MASON ECE 646 - Cryptographic Capabilities of Network Processors

This preview shows page 1-2-3 out of 9 pages.


Cryptographic Capabilities of Network Processors

Aparna Kasturi, Swethana Pagadala and Sheryl Pinto

Abstract— Network processors are programmable devices that process information packets at rates of 1 Gbit/s and above. Because the information exchanged over networks is sensitive, network processors need to incorporate security measures for the data being transferred. This report looks at the different schemes for adding cryptography to a network processor. It also examines two areas where network processors are used, Storage Area Networks and wireless networks, and the cryptographic capabilities and standards currently used in each.

Index Terms – Look-Aside Architecture, Polymorphic Ciphers, WEP, IPsec

1. INTRODUCTION

The bandwidth boom and the drop in the cost of bandwidth opened the internet to a wide variety of applications such as e-commerce, Voice over IP (VoIP), Virtual Private Networks, etc. Each application is associated with its own set of protocols and standards, and networks need equipment that can support these new protocols. Earlier, most networking functions above the physical layer were handled by software implementations on general purpose computers. To increase processing speed and keep up with the increased speeds of the internet, focus shifted to hardware implementations, namely ASICs. But rapid changes in the low layer protocols and the emergence of new higher layer applications gave these ASIC implementations a very short time in market. This led to the birth of network processors, which are Application Specific Instruction Processors (software programmable) with special circuitry to handle packet-processing functions.
As the internet came to be used in areas that require highly sensitive information to be transferred over the network, the need arose to integrate security as a component of the network processor. Security over a network means ensuring the availability of service, authenticating users and their transmitted data, protecting the confidentiality of the transaction and maintaining the integrity of the data being exchanged. Securing network traffic involves two main processes: protocol processing and cryptographic algorithm processing. Protocol processing includes the functions that are necessary for packet analysis and communication, such as TCP (Transmission Control Protocol), IP (Internet Protocol) and TLS (Transport Layer Security). Cryptographic algorithm processing includes the algorithms that operate on the entire payload in order to maintain confidentiality and integrity.

1.1 Security with Network Processors

There are three main ways to add security to a network processor.

Look Aside Architecture

The first is by means of a security co-processor used in conjunction with a network processor. A security co-processor is cryptographic accelerator hardware that performs the encryption and decryption of data and also offloads the key exchanges from the main processor. A diagram of the look aside architecture is shown below:

[Fig 1: Look Aside Architecture. Diagram labels: Network Processor / Traffic Manager, TM + SA Memory, Cryptographic Processor, Switch Fabric, OC-48 Quad Gigabit Ethernet Framer + PHY]

In the Look Aside architecture a greater burden is placed on the network processor. The security processor is simply hooked on to the network processor. In the case of network processors that provide IPsec output, the network processor has to handle many IPsec packet parsing tasks and security association lookups before handing the data over to the security co-processor.
Although the security processor offloads the computation-intensive processing of cryptographic algorithms from the network processor, the remaining IPsec protocol processing functions burden the network processor and slow down the output speed.

[Diagram labels: TM Memory, Network Processor, Switch Fabric, OC-48 Quad Gigabit Ethernet Framer + PHY, Security Processor, SA Memory]

Another drawback is that the packet data has to travel four times over the memory bus, which requires the bus between the network processor and the security co-processor to handle twice the line data rate. This approach is effective only at low throughput speeds of 20 – 300 Mbps. For higher performance systems, the sideband interfaces cannot handle the traffic volume needed for multi-gigabit rates. This results in the high speed cryptographic processor being underutilized. A solution to the above drawbacks is the flow through security architecture.

Flow Through Security Architecture

The FlowThrough Security Architecture was first designed by Hifn in response to the problems associated with look-aside architectures. In the IPsec FlowThrough Security Architecture, the security processor is located in the data path, inline with the network processor. The IPsec processing functions for inbound traffic are completed at line speed before the traffic reaches the network processor. The network processor performs no IPsec function other than handling exception conditions and configuring policy. This approach enables expanded security processor functionality, optimizes encryption performance, and minimizes overall system overhead. The flow-through architecture solves the performance problems of the look-aside architecture, but it requires the security processor to do many of the functions that the network processor is targeted for. Some of these tasks include reassembly of packets, protocol processing, and exception handling.
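Both architectures described above need the same IPsec front-end work on every inbound packet (header parsing, fragment detection for reassembly, security association lookup); they differ in which device performs it. The C function below is an added example of that step, not code from the report or from any vendor. The verdict names, the `sa_entry` layout, the SA table keyed on destination address and SPI, and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { PASS_CLEAR, TO_CRYPTO, NEED_REASSEMBLY, DROP_MALFORMED, DROP_NO_SA };
struct sa_entry { uint32_t dst_ip, spi; int sa_id; };   /* hypothetical SA table row */

/* Constructed sample: IPv4 (IHL 5, proto 50, dst 192.0.2.10) + ESP SPI 0x1001, seq 7 */
static const uint8_t sample_esp[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x32,0x00,0x00,
    0xc6,0x33,0x64,0x01, 0xc0,0x00,0x02,0x0a,
    0x00,0x00,0x10,0x01, 0x00,0x00,0x00,0x07 };
static const struct sa_entry sample_sad[] = { { 0xc000020aU, 0x1001U, 3 } };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify one inbound IPv4 packet. On TO_CRYPTO, *sa_id and *seq are set.
   Header checksum and anti-replay checks are outside this example. */
enum verdict classify(const uint8_t *pkt, size_t len,
                      const struct sa_entry *sad, size_t n_sa,
                      int *sa_id, uint32_t *seq)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return DROP_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return DROP_MALFORMED;
    if (pkt[9] != 50) return PASS_CLEAR;            /* IP protocol 50 = ESP */
    uint16_t frag = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (frag & 0x3fff) return NEED_REASSEMBLY;      /* MF set or offset != 0 */
    if (total - ihl < 8) return DROP_MALFORMED;     /* no room for SPI + sequence */
    uint32_t dst = be32(pkt + 16), spi = be32(pkt + ihl);
    for (size_t i = 0; i < n_sa; i++) {             /* linear scan for illustration */
        if (sad[i].dst_ip == dst && sad[i].spi == spi) {
            *sa_id = sad[i].sa_id;
            *seq = be32(pkt + ihl + 4);
            return TO_CRYPTO;                       /* hand payload to crypto engine */
        }
    }
    return DROP_NO_SA;
}

int main(void) {
    int id = -1; uint32_t seq = 0;
    enum verdict v = classify(sample_esp, sizeof sample_esp, sample_sad, 1, &id, &seq);
    printf("verdict=%d sa_id=%d seq=%u\n", (int)v, id, (unsigned)seq);
    return v == TO_CRYPTO ? 0 : 1;
}
```

Every branch that returns before `TO_CRYPTO` is work done without touching the cipher hardware, which is the part of the load that stays on the network processor in look-aside and moves to the security processor in flow-through.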
Fig 2 Flow Through Security Architecture

Some applications require that a security processor be sandwiched between two network processors. An example is an SSL proxy application, which requires the termination of a TCP connection, SSL processing and then the establishment of a new TCP connection. This leads to some duplication of processing capabilities between the network processor and the security processor. If the security functionality were included in the network processor, the same hardware architecture could serve multiple applications, which is very desirable.

On Chip Security

The latest endeavor in integrating security with a network processor is adding the cryptography functionality onto the same silicon as the network processor. This results in

