High Speed Look-aside Security Processing Engine

Features

• Performance
• The EIP-97b configurations have the following performance:
• IPsec/SSL/TLS/DTLS 5Gbps using AES and SHA-1
• MACsec 5.9Gbps using AES-GCM
• The performance is specified for packets (frames) of 1500 bytes with a new context for each packet (frame) based on a 500MHz system clock.
• For detailed performance please refer to section 2.9.
• At the same frequency, small packet performance (for above algorithms) is approx. half compared to 1500 byte packets.
• The EIP-97a configuration targets low-gate count and has less performance. Performance of EIP-97c configurations is 2x higher than the EIP-97b.
• Performance of EIP-97d configurations is 4x higher than the EIP-97b, and achieves up to 20Gbps for AES-SHA-1 operations (@500MHz for large packets). On request an EIP-97e is available with an 8x higher performance than the EIP-97b.
• IPsec (IPv4 and IPv6):
• Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4308, 4309, 4543, 4868, 4869, 6054, 6071 and 6379),
• IPsec ESP and AH tunnel & transport mode,
• Complete IPsec (IPv4/IPv6) Header/Trailer processing,
• Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets,
• Full sequence number processing, including ESN and full anti-replay check with various mask sizes
• Calculate and insert Integrity Check Value for outbound packets, strip and verify for inbound packets,
• Append (outbound) / strip and verify (inbound) padding up to 255 bytes.
• MACsec
• MACsec frame transforms according to IEEE 802.1AETM-2006 and Draft 802.1AEbn/D1.0
• SecTAG insertion and removal,
• PN insertion, removal and verification
• ICV generation, insertion, removal and verification
• SRTP
• SRTP packet transforms according to RFC3711
• ROC insertion and removal,
• MKI insertion and removal,
• TAG generation and insertion.
• SSLv3.0 / TLSv1.0 / TLSv1.1 / TLSv1.2 / DTLS:
• Packet transforms according to latest RFCs (2246, 4346, 4347, 5246, 6101 and 6347)
• Header processing.
• Packet selecting a stream ciphers are processed autonomous, for block ciphers external padding length calculation is required.
• Padding insertion & removal up to 255 bytes.
• Security Associations / context records
• Optimized Security Association format (context record)
• Supports unlimited number of Security Associations.
• CRYPTO ENGINE
• The cryptographic engine supports the following cryptographic algorithms:
• (3)DES in ECB and CBC with (3x) 56-bit key,
• AES in ECB, CBC, ICM, CTR mode with 128/192/256 bit keys, GCM, GMAC and CCM modes,
• ARC4 in Stateful and Stateless mode, up to 128-bit key, (EIP-97is, EIP-97ies),
• HASH ENGINE
• The Hash engine supports the following algorithms:
• MD5 and SHA-1
• SHA-2 with 224-bit, 256-bit digest
• SHA-2 with 384-bit, 512-bit digest (EIP-97ie, EIP-97ies)
• HMAC transforms for above algorithms,
• GHASH (for GCM and GMAC)
• AES-CMAC, XCBC-MAC and CBC-MAC (for CCM)
• SSL MAC transforms (EIP-97is, EIP-97ies).
• CRC-32
• Internal PRNG for optimal IV generation
• Host Interface Adapter with DMA and bus mastering
• The DMA controller supports:
• Multiple Descriptor Rings with individual access for multiprocessor support,
• Scatter/Gather processing,
• Automatic arbitration and bus flow control,
• Supports big and little endian host systems,
• INTERFACES
• Packet Engine, AHB, AXI, PLB (sync or async) or TCM master and slave,
• Optional transform / context record cache available
• Decouple Packet Engine from system bus interface,
• Convenient SW debug interface including halt mode.
• Clock switching interface for low power consumption.

Benefits

• Silicon-proven IP
• Optimized hardware/software interface enables higher system efficiency
• Programmable packet processing including IP header modifications
• Multiple configurations available to fit the performance/area/power needs
• Excellent throughput across all packet sizes
• World-class support

Deliverables

• Documentation
• SafeXcel-IP-97b Hardware Specification &Integration Manual
• SafeXcel-IP-97b Programmer Manual
• Synthesizable Verilog RTL source code
• Self-checking RTL test bench, including test vectors and expected result vectors
• Simulation & Synthesis scripts
• Driver Development Kit.
• Contains Generic Driver Library
• Comprehensive test tool and vectors for IP test
• Documentation
• Example Driver
• Configurations:
• Gate count (sub-set of configurations):
• EIP-97a-i 350k gates
• EIP-97b-i 470k gates
• EIP-97b-ie 485k gates
• EIP-97b-is 510k gates
• EIP-97b-ies 590k gates
• EIP-97c-ies 990k gates
• EIP-97d-ies 1925k gates
• Synthesized at 400 MHz in a typical CMOS 40nm technology (for configurations with AXI interfaces).

Applications

• The EIP-97 is a Cryptographic Accelerator designed to off-load the host processor to improve the speed of IPsec ESP, IPsec AH, SRTP, SSL, TLS, DTLS and MACsec protocol operations and reduce power in cost-sensitive networking products, such as:
• Femtocell,
• DSL routers,
• SOHO routers,
• Cable Modems,
• VPN Appliances.
• Besides being optimized for small packet processing the EIP-97 is designed for integration into multiprocessor systems.

• see the entire INSIDE Secure SafeXcel-IP-97b High Speed Look-aside Security Processing Engine datasheet
• get in contact with INSIDE Secure SafeXcel-IP-97b High Speed Look-aside Security Processing Engine Supplier