Today’s network communications infrastructure requires end-to-end security, from Single Office/Home Office (SOHO) appliances to hybrid cloud data centers to carrier service providers. Whether data is in flight or at rest, security throughout the communications spectrum has become a baseline requirement, provisioned through industry-standard network security protocols such as MACsec and IPsec.

These requirements become especially challenging when one considers the unique software environments associated with various network security points, from bump-in-the-wire virtual network function (VNF) acceleration (CPU offload) in the DC cloud, to firewall or deep packet inspection (DPI) appliances at the gateway, to embedded line-card storage engines in the enterprise.

IPsec

IPsec provides secure communications across IP networks through data confidentiality, integrity, origin authentication, and replay protection. Users demand end-to-end Layer 3 security in Hybrid Cloud and Enterprise to protect data in transit and at rest.

Intel offers IPsec soft IP for both Intel® Arria® 10 and Intel® Stratix® 10 devices. These solutions apply to two unique application domains: embedded data-plane IPsec acceleration in a chassis line-card and VNF IPsec acceleration attached to servers as a Smart-NIC.

Embedded applications for IPsec include edge routers, L2/L3 switches, and secure remote access gateways. These IPsec solutions can easily scale from the smallest use case (e.g., Intel Arria 10 GX660 device for just 2X 25 Gbps Ethernet (GbE) or 1X 40GbE IPsec) to larger, higher performance devices such as the Intel Stratix 10 SG280 device that can support 2 to 4X 100GbE IPsec. All Intel FPGA solutions are also capable of supporting MAC, PHY, and PCS layers (E-tile PHY), including PCIe* Gen3 x8 or Gen3 x16 connectivity for management and configuration.

Another use case for the embedded line card is to integrate IPsec soft IP with other Intel soft IP logic (e.g., classification and longest prefix match (LPM) lookup using our Algorithmic Search Engine, or a channelized Interlaken connection), or alternatively with a user’s custom logic (e.g., Layer 3 DPI). The IPsec soft IP RTL source code (encrypted model) can be made available to the user for integration with their own custom logic, along with appropriate documentation to assist the design team with timing constraints and interconnect specifications for CORE pin or signal or I/O definitions. In such cases, a stand-alone testbench and several test vectors are also provided to assist in the development phase.

MACsec

Media Access Control (MAC) Security, often known as MACsec, is an IEEE standards-based protocol for securing communication among the trusted components of an 802.1 LAN. This function provides security to MACs defined in IEEE standard 802, 802.2 (LLC), 802.1D (Bridging), 802.1Q (VLAN) and 802.1X (PNAC). MACsec, formally defined in IEEE 802.1AE, is the Layer 2 security standard that defines connectionless data confidentiality and integrity for media access independent protocols.

Intel offers MACsec soft IP FPGA-based solutions that apply to today’s diverse range of Layer 2 LAN applications, such as secure SmartNIC cards, carrier Ethernet, Internet of Things (IoT) “smart” devices, and many more.

These MACsec soft IP solutions are available on the Intel Arria 10 Development Kit and on the Intel Stratix 10 Development Kit. Both platforms will also be made available with a generic software driver (PCIe Gen3 connectivity) and a set of test vectors to demonstrate the MACsec proof of concept.