networkZONE Product Review: Cavium Networks NITROX II WiMAX Security Solution for Base Stations & CPEs

networkZONE Products for the week of July 4, 2005

Cavium Networks Says…
Cavium Introduces Security Solutions for WiMAX Base Stations and CPEs
nex-G Adopts Cavium Networks' New NITROX II WiMAX Solution in its 16 Sector Base Station to Support Current & Emerging WiMAX Security Standards at Multi-Gigabit speeds

Cavium Networks has introduced the broadest security solutions for WiMAX based equipment ranging from Customer Premises Equipment (CPEs) to multi-sector Base Stations. The market leading Cavium Networks NITROX & NITROX II security processors provide 802.16-2004 compliant security solution for Base Stations requiring 75 Mbps to multi-Gbps performance. Additionally, the highly integrated MIPS32^TM based Cavium Networks NITROX Soho Secure Communication Processors (SCP) provide the same support for CPEs requiring 64 Kbps to 20 Mbps performance. Given the high flexibility and programmability of these processor families, the security support is easily extendible to 802.16e, the mobile version of the WiMAX standard. The company also announced that nex-G, a designer, developer and manufacturer of carrier class wireless broadband solutions for the global market, is using NITROX II security processors in its Horizon Sixteen Sector WiMAX Base Station. This Base Station is a scalable solution, capable of supporting the world's high capacity networks for high-density deployment.

"We chose the NITROX II Security Processor for our Horizon WiMAX Sixteen Sector Base Station as it was the only product that met our performance and WiMAX security needs", said Glen West, CTO of nex-G. "The security software and the support provided by Cavium Networks enabled us to rapidly and seamlessly integrate the NITROX II Security Processor into our system."

WiMAX, a broadband wireless metropolitan area network (MAN) technology based on IEEE 802.16 and ETSI HiperMAN, can provide last mile broadband wireless access and can connect Wi-Fi hotspots to the Internet. Given that WiMAX data is transmitted over the air, the 802.16 standard requires a security sub-layer encrypting connections between Subscriber Station (CPE) and Base Station using the AES-CCM protocol. It also requires the usage of a client/server key management protocol based on X.509 digital certificates and RSA public-key encryption algorithm [PKCS #1]. Processing these algorithms on the CPU in the Base Station or CPE consumes valuable processing cycles thereby reducing application performance. The market leading NITROX, NITROX II and NITROX Soho product lines from Cavium Networks provide an optimal solution that offloads the security processing functionality at highly competitive prices.

New software for AES-CCM encryption protocol and WiMAX Public Key Management software is being released with the latest Software Development Kits for all NITROX and NITROX II Security Processors and NITROX Soho Processors from Cavium Networks.

The NITROX and NITROX II families of Security Processors have over two dozen members to target a wide range of price / performance points, for implementing WiMAX security in single or multi-sector Base Stations ranging in performance from 75 Mbps to multi-Gbps. The highly integrated NITROX Soho MIPS32 processor family includes nine members ranging in performance from 10 Mbps - 150 Mbps, that allow OEMs to build highly cost effective WiMAX CPEs and Base Stations. The NITROX Soho Processors integrate a MIPS32 Processor with 16KB Instruction & Data Caches, powerful security engines, 3 x 10/100 Ethernet MACs, 32Bit PCI interfaces, and a range of General Purpose I/Os.

In addition to the security algorithms required by the 802.16-2004 specification, each of the product families supports a wide variety of other algorithms. For symmetric encryption, AES-256 (CTR, CBC, XCBC, ECB), DES, 3DES and ARC4 algorithms are supported. RSA and Diffie-Hellman algorithms are included for asymmetric encryption. SHA-1 and MD5 hash algorithms are also supported.

analogZONE Says . . .

Cavium's latest release is a software-based repurposing of their current NITROX (reviewed in 2004) and NITROX SoHo security engines to meet the needs of the emerging WiMAX market. It currently focuses the processor's capabilities specifically to support the encryption scheme used by the WiMAX fixed-service standard, but the chip's programmable architecture should allow it to be extended to the mobile spec when it's complete. The release above does a respectable, if somewhat terse, description of all the security options you can run on the multi-core processor chips so I'll keep it shorter than usual and confine my remarks here to a little analysis and commentary.

