
Discretix IPSec Accelerator

Discretix IPSec Accelerator (DxIPSA) offers a wide range of solutions for the acceleration of both cryptographic and protocol-related IPSec operations. DxIPSA is a robust embedded security solution for semiconductor designers, guaranteeing quick time-to-market, and significantly decreasing design and engineering costs.

Market Needs

Today’s networks are the backbone of an increasingly connected world, transporting high-definition content, rich multimedia services and sensitive corporate information. Faced with ever-increasing bandwidth requirements, SoC designers must expand network throughput while maintaining robust security. The traditional approach to securing network traffic used symmetric hardware cryptographic cores to accelerate data processing, while the sequencing of cores – required by the protocol – was performed by the host processor. DxIPSA addresses the requirements of broadband networks with a high-performance, integrated IPSec acceleration engine that supports a wide range of algorithms and protocol-related operations. DxIPSA provides enhanced processor off-loading by adding dedicated hardware to perform core sequencing and protocol-related operations.

Technical Overview

Via a slave interface, the host processor defines which packets should be processed by DxIPSA. In order to minimize processor intervention, the number of aggregated and processed packets is configurable.

The DxIPSA obtains the relevant Security Association (SA) parameters per packet from the Security Association Database (SAD), via a DMA master port [1]. The DxIPSA then initializes a processing unit to handle the packet. The processing unit streams the packet (using a DMA master port) through the required cryptographic engines, adds or removes the required header and trailer, and sends it to a configured location in memory. Local packet memory is not required.

The DxIPSA engine can have between 1 and 8 internal processing units, all of which are identical and capable of processing inbound or outbound IP traffic.


DxIPSA Engine - Potential Connection Schemes



[1] With the exception of IPSA-2x, where SAD parameters are written to the IPSA by the Host processor.


Block Diagram

Technical Capabilities

Adheres to RFC-4301/2/3/8 and RFC-4835
IPv4 and IPv6 (optional) support
Automatic processing of ESP header and trailer
Cryptographic acceleration for AH
Supports Transport and Tunnel modes with configurable number of processing units for a wide range of throughputs
Supports encryption algorithms: AES ECB/CBC/CTR
Supports authentication algorithms: HMAC MD-5/SHA1, AES-XCBC-MAC
Optional support for combined mode algorithms: AES CCM and AES GCM
Supports 192-bit and 256-bit AES keys (optional)
Optional support for TDES, HMAC SHA2 (all lengths)
ESN and Anti-Replay support per SA, including overflow detection (optional)
Auditable events log (optional)
Traffic Flow Confidentiality (TFC) support per SA for both transmitter and receiver - dummy packets and padding (optional)
All cryptographic functions based on FIPS validated algorithms
Synthesizable up to 200MHz

