Got a Byte?

Reeling in system-on-a-chip processing helps solve VPN performance problems

Unauthorized access to networks has increased within the past few years, replacing DoS as the second-most significant contributor to computer crime losses, according to the Computer Security Institute and FBI. Theft of proprietary information also showed a significant increase in average loss per respondent. Both threats can be addressed with virtual private network (VPN) technology to protect data transmissions and access to proprietary data assets. As a result, the market for remote access and site-to-site VPN technologies to secure data transmissions over potentially unsafe networks has grown significantly over the past 10 years.

Data protection on the network has three fundamental requirements: confidentiality, integrity, and authentication and authorization. Identities need to be protected to make sure information is only exchanged between the intended parties, and information or a service is only available to a user if that person has the appropriate rights to access the information or use the service.

To meet requirements for secure data communication, organizations deploy a wide range of security measures within networks. Typical network appliances that require strong security include enterprise switch and router products, networked office automation solutions and printers and storage area networking devices (iSCSI, FC-SP).

With the rise of real-time, data-intensive applications, such as VoIP and streaming video, VPN security technologies, such as IPsec and SSL, have become bottlenecks to the overall performance of business applications.

Security in Silicon
VPN security systems rely on cryptography to ensure confidentiality, authentication and data integrity of communications over potentially unsafe networks. Encryption is the foundation for security protocols such as Internet protocol security (IPsec), secure sockets layer (SSL) and secure multi-protocol label switching (MPLS).

Various cryptographic algorithms have been developed to address the increasing demand for security. Hashing algorithms, such as SHA-256, help preserve data integrity and are used for digital signatures. Public-key cryptography is mainly used for key generation, exchange, key confidentiality, signing and signature verification. Symmetric crypto algorithms are mainly used for data confidentiality.

Because of their complexity, cryptographic security algorithms are generally computation-intensive. Symmetric encryption and decryption algorithms like DES and Triple-DES require many bit-manipulating operations. Traditional security system designs using cryptographic software running on a general-purpose processor are often inefficient at performing these operations. The many instructions needed to calculate cryptographic operations simply overwhelm today's CPUs, adversely affecting overall system performance and scalability, and making software-based cryptography an unsuitable option for high-performance security processing.

The more effective alternative to software is dedicated cryptographic hardware acceleration in silicon. Dedicated hardware allows for efficient, high-performance implementations of cryptographic operations because the hardware logic is designed specifically to perform cryptographic algorithms, greatly outperforming software. While a general-purpose CPU requires many instructions to execute a software-based crypto operation, dedicated hardware crypto implementations offload processing to silicon cells designed to perform only cryptographic operations, greatly improving performance. The efficiency of dedicated hardware also brings the advantage of reduced power consumption compared to software-based crypto.

Another benefit of hardware implementations is reduced vulnerability to security threats. While it may not be very difficult to alter security software running on a general-purpose CPU, it is far more complex and expensive to tamper with a cryptographic security engine embedded in a chip.

Small-Packet Challenge
While IPsec security processing of large IP packets (1,500 bytes) has been accelerated to multi-Gigabit performance in many VPN systems, achieving the same performance levels for small packets (64 bytes) has proven to be a challenge. Because the percentage of overhead data and associated packet processing is much higher for a given data stream of small packets than it is for large packets, the performance of small-packet security processing has been a problem for security system designers. And throwing massive computing power at the problem is often not a cost-effective solution.

The architectural bottleneck to higher performance comes from the fact that each packet needs to be processed by a general-purpose CPU before and after it gets offloaded for security processing to the embedded security accelerator. For small packets, this CPU processing burden is higher compared to larger packets. The situation is becoming increasingly critical with the rise of small packets in data traffic, mostly driven by real-time applications such as VoIP.
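The following Python model is an added example, not part of the article, that puts numbers on the two points made above: how little time a per-packet CPU stage has at Gigabit rates when packets are small, and how much of each small packet is IPsec overhead rather than data. It assumes standard Ethernet framing costs and ESP tunnel-mode field sizes for AES-CBC with HMAC-SHA1-96 (RFC 4303), treats the article's 64- and 1,500-byte figures as IP packet lengths, and uses a 1 Gbps link; all of these are the example's assumptions.

```python
"""Per-packet CPU budget and ESP overhead versus packet size.

Added example (not from the article). Field sizes are standard Ethernet
and ESP tunnel-mode values; the 1 Gbps line rate and the 64- and
1,500-byte packet sizes are the article's figures, treated here as IP
packet lengths (an assumption of this example).
"""

# Ethernet cost per frame on the wire, in bytes.
ETH_PREAMBLE_IFG = 20   # 7 preamble + 1 SFD + 12 inter-frame gap
ETH_HEADER = 14
ETH_FCS = 4

# ESP tunnel-mode fields, in bytes (AES-CBC, HMAC-SHA1-96).
OUTER_IP = 20
ESP_HEADER = 8          # SPI + sequence number
ESP_IV = 16             # AES-CBC initialisation vector
ESP_TRAILER = 2         # pad length + next header
ESP_ICV = 12            # truncated HMAC integrity check value
CBC_BLOCK = 16          # inner packet + trailer are padded to this


def esp_tunnel_size(inner_ip_len: int) -> int:
    """Size of the outer IP packet after ESP tunnel encapsulation."""
    encrypted = inner_ip_len + ESP_TRAILER
    padded = -(-encrypted // CBC_BLOCK) * CBC_BLOCK   # round up to a cipher block
    return OUTER_IP + ESP_HEADER + ESP_IV + padded + ESP_ICV


def overhead_fraction(inner_ip_len: int) -> float:
    """Share of the encapsulated packet that is IP/ESP overhead, not the original packet."""
    total = esp_tunnel_size(inner_ip_len)
    return (total - inner_ip_len) / total


def packets_per_second(line_rate_bps: float, ip_len: int) -> float:
    """Arrival rate when back-to-back frames carrying this IP length saturate the link."""
    wire_bits = (ETH_PREAMBLE_IFG + ETH_HEADER + ip_len + ETH_FCS) * 8
    return line_rate_bps / wire_bits


def cpu_budget_ns(line_rate_bps: float, ip_len: int) -> float:
    """Time a per-packet CPU stage may spend on each packet without falling behind."""
    return 1e9 / packets_per_second(line_rate_bps, ip_len)


def compare(line_rate_bps: float, sizes=(64, 1500)) -> dict:
    """Collect all figures for each packet size, keyed by IP length."""
    return {
        n: {
            "pps": packets_per_second(line_rate_bps, n),
            "budget_ns": cpu_budget_ns(line_rate_bps, n),
            "esp_size": esp_tunnel_size(n),
            "overhead": overhead_fraction(n),
        }
        for n in sizes
    }


if __name__ == "__main__":
    for n, r in compare(1e9).items():
        print(f"{n:5d}-byte IP packet: {r['pps']:>12,.0f} pkt/s, "
              f"{r['budget_ns']:>8,.0f} ns per packet, "
              f"ESP size {r['esp_size']} B, overhead {r['overhead']:.1%}")
```

At 1 Gbps the model gives roughly fifteen times as many 64-byte packets per second as 1,500-byte packets, so a CPU stage that touches every packet has well under a microsecond per packet, and more than half of each encapsulated 64-byte packet is overhead, against under 5 percent for 1,500-byte packets.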

In traditional VPN security architectures, hardware acceleration is usually limited to dedicated modules/security processors that perform cryptographic security processing under full control of an embedded, general-purpose CPU. In these architectures, the general-purpose processor still needs to process each IP packet.

Especially at high data rates and for small packet sizes, the approach creates a significant burden on the processor, resulting in an overall throughput bottleneck.

Inline Security Processing
The latest development in security processing, and an excellent solution for the small-packet performance challenge, is a security architecture that completely and autonomously processes packets inline, offloading security processing from the CPU. In contrast to previous "look-aside" security architectures, inline security processing eliminates any data plane processing interaction with the general-purpose CPU core (e.g. packet classification, filtering and flow processing) and delegates all security functions to the dedicated, inline security system. Unlike traditional security-enabled communications processors and dual-chip solutions (dedicated CPU and security coprocessor), in the inline security architecture the CPU is not involved in processing packets that belong to an existing data flow (a connection using the same protocol, addressing and source). This allows the embedded CPU to dedicate its cycles to control plane VPN functions only, such as flow setup, flow destruction and potential higher-level data plane processing tasks.

The result is superior data rates across packet sizes and a significant reduction of general-purpose processor utilization for security functions.

Data Plane Offloading
To overcome the bottleneck, inline security systems implement the complete data plane functionality into a dedicated, efficient system-on-a-chip hardware system -- the Inline Security Engine. The Inline Security Engine's value lies in its capability to maximize data plane offloading from a host processor to dedicated inline security hardware.

As a key element of the Inline Security Engine, packet classification and flow processor modules ensure time-consuming packet-by-packet security processing is fully offloaded from the host processor along with any cryptographic processing implemented by the Inline Packet Engine module.

These classifier, flow processor and packet engine microengines operate in parallel configurations, allowing complex security operations to be performed on the packet and administration data at the highest speeds, making the inline security system more efficient than any general-purpose processor-based, look-aside system. With the engine, the general-purpose processor is not involved in processing packets that belong to an existing data flow. This allows the processor to dedicate its cycles to data flow setups and other processing tasks. The result is a high-performance security solution that delivers Gigabit-rate processing.

For every packet, classifiers and flow processors perform a sanity check, deciding how the packet needs to be processed (either by the host processor or by the packet engine) or whether it needs to be discarded (filtering). Then the engines take care of the associated administration tasks, such as transforms and flow information updates. In the system, the packet classifiers and flow processors autonomously instruct the engine as to which operation needs to be performed on the packet.

The Inline Security Engine implements various data manipulation functions on incoming data as instructed by the packet classifier and flow processor, including data insertion, data removal, data replacement, data retrieval, and crypto, hash and checksum operations. In order to achieve Gigabit-rate throughputs, the engine uses a three-stage processing pipeline.
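The following Python simulation is an added example, not code from the article or from any vendor's engine. It models the division of labour described in the last few paragraphs: a classifier and flow processor run a sanity check and a flow-table lookup on every packet, packets on a known flow are transformed by the packet engine without the host's involvement, packets on an unknown flow are punted to the host once for control-plane flow setup, and packets that fail filtering or policy are discarded. The transform is a deliberate simplification (an inserted sequence number plus a truncated HMAC-SHA-256 integrity check value; real ESP also encrypts), and the addresses, keys, policy table and traffic are all constructed for the example.

```python
"""Inline security engine data plane, simulated (added example, not the
article's or any vendor's code). Transform = sequence number + truncated
HMAC-SHA-256 ICV, an integrity-only simplification. All keys, addresses
and traffic are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

ICV_LEN = 16          # truncated ICV length, constructed choice
PROTECTED = {6, 17}   # TCP and UDP pass the sanity check; others are filtered


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes


@dataclass
class Flow:
    icv_key: bytes
    seq: int = 0


@dataclass
class Counters:
    host: int = 0      # packets that needed the host CPU (flow setup)
    engine: int = 0    # packets transformed entirely in the engine
    dropped: int = 0   # packets discarded by filtering or policy


class InlineSecurityEngine:
    def __init__(self, policy, key_material):
        self.policy = policy              # flow key -> True (protect) / False (deny)
        self.key_material = key_material  # host-side SA database: flow key -> ICV key
        self.flows = {}                   # flow table owned by the flow processor
        self.counters = Counters()

    @staticmethod
    def classify(pkt):
        """Stage 1: derive the flow key (same protocol, addressing and source)."""
        return (pkt.src, pkt.dst, pkt.proto)

    @staticmethod
    def sanity_check(pkt):
        """Stage 2: cheap filtering before any flow lookup."""
        return pkt.proto in PROTECTED and 0 < len(pkt.payload) <= 1500

    def host_setup(self, key):
        """Control plane: the only path that costs host CPU cycles."""
        self.counters.host += 1
        if not self.policy.get(key, False):
            return None
        flow = Flow(self.key_material[key])
        self.flows[key] = flow
        return flow

    @staticmethod
    def packet_engine(flow, pkt):
        """Stage 3: data manipulation (insert sequence number, append ICV)."""
        flow.seq += 1
        body = flow.seq.to_bytes(4, "big") + pkt.payload
        icv = hmac.new(flow.icv_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv

    def process(self, pkt):
        """Run one packet through the pipeline; returns the protected packet or None."""
        if not self.sanity_check(pkt):
            self.counters.dropped += 1
            return None
        key = self.classify(pkt)
        flow = self.flows.get(key) or self.host_setup(key)
        if flow is None:
            self.counters.dropped += 1
            return None
        self.counters.engine += 1
        return self.packet_engine(flow, pkt)


def verify(icv_key, protected):
    """Receiver-side ICV check, compared in constant time."""
    body, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    expected = hmac.new(icv_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def run_demo():
    """Constructed traffic: two permitted flows, one denied flow, one ICMP packet."""
    a = ("10.0.0.1", "10.0.1.1", 6)
    b = ("10.0.0.2", "10.0.1.1", 17)
    c = ("10.0.0.9", "10.0.1.1", 6)
    eng = InlineSecurityEngine({a: True, b: True, c: False},
                               {a: b"key-a" * 4, b: b"key-b" * 4})
    traffic = ([Packet(*a, b"voice%02d" % i) for i in range(10)]
               + [Packet(*b, b"data%02d" % i) for i in range(5)]
               + [Packet(*c, b"unknown flow")]
               + [Packet("10.0.0.1", "10.0.1.1", 1, b"ping")])
    out = [eng.process(p) for p in traffic]
    return eng, out


if __name__ == "__main__":
    eng, out = run_demo()
    print(f"host {eng.counters.host}, engine {eng.counters.engine}, "
          f"dropped {eng.counters.dropped}, flows {len(eng.flows)}")
```

Running the demo shows the point of the architecture: of 17 packets, the host is touched only three times (two flow setups and one policy rejection), 15 packets are transformed entirely in the engine, and the ICMP packet never reaches the flow table. The receiver-side check demonstrates that the ICV binds both the sequence number and the payload under the flow's key.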

Inline security processing takes a step beyond traditional security architectures by deploying dedicated security hardware for full data-plane packet classification, filtering and flow processing for every packet. The result is superior data rates across all packet sizes and a reduction of general-purpose processor use for VPN security functions. Its performance for small packets makes the engine an ideal solution for securing real-time, high data rate Internet applications over IPsec VPNs.

This article originally appeared in the December 2006 issue of Security Products, pgs. 44-46.
