EE Times-Asia

High integration makes IPSec fly

Posted: 16 Dec 2002

Keywords: internet protocol security, IPSec, network security, network processor, security processor

The information superhighway is more important than ever today, yet it faces increasing security threats, elevating the need for improved and ubiquitous security built into the hardware of every node in the network. This requires that base security functionality, such as data confidentiality and data integrity, be built into every network device so that every packet placed on the network has all of the security and protection that is affordable and possible.

However, security is an afterthought in many networking equipment designs. We need to rethink network security - where, when, and under what conditions security features should be added.

Currently, there are three primary ways to add security functions to networking hardware equipment. The first and most common method is to use a co-processor coupled with a network processor or a general purpose processor. As data rates go up, this method becomes less practical because the packet must traverse shared resources such as data buses or memory four times.

The second method is to add a security processor inline with a network processor. While this approach can achieve high data rates, the inline security processor must perform many of the same functions as the network processor, such as packet reassembly; thus, work must be repeated and silicon area must be duplicated.

The third method is to integrate the encryption circuitry into the same silicon as the network processor, thereby adding security functionality into the network processor while maintaining wire rate and minimizing new silicon area. As new network line cards are designed, an integrated solution will prove beneficial.

When designing a network security product, one must consider both the packet-processing and the security requirements. A general purpose processor coupled with a security co-processor will not be fast enough to achieve 10Gbps rates with existing products. It is possible to couple an existing network processor, such as the Intel IXP1200, with a security co-processor, but today's security ICs offer only co-processor architectures, and these are insufficient.

In the next-generation IXP2850, we chose to integrate security and cryptographic capabilities on-chip, not only because it is the best way to achieve affordable and ubiquitous security throughout the network, but because it is a more efficient way to provide security. In terms of performance, this integrated approach is more than sufficient to encrypt and authenticate Internet Protocol Security (IPSec) at 10Gbps Ethernet rates even when 100 percent of the traffic is secured.

In our design, we use a cryptographic unit that incorporates much of the functionality needed for many of the basic algorithms but in a way that is easily integrated into the basic data-flow pipeline of the network processing unit (NPU). The cryptography unit consists of several algorithms that provide data confidentiality and data integrity. Each algorithm has its own set of trade-offs and challenges in terms of silicon area, parallelism, and symmetry.

The added security functionality supports the Data Encryption Standard (DES), 3DES, and the Advanced Encryption Standard (AES) algorithm, along with the Secure Hash Algorithm (SHA-1) for data authentication, directly in hardware. It consists of two 3DES cores, one AES core, and two SHA-1 cores. It is possible to process the data via the SHA-1 cores either before or after the ciphers have processed the data.

The IXP2850 has two such cores.

It is important to add the cryptographic functionality in a way that leverages the network processor features. In the case of Intel network processors, that means taking advantage of multiple, multithreaded processing elements called microengines.

While this multithreaded model is one of the strengths of the NPU architecture that we chose to leverage, it provided some design challenges. For instance, since the security functions are somewhat orthogonal - depending on the configuration - it is desirable to fully use all security hardware in parallel.

But enabling this parallelism in hardware requires careful management of common components such as global buses, local memory, and data-stalling methods.

Although it is important to achieve 10Gbps rates on a single interface, it is also important to aggregate, for example, ten 1Gbps interfaces. When multiple interfaces are connected to the network processor, the data of a particular packet might be interleaved with other packet data in the receive buffer.

Careful integration of the cryptographic engine pipeline into the NPU results in a cipher data path that delivers more than 25 million IPSec packets per second. This is sufficient performance to encrypt and authenticate IPSec at 10Gbps rates when 100 percent of the traffic needs to be secured.

- Wajdi Feghali

Security Architect

Intel Corp.

- Brad Burres

Senior Component Design Engineer

Intel Corp.

- Gilbert Wolrich

Senior Architect

Intel Corp.

- Douglas Carrigan

Strategic Marketing Manager

Intel Corp.
