A Scalable Architecture for IP Security (IPsec) Hardware Accelerator

Bibliographic Details
Main Authors: Chia-Yen Hsieh, 謝佳燕
Other Authors: Cheng-Wen Wu
Format: Others
Language: en_US
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/92696944667950081729
Description
Summary: Master's === National Tsing Hua University === Department of Electrical Engineering === 93 === With the rapid growth of Internet and wireless communication applications, the security of information transmitted over public networks has become a fundamental issue. The Internet Protocol Security (IPsec) standard was developed by the Internet Engineering Task Force (IETF) to provide security services at the IP layer. IPsec implemented in software is not sufficient to handle the enormous traffic generated by modern network applications. In this thesis, we propose three scalable architectures for IPsec that support the Encapsulating Security Payload (ESP) protocol in tunnel mode. In addition, an evaluation method is provided for the proposed architectures, including the AMBA-based and non-bus-based interconnection methods. The IPsec processor is implemented with a core-based design methodology. The cryptographic algorithms supported in our design are AES-ECB, AES-CBC, HMAC-MD5 and HMAC-SHA-1. The proposed architecture can process more than one packet in parallel using only one copy of the protocol processing hardware with 10 crypto-engines (5 AES and 5 HMAC engines). If more than 10 crypto-engines are required for a high-speed network, another copy of the IPsec processor must be implemented. The proposed architecture is platform-based and scalable, providing a tradeoff between performance and cost for a wide range of network applications. Broadcom BCM5841 is a scalable architecture for IPsec. The design details of the BCM5841 are not revealed in its white paper. We apply our design to the architecture of the BCM5841 and compare its cost and performance with those of the proposed architecture. The performance is the same for the two architectures, but the area of the proposed architecture is less than that of the BCM5841. The usage of crypto-engines is flexible in the proposed architecture with the AMBA-based interconnection method.
Moreover, the utilization of crypto-engines in the proposed architecture is better when the IP traffic requires the entire security service of either encryption or authentication, but not both. Based on the analysis results, we give an example implemented with 2 AES and 2 HMAC engines. The total gate count is about 266 K gates. The maximum system throughput is 1.1 Gbps for 1,400-byte IP packets, with ESP processing using the AES-CBC mode and a 128-bit key. In the worst case, the average system throughput is 356 Mbps, where the IP packets are processed using the AES-CBC mode with a 256-bit key and the HMAC-SHA-1 mode with a 256-bit key.