networkZONE Products for the week of August 4, 2003


Cavium Networks Says…
Right-Sized Security - Cavium Networks' Wireless LAN Security Processor Family for Enterprise Access and Aggregation Points
Nitrox Wireless Security Processors to Support Current and Emerging 802.11 Security Standards at Multi-Gigabit speeds

Cavium Networks has just released its Nitrox Wireless family of security macro processors, the first processors specifically designed to support current and emerging 802.11 security standards. The company also announced that Aruba Wireless Networks -- maker of high-performance wireless network switching systems (WLAN) for enterprises and "hot spot" service providers -- has adopted Cavium's Nitrox Wireless security processors. Cavium's award-winning Nitrox family of security processors is being used by several server motherboard and OEM vendors in a wide range of networking equipment such as VPN gateways, SSL VPNs, wireless gateways, server load-balancers, routers, switches, web servers and SANs.

Nitrox Wireless accelerates a wide range of WLAN security protocols
To address security weaknesses of the Wired Equivalent Privacy (WEP) protocol, IEEE is developing the 802.11i security standard for WLANs, which mandates Advanced Encryption Standard (AES). With 802.11i, existing wireless access and aggregation points need to add security acceleration in their hardware to achieve required performance. Cavium's Nitrox Wireless family is designed to support the complete suite of security algorithms used in WLAN security today and for the emerging 802.11i standard -- including AES, 3DES and ARC4 and the various modes of each algorithm. Additionally, the Nitrox Wireless processors perform complete protocol processing of CCMP, IPSec, IKE, MPPE and functions of TKIP. The Nitrox Wireless processors include a true hardware Random Number Generator and are highly optimized to increase overall system performance through zero-copy processing and efficient utilization of the system bus.

"We chose Cavium's Nitrox Wireless processor because of its unparalleled flexibility, scalability, performance and cost," said Kent Headrick, VP of Engineering at Aruba Networks. "Cavium's Nitrox Wireless processor has enabled us to support a wide range of wireless security protocols such as TKIP, MPPE, and IPsec at performance ranges up to 2Gbps. Additionally, as we move forward to incorporate the emerging 802.11i standard, also being adopted by the Wi-Fi Alliance as WPA version 2, Cavium's flexible architecture will enable us to provide high performance without a costly hardware upgrade."

Broad product line for Aggregation Devices as well as Enterprise Access Points
The Nitrox Wireless family of Security Macro Processors has ten members to target a wide range of price / performance points, allowing OEMs to implement wireless LAN security in intelligent access points or aggregation devices, such as WLAN switches. The new Nitrox Lite CN501w is intended for low-power, enterprise access-point products -- it has a 32-bit PCI interface, provides 50 Mbps of performance at 64 byte packet size and consumes <1 Watt of power. The Nitrox Lite family, with 4 distinct products, targets applications from 50 Mbps to 1 Gbps, with a PCI bus interface. The Nitrox family, with 6 distinct products, targets applications from 1 Gbps to 4 Gbps, with a choice of PCI, PCI-X or HyperTransport interfaces, and also adds support for optional external key memory.

"Robust and high-performance wireless LAN security is critical for the widespread adoption of Wireless LANs by enterprises," said Bob Wheeler, senior analyst at The Linley Group. "Cavium's Nitrox processor has already proven to be a winning choice in the IPsec and SSL acceleration areas. Now, Cavium has taken advantage of the flexibility of its Nitrox processor to quickly provide a wireless family of security processors suited to multiprotocol operation and capable of support for new protocols -- essential for tracking the evolving security requirements of the wireless market."

Complete Solution
Cavium's complete solution includes chips, evaluation boards (reference hardware designs), and reference software. The Nitrox Wireless evaluation/development kit is implemented on industry-standard PCI/PCI-X or HyperTransport boards, supported by an array of software and support utilities, including drivers and APIs for popular operating systems, and chip configuration, test, and debug utilities. With this rich software and hardware reference, customers can quickly integrate Nitrox Wireless with minimal engineering effort.

analogZONE Says . . .

