IPsec/TLS/MACsec/DTLS transform pipeline

5-10 Gbps, programmable, supports new and legacy crypto algorithms, AMBA interface

Supported by SA and token builder SW kit

Product description

The PacketEngine-IP-96 (EIP-96) packet transform engine is the transform engine embedded in all PacketEngine-IP-97/98/197 protocol-aware security engines. It is the processing pipeline that takes full packets in and processes them into encrypted or decrypted packets based on instructions that it receives through tokens. The PacketEngine-IP-96 is fully flexible through these tokens, which are generated either by the supplied software token builder or by the hardware classifiers found in the PacketEngine-IP-98 or PacketEngine-IP-197.

The PacketEngine-IP-96 is designed to be the cryptographic pipeline in high-end security designs. Main targets are high-end servers of network CPUs, tile-based designs and multi-homogeneous core designs.

Sustained performance for large packet sizes is 5000 Mbps for any supported protocol (2500 Mbps for small packets) @500MHz (and 1Gbps @1GHz). Gate count is between 250 and 500k gates depending on the configuration. Multiple PacketEngine-IP-96 cores can be cascaded.

Other information

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • SA and token builder SW kit

IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4308, 4309, 4543, 4868, 4869, 6054, 6071 and 6379)
  • IPsec ESP and AH tunnel & transport mode
  • Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets
  • Full sequence number processing, including ESN and full anti-replay check with various mask sizes
  • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets
  • Append (outbound) / strip and verify (inbound) padding up to 255 bytes

MACsec

  • MACsec frame transforms according to IEEE 802.1AE-2006 and Draft 802.1AEbn/D1.0
  • SecTAG insertion and removal
  • PN insertion, removal and verification
  • ICV generation, insertion, removal and verification

SSL3.0 / TLS1.0 / TLS1.1 / TLS1.2 / DTLS1.0 / DTLS1.2:

  • Full single pass packet transforms according to latest RFCs (2246, 4346, 5246, 6101 and 6347).
  • Full header processing
    • Insert header for outbound packets
    • Strip and verify header for inbound packets
    • Anti-replay check
    • Trailer processing:
      • Insert padding up to 255 bytes for outbound packets
      • Strip and verify padding up to 255 bytes for inbound packets
      • Calculate and insert message authentication code for outbound packets, strip and verify for inbound packets

SRTP:

  • SRTP packet transforms according to RFC3711
  • ROC insertion and removal
  • MKI insertion and removal
  • TAG generation and insertion

Wireless algorithms and SAR mode of operation

  • Kasumi f8 and f9,
  • SNOW 3G,
  • ZUC.

Storage algorithms

  • AES-XTS (including CTS mode)

The cryptographic engine supports the following cryptographic algorithms:

  • (3)DES in ECB and CBC with (3x) 56-bit key,
  • AES in ECB, CBC, ICM, CTR mode with 128/192/256 bit keys, GCM, GMAC and CCM modes,
  • ARC4 in Stateful and Stateless mode, up to 128-bit key, (EIP-97is, EIP-97ies),
  • Kasumi in basic and f8 mode (UEA1),
  • SNOW3G in basic and 128-EEA1 mode (UEA2),
  • ZUC in basic and 128-EEA3 mode (UEA3),
  • AES in XTS mode.

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224, SHA-2-256, SHA-2-384, SHA-2-512, MD5,
  • HMAC transforms for SHA-1, SHA-2, MD5,
  • SSL-MAC transforms for SHA-1, MD5,
  • AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF,
  • GHASH, GCM, AES-GCM and AES-GMAC,
  • CRC32,
  • Kasumi in f9 mode (UIA1),
  • SNOW3G in basic and 128-EIA1 mode (UIA2),
  • ZUC in basic and 128-EIA3 mode (UIA3).

The Pseudo Random Number Generator supports:

  • ANSI X9.31 compliant; based on the AES cipher
  • Automatic IV generation

Interface option 1 (default):

  • Data busses have a master DMA and target TCM interface to allow optimal packet data requests by the EIP-96
  • SA (context) bus has a master DMA and target TCM interface to allow optimal context data requests by the EIP-96
  • Streaming token input and output interfaces
  • Target TCM interface for SW debug and configuration

Interface option 2:

  • Streaming data input and output interfaces
  • Selection of context interface:
    • SA (context) bus can have a master DMA and target TCM interface to allow optimal context data requests by the EIP-96
    • Optionally this interface is configured as two independent streaming context input and output interfaces (EIP-96-cf)
  • Streaming token input and output interfaces
  • Target TCM interface for SW debug and configuration