networkZONE Products for the week of March 3, 2003


Cavium Says…
Look-Aside No More - Cavium's NITROX II Family Of Security Processors Delivers In-Line IPsec and SSL Processing From 2 Gbit/s to 10 Gbit/s

Cavium Networks is now offering the NITROX II family of In-line Security Macro Processors that eliminates the security processing bottleneck by providing a range of true "bump-in-the-wire" processors with performance ranging from 2 Gbits/s to 10 Gbits/s of IPsec or SSL security protocol processing. The single chip NITROX II family equipped with high performance, streaming SPI-3 and SPI-4 interfaces complements Cavium's award-winning NITROX Lite, NITROX and NITROX Plus family of security processors, which started shipping in production volumes in 2002. The NITROX II family of processors will be used in a wide range of multi-gigabit networking equipment such as routers, switches, web-servers, server load balancers, firewalls, SANs, and VPN gateways, enabling a secure and authenticated Internet.

"IPsec VPNs are mainstream, and SSL-based VPN products are starting to ship in volume," said Jeff Wilson, Executive Director of Infonetics Research. "All types and sizes of organizations are rolling out encrypted network services. NITROX II, with its in-line functionality and wide performance range, will enable networking vendors to quickly integrate cost-effective, wire-speed security into existing networking equipment and meet the market demand for wide-spread security deployment."

Existing security processors that off-load IPsec protocol processing use a look-aside architecture: the chip sits beside a host CPU or NPU, and the host still spends cycles on packet parsing, classification, lookups and management of the traffic passing to and from the security processor. Those per-packet host cycles make the host CPU or NPU the performance bottleneck. Cavium's NITROX II is built to sit in-line between the MAC and the host processor, so the security processing is removed from the host entirely and that bottleneck disappears.

"An in-line design is a must for high-performance security processing, because the look-aside approach runs out of gas in multi-gigabit applications," noted Linley Gwennap, principal analyst of The Linley Group. "Cavium is the first vendor to build an in-line security processor and, not coincidentally, has the industry's fastest chip for both IPsec and SSL applications. Yet the flexibility and price/performance range of the NITROX II family make it well suited to a variety of security appliances, data-center equipment, networked storage devices, and edge routers."

NITROX II: Comprehensive In-line Multi-Protocol Security Processing

The NITROX II family supports a choice of industry-standard, single or dual, streaming SPI-3 or SPI-4.2 interfaces, a 64-bit PCI-X bus for control and data path applications, and a local 72-bit DDR SDRAM bus. These interfaces allow integration into both in-line and look-aside line-card and security appliance architectures. The NITROX II is a programmable processor that provides protocol processing plus symmetric and asymmetric cryptography for IPsec, SSL, iSCSI and WEP based applications. Its packet and protocol processing functions support both IPv4 and IPv6, packet classification, Layer 2 and IP header parsing, checksums, inbound SA lookup, fragmentation support, IPsec selector checks, and exception generation for bad IP packets, ICMP and IKE. NITROX II also supports extensive per-SA statistics collection along with built-in high availability features such as SA mirroring. It accelerates the standard suite of symmetric encryption and hashing algorithms (3DES, AES, ARC4, SHA-1, SHA-2 and MD5) with their multiple modes, options and key lengths at 2 Gbit/s to 10 Gbit/s. Asymmetric algorithms such as RSA, DH and DSS with key lengths up to 4096 bits are supported, with a peak rate of 60K 180-bit-exponent DH or 40K 1024-bit-exponent RSA operations per second.
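The inbound checks listed above (SA lookup, integrity check, selector check, exception for packets with no SA) are the part of IPsec that decides whether a decapsulated packet is allowed into the protected network at all, so here they are modelled in Python as an added example. This is illustrative code written for this edit, not Cavium's reference software or firmware. It uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 so only the standard library is needed; the packet container is a constructed dict, the inner packet is a toy "src>dst:proto/dport" string rather than real IP headers, the anti-replay check is a strict sequence-number increase rather than the RFC 4301 sliding window, and every address, SPI and key is a made-up sample value.

```python
"""Model of inbound IPsec ESP processing: SA lookup, ICV check, replay
check and selector check.  Illustrative code for this article, not Cavium
reference software.  ESP-NULL (RFC 2410) + HMAC-SHA1-96; packets are
constructed dicts and inner packets are a toy "src>dst:proto/dport" string."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ESP = 50  # IP protocol number for ESP


@dataclass(frozen=True)
class Selector:
    """Traffic selector copied from the SPD entry that created the SA."""
    src: str                      # CIDR, e.g. "10.1.0.0/16"
    dst: str                      # CIDR
    proto: Optional[int] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


@dataclass
class InboundSA:
    spi: int
    dst: str                      # outer destination the SA was negotiated for
    auth_key: bytes               # HMAC-SHA1 key (sample value, not a real key)
    selectors: Tuple[Selector, ...]
    highest_seq: int = 0          # simplified anti-replay state (no window)


SAD = {}  # security association database: (spi, outer dst, proto) -> InboundSA


def install_sa(sa):
    SAD[(sa.spi, sa.dst, ESP)] = sa


def icv(key, spi, seq, payload):
    """HMAC-SHA1-96: ESP authenticates SPI || Seq || payload, truncated to 96 bits."""
    return hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha1).digest()[:12]


def build_esp(sa, seq, inner):
    """Build the constructed ESP-NULL packet a peer would send on this SA."""
    payload = "{}>{}:{}/{}".format(*inner).encode()
    return {"dst": sa.dst, "proto": ESP, "spi": sa.spi, "seq": seq,
            "payload": payload, "icv": icv(sa.auth_key, sa.spi, seq, payload)}


def parse_inner(payload):
    """Toy decapsulation: recover (src, dst, proto, dport) from the payload."""
    src, rest = payload.decode().split(">")
    dst, tail = rest.split(":")
    proto, dport = tail.split("/")
    return src, dst, int(proto), int(dport)


def inbound(pkt):
    """Return ("accept", inner) or ("drop", reason) for one received packet."""
    sa = SAD.get((pkt["spi"], pkt["dst"], pkt["proto"]))
    if sa is None:                                     # exception: no SA for this SPI
        return ("drop", "no SA")
    expected = icv(sa.auth_key, pkt["spi"], pkt["seq"], pkt["payload"])
    if not hmac.compare_digest(pkt["icv"], expected):  # constant-time compare
        return ("drop", "bad ICV")
    if pkt["seq"] <= sa.highest_seq:                   # replayed or reordered
        return ("drop", "replay")
    inner = parse_inner(pkt["payload"])
    if not any(s.matches(*inner) for s in sa.selectors):
        return ("drop", "selector mismatch")           # valid SA, unauthorised traffic
    sa.highest_seq = pkt["seq"]
    return ("accept", inner)


if __name__ == "__main__":
    sa = InboundSA(0x1001, "203.0.113.1", b"sample-key-not-secret",
                   (Selector("10.1.0.0/16", "192.168.0.0/24", 6, 443),))
    install_sa(sa)
    ok = build_esp(sa, 1, ("10.1.1.5", "192.168.0.10", 6, 443))
    print(inbound(ok))                                  # accepted
    print(inbound(ok))                                  # replay of seq 1
    print(inbound(build_esp(sa, 2, ("10.1.1.5", "192.168.0.10", 6, 22))))  # wrong port
    bad = build_esp(sa, 3, ("10.1.1.5", "192.168.0.10", 6, 443))
    bad["payload"] = bad["payload"].replace(b"443", b"22")
    print(inbound(bad))                                 # ICV fails
```

The order of the checks matters: the ICV is verified before anything in the payload is parsed, so an attacker without the key cannot steer the parser. The selector check is the step that is easy to forget and that the press release calls out: a peer holding a perfectly valid SA for 10.1.0.0/16 to 192.168.0.0/24 port 443 still cannot push SSH or traffic from other prefixes through it. A production implementation replaces the strict-increase replay check with the RFC 4301 sliding window so that out-of-order but unseen packets are still accepted.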

"Furthering Cavium's tradition of introducing innovative and disruptive technologies to the security market, we are proud to announce the NITROX II family of In-line Security Macro Processors," said Syed Ali, President and CEO of Cavium Networks. "Cavium's product portfolio delivers an unmatched end-to-end footprint with performance points from 50 Mbits/s to 10 Gbits/s, which meets customer needs across the entire security processing spectrum. Cavium is very well positioned to become the one-stop shop for security processors."

Cavium's NITROX II can also process multiple security protocols such as IPsec, SSL and WEP simultaneously, with guaranteed bandwidth reservation options that enable quality of service (QoS) for traffic protected by Internet security protocols. Applications that require QoS include service level agreements (SLAs) implemented by service providers, voice and video over IPsec, and storage using iSCSI.

Administration and Manageability

The NITROX II family of Security Macro Processors includes dedicated administrative processing resources to handle management functions such as tamper protection, error logging, statistics collection, billing information, error recovery, zeroization of private keys, trusted path management, private key generation and primality checking. These resources ease the task of developing fully manageable systems that comply with FIPS 140-2 Levels 1 through 4.

Complete Solution

Cavium delivers a complete security solution including chips, evaluation boards and reference software. The NITROX II evaluation board offers a choice of PCI-X, SPI-3 and SPI-4.2 interface options along with Gigabit Ethernet connectivity. The NITROX II is supported by an array of software utilities and applications based on open-source and third-party software. The reference code suite includes drivers for Linux and popular real-time operating systems, chip configuration utilities, power-on test tools, a modified FreeS/WAN IPsec stack and a modified OpenSSL stack integrated with open-source application software.

analogZONE Says . . .

The introduction of Cavium's new NITROX II architecture may be one of those infrequent times when the appellation "industry first" actually means something. Their design moves IPsec and SSL security processing from a look-aside to an in-line function, making it the first true multi-gigabit "bump-in-the-wire" security product. Beyond the raw processing power, an in-line design offers a significant advantage because it virtually eliminates the overhead a network processor or host system incurs when the contents of security transactions are passed back and forth across external interfaces.

When I first ran into these folks a couple of years ago, I was more than a tad skeptical about their claims to have a security processor that used the same array of GigaCypher programmable processing cores to efficiently handle both SSL and IPsec traffic. But by the time the NITROX Plus chip was reviewed here last summer (http://www.analogzone.com/netp0715a.htm), I had seen their chips delivered to several design wins and was reasonably confident they could deliver the goods.

While there are other improvements in NITROX II, the big news is that the architecture is designed to work in-line with the packet flow, often connected directly to a line card interface or a network processor. With so many network processors having adopted either the SPI-3 or SPI-4.2 interface as their connection of choice, Cavium's decision to support both flavors of the standard is a wise one (see Figure). Depending on the number of cores a particular chip uses, you can now add anywhere from 2 Gbit/s to 10 Gbit/s of wire-speed security processing to your design with a minimum of fuss.

The chips also sport PCI-X interfaces on both inbound and outbound ports. This allows the NITROX II to use a PCI bus-based host system in the control plane, or even to function as a data plane bridge to a host system in "slower" (typically 2 Gbit/s or less) security server applications. And speaking of bridging, the processor can also be used to "glue" system elements with dissimilar SPI interfaces together. I can see a number of places where the ability to sit between, say, an SPI-3 MAC chip and an SPI-4.2 NPU will be rather handy.

Another very important feature of the NITROX II is its support for channelized MACs and framers. Both of the chip's interfaces support per-channel wire order on up to 16 logical ports (multiple Gigabit Ethernet ports). Among other things this allows per-port flow control in aggregated networks, a feature that makes QoS management in channelized Ethernet applications relatively straightforward.

The NITROX II architecture uses the same security processing element as the original NITROX line. Like its predecessors, NITROX II handles both SSL and IPsec on the same engine and can split its processing power between protocols. The cores can also be tasked independently to support multiple services and to allocate reserved bandwidth for voice or video channels. On-chip packet buffers (one in each direction) cut processing delays significantly and ensure that the only data that goes off-chip is context (keys). Since the cores share the same instruction set and programming model as the rest of Cavium's products, all the existing development tools and code libraries are at your disposal.

Since the Cavium data sheets (and my earlier review) cover most of the actual functionality of the NITROX architecture, I won't run down the entire list of security processing features that the NITROX II has. But hopefully, this short list will give you an idea of some of the basic security capabilities:

IPsec Features

SSL Features

It looks like the folks at Cavium have once again anticipated and met the market's needs with a broad range of products based on their programmable multi-core technology. What distinguishes the new parts from the excellent offerings of HiFN, Broadcom, and even Corrent's SPI-equipped chips is that those look-aside designs still need multiple transactions to move each packet across the interface and back, once to get the data onto the chip and once to get it off.

Since the NITROX II builds on an existing architecture, and the first alpha silicon is back from the fab and in the lab, Cavium earns a low vaporware index.


Lee's Saltshaker Rating (rating graphic not reproduced)


analogZONE
(c) 2003. All rights reserved.