FPGAs: Embedded Apps : FPGAs adapt security functions in security blade design

As networking makes greater strides, the need for security becomes increasingly paramount. However, even with rapid advances in networking technology, security lags behind and in most instances, is only assigned to virtual private networks (VPNs) and firewalls. OEMs generally don't design security into switches, most of the routers, storage area networks (SANs) and servers, largely due to cost restrictions imposed by inordinately expensive ASIC design cycles.

But thanks to the design benefits FPGAs provide — especially the new higher speed versions — network system designers can cost-effectively deploy security in these other network equipments. FPGAs are the linchpin for design flexibility and functional upgrading of such features as fault-tolerance, IPSec protocols and system interface issues. Plus, FPGAs hand network system designers the critical robustness for adapting different security functions and the ability to easily add new and different ones as security technologies advance.

For example, in a security blade or subsystem design, the security processor handles public and private key algorithm processing, while a single FPGA performs algorithm exception handling, datapath protocol transform, interface bandwidth match, fault tolerance handling, and packet and byte count.

Standard encryption/decryption and authentication algorithms such as RC-4, Data Encryption Standard (DES), TripleDES, Message Digest-5 (MD-5), and Secure Hash Algorithm-1 (SHA-1) are used in worldwide network security systems. However, there are also proprietary algorithms that are defined for specific transactions, especially for government operations in certain countries. And, these must be accounted for as well in a security subsystem. With an FPGA in the security subsystem, the central control logic is able to classify non-standard algorithms and generate exception calls to the host. The host microprocessor takes over the algorithm acceleration process immediately.

Design complexity and bandwidth demand are two major issues in today's network system design camps. The system interfaces of a network processor, switch fabric, and security processor are on different data planes and have different protocol specifications. To reduce the design complexity involved in matching these different interfaces, the designer can rely on an FPGA as the perfect device that can efficiently convert interface protocols from both sides.

For instance, the fast datapath from a network processor is a cell-based Utopia-like interface that needs to hook up a packet-based streaming interface on the security processor's datapath. On ingress data flow, FIFOs in the FPGA hold inbound data cells from the host and re-assemble them as a data packet for the security processor. Meanwhile, on egress data flow, FIFOs in the FPGA do the reverse process. Data from security processor is transformed from a packet to the cell. Therefore, various interfaces can be handled by simply re-programming the FPGA without modifying the system configuration or designing the same functionality on a costly and time-consuming ASIC.

Similar to protocol mismatches, there are also fast datapath interface mismatches, especially in the areas of speed and bandwidth. FIFOs in the FPGA definitely play a key role for making data to flow through smoothly. The depth of the FIFOs level can match two different speed interfaces and the width of the FIFOs' size can match the different bus widths. At times, FIFOs can be implemented twice as large as the external bus width to reduce the internal clock speed.

Lost data

Fault tolerance is becoming more important in a network system, particularly in security subsyste ms. The reason is the possibility exists for a security session to break during transmitting and receiving, which in turn may damage the security mechanism, thus causing security data to be lost. With an FPGA implementation, the central control logic performs the tag insertion on ingress data packets and decoding on egress data packets from the security processor. In this instance, the designer has a variety of options for implementing fault tolerance. Such designs depend on the system architecture and data flow control on the data plane and protocol stack control on the control plane.

Many network system OEMs would like to have better quality of service (QoS) support in their network security systems. The efficient way to implement it is to have accurate statistical data for flow control. Since the FPGA sits on the fast datapath, all security traffic passes through this device. This scheme affords the FPGA the opportunity to analyze the traffic flow and provide the accurate statistical data to the host. The most common requirement is the packet or byte count of the flow through data. A state machine implemented in the FPGA can do the job by sampling Start-Of-Packet (SOP) and End-Of-Packet (EOP) signals and decoding the packet length field from the packet header. With this statistical data, the host system provides better QoS management service.

Designers can also take advantage of FPGA implementation to handle sophisticated functions, such as stateful protocol processing and load balancing. The FPGA has to provide on-chip memory and processor to accomplish these tasks. However, firmware support is important in this kind of architecture. The whole system development is getting more complicated.

This FPGA-based design is at the heart of a security blade that provides a complete hardware and software solution at high scalability-performance OC-12 to OC-192 throughput for Internet Protocol Security (IPSec) and Secure Socket Layer (SSL) processing in a network system, for example, the sec urity blade resides on a server's PCI slots.

The blade connects to the host system's control plane via 100Base-T and host system's data plane via Gigabit Ethernet on routers. Also, this blade can be a service module by connecting to the switch fabric in host systems. Overall, the blade concept reduces the system design cycle and provides security features to existing networking infrastructure equipments.