2.3 Network properties setting
8.7.2 Download data in video folder
8.7.3 Download data in log folder
8.8 Send a general HTTP GET request
9 Test setup when using 2 FPGA boards
9.1 Environment setup when using 2 FPGA boards
9.2.1 Set parameters and start a server
9.2.2 Transmit data test (Server to client)
9.2.3 Receive data test (Client to server)
This document describes how to demonstrate the operation of the TLS1.3 Client 10Gbps IP Core (TLS10GC-IP) on the ZCU106 and KCU116 Evaluation Boards. In this demonstration, TLS10GC-IP is used to establish a secure connection using the Transport Layer Security protocol version 1.3 over TCP. This involves handling the TLS1.3 handshake and encrypting and decrypting the data transferred between the user and the server. Additionally, HTTPS is selected as the application layer protocol to simplify the testing of data transfer between a standard server and the TLS10GCdemo.
This instruction explains how to use TLS10GCdemo as a client for uploading or downloading data patterns from the provided example node.js server, obtaining results similar to those obtained with a web browser. It also covers the use of the “server” application to test transfer speed between a PC and TLS10GCdemo, as well as the comparison of test results between two FPGA boards.
To operate TLS10GCdemo, please prepare the following test environment.
1) FPGA development board: ZCU106 or KCU116 board.
2) Test PC with a 10 Gigabit Ethernet port or a 10 Gigabit Ethernet card.
3) 10 Gb Ethernet cable:
i) 10 Gb SFP+ Passive Direct Attach Cable (DAC) with a length of 1 m or less
ii) 10 Gb SFP+ Active Optical Cable (AOC)
iii) 2x10 Gb SFP+ transceiver (10G BASE-R) with optical cable (LC to LC, Multimode)
4) Micro USB cable for JTAG connection connecting between ZCU106 board and Test PC.
5) Micro USB cable for UART connection connecting between ZCU106 board and Test PC.
6) Vivado tool for programming FPGA installed on Test PC.
7) Serial console software such as TeraTerm installed on PC. The setting on the console is Baudrate=115200, Data=8-bit, Non-parity and Stop=1.
8) Demo configuration file (To download these files, please visit our web site at www.design-gateway.com)

Figure 1 TLS10GCdemo environment on ZCU106 board

Figure 2 TLS10GCdemo environment on KCU116 board
Before running the demo, please check the network settings on the PC. An example of setting up the 10 Gb Ethernet card is described as follows.

Figure 3 Setting IP address for PC
1) Open Local Area Connection Properties of 10 Gb connection, as shown in the left window of Figure 3.
2) Select “TCP/IPv4” and then click Properties.
3) Set IP address = 192.168.7.26 and Subnet mask = 255.255.255.0, as shown in the right window of Figure 3.

Figure 4 Set Link Speed = 10 Gbps
1) On Local Area Connection Properties window, click “Configure”, as shown in Figure 4.
2) On Advanced Tab, select “Speed and Duplex”. Set the value to “10 Gbps Full Duplex” for running 10 Gigabit transfer test, as shown in Figure 4.
Some network parameter settings may affect network performance. An example of the network properties settings is as follows.
1) On the “Interrupt Moderation” window, select “Disabled” to disable interrupt moderation, which minimizes latency during data transfer, as shown in Figure 5.

Figure 5 Interrupt Moderation
2) On “Interrupt Moderation Rate” window, set value to “OFF”, as shown in Figure 6.

Figure 6 Interrupt Moderation Rate
3) On “Jumbo packet” window, set value to “9014 Bytes”, as shown in Figure 7.

Figure 7 Jumbo packet
4) On “Receive Buffers” window, set value to the maximum value, as shown in Figure 8.

Figure 8 Receive Buffers
5) On “Transmit Buffers” window, set value to the maximum value, as shown in Figure 9.

