Protocol-IP-196 Multi-Protocol Engine with Classifier, Look-Aside, 5-10 Gbps

The Protocol-IP-196 Multi-Protocol Engine is a protocol-aware packet engine for accelerating IPSec, SSL/TLS, DTLS, 3GPP and MACsec up to 10 Gbps in multi-core application or communication processors offering a large selection of cipher algorithms. Designed for fast integration, maximum CPU offload and offering full transforms, it provides a reliable and cost-effective embedded IP solution that is easy to integrate into multi-core SoC designs. The Multi-Protocol Engine is pre-integrated with the DPDK, Linaro ODP and Linux crypto APIs. Therefore, this IP is designed for seamless integration of network security processing in systems, with its AMBA bus interfaces as well as these public APIs.

Protocol aware IPsec, SSL, TLS, DTLS, 3GPP and MACsec Packet Engine with virtualization, caches classifier and Look-Aside interface for multi-core application processors

5-10 Gbps, programmable, maximum CPU offload by classifier, supports new and legacy crypto algorithms, AMBA interface

Supported by Driver development kit, QuickSec IPsec toolkit, Linaro ODP, DPDK, Linux Crypto

How the Protocol-IP-196 Multi-Protocol Engine works

The Protocol-IP-196 Multi-Protocol Engine is a protocol-aware packet engine. With a Look-Aside bus interface, virtualization and embedded cache it is a highly efficient packet transform engine targeting security processing in complex SoCs in the emerging 5G network topologies. The Multi-Protocol engine is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec, as well as SSL, TLS, DTLS and 3GPP. Compared to the Protocol-IP-93 it offers higher performance, more algorithms, protocol flexibility through token instructions and supports multi-core CPUs. Compared to the Protocol-IP-97 it offers the same raw performance, however with large latency compensation and pre-fetching, internal caches and full virtualization, it guarantees performance in a complex multi CPU system and with high CPU offload. Due to the virtualization, the Protocol-IP-196 also allows separation of security parameters and keys from the different CPUs and secure applications in the system.

Protocol-IP-196 Multi-Protocol Engine Block Diagram
Protocol-IP-196 Multi-Protocol Engine Block Diagram

The Protocol-IP-196 is designed to off-load the host processor to improve the speed of protocol operations and reduce power in gigabit application processors for: VPN routers, home media gateways, FTTH routers, IoT gateways; femtocells, base stations, cloud storage, 5G network SoCs, VPN appliances and surveillance cameras.

Performance for large packet sizes is 10 Gbps for any supported protocol, with minimal CPU load for existing flows. Gate count is between 500 and 700K gates depending on the configuration.

Secure Networking Basics cover

Secure Networking Basics: MACsec, IPsec, and SSL/TLS/DTLS

The MACsec, IPsec and SSL/TLS/DTLS protocols are the primary means of securing data in motion (communicated between connected devices). These protocols can be anchored in hardware or implemented in software as part of an end-to-end security architecture. This white paper provides fundamental information on each of these protocols including their interrelationships and use cases.

Features and Benefits

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Driver development kit
  • Full virtualization, key separation at application and CPU level
  • Embedded cache
  • AMBA interfaces
  • NIST SP800-90A compliant DRGB
 

IPsec classification:

  • IPsec-ESP header parsing to look-up a flow
  • Fetch flow and corresponding transform record based 
on lookup result
  • Update flow statistics
  • Update transform statistics
  • Support for IPv4 and IPv6
 

IPsec transformation (IPv4 and IPv6):

  • Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4304, 4308, 4309, 4543, 4835, 4868, 4869, 6054,6379, 7321, 7539, 7634 and 8221)
  • IPsec ESP and AH tunnel & transport mode
  • Autonomous IPsec ESP packet classification and security association selection (both inbound and outbound)

  • Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets
  • Full sequence number processing, including ESN and full anti-replay check with various mask sizes
  • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets
  • Append (outbound) / strip and verify (inbound) padding up to 255 bytes
 

SSL3.0 / TLS1.0 / TSL1.1 / TLS1.2 / TLS1.3 / DTLS1.0 / DTLS1.2:

  • Full single pass packet transforms according to latest RFCs (2246, 4346, 4347, 5246, 5288, 5289, 6101, 6347, 6460, 6655, 7539, 7905 and 8446)
  • Full header processing:
    • Insert header for outbound packets
    • Strip and verify header for inbound packets
    • Anti-replay check
    • Trailer processing:
      • Insert padding up to 255 bytes for outbound packets
      • Strip and verify padding up to 255 bytes for inbound packets
      • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets

MACsec

  • MACsec frame transforms according to IEEE 802.1AE standards
  • SecTAG insertion and removal
  • PN insertion, removal and verification
  • ICV generation, insertion, removal and verification
 

SRTP packet transforms according to RFC3711:

  • SRTP packet transforms according to RFC3711
  • ROC insertion and removal
  • MKI insertion and removal
  • TAG generation and insertion
 

3GPP Wireless Algorithms

SA -Manager

  • Embedded SA cache [Inserted Bullet]
  • Optimized Security Association format
  • Supports unlimited number of security associations
 

The cryptographic engine supports the following cryptographic algorithms:

  • (3)DES in ECB and CBC with (3x) 56-bit key
  • AES in ECB, CBC, ICM, CTR mode with 128/192/256-bit keys, GCM, GMAC and CCM modes, optional AES-XTS
  • Optional ChaCha20, SM4, ARIA [Inserted Bullet]
  • Optional ARC4 in stateful and stateless mode, up to 128-bit key
  • Kasumi in basic and f8 mode (UEA1)
  • SNOW3G in basic and 128-EEA1 mode(UEA2)
  • ZUC in basic and 128-EEA3 mode (UEA3)
 

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224/256, MD5
  • Optional SHA-2-384/512, SHA-3 224/256/384/512
  • HMAC transforms for SHA-1, SHA-2, MD5
  • Optional SM3, Poly1305
  • SSL-MAC transforms for SHA-1, MD5
  • AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF
  • GHASH, GCM, AES-GCM and AES-GMAC
  • CRC32
  • Kasumi in f9 mode (UIA1)
  • SNOW3G in basic and 128-EIA1 mode(UIA2)
  • ZUC in basic and 128-EIA3 mode (UIA3)
 

The host interface with DMA controller supports:

  • Multiple descriptor rings with individual access for 
multiprocessor support
  • Scatter/gather processing
  • Automatic arbitration and bus flow control
  • Supports big and little endian host systems
  • Decouples packet engine from system bus interface
 

Master and slave interface:

  • Master/slave interface: AXI/AXI or AXI/APB
  • Input and output buffers decouple packet engine from system bus interface
  • Convenient SW debug interface including halt mode
  • Clock switching interface for low power consumption
  • Virtualization
Rambus logo