High Speed Look-aside Security Processing Engine
The SafeXcel-IP-97b can be used in the following applications:
• NPU SoC
• VPN routers
• MACsec routers
• L2 & L3 Secure Switches
• VoIP
• WiMAX and WiFi
• FTTH (Fiber To The Home)
The SafeXcel-IP-97b features a modular interface design, facilitating flexible integration into various systems. The SafeXcel-IP-97b is available in four configurations, each available with an AHB, PLB or AXI system bus interface. For more options, such as support for other bus interfaces or alternate configurations of the encryption and authentication algorithms, please contact AuthenTec. An SoC with the SafeXcel-IP-97b can be extended to a complete Security Processor by adding INSIDE Secure True Random Number Generator (EIP-76) and Public Key Accelerator IP modules (EIP-28).
Features
- Performance
- The EIP-97b configurations have the following performance:
- IPsec/SSL/TLS/DTLS 5Gbps using AES and SHA-1
- MACsec 5.9Gbps using AES-GCM
- The performance is specified for packets (frames) of 1500 bytes with a new context for each packet (frame) based on a 500MHz system clock.
- For detailed performance please refer to section 2.9.
- At the same frequency, small-packet performance (for the above algorithms) is approximately half that of 1500-byte packets.
- The EIP-97a configuration targets a low gate count and has lower performance. Performance of EIP-97c configurations is 2x higher than the EIP-97b.
- Performance of EIP-97d configurations is 4x higher than the EIP-97b, and achieves up to 20Gbps for AES-SHA-1 operations (@500MHz for large packets). On request an EIP-97e is available with an 8x higher performance than the EIP-97b.
- IPsec (IPv4 and IPv6):
- Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4308, 4309, 4543, 4868, 4869, 6054, 6071 and 6379),
- IPsec ESP and AH tunnel & transport mode,
- Complete IPsec (IPv4/IPv6) Header/Trailer processing,
- Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets,
- Full sequence number processing, including ESN and full anti-replay check with various mask sizes
- Calculate and insert Integrity Check Value for outbound packets, strip and verify for inbound packets,
- Append (outbound) / strip and verify (inbound) padding up to 255 bytes.
- MACsec
- MACsec frame transforms according to IEEE 802.1AE-2006 and Draft 802.1AEbn/D1.0
- SecTAG insertion and removal,
- PN insertion, removal and verification
- ICV generation, insertion, removal and verification
- SRTP
- SRTP packet transforms according to RFC3711
- ROC insertion and removal,
- MKI insertion and removal,
- TAG generation and insertion.
- SSLv3.0 / TLSv1.0 / TLSv1.1 / TLSv1.2 / DTLS:
- Packet transforms according to latest RFCs (2246, 4346, 4347, 5246, 6101 and 6347)
- Header processing.
- Packets that select a stream cipher are processed autonomously; for block ciphers, external padding length calculation is required.
- Padding insertion & removal up to 255 bytes.
- Security Associations / context records
- Optimized Security Association format (context record)
- Supports unlimited number of Security Associations.
- CRYPTO ENGINE
- The cryptographic engine supports the following cryptographic algorithms:
- (3)DES in ECB and CBC with (3x) 56-bit key,
- AES in ECB, CBC, ICM, CTR mode with 128/192/256 bit keys, GCM, GMAC and CCM modes,
- ARC4 in Stateful and Stateless mode, up to 128-bit key, (EIP-97is, EIP-97ies),
- HASH ENGINE
- The Hash engine supports the following algorithms:
- MD5 and SHA-1
- SHA-2 with 224-bit, 256-bit digest
- SHA-2 with 384-bit, 512-bit digest (EIP-97ie, EIP-97ies)
- HMAC transforms for above algorithms,
- GHASH (for GCM and GMAC)
- AES-CMAC, XCBC-MAC and CBC-MAC (for CCM)
- SSL MAC transforms (EIP-97is, EIP-97ies).
- CRC-32
- Internal PRNG for optimal IV generation
- Host Interface Adapter with DMA and bus mastering
- The DMA controller supports:
- Multiple Descriptor Rings with individual access for multiprocessor support,
- Scatter/Gather processing,
- Automatic arbitration and bus flow control,
- Supports big and little endian host systems,
- INTERFACES
- Packet Engine, AHB, AXI, PLB (sync or async) or TCM master and slave,
- Optional transform / context record cache available
- Decouple Packet Engine from system bus interface,
- Convenient SW debug interface including halt mode.
- Clock switching interface for low power consumption.
Benefits
- Silicon-proven IP
- Optimized hardware/software interface enables higher system efficiency
- Programmable packet processing including IP header modifications
- Multiple configurations available to fit the performance/area/power needs
- Excellent throughput across all packet sizes
- World-class support
Deliverables
- Documentation
- SafeXcel-IP-97b Hardware Specification & Integration Manual
- SafeXcel-IP-97b Programmer Manual
- Synthesizable Verilog RTL source code
- Self-checking RTL test bench, including test vectors and expected result vectors
- Simulation & Synthesis scripts
- Driver Development Kit.
- Contains Generic Driver Library
- Comprehensive test tool and vectors for IP test
- Documentation
- Example Driver
- Configurations:
- Gate count (sub-set of configurations):
- EIP-97a-i 350k gates
- EIP-97b-i 470k gates
- EIP-97b-ie 485k gates
- EIP-97b-is 510k gates
- EIP-97b-ies 590k gates
- EIP-97c-ies 990k gates
- EIP-97d-ies 1925k gates
- Synthesized at 400 MHz in a typical CMOS 40nm technology (for configurations with AXI interfaces).
Applications
- The EIP-97 is a Cryptographic Accelerator designed to off-load the host processor to improve the speed of IPsec ESP, IPsec AH, SRTP, SSL, TLS, DTLS and MACsec protocol operations and reduce power in cost-sensitive networking products, such as:
- Femtocell,
- DSL routers,
- SOHO routers,
- Cable Modems,
- VPN Appliances.
- Besides being optimized for small packet processing, the EIP-97 is designed for integration into multiprocessor systems.