Multi-Protocol Engine with Classifier, Look-Aside, 5-10 Gbps
Overview
The Protocol-IP-196 Multi-Protocol Engine is a protocol-aware packet engine for accelerating IPSec, SSL/TLS, DTLS, 3GPP and MACsec up to 10 Gbps in multi-core application or communication processors offering a large selection of cipher algorithms. Designed for fast integration, maximum CPU offload and offering full transforms, it provides a reliable and cost-effective embedded IP solution that is easy to integrate into multi-core SoC designs. The Multi-Protocol Engine is pre-integrated with the DPDK, Linaro ODP and Linux crypto APIs. Therefore, this IP is designed for seamless integration of network security processing in systems, with its AMBA bus interfaces as well as these public APIs.
Key Features
- IPsec classification:
- IPsec-ESP header parsing to look-up a flow
- Fetch flow and corresponding transform record based ?on lookup result
- Update flow statistics
- Update transform statistics
- Support for IPv4 and IPv6
- IPsec transformation (IPv4 and IPv6):
- Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4304, 4308, 4309, 4543, 4835, 4868, 4869, 6054,6379, 7321, 7539, 7634 and 8221)
- IPsec ESP and AH tunnel & transport mode
- Autonomous IPsec ESP packet classification and security association selection (both inbound and outbound)?
- Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets
- Full sequence number processing, including ESN and full anti-replay check with various mask sizes
- Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets
- Append (outbound) / strip and verify (inbound) padding up to 255 bytes
- SSL3.0 / TLS1.0 / TSL1.1 / TLS1.2 / TLS1.3 / DTLS1.0 / DTLS1.2:
- Full single pass packet transforms according to latest RFCs (2246, 4346, 4347, 5246, 5288, 5289, 6101, 6347, 6460, 6655, 7539, 7905 and 8446)
- Full header processing:
- Insert header for outbound packets
- Strip and verify header for inbound packets
- Anti-replay check
- Trailer processing:
- Insert padding up to 255 bytes for outbound packets
- Strip and verify padding up to 255 bytes for inbound packets
- Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets
- MACsec
- MACsec frame transforms according to IEEE 802.1AE standards
- SecTAG insertion and removal
- PN insertion, removal and verification
- ICV generation, insertion, removal and verification
- SRTP packet transforms according to RFC3711:
- SRTP packet transforms according to RFC3711
- ROC insertion and removal
- MKI insertion and removal
- TAG generation and insertion
- 3GPP Wireless Algorithms
- SA -Manager
- Embedded SA cache [Inserted Bullet]
- Optimized Security Association format
- Supports unlimited number of security associations
- The cryptographic engine supports the following cryptographic algorithms:
- (3)DES in ECB and CBC with (3x) 56-bit key
- AES in ECB, CBC, ICM, CTR mode with 128/192/256-bit keys, GCM, GMAC and CCM modes, optional AES-XTS
- Optional ChaCha20, SM4, ARIA [Inserted Bullet]
- Optional ARC4 in stateful and stateless mode, up to 128-bit key
- Kasumi in basic and f8 mode (UEA1)
- SNOW3G in basic and 128-EEA1 mode(UEA2)
- ZUC in basic and 128-EEA3 mode (UEA3)
- The hash engine supports the following algorithms:
- SHA-1, SHA-2-224/256, MD5
- Optional SHA-2-384/512, SHA-3 224/256/384/512
- HMAC transforms for SHA-1, SHA-2, MD5
- Optional SM3, Poly1305
- SSL-MAC transforms for SHA-1, MD5
- AES-CCM, AES-XCBC-MAC, AES-CBC-MAC-PRF
- GHASH, GCM, AES-GCM and AES-GMAC
- CRC32
- Kasumi in f9 mode (UIA1)
- SNOW3G in basic and 128-EIA1 mode(UIA2)
- ZUC in basic and 128-EIA3 mode (UIA3)
- The host interface with DMA controller supports:
- Multiple descriptor rings with individual access for ?multiprocessor support
- Scatter/gather processing
- Automatic arbitration and bus flow control
- Supports big and little endian host systems
- Decouples packet engine from system bus interface
- Master and slave interface:
- Master/slave interface: AXI/AXI or AXI/APB
- Input and output buffers decouple packet engine from system bus interface
- Convenient SW debug interface including halt mode
- Clock switching interface for low power consumption
- Virtualization
Benefits
- Silicon-proven implementation
- Fast and easy to integrate into SoCs
- Flexible layered design
- Complete range of configurations
- World-class technical support
- Driver development kit
- Full virtualization, key separation at application and CPU level
- Embedded cache
- AMBA interfaces
- FIPS-compliant DRBG
Block Diagram
Applications
- SSL
- TLS
- DLTS
- IPsec
- Communication protocols
Technical Specifications
Foundry, Node
Any
Maturity
Silicon Proven
Availability
Now
TSMC
Silicon Proven:
7nm
,
16nm
,
28nm
,
40nm
G
Related IPs
- Multi-Protocol Crypto Packet Engine, Low Power, Bus Attached
- In-line Multi-Protocol Cipher Engine
- Multi-Protocol Crypto Engine
- Multi-Protocol Crypto Engine with Classification
- High-performance 32-bit multi-core processor with AI acceleration engine
- High-performance 64-bit RISC-V architecture multi-core processor with AI vector acceleration engine