A 10 Gbps in-line network security processor based on configurable hetero-multi-cores

Journal of Zhejiang University SCIENCE C

Abstract

This paper presents an in-line network security processor (NSP) design that implements Internet Protocol Security (IPSec) protocol processing for 10 Gbps Ethernet. The design integrates 10 Gbps high-speed data transfer and IPSec processing, including the crypto-operation, the database query, and IPSec header processing. The in-line NSP is implemented in 65 nm CMOS technology, and the layout area is 2.5 mm×3 mm with 360 million gates. A configurable crossbar data transfer skeleton implementing an iSLIP scheduling algorithm is proposed, which enables simultaneous data transfer between the heterogeneous multiple cores. In addition, a high-speed input/output data buffering mechanism and high-performance hardware structures for the modules are designed, so that the transfer efficiency and the resource utilization are maximized and the IPSec protocol processing achieves 10 Gbps line speed. A high-speed, low-power hardware look-up method is proposed, which effectively reduces the area and power dissipation. The post-simulation results demonstrate that the design gives a peak throughput of 10.06 Gbps for the Authentication Header (AH) transport mode with an average test packet length of 512 bytes at a clock rate of 250 MHz, and that power dissipation is less than 1 W. An FPGA prototype is constructed to verify the function of the design. A test bench is being set up for performance and function verification.




Correspondence to Li-ji Wu.

Additional information

Project (No. 2011ZX01034-002-002-003) supported by the National Science and Technology Major Projects of the Ministry of Industry and Information Technology, China

Cite this article

Niu, Y., Wu, Lj., Liu, Y. et al. A 10 Gbps in-line network security processor based on configurable hetero-multi-cores. J. Zhejiang Univ. - Sci. C 14, 642–651 (2013). https://doi.org/10.1631/jzus.C1200370


  • DOI: https://doi.org/10.1631/jzus.C1200370
