Statistic Counters Definitions

Statistics in the HSC Subsystem are based on the MACsec definitions and naming and, where appropriate, are applied to the other supported cryptography modes (i.e., IPsec, BulkCrypto, BulkECB). Two types of statistics are captured for TX and RX paths; Secure Entity (SecY) and Secure Channel (SC). The HSC Subsystem supports 40 sets of SecY stats and 512 sets of internal SC statistics. Statistics for SCs associated with external SAs can be tracked through the external statistics interface.

SC-based statistics are associated with either two or four SAs. This is a per-direction configuration option which can be set by configuring the ctl_enc_four_sa_per_sc_mode field in the OVERALL_CONTROL_REG_ENC register for TX and ctl_dec_four_sa_per_sc_mode field in the OVERALL_CONTROL_REG_DEC register for RX. The default configuration is to two SAs per SC.

When ctl_enc/dec_four_sa_per_sc_mode = 1'b0, you have SC_INDEX[18:0] = SA_INDEX[19:1]. Thus, SA index 0 and 1 are associated with the SC index 0, SA index 2 and 3 are associated with the SC index 1 and so on.

When ctl_enc/dec_four_sa_per_sc_mode = 1'b1, we have SC_INDEX[17:0] = SA_INDEX[19:2]. Thus, SA index 0, 1, 2, and 3 are associated with the SC index 0, SA index 4, 5, 6, and 7 are associated with SC index 1 and so on.

The following table shows the statistics supported for each cryptography mode in the HSC Subsystem.

Table 1. Supported Statistics Counter per Crypto Mode
Statistic	MACsec	IPsec	BulkCrypto	BulkECB
TX SecY
STAT_TX_SECY_UNTAGGED_PACKETS	✓	-	-	-
STAT_TX_SECY_TOO_LONG_PACKETS	✓	✓	✓	✓
STAT_TX_SECY_PROTECTED_OCTETS	✓	✓	✓	✓
STAT_TX_SECY_ENCRYPTED_OCTETS	✓	✓	✓	✓
TX SC
STAT_TX_SC_PROTECTED_PACKETS	✓	✓	✓	✓
STAT_TX_SC_ENCRYPTED_PACKETS	✓	✓	✓	✓
RX SecY
STAT_RX_SECY_UNTAGGED_PACKETS	✓	-	-	-
STAT_RX_SECY_NO_TAG_PACKETS	✓	-	-	-
STAT_RX_SECY_BAD_TAG_PACKETS	✓	-	-	-
STAT_RX_SECY_NO_SA_PACKETS	✓	-	-	-
STAT_RX_SECY_NO_SA_ERROR_PACKETS	✓	-	-	-
STAT_RX_SECY_VALIDATED_OCTETS	✓	✓	✓	✓
STAT_RX_SECY_DECRYPTED_OCTETS	✓	✓	✓	✓
RX SC
STAT_RX_SC_LATE_PACKETS	✓	-	-	-
STAT_RX_SC_DELAYED_PACKETS	✓	-	-	-
STAT_RX_SC_NOT_VALID_PACKETS	✓	-	-	-
STAT_RX_SC_INVALID_PACKETS	✓	✓	✓	-
STAT_RX_SC_UNCHECKED_PACKETS	✓	-	-	-
STAT_RX_SC_OK_PACKETS	✓	✓	✓	-

The definition of some statistics in MACsec is tied to the implementation of replay protection. Because the HSC Subsystem implements the replay protection only for internal SAs, the following SC statistics are only available for SCs associated with internal SAs. Hence, the following statistics are not valid for external SC's on the external statistics interface:

STAT_RX_SC_LATE_PACKETS
STAT_RX_SC_DELAYED_PACKETS
STAT_RX_SC_NOT_VALID_PACKETS
STAT_RX_SC_INVALID_PACKETS
STAT_RX_SC_UNCHECKED_PACKETS
STAT_RX_SC_OK_PACKETS

Similarly, the following IPsec statistics are not valid for external SCs on the external statistics interface:

STAT_RX_SC_INVALID_PACKETS
STAT_RX_SC_OK_PACKETS

Here is a summary of the statistics increment rules with respect to SA index:

TX/RX SECY statistics behavior is independent of SA index.
1. Internal statistics counters increment for both internal SA index and external SA index
2. External statistics interface shows increment for both internal SA index and external SA index
TX SC statistics behavior is different for internal SA index and external SA index.
1. Internal statistics counters increment for internal SA index only.
2. External statistics interface shows increment for both internal SA index and external SA index.
RX SC statistics behavior depends on protocol as well as SA index value.
1. Internal statistics counters increment for internal SA index only.
2. External statistics interface
  1. BulkCrypto shows increment for both internal SA index and external SA index.
  2. MACsec/IPsec shows increment for internal SA index only.

Statistics have slightly different definitions in each of the cryptography modes. The following tables provide definitions of the relevant counts for each mode. Counts are always incremented during the end of packet cycle and are shown in decrementing order of precedence for each path. For a given packet, if a statistic is incremented, other statistics below it in the table are not incremented. The exception to this rule is octet counts, which increment with the packet counts.

The following table provides definitions of each counter for MACsec based on Figure 10-3 and Figure 10-4 in the IEEE 802.1AE-2018 MACsec specification. Note the ingress control signal associated with a received packet determines if that packet updates certain statistics. In the following table, “rv” represents the received frame for validation.

Table 2. MACsec Statistics Counter Descriptions
MACsec Statistic	Internal Statistics Counters	External Statistics Interface	Definition
TX
STAT_TX_SECY_UNTAGGED_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when enc_igr_prtif_crypto_mode_p* == MACsec, AND enc_igr_prtif_crypto_byp_p* == 1
STAT_TX_SECY_TOO_LONG_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND transmitted frame length is greater than the maximum frame length for the associated channel (SecY) configured through the c<SecY>_cfg_tx_max_frm_len field in the C<SecY>_CTL_TX_GENERAL_REG register. The transmitted frame length includes all bytes received from the ingress AXI4-Stream interface, the SecTAG size (8 or 16 bytes SecTAG), and the ICV size (16 bytes).
STAT_TX_SECY_ENCRYPTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after SecTAG to last byte before ICV when enc_igr_prtif_crypto_auth_only_p* == 0, AND enc_igr_prtif_crypto_byp_p* == 0. If there is a non-zero confidentiality offset (enc_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_enc_bcnt_excl_off_bytes = 1 in OVERALL_CONTROL_REG_ENC register to exclude these bytes.
STAT_TX_SECY_PROTECTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after SecTAG to last byte before ICV when enc_igr_prtif_crypto_auth_only_p* == 1, AND enc_igr_prtif_crypto_byp_p* == 0
STAT_TX_SC_ENCRYPTED_PACKETS	SA index < 1024 See 2.a above	Every SA index See 2.b above	The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 0
STAT_TX_SC_PROTECTED_PACKETS	SA index < 1024 See 2.a above	Every SA index See 2.b above	The number of packets when enc_igr_prtif_crypto_byp_p* == 0, AND enc_igr_prtif_crypto_auth_only_p* == 1
RX
STAT_RX_SECY_UNTAGGED_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when dec_igr_prtif_crypto_byp_p* == 1, AND dec_igr_prtif_crypto_mode_p* == 2’h0 (MACsec), AND dec_igr_prtif_macsec_validation_mode_p* != 2’h2 (Strict)
STAT_RX_SECY_NO_TAG_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when dec_igr_prtif_crypto_byp_p* == 1, AND dec_igr_prtif_crypto_mode_p* == 2’h0 (MACsec), AND dec_igr_prtif_macsec_validation_mode_p* == 2’h2 (Strict)
STAT_RX_SECY_BAD_TAG_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_mode_p* == 2’h0 (MACsec), AND SecTAG Validation fails. Note: SecTAG Validation is performed based on Section 9.12 of the IEEE 802.1AE-2018 standard.
STAT_RX_SECY_NO_SA_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_mode_p* == 2’b0 (MACsec), AND (dec_igr_prtif_macsec_sa_in_use_p* == 1’b0), AND ! (dec_igr_prtif_macsec_validation_mode_p* == 2’h2 (Strict) OR rv.SecTAG.cbit = = 1’b1).
STAT_RX_SECY_NO_SA_ERROR_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_mode_p* == 2’h0 (MACsec), AND (dec_igr_prtif_macsec_sa_in_use_p* == 1’b0), AND (dec_igr_prtif_macsec_validation_mode_p* == 2’h2 (Strict) OR rv.SecTAG.cbit == 1’b1).
STAT_RX_SECY_VALIDATED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after SecTAG to last byte before ICV when dec_igr_prtif_crypto_auth_only_p* == 1, AND dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* != 2’h0 (Disabled).
STAT_RX_SECY_DECRYPTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after SecTAG to last byte before ICV when dec_igr_prtif_crypto_auth_only_p* == 0, AND dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* != 2’h0 (Disabled) If there is a non-zero confidentiality offset (dec_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_dec_bcnt_excl_off_bytes = 1 in the OVERALL_CONTROL_REG_DEC register to exclude these bytes.
STAT_RX_SC_LATE_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_replay_prot_en_p* == 1, AND PN of the received frame is less than the lowest acceptable packet number for the SA.
STAT_RX_SC_NOT_VALID_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets when dec_igr_prtif_crypto_byp_p== 0, AND (dec_igr_prtif_macsec_validation_mode_p == 2’h0 (Disabled), OR integrity check fails), AND (dec_igr_prtif_macsec_validation_mode_p* == 2’h2 (Strict) OR rv.SecTAG.cbit == 1’b1).
STAT_RX_SC_INVALID_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* == 2’h01 (Check), AND integrity check fails.
STAT_RX_SC_DELAYED_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_crypto_replay_prot_en_p* == 0, AND replay check fails (PN < lowestPN).
STAT_RX_SC_UNCHECKED_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND dec_igr_prtif_macsec_validation_mode_p* == 2’h0 (Disabled).
STAT_RX_SC_OK_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets when dec_igr_prtif_crypto_byp_p* == 0, AND Packet received without any of the above errors.