Figure 9 Transmit Buffers
In this demonstration, a secure HTTPS server is implemented using Node.js. The server listens on port 60001 for HTTPS connection.
All necessary files are provided in the server folder, which includes:
1) serverDemo.js: The main script for running the HTTPS server.
2) key.pem and cert.pem: Sample private key* and server certificate for establishing HTTPS connections.
3) uploadMenu.html: A sample HTML page that allows users to upload data to the server via the HTTP POST method using a web browser.
4) server/log/: A folder containing example testing files. (DG.html, bike.html, pinkpanther.html and rex.html)
These files are sent to clients with the HTTP header “Content-Type: text/html”.
5) server/video/: A folder for storing additional test files.
Files in this folder are sent to clients with the HTTP header “Content-Type: application/octet-stream”.
Users can add additional files to either the server/log/ or server/video/ directories. These files will then be available as downloadable resources, depending on the requested URL.
When serverDemo.js is executed*, IP address and port number of server are displayed on console, as shown in Figure 10.

Figure 10 Server console when serverDemo.js is executed
Remark
* Since TLS10GC-IP supports two signature algorithms, rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256, the key and certificate must correspond to either an RSA key or an ECDSA key using the secp256r1 curve. By default, the provided example key and certificate use RSA. For testing with ECDSA, alternative files are also provided as ecdsa_key.pem and ecdsa_cert.pem. To switch the Node.js server to use ECDSA, replace key.pem and cert.pem with ecdsa_key.pem and ecdsa_cert.pem, respectively.
** When testing serverDemo.js with TLS10GCdemo, the FPGA board must be programmed before executing serverDemo.js to ensure that the server can detect the Ethernet interface between the FPGA board and the PC and can communicate properly.
By default, serverDemo.js does not verify data to optimize transfer speed. However, users can enable the data verification feature by including the “-v” parameter when executing serverDemo.js, as shown in Figure 11.

Figure 11 Server console when enabling verifying data
If a client cannot access the node.js server, please check the firewall settings as follows:
1) Go to Windows Defender Firewall with Advanced Security
2) Click on “Inbound Rules”
3) Search for “Node.js JavaScript Runtime” and open its properties
4) Go to the “Protocols and Ports” tab and set Protocol type = TCP and Local port = Specific Ports, entering the port that the server on the PC opens. By default, the sample server opens port 60001, so the local port number is set to 60001, as shown in Figure 12.
5) Go to “Advanced” tab and mark the profile boxes that match the network profile of ethernet card, as shown in Figure 13.

Figure 12 Protocols and Ports setting

Figure 13 Advanced setting
Clients can download data patterns or existing files located in the server/log or server/video folders by sending a GET request with the appropriate URL.
Four data patterns are available for download: increasing binary, decreasing binary, increasing text and decreasing text. When the server receives a GET request for a data pattern, it logs the pattern type and the requested data length on the console, as shown in Figure 14.

Figure 14 Server console when client download data pattern
For downloading existing files from server/log or server/video folder, if the specified file exists, the server responds with that file. The file path of the requested resource is logged on the server console, as shown in Figure 15.

Figure 15 Server console when client download ./log/DG.html
Clients can upload data to the server by sending a POST command followed by uploaded data. After the transfer is complete, received data, length of data and transfer speed are displayed on the server console, as shown in Figure 16. If data length is more than 16 kB, the server console shows only data length and transfer speed.

Figure 16 Server console when client upload data
Due to the encrypting/decrypting process in the TLS protocol, Node.js server on the PC cannot achieve full-speed data transfer between PC and TLS10GC-IP. The “server” application is designed to run on the PC similar to the Node.js server for testing the performance of TLS10GC-IP via ethernet. The server opens port 60001 for HTTPS connection. Users can select the ethernet IP address for testing corresponding to the IP address of the 10 Gb Ethernet card, as shown in Figure 17.

Figure 17 Server application console
For upload speed testing, after the handshake process is completed, the “server” application receives TxData from the client and counts the amount of received data to validate whether it matches the value from the URL. To achieve optimal data transfer speed, the received data remains undecrypted and unverified. The transfer speed is then displayed on the server console, as shown in Figure 18.
For download speed testing, after the handshake process is completed, “server” application will prepare the encrypted data pattern corresponding to the data pattern from the URL and continuously send it to the client. The download speed will be displayed on the server application console, as shown in Figure 19.

