Cut Network Security Costs in Half
Using the Intel® EP80579 Integrated Processor for entry- to mid-level VPN
Network threats require enhanced security for access control, user authentication, and attack protection, and these concerns demand a leap in performance, particularly VPN performance. VPN performance is critical, yet many medium-sized businesses have typically been priced out of VPN acceleration, resulting in compromised features and performance. To address this, a new breed of platforms based on the new Intel® EP80579 Integrated Processor delivers untouchable performance for less than half the price of previous platforms. With as much as 1600 Mbps of VPN throughput, they deliver a “no-compromises” approach to security for medium-sized businesses.

This article presents a technology overview of the Intel EP80579 processor-based Network Application Platform design, a comparison with previous solutions, and a review of packet processing acceleration methodologies and their usage on the Intel® EP80579 platform.

Intel® EP80579 processor-based Platform vs. 4-chip Solution

Previously, most entry- to mid-range network application platforms used a 4-chip solution. For example, Advantech’s FWA-3700:
Typical IPsec VPN throughput is 200 Mbps, using 256-byte packets and 2048 IPsec VPN tunnels. However, the CPU operates at 100% capacity with CPU power consumption as high as 31W. Intel® EP80579 Integrated Processor with Intel® QuickAssist Technology replaces all three chips plus the accelerator card with one System-on-Chip (SoC), providing:
Advantech’s new Intel® EP80579 Integrated Processor-based FWA-3240 platform illustrates these advantages. Initial results yield 1600 Mbps IPsec VPN throughput with as little as 10% CPU utilization, a power reduction of almost 20%, and a decrease in board size of nearly 45 percent. OEMs can forgo specialized co-processors and dedicated security hardware while remaining cost-effective (up to 50% reduction) and extremely power-efficient.

Intel® EP80579 Architecture Overview

The Intel® EP80579 Integrated Processor is an integrated SoC processor with memory and I/O controllers. It uses Intel® QuickAssist Technology to provide cryptographic acceleration and packet processing, is priced $54 to $95, and has a thermal design power rating (TDP) of 13 to 21 W. It has four main components:
Other AOIC components:
Acceleration Models

Look-aside Model: Every packet goes directly from the Gigabit Ethernet MAC to the IA core with little or no acceleration. Once the IA core receives packets, it sends them to the SSU for cryptographic processing. Crypto functions include encryption, decryption, and authentication support for symmetric (bulk) and asymmetric (public/private key) algorithms. The IA core invokes these functions through an API with algorithm chaining support, whereby a single API call carries out one cipher and one hash (in either order), reducing the number of function calls and the associated latency. The model is easy to implement, though the lack of packet acceleration limits it to the low end of the SMB market. Many vendors already use PCI-based crypto accelerator devices that rely on the look-aside model; these are easily replaceable with the integrated security acceleration features of the Intel EP80579 Integrated Processor.

Fast Path Model: Packets are processed entirely in the “fast path” (ASU), without ever being sent to the IA core, which allows scaling up to gigabit-per-second line rates. One Gigabit port connects to the external network and the other to the internal network. An IPsec acceleration engine running on the ASU sits between the ports and works with the crypto engine (SSU). It encrypts external outbound packets and decrypts internal inbound packets on IPsec VPN tunnels. Internet key exchange (IKE) is performed by the IA core, using the look-aside model to accelerate public key cryptography. IKE is a relatively low-frequency event, so it does not significantly impact scalability.

Inline Model: Packets are sent to the IA core after an accelerator performs some amount of packet, cryptographic, or other accelerated processing (e.g., termination of an SSL-encrypted TCP stream on the host). Accelerators handle TCP, SSL record, and cryptographic processing (encryption/decryption and authentication), and send plaintext to the host. Processing cycles are offloaded from the OS stack, freeing up the IA core for other tasks. The TCP/SSL engine implements TCP termination on the fast path. Denial-of-service (DoS) attack prevention mechanisms include the use of SYN cookies to prevent TCP SYN flood attacks. The engine also provides a complete fast path implementation of SSL record processing. The SSL handshake is implemented on the IA core and uses look-aside to accelerate cryptographic functions. Using the TCP/SSL engine, applications implement transparent inline acceleration of an SSL VPN.

Combining the Models

Real-world applications combine models through policy creation and matching classifiers:
Regardless of model, cryptographic operation is accelerated using the Look-aside Crypto API.

Conclusion

The Intel EP80579 Integrated Processor delivers performance without sacrificing programmability, providing enough CPU margin to respond to dynamic threats while offering the capacity for additional value-added software services. Medium-sized businesses can benefit from VPN acceleration without having to compromise on features and performance. Compared to past solutions, the processor offers dramatic improvements in cost, power, and board space, while offering major advances in throughput and headroom. With all of these advantages, the Intel EP80579 Integrated Processor is set to revolutionize the network appliance market.

Refs: Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology Programmer’s Guide.
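
The SYN cookie defence mentioned under the Inline Model, sketched as an added example (not Intel's or Advantech's code, and not the TCP/SSL engine's implementation): the server encodes the handshake state into the SYN-ACK sequence number and allocates nothing until a valid ACK returns. The 5/3/24-bit layout, the MSS table, the 64-second slot and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # constructed table; the index must fit in 3 bits
SLOT_SECONDS = 64                    # assumed time-slot length for the 5-bit counter


def _cookie(secret, src, sport, dst, dport, client_isn, mss_idx, slot):
    """Pack slot (5 bits), MSS index (3 bits) and a 24-bit MAC into a 32-bit ISN."""
    msg = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack(
        "!HHIBI", sport, dport, client_isn, mss_idx, slot)
    mac24 = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return ((slot & 0x1F) << 27) | (mss_idx << 24) | mac24


def make_cookie(secret, src, sport, dst, dport, client_isn, mss, now):
    """Sequence number for the SYN-ACK; no per-connection state is stored."""
    # Round the client's MSS down to the largest table entry that fits.
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return _cookie(secret, src, sport, dst, dport, client_isn, idx,
                   int(now) // SLOT_SECONDS)


def check_ack(secret, src, sport, dst, dport, seq, ack, now, max_age_slots=2):
    """Validate the handshake-completing ACK; return the agreed MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF      # the client acknowledges cookie + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # the client's SYN used seq - 1
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    slot_now = int(now) // SLOT_SECONDS
    # Accept only cookies minted in the current or the previous time slot.
    for slot in range(slot_now, max(slot_now - max_age_slots, -1), -1):
        expected = _cookie(secret, src, sport, dst, dport, client_isn, idx, slot)
        if hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", cookie)):
            return MSS_TABLE[idx]  # only now would connection state be allocated
    return None


if __name__ == "__main__":
    key = b"constructed-demo-secret"  # constructed sample values throughout
    c = make_cookie(key, "198.51.100.7", 40000, "203.0.113.1", 443, 1000, 1460, 1_000_000)
    print(check_ack(key, "198.51.100.7", 40000, "203.0.113.1", 443, 1001, c + 1, 1_000_030))
```

A spoofed SYN costs the server one MAC computation and no memory, which is why a flood of them cannot exhaust a connection table.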
Contact Information

Advantech Corporation
38 Tesla Street, Suite 100
Irvine, CA, 92618
USA
tele: 949.789.7178
toll-free: 800-866-6008
fax: 949.789.7179
ECGInfo@advantech.com
www.advantech.com


















