MASON ECE 646 - Cryptographic Capabilities of Network Processors

This preview shows page 1-2-3-26-27-28 out of 28 pages.



Cryptographic Capabilities of Network Processors
By Uma Koppula, Ganeshprasad Maddipati, Tarun C. Nallabelli Jayakar and Usman Akhtar

Slide titles: Overview; Network Processor; ASIC VS NP; General NP architecture; Two paths Architecture; Parallel PEs, Pipeline PEs; Security Protocols; Need for IPSec; Where is IPSec used?; IPSec Modes; Security Implementations; Security Accelerator; Security Processor; HIFN 7956 Security Processor; Software Implementations; Stream Ciphers Instruction Mix; System-On-Chip; Observation - I; Platform choices; CONCLUSION

Overview
• Network Processor
• Security Protocols
• Security Co-processors
• Software Implementation
• System-On-Chip
• Observation
• Conclusion

Network Processor
• Definition: A programmable device with packet processing capability.

ASIC VS NP

| Features | Network Processors | ASICs |
|---|---|---|
| Speed | High | High |
| Programmability | Yes | No |
| Flexibility | Yes | No |

General NP architecture
[Figure. Courtesy: www.embedded.com]

Two paths Architecture
Parallel PEs, Pipeline PEs

Security Protocols
• IPsec
• SSL

Need for IPSec
Without encryption:
- Every message sent may be read by an unauthorized party (No Confidentiality).
- Transaction will be modified (No Integrity)
- IP spoofing (No Authentication)
Courtesy: www.cisco.com

Where is IPSec used?
IPSec provides security at network (Internet) layer.
- All IP datagrams covered.
- No re-engineering of applications.
- Transparent to users.
Transport Layer: Applications must be modified
Application Layer: No leveraging effect – every application must handle its own security.

IPSec Frames:
- Host-to-Host: An encrypted connection between two hosts
- Host-to-Network: Allows VPNs where remote users can log onto the local network with a secure connection.
- Network-to-Network/Router-to-Router: connects remote branch offices with the main network.

IPSec Modes

Transport
- only the IP payload is encrypted
- devices on the public network can see the final source and destination of the packet.
- attacker can perform some traffic analysis
- endpoint hosts must be IPSec-aware.
Packet layout: Orig IP Header | IPSec Header | TCP Header | Data

Tunnel
- The entire original IP datagram is encrypted, and it becomes the payload in a new IP packet
- protects against traffic analysis
- IPSec processing performed at security gateways on behalf of endpoint hosts.
Packet layout: New IP Header | AH or ESP Header | Orig IP Header | TCP | Data

SSL Protocol Stack
SSL SESSION
Courtesy: www.cisco.com

Security Implementations

Security Accelerator
• Implementation of IPsec using initial security accelerator.

Security Processor
Look-Aside, In-Line

HIFN 7956 Security Processor
Courtesy: www.hifn.com

| Product Name | How is it connected with NP | Algorithms implemented | IPSEC Speeds | Special Features |
|---|---|---|---|---|
| Hifn 7956 | Look Aside | 3DES, SHA1 | 307-523 Mbps | 70 Diffie-Hellman quick-mode connections per second (1024-bit). SSL performance: 84 RSA signatures. 24 Main + Quick Mode connections per second. |
| Cavium Nitrox II | Inline | DES/3DES, AES | 1 – 10 Gbps | 60K Diffie-Hellman (180 bit) ops & 10-40k RSA operations |
| Hifn 8350 | Inline | AES (CBC & CTR), DES/3DES | 2-4 Gbps | N/A |
| SafeNet Excel | Inline | AES, DES/3DES | 3.1 - 3.2 Gbps | SSL, TLS operations also at (2100 Ops) |

Software Implementations
"Optimization and benchmarking of cryptographic algorithms on network processors" By: Zhangxi Tan, Chuang Lin, Hao Yin and Bo Li
Courtesy: http://www.cs.ucr.edu/~bhuyan/papers/np1.pdf

Stream Ciphers Instruction Mix
Courtesy: http://www.cs.ucr.edu/~bhuyan/papers/np1.pdf

[Chart: Throughput for varying ME's. X axis: No. of ME's; Y axis: Throughput (Mbps); series: AES, DES, RC5, Blowfish, IDEA, RC4]

System-On-Chip
- Load Data in Input RAM
- Load Keys
- Issue Cipher command

Observation - I

| Level/Features | LOW (Home & Small offices) | MEDIUM (Small businesses) | HIGH (Large offices & Enterprises) |
|---|---|---|---|
| SECURITY | Basic Security | Good Security | Highest Security |
| Performance | Limited | High | Highest |
| IPsec bandwidth | 2 Mbps – 45 Mbps | 100 Mbps - 600 Mbps | 2 Gbps – 6 Gbps |
| Public key operation speeds | 10-100 Ops | 1000-10000 Ops | 10000-40000 Ops |

Platform choices
- Low End/IXP 4XX Product Line
- Mid Range/IXP2800
- High Range/IXP 2850

CONCLUSION
• The Cryptographic processing using network processors has traversed from using security accelerator in conjunction with NP through using coprocessors to implement it On