Figure 18 Server application console when testing upload speed

Figure 19 Server application console when testing download speed
Users can use a web browser for downloading data from server by GET method and uploading data to the server via POST method.
To download a data pattern, users can enter a URL in the following format:
https://ip:port/direction/pattern/length
Where ip represents the server’s IP address in dot-decimal notation
port represents the server’s port number
direction represents download or upload
pattern represents the data pattern
b1: increasing binary pattern, t1: increasing text pattern,
b0: decreasing binary pattern, t0: decreasing text pattern
length represents the data length in bytes
As shown in Figure 20, the server’s IP address is 192.168.7.26, the port number is 60001 and the user's URL is https://192.168.7.26:60001/download/t1/123. A secure connection is established and the 123-byte increasing text pattern is displayed in the web browser.

Figure 20 Increasing text pattern shown in web browser
Remark
· Our tested web browser is Google Chrome version 116.0.5845.141.
· The certificate used in this demonstration is self-signed, meaning it was not issued by a certification authority (CA). When attempting to access the server with a self-signed certificate, the web browser may display a "Not Secure" alert.
· In case of downloading a binary pattern, a “Save as” dialog window appears. Users can save the file and view the binary data after the download process is complete.
For downloading existing files in server/log or server/video folder, users can input URL in the following format,
https://ip:port/download/log/filename or https://ip:port/download/video/filename, respectively.
When the user enters https://192.168.7.26:60001/download/log/DG.html and DG.html exists in the log folder, a secure connection is established and the HTML page is downloaded and displayed in the web browser, as shown in Figure 21.

Figure 21 DG.html shown in web browser
Users can securely upload data through web browser by requesting uploadMenu.html from https://192.168.7.26:60001/upload/menu. Upload menu is displayed in the web browser, as shown in Figure 22. Users can select the data pattern and data length. The html page will prepare the data and send a POST command along with the data pattern to the server when the “POST” button is pressed. Because the length of the data is greater than or equal to 16,000 bytes, only the data length and transfer speed are displayed on server console when the upload is completed, as shown in Figure 23.

Figure 22 Secured upload page

Figure 23 Server’s console when client upload large data
Follow these steps to set up the ZCU106 FPGA development board:
1) Make sure power switch is off and connect power supply to FPGA development board.
2) Connect two USB cables between FPGA board and PC via micro-USB ports.
3) Power on system.
4) Download the configuration file and firmware to the FPGA board by following these steps:
a) open Vivado TCL shell.
b) change current directory to download folder which includes demo configuration file.
c) Type “TLS10GCTest.bat”, as shown in Figure 24.

Figure 24 Example command script for download configuration file
Follow these steps to set up the KCU116 FPGA development board:
1) Make sure the power switch is off and connect the power supply to KCU116 development board.
2) Connect USB cable between PC to JTAG micro-USB port.
3) Power on the system.
4) Open Vivado Hardware Manager to program FPGA by following steps.
i) Click open Hardware Manager.
ii) Open target -> Auto Connect.
iii) Select FPGA device to program bit file.
iv) Click Program device.
v) Click “…” to select program bit file.
vi) Click Program button to start FPGA Programming.

Figure 25 Program Device
Users can set the parameters, download and upload data by using the following command. The TLS10GCdemo commands and their usage will be displayed, as shown in Figure 26. Detailed information about each command is described in Topic 8 Command Details.

