Protocol-aware IPsec/TLS packet engine with look-aside interface for SoC

500Mbps, supports new and legacy crypto algorithms, AMBA interface

Supported by Driver development kit, QuickSec IPsec toolkit

Product description

The PacketEngine-IP-97 (EIP-97) security packet engine is a look-aside bus interface and a packet-transform engine. The packet engine is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec as well as SSL/TLS. Compared to the PacketEngine-IP-93 and PacketEngine-IP-94, it offers higher performance, more algorithms, and protocol flexibility through token instructions, and it supports multi-core CPUs.

The PacketEngine-IP-97 is designed to off-load the host processor to improve the speed of protocol operations and reduce power in gigabit application processors for: VPN routers; home media gateways; IoT gateways; femtocells; VPN appliances; surveillance cameras; and FTTH routers.

Performance for large packet sizes is 2000 Mbps for any supported protocol. IPsec performance for small packet sizes is 1000 Mbps. System clock speed is 500 MHz. Gate count is between 400 and 600k gates depending on the configuration.

Other information

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Driver development kit

IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP transforms, for tunnel & transport mode, according to RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4301, 4303, 4308, 4309 and 4868).
  • Complete IPsec (IPv4 and IPv6) Header processing:
    • Insert ESP header for outbound packets,
    • Strip and verify ESP header for inbound packets,
    • Anti-replay check,
  • IPsec Trailer processing:
    • Insert padding up to 255 bytes for outbound packets,
    • Strip and verify padding up to 255 bytes for inbound packets.
    • Calculate and insert Integrity Check Value for outbound packets, strip and verify for inbound packets.

SSL3.0 / TLS1.0 / TLS1.1 / TLS1.2 / DTLS:

  • Full single pass packet transforms according to RFCs (2246, 3268, 3546, 4346, 4347, 4366 and 5246).
  • Full Header processing:
    • Insert header for outbound packets,
    • Strip and verify header for inbound packets,
    • Anti-replay check.
  • Trailer processing:
    • Insert padding up to 255 bytes for outbound packets,
    • Strip and verify padding up to 255 bytes for inbound packets,
    • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets.

SRTP packet transforms according to RFC3711:

  • Calculate and insert TAG for outbound packets
  • Strip and verify TAG for inbound packets
  • Optimized Security Association format,
  • Supports unlimited number of Security Associations.

MACsec (transforms according to IEEE 802.1AE):

  • Header insertion and removal,
  • Integrity only or integrity and confidentiality.

SA-Manager:

  • Optimized Security Association format,
  • Supports unlimited number of Security Associations.

The cryptographic engine supports the following cryptographic algorithms:

  • DES (CFB1-8-64, OFB1-8-64, ECB, CBC),
  • 3DES (CFB1-8-64, OFB1-8-64, ECB, CBC),
  • AES (ECB, CBC, OFB128, CFB1-8-128, ICM, CTR) 128, 196, 256-bit keys,
  • ARC4 in stateful, stateless mode, up to 128-bit key,
  • Automatic padding up to 255 bytes.

The Hash engine supports the following algorithms:

  • SHA-1, SHA-2-224, SHA-2-256, SHA-2-384, SHA-2-512, MD5,
  • HMAC transforms for SHA-1, SHA-2, MD5,
  • SSL-MAC transforms for SHA-1, MD5,
  • AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF,
  • GHASH, GCM, AES-GCM and AES-GMAC.

The Pseudo Random Number Generator supports:

  • ANSI X9.31 compliant; based on the AES cipher,
  • Automatic IV generation.

The DMA controller supports:

  • Scatter/Gather capability,
  • 32-bit source and destination addresses,
  • Up to 2048 bytes per DMA transfer,
  • Automatic arbitration and bus flow control,
  • Big and little endian host systems.

Master and slave interface:

  • AHB master/AHB slave or AXI master/AXI slave interface.
  • Input and output buffers decouple Packet Engine from system bus interface,
  • Convenient SW debug interface including halt mode.
  • Clock switching interface for low power consumption.