The following table provides definitions of each counter for IPsec.

Table 3. IPsec Statistics Counter Descriptions
IPsec Statistic	Internal Statistics Counters	External Statistics Interface	Definition
TX
STAT_TX_SECY_TOO_LONG_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when enc_igr_prtif_crypto_byp_p* = = 0, AND transmitted frame length is greater than the maximum frame length for the associated channel (SecY) which is configured through the c<SecY>_cfg_tx_max_frm_len fieldin the C<SecY>_CTL_TX_GENERAL_REG register. The transmitted frame length includes all bytes received from the ingress AXI4-Stream interface, ESP header, Initialization Vector, ESP trailer, and ICV.
STAT_TX_SECY_ENCRYPTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after Payload Initialization Vector (IV) to last byte before ICV when enc_igr_prtif_crypto_byp_p* = = 0, AND enc_igr_prtif_crypto_auth_only_p* = = 0.
STAT_TX_SECY_PROTECTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after Payload Initialization Vector (IV) to last byte before ICV when enc_igr_prtif_crypto_byp_p* = = 0, AND enc_igr_prtif_crypto_auth_only_p* = = 1 .
STAT_TX_SC_ENCRYPTED_PACKETS	SA index < 1024 See 2.a above	Every SA index See 2.b above	The number of packets with enc_igr_prtif_crypto_byp_p* = = 0 AND enc_igr_prtif_crypto_auth_only_p* = = 0.
STAT_TX_SC_PROTECTED_PACKETS	SA index < 1024 See 2.a above	Every SA index See 2.b above	The number of packets with enc_igr_prtif_crypto_byp_p* = = 0 AND enc_igr_prtif_crypto_auth_only_p* = = 1.
RX
STAT_RX_SECY_VALIDATED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after Payload Initialization Vector (IV) to the last byte before ICV when dec_igr_prtif_crypto_byp_p* = = 0 AND dec_igr_prtif_crypto_auth_only_p* = = 1.
STAT_RX_SECY_DECRYPTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes first byte after first byte after Payload Initialization Vector (IV) to the last byte before ICV when dec_igr_prtif_crypto_byp_p* = = 0 AND dec_igr_prtif_crypto_auth_only_p* = = 0.
STAT_RX_SC_INVALID_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	dec_igr_prtif_crypto_byp_p* == 0, AND (integrity check fails OR (dec_igr_prtif_crypto_replay_prot_en_p* = = 1 AND IPsec replay check fails) ).
STAT_RX_SC_OK_PACKETS	SA index < 1024 See 3.a above	SA index < 1024 See 3.b.ii above	The number of packets with dec_igr_prtif_crypto_byp_p* == 0 AND Packet received without any of the above errors.

