An IPSec Accelerator Design for a 10Gbps In-Line Security Network Processor

The IP security protocol (IPSec) is an important and widely used security protocol at the IP layer. However, implementing IPSec is computationally intensive, which greatly limits the performance of high-speed networks. This paper presents a high-performance IPSec accelerator for use in a 10Gbps in-line network security processor (NSP). The design integrates protocol processing and cryptographic processing: the transport and tunnel modes of the AH and ESP security protocols and the AES and HMAC-SHA-1 cryptographic algorithms are implemented in hardware. An efficient partial crossbar data transfer skeleton with the iSLIP scheduling algorithm is adopted to maximize utilization of the computation resources in the accelerator. The number of AH, ESP, AES, and HMAC-SHA-1 cores in the design can be configured to suit different applications. In simulation, with 8 protocol IP-cores and 24 crypto IP-cores connected to the crossbar in the IPSec accelerator, the design gives a peak throughput of 11.28Gbps for the AH protocol in transport mode at an average packet length of 512 bytes under a clock rate of 300MHz. Hardware verification is implemented on a Virtex-5 XC5VSX95T based FPGA board. Low-power design methods are also used to reduce power dissipation.
