LATE_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_replay_prot_en_p* == 1, AND PN of the received frame is less than the lowest acceptable packet number for the SA. |
STAT_RX_SC_NOT_VALID_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND (dec_igr_prtif_macsec_validation_mode_p* == 2'h0 (Disabled), OR integrity check fails), AND (dec_igr_prtif_macsec_validation_mode_p* == 2'h2 (Strict) OR rv.SecTAG.cbit == 1'b1). |
STAT_RX_SC_INVALID_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* == 2'h01 (Check), AND integrity check fails. |
STAT_RX_SC_DELAYED_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_replay_prot_en_p* == 0, AND replay check fails (PN < lowestPN). |
STAT_RX_SC_UNCHECKED_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* == 2'h0 (Disabled). |
STAT_RX_SC_OK_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND Packet received without any of the above errors. |
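The precedence rule for the MACsec RX packet counters can be expressed as a first-match classifier over the table rows, which is useful when reasoning about which counter a given failure will land in. This is an added example, not code from the HSC Subsystem documentation; the struct, enum and function names are assumptions, and the model ignores the octet counters and the SA-index restrictions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Validation-mode encodings quoted in the table: 2'h0 Disabled, Check, 2'h2 Strict. */
enum val_mode { VAL_DISABLED = 0, VAL_CHECK = 1, VAL_STRICT = 2 };

enum rx_stat { RX_SECY_UNTAGGED, RX_SECY_NO_TAG, RX_SECY_BAD_TAG, RX_SECY_NO_SA,
               RX_SECY_NO_SA_ERROR, RX_SC_LATE, RX_SC_NOT_VALID, RX_SC_INVALID,
               RX_SC_DELAYED, RX_SC_UNCHECKED, RX_SC_OK };

/* Hypothetical software model of one received frame in MACsec mode. */
struct rx_pkt {
    bool byp;              /* dec_igr_prtif_crypto_byp_p* */
    enum val_mode vmode;   /* dec_igr_prtif_macsec_validation_mode_p* */
    bool sa_in_use;        /* dec_igr_prtif_macsec_sa_in_use_p* */
    bool replay_prot_en;   /* dec_igr_prtif_crypto_replay_prot_en_p* */
    bool cbit;             /* rv.SecTAG.cbit */
    bool sectag_ok;        /* assumed name: SecTAG validation passed */
    bool icv_ok;           /* assumed name: integrity check passed */
    bool pn_below_lowest;  /* assumed name: PN < lowest acceptable PN */
};

/* Walk the table top to bottom; the first matching row is the only packet counter hit. */
enum rx_stat classify_rx_macsec(const struct rx_pkt *p)
{
    bool strict_or_c = (p->vmode == VAL_STRICT) || p->cbit;

    if (p->byp) return p->vmode == VAL_STRICT ? RX_SECY_NO_TAG : RX_SECY_UNTAGGED;
    if (!p->sectag_ok) return RX_SECY_BAD_TAG;
    if (!p->sa_in_use) return strict_or_c ? RX_SECY_NO_SA_ERROR : RX_SECY_NO_SA;
    if (p->replay_prot_en && p->pn_below_lowest) return RX_SC_LATE;
    if ((p->vmode == VAL_DISABLED || !p->icv_ok) && strict_or_c) return RX_SC_NOT_VALID;
    if (p->vmode == VAL_CHECK && !p->icv_ok) return RX_SC_INVALID;
    if (!p->replay_prot_en && p->pn_below_lowest) return RX_SC_DELAYED;
    if (p->vmode == VAL_DISABLED) return RX_SC_UNCHECKED;
    return RX_SC_OK;
}

int main(void)
{
    /* Constructed sample: Check mode, valid SecTAG, SA in use, ICV failure, C bit clear. */
    struct rx_pkt p = { .vmode = VAL_CHECK, .sa_in_use = true, .sectag_ok = true };
    printf("counter id: %d\n", classify_rx_macsec(&p));
    return 0;
}
```

In Check mode the same integrity failure is counted as INVALID when the C bit is clear and as NOT_VALID when it is set, so alerting on integrity failures has to watch both counters.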
The following table provides definitions of each counter for IPsec.
IPsec Statistic | Internal Statistics Counters | External Statistics Interface | Definition |
---|---|---|---|
TX | |||
STAT_TX_SECY_TOO_LONG_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND transmitted frame length is greater than the maximum frame length for the associated channel (SecY) which is configured through the c<SecY>_cfg_tx_max_frm_len field in the C<SecY>_CTL_TX_GENERAL_REG register. The transmitted frame length includes all bytes received from the ingress AXI4-Stream interface, ESP header, Initialization Vector, ESP trailer, and ICV. |
STAT_TX_SECY_ENCRYPTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after Payload Initialization Vector (IV) to last byte before ICV when enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 0. |
STAT_TX_SECY_PROTECTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after Payload Initialization Vector (IV) to last byte before ICV when enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 1. |
STAT_TX_SC_ENCRYPTED_PACKETS | SA index < 1024. See 2.a above | Every SA index. See 2.b above | The number of packets with enc_igr_prtif_crypto_byp_p* == 0 AND enc_igr_prtif_crypto_auth_only_p* == 0. |
STAT_TX_SC_PROTECTED_PACKETS | SA index < 1024. See 2.a above | Every SA index. See 2.b above | The number of packets with enc_igr_prtif_crypto_byp_p* == 0 AND enc_igr_prtif_crypto_auth_only_p* == 1. |
RX | |||
STAT_RX_SECY_VALIDATED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after Payload Initialization Vector (IV) to the last byte before ICV when dec_igr_prtif_crypto_byp_p* == 0 AND dec_igr_prtif_crypto_auth_only_p* == 1. |
STAT_RX_SECY_DECRYPTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes first byte after Payload Initialization Vector (IV) to the last byte before ICV when dec_igr_prtif_crypto_byp_p* == 0 AND dec_igr_prtif_crypto_auth_only_p* == 0. |
STAT_RX_SC_INVALID_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND (integrity check fails OR (dec_igr_prtif_crypto_replay_prot_en_p* == 1 AND IPsec replay check fails)). |
STAT_RX_SC_OK_PACKETS | SA index < 1024. See 3.a above | SA index < 1024. See 3.b.ii above | The number of packets with dec_igr_prtif_crypto_byp_p* == 0 AND Packet received without any of the above errors. |
The following table provides definitions of each counter for BulkCrypto and BulkECB.
BulkCrypto/BulkECB Statistic | Internal Statistics Counters | External Statistics Interface | Definition |
---|---|---|---|
TX | |||
STAT_TX_SECY_TOO_LONG_PACKETS | Every SA index. See 1.a above | Every SA index. See 1.b above | The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND transmitted frame length is greater than the maximum frame length for the associated channel (SecY) which is configured through the c<SecY>_cfg_tx_max_frm_len field in the C<SecY>_CTL_TX_GENERAL_REG register. The transmitted frame length includes all bytes received from the ingress AXI4-Stream interface. |
STAT_TX_SECY_ENCRYPTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes all bytes from the ingress AXI4-Stream interface when enc_igr_prtif_crypto_auth_only_p* == 0, AND enc_igr_prtif_crypto_byp_p* == 0. If there is a non-zero confidentiality offset (enc_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_enc_bcnt_excl_off_bytes = 1 in OVERALL_CONTROL_REG_ENC register to exclude these bytes. |
STAT_TX_SECY_PROTECTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes all bytes from the ingress AXI4-Stream interface when enc_igr_prtif_crypto_auth_only_p* == 1, AND enc_igr_prtif_crypto_byp_p* == 0. |
STAT_TX_SC_ENCRYPTED_PACKETS | SA index < 1024. See 2.a above | Every SA index. See 2.b above | The number of packets with enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 0. |
STAT_TX_SC_PROTECTED_PACKETS | SA index < 1024. See 2.a above | Every SA index. See 2.b above | The number of packets with enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 1. |
RX | |||
STAT_RX_SECY_VALIDATED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes all bytes from the ingress AXI4-Stream interface when dec_igr_prtif_crypto_auth_only_p* == 1, AND dec_igr_prtif_crypto_byp_p* == 0. |
STAT_RX_SECY_DECRYPTED_OCTETS | Every SA index. See 1.a above | Every SA index. See 1.b above | Byte count includes all bytes from the ingress AXI4-Stream interface when dec_igr_prtif_crypto_auth_only_p* == 0, AND dec_igr_prtif_crypto_byp_p* == 0. If there is a non-zero confidentiality offset (dec_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_dec_bcnt_excl_off_bytes = 1 in the OVERALL_CONTROL_REG_DEC register to exclude these bytes. |
STAT_RX_SC_INVALID_PACKETS | SA index < 1024. See 3.a above | Every SA index. See 3.b.i above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND integrity check fails. This stat is only valid for BulkCrypto. |
STAT_RX_SC_OK_PACKETS | SA index < 1024. See 3.a above | Every SA index. See 3.b.i above | The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND Packet received without any of the above errors. This stat is only valid for BulkCrypto. |