The following table provides definitions of each counter for BulkCrypto and BulkECB.

Table 4. BulkCrypto/BulkECB Statistics Counter Descriptions
BulkCrypto/BulkECB Statistic	Internal Statistics Counters	External Statistics Interface	Definition
TX
STAT_TX_SECY_TOO_LONG_PACKETS	Every SA index See 1.a above	Every SA index See 1.b above	The number of packets when enc_igr_prtif_crypto_byp_p* = = 0, AND transmitted frame length is greater than the maximum frame length for the associated channel (SecY) which is configured through the c<SecY>_cfg_tx_max_frm_len field in the C<SecY>_CTL_TX_GENERAL_REG register. The transmitted frame length includes all bytes received from the ingress AXI4-Stream interface.
STAT_TX_SECY_ENCRYPTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes all bytes from the ingress AXI4-Stream interface when enc_igr_prtif_crypto_auth_only_p* = = 0, AND enc_igr_prtif_crypto_byp_p* = = 0. If there is a non-zero confidentiality offset (enc_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_enc_bcnt_excl_off_bytes = 1 in OVERALL_CONTROL_REG_ENC register to exclude these bytes.
STAT_TX_SECY_PROTECTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes all bytes from the ingress AXI4-Stream interface when enc_igr_prtif_crypto_auth_only_p* = = 1, AND enc_igr_prtif_crypto_byp_p* = = 0.
STAT_TX_SC_ENCRYPTED_PACKETS	SA index < 1024 See 2.a above	Every SA index See 2.b above	The number of packets with enc_igr_prtif_crypto_byp_p* = = 0, AND enc_igr_prtif_crypto_auth_only_p* = = 0.
STAT_TX_SC_PROTECTED_PACKETS	SA index < 1024 See 2.a above	Every SA index See 2.b above	The number of packets with enc_igr_prtif_crypto_byp_p* = = 0, AND enc_igr_prtif_crypto_auth_only_p* = = 1.
RX
STAT_RX_SECY_VALIDATED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes all bytes from the ingress AXI4-Stream interface when dec_igr_prtif_crypto_auth_only_p* = = 1, AND dec_igr_prtif_crypto_byp_p* = = 0.
STAT_RX_SECY_DECRYPTED_OCTETS	Every SA index See 1.a above	Every SA index See 1.b above	Byte count includes all bytes from the ingress AXI4-Stream interface when dec_igr_prtif_crypto_auth_only_p* = = 0, AND dec_igr_prtif_crypto_byp_p* = = 0. If there is a non-zero confidentiality offset (dec_igr_prtif_crypto_conf_offset_p* != 0), these bytes are also included in the count by default. You can set ctl_decc_bcnt_excl_off_bytes = 1 in the OVERALL_CONTROL_REG_DEC register to exclude these bytes.
STAT_RX_SC_INVALID_PACKETS	SA index < 1024 See 3.a above	Every SA index See 3.b.i above	The number of packets when dec_igr_prtif_crypto_byp_p* = = 0, AND integrity check fail. This stat is only valid for BulkCrypto.
STAT_RX_SC_OK_PACKETS	SA index < 1024 See 3.a above	Every SA index See 3.b.i above	The number of packets when dec_igr_prtif_crypto_byp_p* = = 0, AND Packet received without any of the above errors. This stat is only valid for BulkCrypto.

Statistic Counters Definitions - 1.0 English

Versal Adaptive SoC Integrated 400G High Speed Channelized Cryptography Engine Subsystem Product Guide (PG372)