Protocol-aware IPsec/TLS packet engine with look-aside interface for IoT.

200 Mbps, lowest gate count in the industry, just 100K gates (excluding AMBA interface).

Supported by Driver Development Kit, QuickSec IPsec toolkit, Secure Boot Toolkit.

Product description

The PacketEngine-IP-93 (EIP-93) security packet engine is a look-aside bus interface and a packet transform engine. The packet engine is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec as well as SSL/TLS. It is the world's only 100k gate IPsec accelerator (excluding interface).

Compared to the PacketEngine-IP-94, it is smaller with somewhat lower performance and fewer algorithms.

The PacketEngine-IP-93 is designed to off-load the host processor to improve the speed of protocol operations and reduce power in cost-sensitive networking products, such as: high-end IoT devices; IoT gateways; femtocells; DSL routers; SOHO routers; cable modems; VPN appliances; and surveillance cameras.

Performance for large packet sizes is > 550 Mbps for any supported protocol. IPsec performance for small packet sizes is > 300 Mbps. System clock speed is 250 MHz.

Gate count 105k gates: ultra-low gate count and compact design for low cost applications. For example, the PacketEngine-IP-93i, excluding interfaces and memories, is about 105k gates when synthesized at 250 MHz in a typical CMOS 45nm technology.

Other information

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Driver Development Kit

IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP transforms, for tunnel & transport mode, according to RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4301, 4303, 4308, 4309, 4835 and 4868).
  • Complete IPsec (IPv4 and IPv6) header processing:
    • Insert ESP header for outbound packets
    • Strip and verify ESP header for inbound packets
    • Anti-replay check
  • IPsec trailer processing:
    • Insert padding up to 255 bytes for outbound packets
    • Strip and verify padding up to 255 bytes for inbound packets
    • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets

SSL3.0 / TLS1.0 / TLS1.1 / TLS1.2 / DTLS:

  • Full single pass packet transforms according to RFCs (2246, 3268, 3546, 4346, 4347, 4366 and 5246).
  • Full header processing:
    • Insert header for outbound packets
    • Strip and verify header for inbound packets
    • Anti-replay check
  • Trailer processing:
    • Insert padding up to 255 bytes for outbound packets
    • Strip and verify padding up to 255 bytes for inbound packets
    • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets

SRTP packet transforms according to RFC3711:

  • Calculate and insert TAG for outbound packets
  • Strip and verify TAG for inbound packets
  • Optimized security association format
  • Supports unlimited number of security associations.

The cryptographic engine supports the following cryptographic algorithms:

  • DES in ECB and CBC with 56-bit key
  • Triple-DES in ECB and CBC with 3 x 56-bit key
  • AES in ECB, CBC, ICM, CTR mode with 128-bit, 192-bit and 256-bit keys
  • ARC4 in stateful, stateless mode, up to 128-bit key
  • Automatic padding up to 255 bytes

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224, SHA-256, MD5
  • HMAC transforms for SHA-1, SHA-2, MD5
  • SSL-MAC transforms for SHA-1, MD5

The pseudo random number generator supports:

  • ANSI X9.31 compliant; based on the AES cipher
  • Automatic IV generation

The DMA controller supports:

  • Source address and destination address of 32-bit size
  • Up to 256 bytes per DMA transfer
  • Automatic arbitration and bus flow control
  • Big and little endian host systems