Protocol aware IPsec/TLS/MACsec/DTLS Packet Engine with classifier and look-aside interface for multi-core application processors

2000Mbps, programmable, maximum CPU offload by classifier, supports new and legacy crypto algorithms, AMBA interface

Supported by Driver development kit, QuickSec IPsec toolkit, Linaro ODP

Product description

The PacketEngine-IP-98 (EIP-98) security packet engine is a look-aside bus interface, an IPsec classifier and a packet transform engine. The packet engine is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec as well as SSL/TLS. Compared to the PacketEngine-IP-93 & PacketEngine-IP-94 it offers higher performance, more algorithms, protocol flexibility through token instructions and supports multi-core CPUs. Compared to the PacketEngine-IP-97 it offers the same performance, but due to its on board classifier, it provides much higher CPU offload.

PacketEngine-IP-98 with classifier is a lookaside bus interface and a packet transform engine

The PacketEngine-IP-98 is designed to off-load the host processor to improve the speed of protocol operations and reduce power in gigabit application processors for: VPN routers; home media gateways; IoT gateways; femtocells; VPN appliances; surveillance cameras; and FTTH routers.

Performance for large packet sizes is 2000 Mbps for any supported protocol, with minimal CPU load for existing flows. IPsec performance for small packet sizes is 1000 Mbps. System clock speed is 500 MHz. Gate count is between 600 and 700k gates depending on the configuration. The Classifier runs embedded upgradable firmware.

Other information

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Driver development kit

IPsec classification:

  • IPsec-ESP header parsing to look-up a flow
  • Fetch flow and corresponding transform record based on lookup result
  • Update flow statistics
  • Update transform statistics
  • Support for IPv4 and IPv6

IPsec transformation (IPv4 and IPv6):

  • Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4308, 4309, 4543, 4868, 4869, 6054, 6071 and 6379)
  • IPsec ESP and AH tunnel & transport mode
  • Autonomous IPsec ESP packet classification and security association selection (both inbound and outbound)
  • Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets
  • Full sequence number processing, including ESN and full anti-replay check with various mask sizes
  • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets
  • Append (outbound) / strip and verify (inbound) padding up to 255 bytes
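The sequence number, ESN and anti-replay items above are, in software terms, an RFC 4303 sliding window. The following is an added illustration and not the EIP-98 firmware or any vendor code: a window of configurable width (standing in for the "various mask sizes") plus the ESN high-bit inference of RFC 4303 Appendix A2.2; all type and function names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Sliding anti-replay window (RFC 4303 section 3.4.3, Appendix A) with a
 * configurable width. With ESN enabled the receiver keeps a 64-bit "top"
 * and infers the high 32 bits of an incoming 32-bit sequence number.
 * Names and layout are this example's own, not the EIP-98 record format. */
typedef struct {
    uint64_t top;   /* highest sequence number accepted so far */
    uint64_t mask;  /* bit i set => sequence number (top - i) already seen */
    unsigned width; /* window size W in packets, 1..64 */
    bool esn;       /* extended sequence numbers in use */
} replay_win_t;

void replay_init(replay_win_t *w, unsigned width, bool esn) {
    w->top = 0; w->mask = 0; w->esn = esn;
    w->width = (width == 0 || width > 64) ? 64 : width;
}

/* Reconstruct the 64-bit ESN from the 32-bit Seq carried in the ESP header. */
static uint64_t reconstruct_seq(const replay_win_t *w, uint32_t seql) {
    if (!w->esn) return seql;
    uint32_t th = (uint32_t)(w->top >> 32), tl = (uint32_t)w->top;
    uint32_t bl = tl - w->width + 1;  /* bottom of window, wraps if tl < W-1 */
    uint32_t seqh;
    if (tl >= w->width - 1)           /* Case A: window does not straddle 2^32 */
        seqh = (seql >= bl) ? th : th + 1;
    else                              /* Case B: window straddles 2^32 */
        seqh = (seql >= bl && th > 0) ? th - 1 : th;
    return ((uint64_t)seqh << 32) | seql;
}

/* Check a packet against the window and, if fresh, record it. A real
 * receiver updates the window only after the ICV has verified, so forged
 * packets cannot advance it. Returns true when the packet is accepted. */
bool replay_accept(replay_win_t *w, uint32_t seql) {
    uint64_t seq = reconstruct_seq(w, seql);
    if (seq == 0) return false;                 /* sequence number 0 is never sent */
    if (seq > w->top) {                         /* right of window: slide it */
        uint64_t shift = seq - w->top;
        w->mask = (shift >= 64) ? 1 : (w->mask << shift) | 1;
        w->top = seq;
        return true;
    }
    uint64_t diff = w->top - seq;
    if (diff >= w->width) return false;         /* left of window: too old */
    if (w->mask & (1ULL << diff)) return false; /* already seen: replay */
    w->mask |= 1ULL << diff;
    return true;
}
```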

MACsec

  • MACsec frame transforms according to IEEE 802.1AE-2006 and Draft 802.1AEbn/D1.0
  • SecTAG insertion and removal
  • PN insertion, removal and verification
  • ICV generation, insertion, removal and verification

SSL3.0 / TLS1.0 / TLS1.1 / TLS1.2 / DTLS1.0 / DTLS1.2:

  • Full single pass packet transforms according to latest RFCs (2246, 4346, 4347, 5246, 6101 and 6347)
  • Full header processing:
    • Insert header for outbound packets
    • Strip and verify header for inbound packets
    • Anti-replay check
    • Trailer processing:
      • Insert padding up to 255 bytes for outbound packets
      • Strip and verify padding up to 255 bytes for inbound packets
      • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets

SRTP:

  • SRTP packet transforms according to RFC3711
  • ROC insertion and removal
  • MKI insertion and removal
  • TAG generation and insertion

SA Manager:

  • Optimized Security Association format
  • Supports unlimited number of security associations

The cryptographic engine supports the following cryptographic algorithms:

  • (3)DES in ECB and CBC with (3x) 56-bit key
  • AES in ECB, CBC, ICM, CTR mode with 128/192/256 bit keys, GCM, GMAC and CCM modes
  • ARC4 in stateful and stateless mode, up to 128-bit key, (EIP-97is, EIP-97ies)

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224, SHA-2-256, SHA-2-384, SHA-2-512, MD5
  • HMAC transforms for SHA-1, SHA-2, MD5
  • SSL-MAC transforms for SHA-1, MD5
  • AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF
  • GHASH, GCM, AES-GCM and AES-GMAC
  • CRC32

The pseudo random number generator supports:

  • ANSI X9.31 compliant; based on the AES cipher
  • Automatic IV generation

The host interface with DMA controller supports:

  • Multiple descriptor rings with individual access for multiprocessor support
  • Scatter/gather processing
  • Automatic arbitration and bus flow control
  • Supports big and little endian host systems
  • Decouples packet engine from system bus interface

Master and slave interface:

  • Master/slave interface: AXI/AXI or AXI/APB or AHB/AHB slave interface
  • Input and output buffers decouple packet engine from system bus interface
  • Convenient SW debug interface including halt mode
  • Clock switching interface for low power consumption