networkZONE Products for the week of January 17, 2005


Cavium Networks Says…
Cavium's New NITROX SoHo Processor Family Members Deliver More Security, More Throughput For VDSL/FTTx SOHO/SME Routers & Gateways
NITROX Soho CN2XX boosts security performance to 200 Mbit/s and adds support for multiple security protocols with no performance degradation

Cavium Networks has announced the availability of two new members of its NITROX Soho processor family. The CN220 and CN225 Secure Communication Processors (SCP) deliver industry-leading SOHO/SME performance of up to 200 Mbit/s of routing, firewall and VPN throughput with over 100 IKE or SSL transactions per second. Additionally, these new devices can support multiple security protocols such as IPsec, SSL and CCMP simultaneously with no performance degradation. The new NITROX Soho CN220 and CN225 are software- and footprint-compatible with existing family members, enabling excellent portability and scalability.

SOHO and SME router and gateway performance requirements are rapidly increasing with the deployment of next-generation technologies such as 802.11n wireless, FTTH, broadband Ethernet and VDSL. Additionally, users are demanding full line-rate VPN/firewall security with support for multiple protocols such as IPsec and CCMP, plus easy-to-use SSL VPN technology, at mass-market price points.

None of the current processors in this mass-market segment support line-rate packet and security performance for these new technologies, nor do they provide hardware acceleration for the public-key algorithms used for user authentication and key exchange, such as RSA and Diffie-Hellman. The result is a marked drop-off in throughput as VPN users are added.

The NITROX Soho SCP Solution
NITROX Soho is an industry-leading Secure Communication Processor family with the best performance, lowest solution cost and unmatched scalability for SOHO/SME applications. The NITROX Soho processor family includes five hardware- and software-compatible CN2XX processors in 166 MHz or 200 MHz versions that deliver a range of price, performance and interface options. The product family integrates a MIPS32 4Km processor with 16 KB I-cache and 16 KB D-cache, a 16 KB scratchpad and a 32-bit SDRAM main-memory interface.

The new CN22X products add two powerful security acceleration engines, with full packet and protocol processing offload, to the existing NITROX Soho architecture. This frees the CPU for other applications and supports up to 200 Mbit/s of standard encryption and hashing algorithms such as DES, 3DES, 256-bit AES and HMAC-MD5/SHA-1, along with up to 900 RSA operations per second (1024-bit exponent) or 1,550 Diffie-Hellman operations per second (180-bit exponent).

The NITROX Soho Secure Communication Processors provide a wide range of networking I/Os on-chip, including three 10/100 Ethernet MACs, 32-bit/33 MHz PCI, UARTs, GPIOs, timers and serial buses, for optimal system integration. A complete Software Development Kit is available with evaluation boards, software and drivers, Linux and VxWorks OS support and a broad range of third-party software applications.

"The current generation of NITROX Soho products has met with an excellent reception due to its solid performance and retail-friendly price points," said Rajiv Khemani, Vice President of Marketing at Cavium Networks. "The new CN22X products were designed to meet the increasing demand for higher performance points and multi-protocol support at industry-leading price points."

analogZONE Says . . .

While Cavium's NITROX II chips, reviewed here, originally established the company's reputation for providing heavy-duty security silicon to power high-end servers, carrier access equipment and other "heavy iron," the company has done a good job of scaling its multi-core architecture down and applying it to lower-priced, higher-volume markets. Last year it launched several successful lines of sub-$20 products aimed at the SoHo, SMB and WLAN infrastructure markets, reviewed here, that tailored throughput and functionality to the lower data rates of residential gateways and to specific applications, such as the CCMP protocol (AES in CCM mode) used for data encryption and integrity protection in 802.11i wireless LANs.

But nothing in networking remains static for very long. The next generation of SoHo/SMB security processors will need to handle the higher data rates from VDSL and FTTx connections -- up to 100 Mbit/s. Between this, the growing number of multimedia streams, and the increasingly complex security protocols they are being asked to support, most current low-cost security solutions simply won't have the MIPS or throughput to do the job. In other words, it's time to get a bigger hammer.

That hammer has arrived in the form of the CN220 and CN225. Cavium has done a nice job of identifying and filling this new niche in the silicon ecology and of creating products that stand a better-than-average chance of thriving in it. The new processors are designed to provide the encryption, encapsulation and other security processing needed in higher-bandwidth (50 - 100 Mbit/s or more) gateways that support "triple-play" broadband services, bringing voice, video and data across the same pipe.

Cavium also recognized that SSL VPN support is becoming almost mandatory for most users, since SSL-based tunneling is starting to displace IPsec as the secure connection of choice for remote-access applications. Either type of connection, however, requires lots of MIPS that can drag down most processors if they have to support a tunneled session without hardware assist.

The CN220 and CN225 reuse many of the elements from Cavium's last-generation SoHo products, plus a healthy dose of IP from its enterprise silicon. They also add a "security engine," a block of dedicated IP cores that handles IPsec, SSL and TCP termination (packet offload) without involving the on-chip MIPS RISC core (see the Figure). We did not discuss it in detail, but Cavium claims that its "P-trie" lookup algorithm helps optimize performance when running multiple IPsec-based tunnels. The ability to run multiple tunneled connections without impacting throughput will probably be an important feature in next-gen gateways, since they will be expected to let users log into the office via a VPN, make calls over VoIP and stream a couple of video channels into the house at the same time.

As the Figure illustrates, the security engine has additional dedicated cores that handle the RC4, Diffie-Hellman, RSA, CCMP (part of 802.11i/WPA2 WLAN security) and TKIP functions, further offloading most of the heavy lifting of security processing from the MIPS core. This frees the core to run routing, firewall and other features, and lets it absorb functions usually performed by a dedicated switch chip. As a result you can use the lowest-cost bare-bones L2 switch silicon and Wi-Fi chips in your design and still deliver premium features and performance, including a full-duplex firewall that supports 50 firewall rules at speeds of up to 100 Mbit/s.

I'd like to clarify the small print in Cavium's claims and note that the chips' full-duplex 100 Mbit/s rating is for traffic containing large packets. The larger number of transactions per megabit required for traffic containing lots of short packets (such as UDP and VoIP) will likely cut the chips' throughput, although I'd guess that it's still quite adequate for many applications. And if your application demands more capacity than the CN220's single security engine can deliver, you can always drop in the pin-compatible CN225, which sports a dual-engine configuration.
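To put that small-print caveat in numbers, here is an added back-of-the-envelope model. It is not from the article or from Cavium: the framing constants are standard Ethernet, IPv4 and ESP arithmetic, the VoIP codec (G.711 at 20 ms) and the ESP transforms (AES-CBC with HMAC-SHA1-96) are assumptions chosen for illustration, and the "worst case" assumes, hypothetically, that a rating measured with large frames reflects a per-packet limit rather than a per-byte one.

```python
"""Small-packet throughput model for a gateway rated "100 Mbit/s full duplex".

Added example, not from the analogZONE article or Cavium. The framing constants
are standard Ethernet/IPv4/ESP arithmetic; the per-packet bottleneck assumed in
worst_case_small_frame_rate() is a hypothesis, not a measured property of any
NITROX part.
"""

ETH_HEADER_FCS = 18       # 14-byte Ethernet header + 4-byte FCS
ETH_WIRE_OVERHEAD = 20    # 7 preamble + 1 SFD + 12 inter-frame gap bytes per frame
MIN_FRAME = 64            # minimum Ethernet frame, header and FCS included
MAX_FRAME = 1518          # 1500-byte MTU + header + FCS
LINK_100M = 100_000_000   # one direction of a 100 Mbit/s link


def packets_per_second(link_rate_bps: float, frame_bytes: int) -> float:
    """Frame rate that saturates one direction of a link at a fixed frame size."""
    return link_rate_bps / ((frame_bytes + ETH_WIRE_OVERHEAD) * 8)


def voip_g711_inner_ip_bytes(ptime_ms: int = 20) -> int:
    """IPv4 packet carrying one G.711 RTP frame: 64 kbit/s is 8 bytes/ms of audio,
    plus RTP (12), UDP (8) and IPv4 (20) headers. Codec and ptime are assumptions."""
    return 8 * ptime_ms + 12 + 8 + 20


def esp_tunnel_frame_bytes(inner_ip_bytes: int, iv_bytes: int = 16,
                           icv_bytes: int = 12, block: int = 16) -> int:
    """Ethernet frame size after ESP tunnel-mode encapsulation.

    Defaults model AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96
    (12-byte ICV): outer IPv4 (20) | SPI + sequence (8) | IV | inner packet +
    padding + pad-length (1) + next-header (1), rounded up to the cipher block |
    ICV, then the Ethernet header and FCS.
    """
    plaintext = inner_ip_bytes + 2                 # trailer: pad length + next header
    padded = -(-plaintext // block) * block        # round up to the block size
    esp_packet = 20 + 8 + iv_bytes + padded + icv_bytes
    return esp_packet + ETH_HEADER_FCS


def worst_case_small_frame_rate(rated_bps: float, rated_frame_bytes: int,
                                small_frame_bytes: int) -> float:
    """Lower bound on throughput at small_frame_bytes, assuming (hypothetically)
    that the rating at rated_frame_bytes was limited by per-packet work: the
    device then sustains the same frame rate, but each frame carries fewer bits."""
    pps_ceiling = packets_per_second(rated_bps, rated_frame_bytes)
    return pps_ceiling * (small_frame_bytes + ETH_WIRE_OVERHEAD) * 8


if __name__ == "__main__":
    print(f"{'frame bytes':>12} {'frames/s at 100M':>18} {'worst-case Mbit/s':>18}")
    for size in (MIN_FRAME, 128, 256, 512, 1024, MAX_FRAME):
        pps = packets_per_second(LINK_100M, size)
        floor = worst_case_small_frame_rate(LINK_100M, MAX_FRAME, size) / 1e6
        print(f"{size:>12} {pps:>18,.0f} {floor:>18.1f}")

    inner = voip_g711_inner_ip_bytes()
    frame = esp_tunnel_frame_bytes(inner)
    print(f"\nG.711/20 ms call: {inner}-byte IP packet -> {frame}-byte frame in "
          f"ESP tunnel mode, {1000 // 20} frames/s per direction per call")
```

Saturating one direction of a 100 Mbit/s link takes about 8,100 frames/s with 1518-byte frames but about 148,800 frames/s with 64-byte frames, roughly 18 times the per-packet work for the same bit rate. If the headline figure was obtained with large frames and the real limit is per-packet, the same silicon moves only about 5.5 Mbit/s of minimum-size frames; a real device lands somewhere between that floor and line rate, which is what makes the frame-size mix of a VoIP-heavy household worth testing before trusting the number. The ESP figure shows why VoIP is the awkward case: a 200-byte voice packet grows to a 282-byte frame under tunnel mode, about 40% overhead, and each call adds 50 such frames per second in each direction.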

Being the suspicious type, I had some concerns that the high data rates, combined with the additional interactions with the second security engine, might cause traffic jams on the chip's internal bus. Cavium has assured me that, with a 4.2 Gbit/s capacity, it can handle the extra traffic. I did a few basic calculations and the math seems to verify their claims, but since I don't have a lab at my disposal, I'd love it if anybody out there who actually runs these chips would let me know how closely Cavium's claims match reality.

Of course, speed and functionality are only half the equation for success in a high-volume consumer market. Between the narrow market windows and even thinner design capabilities, manufacturers demand lots of design support (hardware and software) to enable quick-turn design cycles as short as 2 - 4 months between project start-up and boxes moving toward the shelves at Fry's. Cavium has solved many of these problems by developing a common set of APIs that work across all of its processors. It has also taken pains to ensure that all products within a product family are footprint/pinout compatible, allowing the same board design to be used from sub-10 Mbit/s to 200 Mbit/s. With a little care, a manufacturer should be able to use most of the same "guts" across several product lines.

Because of the anticipated heavy demand for security features in next-gen gateways, I'm retracting the statement I made in my review (August 2003) that "Cavium may be overly-optimistic about its prospects for the lower end of its product line that's intended for the single access point and SoHo/SME market." Given gateways' growing bandwidth and security requirements, their products deliver enough functionality and value that they should find many applications where they are very welcome.

Nevertheless, I still stand by the advice I gave to Cavium back in 2003 to watch its back. Given the potential size of the market, my prediction that "merchant semi-makers with strong design and integration capabilities will inevitably come out with specialized chip sets for these markets that have the crypto punch to support full-speed traffic" should be taken seriously. In fact, I'll be reviewing something that fits this description in the next week or two. Stay tuned for details.

Cavium's CN22X chips are sampling now, with production in late Q1 2005. Pricing for the CN220 starts under $20, and for the CN225 under $25, both in 10k-piece lots. Samples and evaluation platforms are available now.

Data Sheets

Lee's Saltshaker Rating



analogZONE
(c) 2005. All rights reserved.