If the IEEE's emerging 802.11i security is to help WLAN technology migrate from home and casual public access to mission-critical enterprise applications, it is going to have to address MIS directors' security concerns, and Cavium's new line of crypto-crunchers seems to be well-positioned to do this. Earlier this year, I reviewed the chip that preceded this latest release, and feel that they have one of the most flexible and powerful architectures in the industry. It's good to see that rather than simply trying to sell its existing products for wireless applications, they have tweaked the Nitrox architecture to add the specific crypto functions needed for WLAN security -- for both today and tomorrow.

Flexibility is critical here because wireless security is quickly evolving beyond the original wired-equivalent privacy (WEP) scheme, which is now considered insufficient for enterprise-level security needs. While the IEEE 802.11 committee hammers out the details of its new security specs that will supersede WEP, many equipment vendors are using existing network security protocols including IPsec. As a stopgap measure, the TGi has rolled out the WiFi protected access (WPA) protocol, a sort of enhanced WEP which also has TKIP and authentication. It's also been designed to be forward-compatible with the full-up 802.11i security protocol when it's complete. This works for today in most applications, but for the truly paranoid it can be enhanced using additional VPN and tunneling protocols between client and a secure server.

Once it's complete, 802.11i should become the dominant security standard for enterprise and public infrastructures. While a bit of overkill for most applications (in my opinion anyway), 802.11i should put MIS directors' fears to rest, and provide significant future-proofing capabilities. The final version of the standard mandates using the CCMP algorithm for wireless data encryption and authentication to replace the current TKIP (RC4 encryption) scheme.

But tight security comes at a price. CCMP runs elliptical encryption algorithms, and requires levels of processing power not available from the kinds of RISC cores typically found in an embedded application. This will require an on-chip hardware accelerator core or external security processor to fill the MIPS gap. Many vendors (including Atheros, Broadcom, Marvell, and TI) already have some level of hardware encryption acceleration, but Cavium says most of what's out there will not support the full 54-Mbit/s streams with full-up AES encryption running. Since most (or all) clients will actually use only a portion of the channel capacity, the modest on-chip accelerators will probably be good enough for most adapter cards and terminal applications. But Cavium is probably right that the on-chip security cores will not meet the challenge in access points or other infrastructure equipment which talks to multiple connections, with multiple keys, tunnels, and protocols.

This is where Cavium comes in, by providing complete hardware AES & protocol processing (header insertion & extraction, and CCMP termination). Their chips also provide acceleration for TKIP, IKE, and all current protocols. The nice part is that the Cavium processor architecture is a mix of programmable and fixed-function elements, making it firmware-upgradable to track any changes to 802.11i and any future protocol developments.

Actually, Cavium has introduced 10 new wireless products, all geared for different capacity ranges. You also get your choice of host interface bus (PCI 32/66 MHz, PCI-X 64/133 MHz, and 200-MHz HyperTransport), which should help most developers easily adapt the chips to their existing products. As usual, you get a generous helping of development support that features a large library of pre-developed microcode that configures the Nitrox chip for a wide variety of applications. Stitching the chip to your host system is made easier with a full set of open-source Linux Software Drivers/Tools, CCMP Shim Layer code, and IPsec application layer support. This, plus a series of full-up reference designs, should put you in the security business in a hurry. And if you're in a real hurry, Cavium's ready-made development boards can have you in low-volume production as quickly as you can find customers.

While I think they are all fine products, I think that Cavium may be overly optimistic about its prospects for the lower end of its product line that's intended for the single access point and SoHo/SME market. While the low-cost security chips could do a great job, it's almost a sure bet that merchant semi-makers with strong design and integration capabilities will inevitably come out with specialized chip sets for these markets that have the crypto punch to support full-speed traffic.

On the other hand, I do think that their more powerful chips will find great success with applications in high-density wireless routers and concentrators, like the Aruba 5000 WLAN switch. The concept of a "dumb AP" connected to a smart hub or concentrator is a great way to control both costs and manageability in both large enterprise and public infrastructure applications. It's also a great way to hold down per-unit costs by using a single high-capacity Cavium chip to provide secure connections for a bunch of low-cost lightweight access points.

All 10 Nitrox Wireless parts are sampling now, with production in Q4 2003. Nitrox Lite CN501w will be $14.95 in 10k-piece lots; Nitrox Lite Wireless will be $16 to $95 in 1000-piece lots; Nitrox Wireless will be $141 to $500 in 1000-piece lots.


Lee's Saltshaker Rating

   






analogZONE
(c) 2003. All rights reserved.