Figure 26 Serial console
command> setip ddd.ddd.ddd.ddd[/dd]
This command is used to set FPGA’s IP address and subnet mask using CIDR notation. By default, the FPGA is assigned the IP address 192.168.7.84/24.
command> setport ddddd
This command is used to set the static port number of FPGA in decimal format. By default, the FPGA’s port number is set to be dynamic. Dynamic ports range from 49152 to 65535. Users can enable dynamic port again after specifying a port number by using “setport dynamic” command.
command> setmac hh-hh-hh-hh-hh-hh
This command is used to set FPGA’s MAC address in hexadecimal format. The default FPGA’s MAC address is 00-01-02-03-04-05.
command> setgatewayip ddd.ddd.ddd.ddd
This command is used to set gateway’s IP address in dotted-decimal format. The default gateway’s IP address is 192.168.7.2. Users can input setgatewayip command followed by a valid IP address.
command> showkey <1: enable, 0: disable>
This command is used to enable showkey mode. When showkey mode is enabled, the TLS traffic ticket for encryption/decryption is displayed on the serial console, as shown in Figure 27. Users can use the TLS traffic ticket as (Pre)-Master-Secret log file for Wireshark* to decrypt transferred data between the client and server.

Figure 27 Serial console when showkey mode is enabled
*Wireshark is a network packet analyzer tool used for network troubleshooting, analysis, and security purposes.
command> showcert <1: enable, 0: disable>
This command is used to enable showcert mode. When showcert mode is enabled, the server’s certificate stored in CertRam is displayed on the serial console, as shown in Figure 28. The certificate information is displayed in hexadecimal format, which corresponds to the result obtained by using openssl command: openssl x509 -in cert.pem -outform der | hexdump -C, as shown in Figure 29.

Figure 28 Serial console when showcert mode is enabled

Figure 29 Certificate information from openssl command
command> myGET https://hostname[:port]/urlpath
Where hostname represents the server’s domain name or IP address in dot-decimal notation
port represents the server’s port number
urlpath represents the path to the desired resource on the server
This command simulates the HTTP GET method to request a resource from the server. If the user specifies a domain name as the hostname and it matches an existing hostname-to-IP mapping*, the corresponding IP address from the table is used. If no match is found, the function prompts the user to manually enter the IP address in dot-decimal notation, as shown in Figure 30. This IP address is then used as the network parameter and saved into the hostname-to-IP mapping for future use.

Figure 30 Prompt for IP address input when domain name is unmatched
If the user does not specify a port number, a default value “443” is used.
After sending the request to the server, the demonstration processes the server’s response based on the format of the urlpath, as described in the following sub-sections.
To download a data pattern from the example Node.js server, users can specify the urlpath in the format:
download/pattern/length
Where pattern represents the data pattern
length represents the data length in byte
In this case, the verification feature is enabled. If the received data matches the expected pattern, the total length of received data and the download speed are displayed on the serial console.
If the received data length exceeds 16 kB, “Data Length is too large, Show only Transfer speed” is displayed instead of the received data, as shown in Figure 31.

Figure 31 Serial console when downloading large data
In this demonstration, the maximum data length is limited at 2 GB for testing with the test software and 1 GB for testing with serverDemo.js, respectively. If a request exceeds the maximum allowed length, the server returns an error. This causes the verification to fail, and both the expected and received data are shown on the serial console.
To test download speed without verification, users can download existing files from the video folder of the example Node.js server using the urlpath format:
download/video/filename
Where filename represents the name of the file in video folder.
In this case, the verification feature is disabled. The TLS10GCdemo software parses the expected data length from the HTTP response. If the received length matches the expected value, both the total data size and download speed are displayed on the serial console.
To download files stored in the log folder, users can specify the urlpath in the format:
download/log/filename
Where filename represents the name of file in log folder
In this case, the verification feature is disabled. The TLS10GCdemo software displays the received data on the serial console until either an alert is received from the server or a timeout occurs.
For example, user can enter:
myGET https://ip:port/download/log/DG.html
This command requests the file DG.html located in the server’s log folder. The received content is then shown on the serial console, as illustrated in Figure 32.

Figure 32 Serial console when downloading DG.html
Users can send arbitrary HTTP GET requests by specifying a custom urlpath. If the urlpath does not match the formats defined in sections 8.7.1, 8.7.2 or 8.7.3, the TLS10GCdemo will send a GET request using the provided urlpath. In this case, the verification feature is disabled. The received data is displayed directly on the serial console.
For example, user can enter:
myGET https://example.com/index.html
This command connects to 23.192.228.84:443 (based on the hostname-to-IP mapping) and sends a GET request for the /index.html path. The example.com server responds with HTTP 200 OK and returns the index.html file to the demo. The TLS10GCdemo displays the full HTTP response from the server, including the contents of index.html, as shown in Figure 33.

