Hardware Design And Implementation Of Media Access Control Security Protocol

People's requirements for network security are getting higher and higher.Security protocols such as TLS and IPsec have been proposed to ensure the security of communication at the network layer,but there has been a lack of protection protocols for the lower layer—the data link layer.The emergence of the MACsec(Media Access Control Security)protocol has filled it up.This vacancy.The MACsec protocol provides secure MAC layer data transmission and reception services,and functions include Ethernet frame user data encryption,Ethernet frame integrity check,data source authenticity verification,and anti-replay protection.However,enabling the MACsec service in network communication will reduce the data transmission rate in the network.In order to reduce the rate loss caused during the MACsec processing as much as possible,high-performance MACsec protocol hardware implementation is particularly important.Based on the analysis of the IEEE802.1AE protocol,a high-performance MACsec hardware design is implemented,and two methods are adopted to improve the performance of the GCM-AES algorithm and multi-channel parallel operation to accelerate the MACsec processing process.In terms of optimizing the performance of the GCM-AES algorithm,the pipeline structure of the AES encryption process is redivided,and the complex S-box process is divided into 5 stages with a relatively balanced delay.Therefore,the entire AES process forms a 10-stage inter-cycle pipeline.The 6-level sub-pipeline,a total of 60-level pipeline structure,improves the throughput rate of the AES module;at the same time,based on the characteristics of the GHASH algorithm,a new 2-degree parallel calculation method is adopted to perform GHASH operations on two groups of data that need to be authenticated.It effectively reduces the number of step-by-step iterations,reduces the delay of the GHASH module,and improves the throughput rate of the GHASH module.In the design of multiple MACsec processing channels,the receiving channel ISEC and the sending channel ESEC have designed 4 parallel MACsec processing channels,and the Ethernet frames sent from the DMA to the MACsec processing module are sequentially sent to 0,1,2,3 channels are processed,and then sent to the buffer in BUFFER in turn.Through the optimization of the above two aspects,the high-performance MACsec hardware design has been completed.A simulation verification environment is built for the design of high-performance MACsec hardware.The randomness of the System Verilog language is used to generate a large number of excitations input to the module under test and the parameters that need to be configured.Sufficient simulation results verify that the design can correctly provide MACsec services.When the simulation clock frequency is 100 MHz,the throughput rate reaches about 20 Gbps.Finally,the FPGA hardware implementation is completed on the basis of simulation.The comprehensive results show that the clock frequency can reach 100 MHz.The experimental results show that the MACsec hardware design functions are correct and the system is stable,which basically meets the needs of high-performance MACsec processing.