This positioning forces packet processing and many of the security functions onto the traffic management silicon and requires data-packet traffic to travel over low-speed side-port interfaces. As data transfer rates move to OC-48/multi-Gigabit Ethernet rates and beyond, and the data-communication industry focuses on higher levels of security, this approach becomes untenable.
The FlowThrough security architecture is a fundamentally new approach to implementing the IPsec security protocol in hardware. In the FlowThrough security architecture, all of the IPsec functionality, including IKE session setup, is handled by the security processor without any outside intervention. This is accomplished by encapsulating the entire IPsec and IKE functions in an advanced FlowThrough security processor, significantly reducing the software integration work required to add security to a system.
Using the FlowThrough Security Architecture, Hifn is building a family of security processors that free system designers from worrying about how security functionality will impact system design and performance. Time to market is reduced by providing simple integration with a wide variety of network processors and TCP/IP processing engines that target OEM customers in the IP Storage and network equipment markets.
The Hifn FlowThrough Security Architecture positions IPsec and SSL/TLS processing where it belongs - directly in the data path. This approach enables expanded security processor functionality, optimizes encryption performance, and minimizes overall system overhead. System designers are freed from worrying about how IPsec functionality will impact system design and performance. Integration is simplified through the use of standard interfaces, and only a minimum of software is required, for configuration and exception handling.
Looking Back (Looking Aside)
Many hardware implementations of the IPsec protocol use a “look-aside” architecture. The look-aside architecture places the security processor on the control path, attached peripherally to the network processor or system processor (Figure 1).
Figure 1 Traditional Look-Aside Architecture
In the look-aside architecture, operations on inbound traffic, such as link-layer processing, policy lookups, and security association lookups, are performed in the network or system processor before the encrypted packet is sent to the security processor for decryption/authentication. The decrypted packets then travel back up the control path to the network or system processor before being sent into the switch fabric. Outbound traffic follows a similar process in reverse.
This approach is reasonably effective for low-throughput (20 – 300 Mbps) systems. However, for high-performance systems the look-aside architecture is fundamentally unscalable, because the sideband interfaces of most network and system processors are not designed to carry large volumes of packet traffic to a security processor, and every secured packet crosses that interface twice, once on the way to the security processor and once on the way back. In addition, high-speed cryptographic co-processors are under-utilized in look-aside architectures, because the sideband control-path interface cannot carry the traffic volume needed to sustain multi-gigabit rates.
Finally, placing the security processor peripheral to the network processor forces considerable packet processing work onto the network or system processor, adding significant processing overhead to the system. As the use of IPsec extends beyond limited VPN deployments and into OC-48 routers and switches and 10 Gigabit IP Storage networks, a new approach is clearly required.
The Key to Wire-Speed Security - The FlowThrough Security Architecture
Hifn’s FlowThrough Security Architecture was designed in response to the problems associated with look-aside architectures. In the IPsec FlowThrough Security Architecture, the security processor is located in the data path, in front of the Network Processor or TCP/IP processing
Figure 2 The Hifn FlowThrough Security Architecture
Hifn Security Processors that use the FlowThrough Security Architecture employ high-speed streaming interfaces. This enables the security processors to offload from the Network Processor or TCP/IP silicon a range of operations, including:
· Link layer processing (e.g. Ethernet or Packet over SONET)
· IP Packet processing
· Policy lookups
· Security association handling
· IPsec encryption and authentication functions
In the Hifn FlowThrough Security Architecture, packet processing and decryption functions for inbound traffic are completed before the traffic reaches the network processor or TCP/IP processing silicon, freeing the traffic management silicon to handle what it does best. The in-line streaming interfaces allow the Hifn security processors to feed the network or system processor at line rate, without requiring any modifications to the network processor hardware design. The result is multi-Gigabit encrypted throughput in high-performance, cost-effective security processors.
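The inbound pipeline that the list and paragraph above describe (link layer, IP header, policy, security association, anti-replay, authentication, decapsulation), written out as an added software model. This is example code for this page, not Hifn's code and not a description of how the HIPP parts implement it internally. It assumes ESP with null encryption and HMAC-SHA-256-128 authentication so that it runs with only the Python standard library; the gateway address 192.0.2.1, SPI 0x1000, key, and sample frame are constructed demo values:

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Added example: a software model of the inbound ESP path that an in-line
# security processor finishes before the network processor sees the packet.
# Hypothetical values throughout: address, SPI, key and frames are constructed.
ESP_PROTO = 50
ICV_LEN = 16            # HMAC-SHA-256-128: MAC truncated to 128 bits (RFC 4868)
REPLAY_WINDOW = 64      # minimum anti-replay window size from RFC 4303
GATEWAY_IP = bytes([192, 0, 2, 1])


@dataclass
class SecurityAssociation:
    auth_key: bytes
    seq_top: int = 0        # highest sequence number accepted so far
    replay_bitmap: int = 0  # bit i set <=> seq_top - i has already been seen


def replay_check(sa, seq):
    """RFC 4303 sliding-window check; True if seq may still be accepted."""
    if seq > sa.seq_top:
        return True
    behind = sa.seq_top - seq
    return behind < REPLAY_WINDOW and not (sa.replay_bitmap >> behind) & 1


def replay_update(sa, seq):
    """Mark seq as seen; called only after the ICV verified, never before."""
    if seq > sa.seq_top:
        shift = seq - sa.seq_top
        sa.replay_bitmap = ((sa.replay_bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.seq_top = seq
    else:
        sa.replay_bitmap |= 1 << (sa.seq_top - seq)


def inbound(frame, sad):
    """Link layer -> IP -> policy -> SA lookup -> anti-replay -> ICV -> strip ESP.
    Returns (verdict, payload); only 'PASS' payloads reach the network processor."""
    # 1. Link-layer processing: Ethernet II header, IPv4 ethertype only.
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "DROP:link", b""
    pkt = frame[14:]
    # 2. IP packet processing: header sanity, protocol and destination.
    ver_ihl, _, total_len, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl + 10 + ICV_LEN or len(pkt) < total_len:
        return "DROP:ip", b""
    # 3. Policy lookup: the demo policy is "traffic to the gateway must arrive as ESP".
    if dst != GATEWAY_IP or proto != ESP_PROTO:
        return "DROP:policy", b""
    # 4. Security association lookup by (destination address, SPI), then anti-replay.
    esp = pkt[ihl:total_len]
    spi, seq = struct.unpack("!II", esp[:8])
    sa = sad.get((dst, spi))
    if sa is None:
        return "DROP:no-sa", b""
    if not replay_check(sa, seq):
        return "DROP:replay", b""
    # 5. Authentication: constant-time compare of the truncated HMAC-SHA-256 ICV.
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return "DROP:icv", b""
    replay_update(sa, seq)
    # 6. Decapsulation: strip ESP header, padding and trailer (ESP-NULL, RFC 2410).
    pad_len = body[-2]      # body[-1] is the next-header byte (4 = IPv4 in tunnel mode)
    if pad_len > len(body) - 10:
        return "DROP:trailer", b""
    return "PASS", body[8:len(body) - 2 - pad_len]


def build_esp_frame(spi, seq, inner, key, dst=GATEWAY_IP, next_header=4):
    """Constructed sender side: ESP-NULL with HMAC-SHA-256-128 in an IPv4/Ethernet frame."""
    pad_len = (-(len(inner) + 2)) % 4                 # pad so pad-length/next-header end on 4 bytes
    body = struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
    body += bytes([pad_len, next_header])
    esp = body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64, ESP_PROTO, 0,
                     bytes([10, 0, 0, 2]), dst) + esp  # checksum left 0 in this model
    return bytes(6) + bytes(6) + b"\x08\x00" + ip     # zero MAC addresses suffice here


def demo_sad():
    """Constructed SAD with one SA; key and SPI are arbitrary demo values."""
    return {(GATEWAY_IP, 0x1000): SecurityAssociation(auth_key=bytes(range(32)))}


if __name__ == "__main__":
    sad = demo_sad()
    frame = build_esp_frame(0x1000, 1, b"inner IPv4 packet", bytes(range(32)))
    print(inbound(frame, sad))   # ('PASS', b'inner IPv4 packet')
    print(inbound(frame, sad))   # ('DROP:replay', b'')
```

Everything up to the `PASS` verdict is work the paper assigns to the in-line security processor; the network processor only receives the verified, decapsulated payload. Two ordering details matter in a real implementation as much as in this model: the replay window is consulted before the expensive ICV computation but only updated after the ICV verifies, so a forged packet with a high sequence number cannot advance the window, and the ICV comparison is constant-time.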
Figure 3 Example: Multi-Port Secure Server Blade
Hifn has again raised the level of security integration achieved on a single chip. The HIPP III 4300, 4350, 8300 and 8350 are the industry’s first true FlowThrough security processors and process the entire IPsec and IKE protocols in an in-line architecture. Hifn is the only vendor today that offers such a complete solution on a single chip.
This system-on-a-chip solution offers unprecedented price/performance value. This approach not only lowers the device cost, but also significantly lowers the system cost. The FlowThrough architecture is indeed a very significant leap forward in embedded security solutions.