networkZONE Products for the week of July 15, 2002
Cavium Says . . .
Canny Crypto Cruncher Manifests Multiple Modes
Cavium's multi-CPU security processor simultaneously supports SSL and IPsec while providing guaranteed bandwidth per application
Cavium Networks has added the NITROX Plus family of Multi Service Security Processors to its product line. They provide a single-chip solution for simultaneously accelerating multiple applications such as VPN, e-business, storage, wireless and XML security, with guaranteed bandwidth reservation per application. NITROX Plus is a programmable, highly integrated, feature-rich single-chip solution designed to accelerate multiple security protocols such as SSL, IPsec, iSCSI and XML Digital Signatures with dynamic priority-based protocol processing. NITROX Plus will be used in a wide range of networking equipment such as routers, switches, web servers, application servers, server load balancers, firewalls, SANs, wireless gateways and VPN gateways, enabling a secure and authenticated Internet.
Service providers are looking to deliver guaranteed secure bandwidth through Service Level Agreements, which drives the need for priority-based security processing. Additionally, the demand for secure voice and video on data networks requires that these real-time applications have dedicated security processing bandwidth assigned to them, so that small voice packets do not get trapped behind large data packets, which would result in high latency and poor quality. Other emerging security trends integrate multiple security applications, such as IPsec for branch offices and SSL for remote users, into a single platform. These trends are driving the need for a multi-protocol, multi-service security processor that can process multiple types of traffic. Currently system vendors are forced to use multiple security acceleration chips for different protocols and traffic types, which drives up cost and complexity significantly. NITROX Plus eliminates this complicated multi-chip, multi-path bottleneck by integrating support for multiple security protocols and guaranteed bandwidth provisioning in a single chip.
The NITROX Plus has a multi-core architecture that allows each core to run any protocol, such as IPsec or SSL, enabling a flexible mix of bandwidth per protocol. Additionally, high-priority queues are provided that can be used to process high-priority real-time traffic such as voice and video. Another powerful feature is that the allocation of security bandwidth can be changed dynamically, on the fly, based on traffic conditions. This platform integration enables equipment consolidation that reduces cost and deployment complexity and increases manageability for enterprise and service provider data center managers. The NITROX Plus supports multiple bulk encryption algorithms such as 3DES, AES and RC4 at speeds up to 5 Gbps, along with up to 50K RSA and 40K Diffie-Hellman operations per second. In addition to providing the industry's highest-performance Multi Service Security Processor, Cavium Networks is delivering a complete turnkey solution with its processors, including firmware, drivers, middleware and an evaluation board, to reduce customers' time to market.
"Cavium's flagship NITROX Security Macro Processor family, which is in production, has dramatically changed the performance and cost metrics of deploying security. Our new NITROX PLUS family is set to have the same impact for Multi Service security applications," said Syed Ali, President and CEO of Cavium Networks. "System vendors will be able to dynamically allocate secure bandwidth per protocol for various types of traffic, eliminating the need for multiple acceleration chips. NITROX Plus allows vendors to build highly integrated secure networking equipment with significantly reduced cost, complexity and time to market."
"Businesses are increasingly using the Internet for commerce, remote access, and remote storage, but they are demanding increased security. Deployments of IPsec VPNs, clientless remote access using SSL web browsers, anywhere storage using iSCSI, and XML-based secure web applications using Microsoft .NET are growing rapidly," said Jeff Wilson, Directing Analyst at Infonetics Research. "Cavium's NITROX Plus family will enable accelerated deployment of cost-effective multi-service security."
The NITROX Plus Family of Multi Service Security Processors
The NITROX Plus family of Security Macro Processors has two members that target distinct price and performance points. The NITROX Plus 1430 processor supports a 64-bit, 66 MHz PCI bus or a 64-bit, 133 MHz PCI-X bus, along with 64-bit DDR DRAM for local context or session storage, and is ideally suited for applications requiring 2.5 Gbps of secure bandwidth and 20K RSA ops/sec. The NITROX Plus 1540 processor has an 8-bit, 500 MHz HyperTransport bus with 64-bit DDR DRAM for local context or session storage, and targets high-end applications requiring 5 Gbps of secure bandwidth and 50K RSA ops/sec. All these devices support the predecessor NITROX software architecture with its Adaptive Processing capability, which allows processing power to be flexibly allocated between session setup and bulk data encryption depending on real-time traffic conditions. Cavium's Macro Processing feature reduces bus bandwidth requirements and host CPU load by concatenating multiple cryptographic and protocol operations into one large Macro command. Maximum power consumption ranges from 5 watts for the NITROX Plus 1430 to 10 watts for the NITROX Plus 1540.
"After successfully delivering the first NITROX Security Macro Processor, Cavium has produced another innovative product in NITROX Plus, which takes a new approach to solving the security processing bottleneck in integrated networking equipment," said Linley Gwennap, principal analyst of the Linley Group. "Based on features and performance, NITROX Plus appears unmatched in multi-protocol, bandwidth-sensitive applications."
Cavium Networks' roadmap includes the NITROX II In-Line Multi Service Security Macro Processor, which integrates even more network functionality and adds SPI-3 and SPI-4 interfaces.
Administration and Manageability
The NITROX Plus family of Multi Service Security Processors is a feature-rich solution that includes dedicated administration processing resources to handle the myriad administration and management functions, such as tamper-proof protection, error logging, statistics collection, billing information, error recovery, zeroing out of private keys, trusted path management, private key generation and primality checking, that will dramatically ease the task of developing fully manageable FIPS 140-2 Level 1, 2, 3 and 4 compliant systems.
analogZONE Says . . .
I reviewed Cavium's original NITROX encryption engine back in October of 2001 (before it was sampling) and was quite impressed. Now that the chips are actually shipping, I find my faith rewarded with a product that's finding very good market acceptance. And, I suspect that the latest incarnation of the NITROX architecture will find equal, or better success.
NITROX was designed with multiple general-purpose GigaCipher cores, each with its own microcode and register file, and capable of performing all SSL or IPsec operations on its own (see the figure). The chip also packs a separate administrative core engine that handles many procedures normally associated with the host, such as session setup and key administration. Back then I liked its programmability, and how its architecture was designed to offload both computational and administrative tasks from the host system. Since then, Cavium has delivered the original NITROX chip, and gone on to re-spin it in nearly a dozen flavors to provide different levels of performance, as well as support for different host buses (HyperTransport, PCI, PCI-X, and PSE secure bus). Their latest edition, the NITROX Plus, is pin-compatible with the original NITROX product, but offers several important improvements.
Perhaps the most significant improvement to NITROX is the internal mods to its instruction queue and a new software load that allows different processors to run different protocols at will. According to Cavium, this allows a mix-and-match approach without sacrificing any efficiency or bandwidth. Using the NITROX Plus engine, you should be able to build a high-performance server, or even a single blade within a router that Although similar to the performance of the Broadcom chip for SSL apps, the Blue Steel processor is simply an algorithm offload chip. Cavium, on the other hand, offloads computation, the bulk encryption, as well as the RSA procedures and session setup. Keeping most of the computation and administrative tasks on-chip minimizes the load on both the host's CPU and the bus so you can do other stuff with it.
Since most enterprise applications now require secure IPsec connections for any remote access, and SSL for secure web browsing, this will let you design products that make the most efficient use of whatever bandwidth is available to them - no insignificant feature in these cost-conscious times.
One of the surprise applications that Cavium pointed out is secure, browser-based e-mail. They explained that it is becoming increasingly popular to use browser-based applications for all security applications to provide a universal interface rather than a specialized piece of client software. In other words, more and more people are using the SSL capabilities of plain-vanilla secure browsers to establish e-mail access from any computer without the bother and expense of relying on an IPSEC-based VPN connection. After having suffered for several years with a previous employer's clumsy, slow, and difficult-to-use Notes-based remote VPN, I find Cavium's analysis to be especially compelling.
Another important aspect of this re-configurable security engine is its priority-based security processing capability. The administrative processor can manage queues, and identify high-priority flows to guarantee quick turnaround for selected connections or applications. Besides the ability to provide differentiated service classes, the Cavium chip's priority-based queuing should provide enough latency variation control to easily support secure voice applications.
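The queueing behaviour the release and the review both describe (a shared queue, high-priority queues for voice, and a dedicated bandwidth reservation so small packets are not trapped behind large ones) can be seen in a small discrete-event model. This is an added illustration, not Cavium code and not a model of the NITROX Plus internals; the packet sizes, arrival times and per-core rate are constructed.

```python
"""Added illustration, not Cavium code: how a shared FIFO, a priority queue and
a reserved core change the worst-case wait of small real-time packets behind a
burst of large bulk packets on a pool of identical crypto cores."""

# Constructed workload: (arrival_us, size_bytes, flow). Six 1500-byte IPsec
# data packets arrive at t=0, then four 60-byte voice packets at t=1.
PACKETS = [(0, 1500, "data")] * 6 + [(1, 60, "voice")] * 4
RATE_BYTES_PER_US = 0.5  # assumed per-core bulk encryption rate (constructed)


def service_us(size_bytes):
    """Microseconds one core needs to encrypt a packet of this size."""
    return size_bytes / RATE_BYTES_PER_US


def simulate(packets, cores, policy):
    """Dispatch packets onto `cores` identical engines and return the worst
    queueing delay (us) seen per flow.
    policy: "fifo"     - one shared queue, oldest packet first
            "priority" - shared queue, voice always picked before data
            "reserved" - as "priority", but the last core accepts voice only
                         (a guaranteed-bandwidth reservation; needs cores >= 2)"""
    if policy == "reserved" and cores < 2:
        raise ValueError("reserving a core needs at least two cores")
    pending = sorted(packets)            # by arrival time
    free_at = [0.0] * cores              # time each core becomes idle
    max_wait = {"data": 0.0, "voice": 0.0}
    while pending:
        core = min(range(cores), key=free_at.__getitem__)
        voice_only = policy == "reserved" and core == cores - 1
        eligible = [p for p in pending if p[2] == "voice"] if voice_only else pending
        if not eligible:                 # reserved core has nothing left to do
            free_at[core] = float("inf")
            continue
        now = max(free_at[core], eligible[0][0])       # idle until next arrival
        ready = [p for p in eligible if p[0] <= now]
        if policy == "fifo":
            pick = min(ready, key=lambda p: p[0])
        else:
            pick = min(ready, key=lambda p: (p[2] != "voice", p[0]))
        pending.remove(pick)
        arrival, size, flow = pick
        max_wait[flow] = max(max_wait[flow], now - arrival)
        free_at[core] = now + service_us(size)
    return max_wait


if __name__ == "__main__":
    for policy in ("fifo", "priority", "reserved"):
        print(policy, simulate(PACKETS, 2, policy))
```

With two cores the worst voice wait drops from 9119 us (FIFO) to 3119 us (priority) to 360 us (reserved); the reserved configuration buys that bound by giving the data flow only one core, which is the trade-off a bandwidth reservation always makes.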
While no development effort is easy, Cavium at least gives you a bunch of hand-holding. For example, NITROX Plus comes with a set of improved driver software that supports multiple queues, plus Turbo SSL - a one-call routine that supports acceleration for Macro SSL streams. This kind of detailed software support is essential to time-to-market, but Cavium goes one step further. You also get an Apache-based web server reference design so you can have a running prototype to mess with in almost no time. And if you're really pressed for time or are short a few design team members, they'll also be happy to make PCI, PCI-X, and HT-based OEM boards to your specs.
With several versions of the NITROX already shipping, and Cavium willing to give me an in-depth tour of the modifications needed to accomplish its new multi-tasking tricks, I'm inclined to give their new chip a low Vapor Index Rating. The NITROX Plus 1430-350 MHz is in a TSBGA-600 priced at $395 and the 1540-350 MHz in a BGA-600 is priced at $595, both in 1000-piece lots.