MACsec Full Offload

The MACsec full offload feature, also known as MACsec inline full offload, lets the user offload MACsec encryption and decryption, MACsec header encapsulation and decapsulation, and anti-replay checking to the adapter hardware, so that the host CPU no longer performs any per-packet MACsec work.

Warning

The hardware implementation supports the GCM-AES and GCM-AES-XPN cipher suites and is available on ConnectX-7 and later adapters.

To enable the feature, support is required in both the kernel and the adapter firmware.

For kernel support, make sure the following kernel configuration options are set:

  • CONFIG_MACSEC=y

  • CONFIG_MLX5_EN_MACSEC=y

For firmware support, use the following version or later:

  • xx.34.0364 and up

IProute2 Configuration

Configuring Physical Interface

Client side:

  • ip address flush <physical_device>

  • ip address add <client_physical_device_ip> dev <physical_device>

  • ip link set dev <physical_device> up

Server side:

  • ip address flush <physical_device>

  • ip address add <server_physical_device_ip> dev <physical_device>

  • ip link set dev <physical_device> up

Add MACsec Device

Each side creates its MACsec device with its own Secure Channel Identifier (SCI); the peer's SCI is referenced later when the receive channel is added. "encrypt on" enables confidentiality (payload encryption) in addition to integrity protection.

Client side:

  • ip link add link <physical_device> <macsec_device> type macsec sci <client_sci> encrypt on

Server side:

  • ip link add link <physical_device> <macsec_device> type macsec sci <server_sci> encrypt on

Offload MACsec Device

Client side:

  • ip macsec offload <macsec_device> mac

Server side:

  • ip macsec offload <macsec_device> mac

Add MACsec Rules

The key is given as a hexadecimal string (32 hex digits for a 128-bit GCM-AES key); the key ID is the identifier the peer uses to match it. Each side's TX key must be installed as the RX key on the other side.

Client side:

  • ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key>

  • ip macsec add <macsec_device> rx sci <server_sci> on

  • ip macsec add <macsec_device> rx sci <server_sci> sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key>

Server side:

  • ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key>

  • ip macsec add <macsec_device> rx sci <client_sci> on

  • ip macsec add <macsec_device> rx sci <client_sci> sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key>

Configure MACsec Device IPs

Client side:

  • ip address flush <macsec_device>

  • ip address add <client_macsec_device_ip> dev <macsec_device>

  • ip link set dev <macsec_device> up

Server side:

  • ip address flush <macsec_device>

  • ip address add <server_macsec_device_ip> dev <macsec_device>

  • ip link set dev <macsec_device> up

Configuration Example

Client side:

  • ip address flush enp8s0f0

  • ip address add 1.1.1.1/24 dev enp8s0f0

  • ip link set dev enp8s0f0 up

  • ip link add link enp8s0f0 macsec0 type macsec sci 1 encrypt on

  • ip macsec offload macsec0 mac

  • ip macsec add macsec0 tx sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16

  • ip macsec add macsec0 rx sci 2 on

  • ip macsec add macsec0 rx sci 2 sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5

  • ip address flush macsec0

  • ip address add 2.2.2.1/24 dev macsec0

  • ip link set dev macsec0 up

Server side:

  • ip link del macsec0

  • ip address flush enp8s0f0

  • ip address add 1.1.1.2/24 dev enp8s0f0

  • ip link set dev enp8s0f0 up

  • ip link add link enp8s0f0 macsec0 type macsec sci 2 encrypt on

  • ip macsec offload macsec0 mac

  • ip macsec add macsec0 tx sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5

  • ip macsec add macsec0 rx sci 1 on

  • ip macsec add macsec0 rx sci 1 sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16

  • ip address flush macsec0

  • ip address add 2.2.2.2/24 dev macsec0

  • ip link set dev macsec0 up

Warning
  • Use the "ip macsec show" command to check the configuration; the keys in the example above are for illustration only and must be replaced with freshly generated random keys in a real deployment.

  • To make sure traffic is actually offloaded, check the MACsec counters on the physical device: "ethtool -S <physical_device> | grep macsec". If these counters do not increase while traffic flows over the MACsec device, the offload did not take effect.
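The following script is an added example and is not part of the NVIDIA documentation or the driver. It wraps the procedure above into a single POSIX shell script that checks the kernel configuration, validates the key material, brings up one side of the link, and verifies that the device ended up in hardware offload mode. Beyond the page's example it sets an explicit cipher suite and enables replay protection with "replay-protect on window N" when the device is created, since the anti-replay engine advertised for the offload only does something if a window is configured. Interface names, addresses and SCIs are the same placeholders the page uses; the keys are supplied by the caller (generate one per direction with "openssl rand -hex 16"); setting DRY_RUN=1 prints the commands instead of running them, which otherwise need root. The "offload: mac" string checked in macsec_verify is the output format of the iproute2 ip-macsec tool as understood here and is an assumption about that tool, not something the page states.

```shell
#!/bin/sh
# Added example (not from the NVIDIA page): one side of an offloaded MACsec
# link with replay protection, plus checks. Keys come from the caller
# (e.g. openssl rand -hex 16). DRY_RUN=1 prints commands instead of running them.
set -eu

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# kernel_config_ok FILE: check the options the page requires in a kernel
# config file such as /boot/config-$(uname -r). CONFIG_MACSEC built as a
# module (=m) is also loadable, so it is accepted here (assumption);
# CONFIG_MLX5_EN_MACSEC is a plain bool and must be =y.
kernel_config_ok() {
    grep -Eq '^CONFIG_MACSEC=(y|m)$' "$1" || return 1
    grep -q '^CONFIG_MLX5_EN_MACSEC=y$' "$1" || return 1
    return 0
}

# validate_key KEY: a MACsec SAK is 128 or 256 bits, given as 32 or 64 hex digits
validate_key() {
    key="$1"
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    if [ "${#key}" -eq 32 ] || [ "${#key}" -eq 64 ]; then return 0; fi
    return 1
}

# cipher_for_key KEY: pick the GCM-AES cipher suite matching the key length
cipher_for_key() {
    if [ "${#1}" -eq 32 ]; then echo gcm-aes-128; else echo gcm-aes-256; fi
}

# macsec_setup PHY MACSEC_DEV LOCAL_SCI PEER_SCI TX_KEY RX_KEY PHY_IP MACSEC_IP
# Same order as the page: physical interface, device, offload request before
# any SA exists, TX SA, RX channel + SA, then addressing. Added here: an
# explicit cipher and an anti-replay window (REPLAY_WINDOW, default 32).
macsec_setup() {
    phy="$1"; dev="$2"; local_sci="$3"; peer_sci="$4"
    tx_key="$5"; rx_key="$6"; phy_ip="$7"; macsec_ip="$8"
    window="${REPLAY_WINDOW:-32}"

    validate_key "$tx_key" || { echo "bad TX key (need 32 or 64 hex digits)" >&2; return 1; }
    validate_key "$rx_key" || { echo "bad RX key (need 32 or 64 hex digits)" >&2; return 1; }
    [ "${#tx_key}" -eq "${#rx_key}" ] || { echo "TX and RX key lengths differ" >&2; return 1; }
    cipher=$(cipher_for_key "$tx_key")

    run ip address flush "$phy"
    run ip address add "$phy_ip" dev "$phy"
    run ip link set dev "$phy" up
    run ip link add link "$phy" "$dev" type macsec sci "$local_sci" \
        cipher "$cipher" encrypt on replay-protect on window "$window"
    run ip macsec offload "$dev" mac
    # key ID 00 on both sides: the peer matches the SA by this identifier
    run ip macsec add "$dev" tx sa 0 pn 1 on key 00 "$tx_key"
    run ip macsec add "$dev" rx sci "$peer_sci" on
    run ip macsec add "$dev" rx sci "$peer_sci" sa 0 pn 1 on key 00 "$rx_key"
    run ip address add "$macsec_ip" dev "$dev"
    run ip link set dev "$dev" up
}

# macsec_verify MACSEC_DEV PHY: the device must report hardware ("mac")
# offload, and the NIC's MACsec counters should move once traffic flows.
macsec_verify() {
    dev="$1"; phy="$2"
    ip macsec show "$dev" | grep -q 'offload: mac' \
        || { echo "$dev is not in hardware offload mode" >&2; return 1; }
    ethtool -S "$phy" | grep macsec
}

# Usage: script client TX_KEY RX_KEY | script server TX_KEY RX_KEY | script verify
# The server's TX key is the client's RX key and vice versa.
# With no arguments the file only defines the functions above.
case "${1:-}" in
    client) macsec_setup enp8s0f0 macsec0 1 2 "$2" "$3" 1.1.1.1/24 2.2.2.1/24 ;;
    server) macsec_setup enp8s0f0 macsec0 2 1 "$2" "$3" 1.1.1.2/24 2.2.2.2/24 ;;
    verify) macsec_verify macsec0 enp8s0f0 ;;
esac
```

Run the client side with "./macsec.sh client <client_key> <server_key>" and the server side with "./macsec.sh server <server_key> <client_key>", then "./macsec.sh verify" on each host; "DRY_RUN=1 ./macsec.sh client ..." shows the exact ip commands before anything is touched.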

Additional Resources

Linux manual pages: ip-macsec(8) and ip-link(8)

© Copyright 2023, NVIDIA. Last updated on Nov 27, 2023.