Figure 33 Serial console when sending a general GET request
Remark
* The hostname-to-IP mapping is initialized with example web server entries, tested on 29-May-2025, in Bangkok, Thailand, as follows,
| Hostname | IP address |
|---|---|
| www.google.com | 142.250.199.14 |
| example.com | 23.192.228.84 |
| xilinx.com | 149.199.60.62 |
| www.intel.com | 96.17.248.184 |
| www.reddit.com | 199.232.165.140 |
Users can add additional hostname-to-IP mappings as needed, up to a maximum of 32 domain names for this demonstration.
command> myPOST https://ip:port/upload/pattern/length
This command simulates POST method of HTTP to upload data to the server. Users can specify the data pattern and data length in the URL. After the upload is completed, the data length and upload speed are displayed, as shown in Figure 34 and Figure 35. On the server’s console, the number of data sent from the client and transfer speed is displayed. If the data length is less than 16 kB, the received data is also displayed, as shown in Figure 36.

Figure 34 Serial console when uploading large data

Figure 35 Serial console when uploading 123-byte data

Figure 36 Server console when uploading 123-byte data
command> myFullduplex https://ip:port/fullduplex/pattern/length
This command is used to transfer data between the client and server in full duplex mode. It simulates POST method of HTTP with the fullduplex URL, which requests a data pattern from the server and uploads the data pattern to the server. Users can specify the data pattern and data length in the URL. After the transmission and reception of data are complete, the data length and transfer speed are displayed, as shown in Figure 37.

Figure 37 Serial console when full duplex mode is tested
To operate TLS10GCdemo with TLS10GSdemo, please prepare the following test environment.
1) FPGA development boards (ZCU106 as a client and ZCU102 as a server).
2) 10 Gb Ethernet cable:
a) 10 Gb SFP+ Passive Direct Attach Cable (DAC) which has 1-m or less length
b) 10 Gb SFP+ Active Optical Cable (AOC)
c) 2x10 Gb SFP+ transceiver (10G BASE-R) with optical cable (LC to LC, Multimode)
3) Micro USB cable for JTAG connection connecting between FPGA board and Test PC.
4) Two micro USB cables for UART connection: one between the ZCU102 board and the Test PC and one between the ZCU106 board and the Test PC.
5) Vivado tool for programming FPGA installed on Test PC.
6) Serial console software such as TeraTerm installed on PC. The setting on the console is Baudrate=115200, Data=8-bit, Non-parity and Stop=1.
7) Batch files named “TLS10GCIPTest.bat” and “TLS10GSIPTest.bat” (To download these files, please visit our web site at www.design-gateway.com)

Figure 38 TLS10GCdemo environment when using 2 FPGA boards
Follow step 1)-8) of Topic 6 Board Setup to prepare the FPGA boards for running the demo. Run “TLS10GCTest.bat” to download the configuration file and firmware to the ZCU106 board as a client and run “TLS10GSTest.bat” to download the configuration file and firmware to the ZCU102 board as a server. The details of the supported commands and their usage for TLS10GSdemo are described at the following link.
https://www.dgway.com/products/IP/TLS-IP/TLS10GSIP-instruction-xilinx-en/
1) Set network parameters of each FPGA board: IP address, port number, and mac address.
2) Set server’s certificate and RSA key information via serial console of server.
3) Start a server, as shown in Figure 39 by entering the following command in server’s console:
listenFor <client’s IP address> on <server’s port number>

Figure 39 Server and client console when parameters are set
Enter the command myGET protocol://ip:port/download/pattern/length through client’s console to request the data pattern from TLS10GSdemo. Once the data transfer is complete, the transfer results and speed will be presented on both client’s and server’s consoles, as shown in Figure 40.

