networkZONE Products for the week of June 30, 2003
Seaway Networks Says . . .
A New Twist: Seaway Networks Introduces Industry's First Network Content Processor
SW5000 Incorporates Industry-Leading TCP Termination, Stream Switching and Layer 5-7 Processing
Seaway Networks is pleased to announce the imminent availability of its SW5000 Network Content Processor (NCP). The SW5000 delivers an unprecedented 5 Gbps (full duplex) of full TCP byte stream reconstruction and/or termination combined with silicon-based Content Processing and embedded Stream Switching. The patented Streamwise stream switching architecture manages up to 2 million simultaneous TCP connections and enables OEM customers to build systems that support multiple simultaneous services at multi-gigabit rates. Such systems will allow networks and data centers to consolidate equipment, improve network security and provide additional layer 4 to 7 services.
"The demand for application-level security, combined with the trend towards equipment consolidation, is creating a significant design dilemma for networking equipment manufacturers," said Kit Fung, President of Seaway Networks. "Whereas Network Processor architectures are having difficulty meeting this challenge, the SW5000 is ideal because its features and performance enable multiple, simultaneous, layer 4-7 services." The SW5000 enables OEMs to provide performance and feature differentiation to application firewalls, intrusion detection systems, SSL accelerators, firewall/VPN gateways, content filters or any other application which requires advanced layer 4-7 processing. The SW5000 can be incorporated into a wide range of products including networking appliances, networking equipment cards, server blades, and PCI cards.
SW5000 Highlights
The SW5000 is specialized for layer 4 to 7 data path processing. It provides wire-speed silicon-based processing, including Layer 2 to 4 classification and full TCP termination at 5 Gbps (full duplex). The SW5000 also provides high-performance silicon-based Layer 5 to 7 processing features, including content searching, examination, modification, and replication. The SW5000 supports:
Because it was designed to support multiple simultaneous services, the SW5000 incorporates advanced stream management and switching features to maximize processing efficiency and minimize memory and bandwidth usage. Zero-copy data management and other techniques are inherent to the architecture, and per-flow stream scheduling with dynamic pipelining brings an unprecedented level of control.
The SW5000 supports:
With a familiar programming environment, an SW5000-based system facilitates the design of complex layer 4-7 applications. Its application programming environment was designed to be simple, flexible, and portable for existing software. Application development is carried out using a C/C++ GNU tool chain with an advanced SW5000 API library based on a familiar sockets interface.
Development Support
Seaway is focused on providing system designers a set of development tools to simplify and accelerate product development. Along with the SW5000 Software Development Kit (SDK) and SW5000 system software, the customer has two development platform options:
analogZONE Says . . .
When I spoke with the folks at Seaway on my trip through Canada's Silicon Tundra last December, the first words out of my mouth were, "Why does the world need another network processor?" Their answer was surprising, and a little difficult for me to grasp. I had some difficulty laying aside my conceptions about a network processor's role in life. It seems that instead of being exclusively designed for manipulating packet headers, the Seaway device's architecture makes it capable of monitoring the contents of packet streams, and modifying them where necessary.
So it turns out that, yes, there are lots of network processors out there, but not many (if any) are optimized for performing tasks at layers 4 and above - a type of work Seaway has termed "application-aware data path processing." From what I can tell the chip has a unique capacity to identify and direct complete streams of traffic to its different processing elements at wire speed without placing any burden on its compute capacity. This means that while the Seaway SW5000 does many of the traditional NP functions that accelerate TCP/IP protocol processing, it really focuses on accelerating the applications running on the networks. This includes offloading lower layer protocol functions (e.g. access control list, fragment reassembly and layer-4 protocol termination - and much more) from the host system, allowing it to devote its compute resources to supporting the actual services it delivers. The chip also supports actual service tasks, such as editing data streams and locating selected segments in data streams for replication or further processing. Of course, normal NPs can do this sort of stuff, but not nearly as efficiently.
This is not to say that the SW5000 is a slouch at IP acceleration - it has hardware assists for most primitive TCP functions. As you can see from the functional diagram, the processor has a set of dedicated engines (Block #1 in the diagram) that perform in-line processing for layers 2, 3, & 4. Its internal classification logic allows the chip to decide whether to terminate a particular flow within the processor, or just pass it through. It also has logic to buffer and re-assemble fragmented traffic as a hardware function that's transparent to the chip's software and higher-layer functions. This task alone would tax a traditional programmable NP heavily and severely limit any other applications it could support. This TCP termination offload function is a big deal because it frees NPs and other hardware for application-oriented (i.e. revenue-producing) tasks.
Once the streams are groomed and straightened out, the Seaway's packet engine goes to work using an array of sub-engines. Some of these processors are autonomous and firmware-driven, and are used for routine tasks such as stripping off headers and trailers and generating headers and trailers (including CRC). You have on-chip assist for stream replication - an important feature for supporting multicast, stream logging, or what the U.S. government euphemistically calls "lawful intercept" (Orwell would spin in his grave at the idea of universal wiretaps - 1984, anyone?)
If you really need something beyond what the SW5000 can do on its own, Seaway has thoughtfully provided interfaces to co-processors via a stream switch. The internal switch can direct individual streams through a look-aside processor and make it look as though it's in-line. Stripping off individual streams pumps only the stream requiring processing to the processor, saving your co-processor's bandwidth for more useful tasks than pass-through.
Your co-processor can be attached via either a packet burst SRAM interface (for PowerPC-oriented chips) or a memory-mapped interface that can be easily mapped (via FPGA) to HT, PCI, & PCIX busses. One interface can also be configured to run in SPI-3 mode (common for many security processors). If you're running a Hifn security processor you're in luck, because the SW5000 also supports their proprietary streaming mode interface, something that allows multiple processors to share the bus.
The SW5000 should find applications in high-capacity load balancing and security processing. In an application-level firewall the engine would identify http streams within TCP connections, terminate TCP traffic and extract http activity to analyze for illegal activities, check for viruses, and prevent unauthorized access to specific content on a server. In a secure application the processor can maintain all the security context in a stream or packet while the content is being processed - something that's harder or impossible to do with a normal NP.
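The reason full TCP byte stream reconstruction matters for the layer 5-7 content searching and application-firewall use described above is that a pattern can straddle a segment boundary, so per-packet matching misses it. The following is an added illustration in plain Python, not Seaway's code or the SW5000 API; the segments and the signature string are constructed for the example, and sequence numbers are relative to the flow's initial sequence number.

```python
# Constructed sample flow: three TCP segments delivered out of order,
# with one segment retransmitted. Each entry is (relative_seq, payload).
SEGMENTS = [
    (41, b"Host: example.test\r\n\r\n"),
    (0,  b"GET / HTTP/1.1\r\nX-Marker: sig"),
    (29, b"nature-XYZ\r\n"),
    (29, b"nature-XYZ\r\n"),  # retransmission of the segment above
]

# Constructed content-inspection signature; it spans segments 2 and 3.
SIGNATURE = b"signature-XYZ"


def reassemble(segments):
    """Order segments by sequence number and stitch them into one byte stream.

    Retransmitted or overlapping bytes are dropped. A hole (a missing segment)
    stops reassembly, so inspection never runs across a gap in the stream.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            break  # gap before this segment: wait for the missing data
        stream += payload[len(stream) - seq:]  # keep only the new bytes
    return bytes(stream)


def search_per_segment(segments, pattern):
    """Packet-at-a-time matching: returns seqs of segments that contain pattern."""
    return [seq for seq, payload in segments if pattern in payload]


def search_stream(segments, pattern):
    """Stream matching: offset of pattern in the reassembled stream, or -1."""
    return reassemble(segments).find(pattern)


if __name__ == "__main__":
    print("per-segment hits:", search_per_segment(SEGMENTS, SIGNATURE))  # []
    print("stream offset:   ", search_stream(SEGMENTS, SIGNATURE))       # 26
```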
I've done my best to explain the basics of how the Seaway architecture differs from the rest of the pack, but if you want to drill down a little deeper, you can take a look at Seaway's white paper. They don't get down to a gate level description of how their device works, but at least manage to fill in some details I have neither the space, nor the expertise, to explain.
Until now multiple security processors would seem redundantly redundant, but there is an emerging need to support multiple security services in a single box, for multi-service platforms and high-capacity firewalls. Seaway allows this to happen by offloading the security processors from the mundane tasks (TCP termination, search through data) and directing only the streams needed to go to a specific processor.
I certainly understand Seaway's enthusiasm for its concept of stream processing. In theory it could enable very efficient use of a network element's bandwidth and processing power. It's difficult to say, however, whether reality matches theory. For one thing I'd need to get a much closer look at the software development tools that claim to allow you to program this rather complex device in "C++" to get a good feeling about whether normal humans could create applications. Given the fact that much of the processor consists of discrete state machines, I think it's very possible to have a programming environment that will make good use of the chip's resources using a high-level language, but I do have my lingering concerns.
Another thing arguing for the credibility of Seaway's claims is the fact that they are part of the Kanata high-tech belt where companies generally tend to deliver on most or all of their claims.
I also wonder if there will be some reluctance to invest the money and ride the steep learning curve required to adopt a radical new architecture these days. I suspect, however, that at least for certain applications, where the SW5000's performance benefits are most pronounced, there will be some interest in making the leap. If a few smart early adopters do manage to turn out successful products with the Seaway chip I would imagine there will be a stampede of new customers, and most likely a few copy-cat attempts at content stream processors. I imagine by that time, however, Seaway will have its next product in place to hold its place in the market it's pioneered.
In any event the first silicon is working and under test at Seaway and will be sampling shortly. Development systems are already available to select customers. I'll be pulling for this highly aggressive and unique chip to differentiate itself from the pack and re-shape the industry's expectations of what network processors can do.
The SW5000 Network Content Processor is sampling now with production quantities available in Q3 2003. The SW5000 1157 BGA package is priced at $645 in 1-k quantities. The SW5000 Virtual Development Platform is available now to qualified customers. The SW5000 Hardware Development Platform (available 3Q 2003) is priced at $21,495 and includes one system I/O module (IOM) and one 2-port Gigabit Ethernet Module (GEM).