Depending on the throughput needed, you can use either their NITROX Lite or NITROX I/II devices in base stations. The NITROX Lite can handle one or two 75 Mbit/s WiMAX channels and can be used in a look-aside configuration in conjunction with any conventional CPU or NP that supports a PCI/PCI-X interfaces. For higher capacity base stations with up to 16 sectors, the NITROX II family's Gigabit-level processing speeds can be harnessed via a SPI-3/4.2 interface that allows it to run as a pipeline from whatever source you choose (it also has a PCI/X interface for use in look-aside configurations).

But for every base station in the field there will be hundreds or thousands of subscribers, each with their own wireless CPE. This is where the lower-cost SoHo product will shine. With capacities of 5 - 20 Mbits/s and most of the elements needed to make a broadband media gateway integrated on the same chip, the NITROX SoHo devices only require PHYs, a low-cost L2 packet switch, a radio, and memory for a complete design that supports DifServ, routing, NAT, and other essential router functions (see the Fig. - WiMAX CPE Implemented with Cavium's NITROX SoHo Chip). It's sort of like buying a security processor and getting a home gateway free.

As with any chip of this complexity all the devices have an associated development kit that allows you to use off-the-shelf parts to build cost-effective CPE quickly, or solve a large chunk of base station design issues with a minimum of fuss. NITROX's programmable architecture really shines here since it allows these standard chips to be quickly adapted for this specialized job with the right software. To accomplish this, the kits include a firmware image, drivers, and APIs (C-based). Some selected kits also have reference design protocol stacks for to implement essential functions such as IPSEC, SSL, etc…

I have a good feeling that this software solution will work well since Cavium has already done an excellent job of re-purposing its existing assets to address other markets several times before. They've leveraged the processor cores and other IP from their original security engines to successfully address several other markets, including bridge processors, CPE media gateways, and MIPs-based multi-core media processors.

Cavium's aggressive support of WiMAX is a well-timed move because we're just beginning to see some significant commercial activity as companies have begun to roll out pilot services and equipment makers are in the early stages of tooling up for production. While much of the early activity is overseas, I'm hopeful that WiMAX will also provide an easier way for competitive carriers to deploy their services in the US. With SBC, Verizon and other wired carriers making life a living hell for anyone in America wanting to deploy DSL in their territory, and the US the recent Supreme Court decision that releases cable companies from any obligation to share their cable bandwidth, WiMAX's high bandwidth, robust MAC, and relatively low cost may offer an excellent way for next-generation competitive carriers to reach their customers. And because security is an integral part of the WiMAX protocol, Cavium's chips may offer a path of least resistance (and lowest cost) for providing it.

Thanks to the product line's proven history and high level of integration, I'd expect Cavium to grab a good chunk of the first generation of WiMAX CPE. My only caveat is that the SoHo gateway market has been extremely competitive for DSL and cable and I'd expect no less for WiMAX. It's a pretty good bet that there are several companies including Broadcom, Conexant, Marvell, and TI who will soon be turning their own formidable design and integration talents to bear on this emerging market.

With so many sockets at stake you can be sure the competition will be fierce and that Cavium will have to use every trick it has to maintain the early lead that these first-generation chips will give them. This means that Cavium will probably have to do even more integration to stay competitive. In order to remain a player in this market I'd expect to see them integrate a small L2 switch, some integrated memory, and perhaps some on-chip MACs and PHYs to pare down the BOM cost to the near-impossible levels that high-volume ODMs demand.

Cavium's WiMAX security solution is available today for all existing NITROX & NITROX II Security Processors and NITROX Soho Processors. Development kits for NITROX & NITROX Soho Processors are priced between $5 k and $25 k depending on the device they support.

Product Archives
Return to the networkZONE

Lee's Saltshaker Rating

acquisitionZONE - audio/videoZONE - connectivityZONE - greenZONE - networkZONE - powerZONE - technoteZONE - T&MZONE - wirelessZONE - endZONE - productARCHIVE
home