Figure 40 Server and client console when transfer data from server to client
Enter the command myPOST protocol://ip:port/upload/pattern/length through client’s console to transmit the data pattern from TLS10GCdemo to TLS10GSdemo. Once the data transfer is complete, the transfer results and speed will be presented on both client’s and server’s consoles, as shown in Figure 41.

Figure 41 Server and client console when transfer data from client to server
Enter the command myFullduplex protocol://ip:port/fullduplex/pattern/length through client’s console to test transfer data in full duplex mode between TLS10GSdemo and TLS10GCdemo. Once the data transfer is complete, the transfer results and speed will be presented on both client’s and server’s consoles, as shown in Figure 42.

Figure 42 Server and client console when transfer data in full duplex mode
In this demonstration, TLS10GCdemo is showcased for its ability to function as a secure client. The HTTPS protocol is chosen as the application layer to demonstrate that TLS10GC-IP can implement TLS1.3 to secure HTTP communication. The subsequent section details the test results when transferring data between each component, covering 2 main aspects: functionality testing and performance testing.
TLS10GCdemo is designed to send HTTPS request to a server, demonstrating that TLS10GC-IP can handle TLS1.3 connection similar to a web browser. As shown in Figure 43 and Figure 44, a web browser requests a data pattern via the GET command and displays the received HTTP payload from the server on the browser, producing the same result on the serial console of TLS10GCdemo.

Figure 43 Test results when web browser download data from node.js server

Figure 44 Test results when TLS10GCdemo download data from node.js server
In the case of uploading data, TLS10GCdemo is capable of transmitting a data pattern with an HTTP header to the server. The results shown on the server console upon completing the reception of data from TLS10GCdemo, as shown in Figure 45, are similar to those shown when receiving data from a web browser, as shown in Figure 46.

Figure 45 Test results when web browser upload data to node.js server

Figure 46 Test results when TLS10GCdemo upload data to node.js server
When the example node.js server is used as a server to communicate with TLS10GCdemo, the CPU manages encryption/decryption during data transfer, causing a decrease in transfer speed. To achieve the maximum throughput, the "server" application is used instead.
The “server” application is designed to encrypt data before transmission through the network in Tx mode and, in Rx mode, to decrypt only the last data block and verify the total received data size. As shown in Figure 47 and Figure 48, the transfer speed is nearly 10 Gbps and the utilization of the Intel i7 CPU is approximately 100%, as monitored by the PC's task manager. This indicates that if the CPU is tasked with encrypting/decrypting data while transferring data through the network, the transfer speed will be reduced.

Figure 47 Test results when TLS10GCdemo download data to “server” application

Figure 48 Test results when TLS10GCdemo upload data to “server” application
For full duplex mode, the transfer speed between the “server” application and TLS10GCdemo decreases, as shown in Figure 49. This suggests that the CPU cannot handle both receiving and transmitting tasks in a secure connection while maintaining the 10 Gbps throughput.
In the testing scenario between two FPGA boards, where TLS10GCdemo acts as a client and TLS10GSdemo as a server, cryptographic tasks, including encryption/decryption, are entirely offloaded to hardware. As shown in Figure 50, the throughput increases to 9360 Mbps, representing the maximum throughput achievable with TCP/IP in this demonstration.

Figure 49 Full duplex test results between TLS10GCdemo and “server” application

Figure 50 Full duplex test results between TLS10GSdemo and TLS10GCdemo
| Revision | Date (D-M-Y) | Description |
|---|---|---|
| 1.05 | 10-Oct-25 | Update setip command to support CIDR notation |
| 1.04 | 30-May-25 | - Update to support ecdsa_secp256r1_sha256 algorithm - Add sample demo for general web url |
| 1.03 | 2-Apr-25 | Add setgatewayip command |
| 1.02 | 5-Mar-24 | Add test results between 2 FPGA boards |
| 1.01 | 22-Dec-23 | Add full duplex test |
| 1.00 | 8-Sep-23 | Initial version release |