
Security in silicon: A guide to secure, high-speed SoC devices (Part 2)

Posted: 18 Oct 2007

Keywords: security in silicon, high-speed SoC, secure devices

Analysis of this system revealed that the software portion of the Data Plane functionality often posed a significant processing burden on the general purpose CPU. Specifically for small packets, this processing burden created an overall performance bottleneck, with the CPU being utilized for 100 percent of the cycles.

Data plane offloading
To overcome this bottleneck, SafeNet decided to implement the complete Data Plane functionality in a dedicated, very efficient SoC hardware system: the Inline Security Engine. The Inline Security Engine's value lies in its unique capability to maximize data plane offloading from a host processor to dedicated inline security hardware.

As a key element of the Inline Security Engine, the Packet Classification and Flow Processor modules ensure that time-consuming packet-by-packet security processing is fully offloaded from the host processor, along with any cryptographic processing implemented by the Inline Packet Engine module.

Implementing software-originated functionality in hardware brings the challenges of preserving flexibility and handling complexity. The Inline Security Engine addresses these challenges by using micro-programmable hardware that can be updated in the field to accommodate future changes in standards.

The sophisticated micro-engines operate in parallel configurations and allow complex security operations to be performed on the packet and administration data at high speeds, making the inline security system much more efficient than any general purpose processor. With the Inline Security Engine, the general-purpose processor is not involved in processing packets that belong to an existing data flow. This allows the processor to dedicate its clock cycles to data flow setup and other processing tasks. Furthermore, the micro-engines still allow packets to be handed off to the general purpose CPU, in order to allow for additional software-based processing, if desired.

The result is a high-performance security solution that delivers Gigabit rate processing (Figure 2).

The micro-programs that control the Packet Classification and Flow Processor's operations are stored in RAM, making them field-upgradeable. This feature is extremely useful if security standards or protocols change, or if non-standard functionality needs to be implemented on the SoC.

[Figure 2 diagram. Blocks shown: Network I/F; Packet Classifier/Flow Processor; SafeXcel IP Inline Packet Engine; Packet Classifier/Flow Processor; Network I/F / TCP Offload; CPU; Memory I/F; PKA; TRNG; Internal SOC bus; SafeXcel IP Inline Security Engine; QuickSec; Driver; Control Plane; Other Peripherals; Data Plane; Generic 32-bit memory interfaces / VCI; Generic 32-bit streaming I/O.]

Figure 2: Example of the Inline Security Architecture.

Control plane: packet classification and flow processing
While traditional offerings need to rely on external packet classification, i.e. classification performed by another processor, the Inline Security Engine includes micro-programmed hardware assist for this time-consuming task.

For every packet, the Packet Classifiers and Flow Processors perform a sanity check, decide how the packet needs to be processed (either by the host processor or by the Inline Packet Engine) or whether it needs to be discarded (filtering). Then they take care of the associated administration tasks, such as transform and flow information updates. This way, the Packet Classifiers and Flow Processors autonomously instruct the Inline Packet Engine as to which operation needs to be performed on the packet.
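
The per-packet decision described above (sanity check, then discard, hand to the host, or hand to the Inline Packet Engine with a flow update) can be modelled in software. The following is an added example, not SafeNet's micro-program: it assumes IPv4 traffic with ESP (protocol 50) flows keyed by source, destination and SPI, and the names classify, add_flow and the eight-entry flows table are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Added model, not SafeNet code. Assumption: IPv4 ESP (protocol 50) flows keyed by (src, dst, SPI). */
enum verdict { DISCARD, TO_HOST, TO_ENGINE };
struct flow { uint32_t src, dst, spi; uint64_t pkts, bytes; };
static struct flow flows[8];      /* hypothetical flow table, filled by the host at flow setup */
static size_t nflows;
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
/* One's-complement sum over the header; a header with a correct checksum sums to 0xFFFF. */
static uint16_t hdr_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)p[i] << 8 | p[i + 1];
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)s;
}
enum verdict classify(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return DISCARD;          /* sanity: IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4, tot = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || tot < ihl || tot > len) return DISCARD;      /* sanity: length fields */
    if (hdr_sum(pkt, ihl) != 0xFFFF) return DISCARD;             /* sanity: header checksum */
    if (pkt[9] != 50) return TO_HOST;                            /* not ESP: software path */
    if (tot < ihl + 8) return DISCARD;                           /* truncated ESP header */
    uint32_t src = be32(pkt + 12), dst = be32(pkt + 16), spi = be32(pkt + ihl);
    for (size_t i = 0; i < nflows; i++)
        if (flows[i].src == src && flows[i].dst == dst && flows[i].spi == spi) {
            flows[i].pkts++; flows[i].bytes += tot;              /* flow administration update */
            return TO_ENGINE;                                    /* existing flow: CPU not involved */
        }
    return TO_HOST;                                              /* unknown flow: host performs setup */
}
int add_flow(uint32_t src, uint32_t dst, uint32_t spi) {         /* host-side flow setup */
    if (nflows == 8) return -1;
    flows[nflows++] = (struct flow){ src, dst, spi, 0, 0 };
    return 0;
}
/* Constructed sample: 28-byte ESP packet 10.0.0.1 -> 10.0.0.2, SPI 0x1001, checksum computed here. */
size_t sample_packet(uint8_t *b) {
    static const uint8_t t[28] = { 0x45,0,0,28, 0,1,0,0, 64,50,0,0, 10,0,0,1, 10,0,0,2, 0,0,0x10,0x01, 0,0,0,1 };
    for (size_t i = 0; i < 28; i++) b[i] = t[i];
    uint16_t c = (uint16_t)~hdr_sum(b, 20);
    b[10] = (uint8_t)(c >> 8); b[11] = (uint8_t)c;
    return 28;
}
int main(void) {
    uint8_t p[28]; size_t n = sample_packet(p);
    int before = classify(p, n);                 /* flow not yet installed */
    add_flow(0x0A000001, 0x0A000002, 0x1001);
    printf("before=%d after=%d\n", before, (int)classify(p, n));
}
```

Only the first packet of a flow reaches the host in this model; every later packet of that flow is counted and dispatched without it, which is the offload the article describes.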

The Inline Packet Engine implements various data manipulation functions on incoming data as instructed by the Packet Classifier and Flow Processor, including data insertion, data removal, data replacement, data retrieval, and crypto, hash and checksum operations. In order to achieve Gigabit rate throughputs, the Inline Packet Engine uses a three-stage processing pipeline.

