DOCA Documentation v2.10.0

MACsec Full Offload

Note

MACsec full offload is supported at alpha level only.

The MACsec full offload feature, also known as MACsec inline full offload, lets the user offload MACsec encryption and decryption, MACsec header encapsulation and decapsulation, and anti-replay operations to the hardware.

Note

The hardware implementation supports the GCM-AES and GCM-AES-XPN encryption schemes and is supported with ConnectX-7 onwards.

Note

MACsec, introduced in MOFED v5.9, requires a minimum kernel version of 6.1.

To enable the feature, support in both kernel and adapter firmware is required.

For support in the kernel, make sure the following configuration flags are set:

  • CONFIG_MACSEC=y

  • CONFIG_MLX5_EN_MACSEC=y

For support in firmware, use version xx.34.0364 and up.

IProute2 Configuration

Configuring Physical Interface

  • Client side:

    ip address flush <physical_device>
    ip address add <client_physical_device_ip> dev <physical_device>
    ip link set dev <physical_device> up

  • Server side:

    ip address flush <physical_device>
    ip address add <server_physical_device_ip> dev <physical_device>
    ip link set dev <physical_device> up

Add MACsec Device

  • Client side:

    ip link add link <physical_device> <macsec_device> type macsec sci <client_sci> encrypt on

  • Server side:

    ip link add link <physical_device> <macsec_device> type macsec sci <server_sci> encrypt on

Offload MACsec Device

  • Client side:

    ip macsec offload <macsec_device> mac

  • Server side:

    ip macsec offload <macsec_device> mac

Add MACsec Rules

  • Client side:

    ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key>
    ip macsec add <macsec_device> rx sci <server_sci> on
    ip macsec add <macsec_device> rx sci <server_sci> sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key>

  • Server side:

    ip macsec add <macsec_device> tx sa <sa_num> pn <initial_packet_number> on key <server_key_id> <server_key>
    ip macsec add <macsec_device> rx sci <client_sci> on
    ip macsec add <macsec_device> rx sci <client_sci> sa <sa_num> pn <initial_packet_number> on key <client_key_id> <client_key>

Configure MACsec Device IPs

  • Client side:

    ip address flush <macsec_device>
    ip address add <client_macsec_device_ip> dev <macsec_device>
    ip link set dev <macsec_device> up

  • Server side:

    ip address flush <macsec_device>
    ip address add <server_macsec_device_ip> dev <macsec_device>
    ip link set dev <macsec_device> up

Configuration Example

Client side:

ip address flush enp8s0f0
ip address add 1.1.1.1/24 dev enp8s0f0
ip link set dev enp8s0f0 up
ip link add link enp8s0f0 macsec0 type macsec sci 1 encrypt on
ip macsec offload macsec0 mac
ip macsec add macsec0 tx sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16
ip macsec add macsec0 rx sci 2 on
ip macsec add macsec0 rx sci 2 sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5
ip address flush macsec0
ip address add 2.2.2.1/24 dev macsec0
ip link set dev macsec0 up

Server side:

ip link del macsec0
ip address flush enp8s0f0
ip address add 1.1.1.2/24 dev enp8s0f0
ip link set dev enp8s0f0 up
ip link add link enp8s0f0 macsec0 type macsec sci 2 encrypt on
ip macsec offload macsec0 mac
ip macsec add macsec0 tx sa 0 pn 1 on key 00 ead3664f508eb06c40ac7104cdae4ce5
ip macsec add macsec0 rx sci 1 on
ip macsec add macsec0 rx sci 1 sa 0 pn 1 on key 00 dffafc8d7b9a43d5b9a3dfbbf6a30c16
ip address flush macsec0
ip address add 2.2.2.2/24 dev macsec0
ip link set dev macsec0 up

Note

Use the ip macsec show command to check the configuration.

To verify traffic is offloaded, check MACsec counters by running ethtool -S <physical_device> | grep macsec.
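
The client and server command sets in the configuration example mirror each other: each side's tx key and SCI are the other side's rx key and SCI. The following is an added example, not part of the NVIDIA documentation, that generates fresh keys and prints the matching MACsec commands for both peers so the sample keys printed on this page are not reused. The function names, the 128-bit key length, and the fixed sa 0, pn 1 and key ID 00 values are assumptions taken from the configuration example.

```shell
#!/bin/sh
# Added example: print the mirrored MACsec command set for each peer.
# It only prints commands; review them, then run as root on the matching host.

# gen_key: 128-bit key (32 hex chars) from the kernel CSPRNG.
# The 128-bit length is an assumption matching the page's sample keys.
gen_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_key KEY: succeed only for exactly 32 hex characters.
valid_key() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# macsec_cmds DEV MACSEC_DEV LOCAL_SCI LOCAL_KEY PEER_SCI PEER_KEY MACSEC_IP
# sa 0, pn 1 and key ID 00 are fixed to the values used in the page's example.
macsec_cmds() {
    dev=$1; msec=$2; lsci=$3; lkey=$4; psci=$5; pkey=$6; addr=$7
    if ! valid_key "$lkey" || ! valid_key "$pkey"; then
        echo "macsec_cmds: keys must be 32 hex characters" >&2; return 1
    fi
    if [ "$lsci" = "$psci" ]; then
        echo "macsec_cmds: local and peer SCI must differ" >&2; return 1
    fi
    cat <<EOF
ip link add link $dev $msec type macsec sci $lsci encrypt on
ip macsec offload $msec mac
ip macsec add $msec tx sa 0 pn 1 on key 00 $lkey
ip macsec add $msec rx sci $psci on
ip macsec add $msec rx sci $psci sa 0 pn 1 on key 00 $pkey
ip address flush $msec
ip address add $addr dev $msec
ip link set dev $msec up
EOF
}

# Demo with constructed values: fresh keys, SCIs 1 and 2 as in the example.
ck=$(gen_key); sk=$(gen_key)
echo "# client"; macsec_cmds enp8s0f0 macsec0 1 "$ck" 2 "$sk" 2.2.2.1/24
echo "# server"; macsec_cmds enp8s0f0 macsec0 2 "$sk" 1 "$ck" 2.2.2.2/24
```

The printed output contains the keys in clear text, so treat it like any other key material.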

Info

Refer to the Linux Manual page for more information.

© Copyright 2025, NVIDIA. Last updated on Feb 26, 2025.