SSL加速卡调研的原因及背景

SSL加速卡调研的原因及背景

SSL加速卡调研的原因及背景

网络信息安全已经成为电子商务和网络信息业发展的一个瓶颈，安全套接层(SSL)协议能较好地解决安全处理问题，而SSL加速器有效地提高了网络安全处理的性能。

公司产品本身可以在软件层次，利用CPU和内存等资源可以处理SSL加解密，但是性能不高。在公司产品中集成SSL加速卡，有利于提高处理SSL加解密的性能，节省系统资源，并提高公司产品的整体工作性能。

公司产品的需求：

1)         所有网络接口的数据流量都可以经过SSL加速卡的处理。并不和任何特定的网络接口绑定。

2)         SSL加速卡的接口是通用接口，如：PCI Express等接口。

3)         SSL 加速卡的驱动支持主流系统和虚拟化平台，如：Linux, FreeBSD, Windows, XEN, KVM, Citrix XenServer

4)         SSL加速卡提供SDK和API等软件支持。

SSL加速卡调研的目的

1)         SSL加速卡的种类以及功能和架构。

2)         SSL加速卡的集成方式和服务支持。

Cavium公司介绍

Cavium Inc 公司是全球领先的多核 MIPS 和 ARM 处理器提供商，处理器广泛应用于网络/通讯、无线、存储和控制应用等领域的安全产品。

Cavium 是美国纳斯达克上市公司，股票代码为：CAVM，公司运营状况良好，现金流充足。Cavium 公司总部在加州硅谷核心地带圣何塞（San Jose） ，并在麻省的波士顿、印度海德拉巴、中国北京和台湾新竹设有研发中心。

国际上主要的网络/通讯/无线等厂商都有使用 Cavium 的解决方案，包括但不限于 Cavium、Array Networks、Juniper、Alcatel-Lucent、Nokia-Siemens Networks、华为、中兴、三星、华三、F5 Networks、Palo Alta Networks、Hillstone Networks。

公司名称: cavium                                                                    总部地点: 加州硅谷核心地带圣何塞

经营范围: MIPS 和 ARM 处理器提供商                                   公司性质: 上市公司

股票代码: CAVM                                                                      所属国家: 美国

Cavium公司主产品线

▪ OCTEON         ▪ Fusion             ▪ NEURON        ▪ Thunder ▪ NITROX

▪ PureVu            ▪ Celestial                  ▪ ECONA

OCTEON

1-48 核，主频最高达 2.5Ghz 的 MIPS64 处理器，集成了安全、存储（RAID 和数据去重）、压缩解压缩、TCPIP、DPI（Deep Packet Inspection）等协处理器，接口类型支持 DDR3/DDR4、PCIe、SGMII、XAUI/DXAUI/RXAUI、Interlaken/Interlaken-LA 等。

Fusion

单芯片集成多核 MIPS 和多个 DSP 核，支持 3G/4G 的单芯片基站SOC方案。

NEURON

查找处理器，支持ACL、LPM等。

Thunder

面向下一代云计算和数据中心的多核 ARM64 处理器

NITROX

安全协处理器。

PureVu

PureVu 多媒体SOC，面向无线显示应用。

Celestial

面向 IPTV/OTT 的多媒体 SOC。

ECONA

单/双核ARM，面向网络应用。

Cavium nitrox 产品种类以及功能和架构

NITROX® Security Processors (NITROX®安全处理器)

NITROX® V Security Processor Family

特性:

Sixth Generation Security processor with proven feature set and quality software

High performance security processing

• 15 Gbps – 100 Gbps Security Performance

• 45K -300K ECC Ops/s (p256)

• 20K – 120K RSA Ops/s (2048 bit keys)

• 288 RISC engines with instruction space

High-performance, industry standard compression

• 20 – 100 Gbps GZIP / LZS Compression

Virtualization

• Single Root – IO Virtualization (SR-IOV) support in hardware

• Up to 256 Virtual Functions

High-performance, industry standard interfaces

• Dual PCI-Express Gen 3 x4, x8 (100+ Gbps)

• Dual Interlaken x8 lanes (100+ Gbps)

Wide variety of algorithms supported

• IPSec, SSL, TLS 1.2, DTLS, ECC (p224, p256, p384, p521)

• DES, 3DES, AES 256-bit (ECB, CBC, XCBC, CNTR, GCM)

• MD5, SHA-1, SHA-2, SHA-3, MAC-MD5/SHA-1/SHA-2,SHA-3,

HMAC-MD5/SHA-1/SHA-2 (including SHA-224, SHA-256,

HA-384, SHA-512)

• RSA 2048, RSA 4096, RSA 8192, Diffie-Hellman, KASUMI, Snow3G, Zuc

Random Number Generator

• FIPS 140-3 compliant True RNG

Package

• Package: 27 x 27 mm FCBGA

• No external memory required

优势:

• Highly stable, secure and reliable hardware and software solution

• Delivers high throughput and broad scalability for

next-generation Cloud Data Center, Enterprise & Service provider

applications

• Ideal for Virtual environments

• Provides flexible options for popular current and next-generation

system interconnects

• Meets security acceleration needs of next-generation

applications with latest security algorithm support

• Combines key functionality into a single, high-performance,

low-power chip – Security, Compression, Virtualization, & Random

Number Generator

• Future proof implementation. Custom / new crypto protocols

using instruction space

NITROX V Applications (NITROX V应用场景)

Cloud Server Offload

• Web, Mail, Search

• VM to VM IPsec tunnels

Data Centers

• Application Delivery Controllers (ADC)

• WAN Optimization

• Storage Appliances

Enterprise

• UTM Gateway

• Routers

• WAN Optimization

• VPN/Firewall

• Intrusion Prevention Appliances

NITROX V Software Support (NITROX V软件支持)

Multi-Protocol Support

• SSL, TLS, IPsec, Wireless

• Full Protocol processing with specialized Macro API functions

Extensive Operating System and Crypto Stack Support

• Software drivers for popular operating systems and

Hypervisors such as Linux, BSD, DPDK, Windows, XEN and KVM.

• OpenSSL, KAME IPsec, PKCS#11, JCA

Crypto Offload Adapters (加密卸载适配器)

特性:

• High performance security processing for both RSA operations and for bulk cryptography

- 35K – 1M RSA Ops/s (1024-bit)

- 6K to 150K RSA Ops/s (2048-bit)

- 5 to 60 Gbps of Security Performance

• High Compression performance

- 5 to 60 Gbps GZIP/LZS performance

• Integrated SRIOV for IO Virtualization

- 8.16, 32, 64 Virtual Functions

• PCI Express Gen2 support on single chip Adapter and Gen3 support on multi-chip Adapter

• Low power starting at < 20W for 200K RSA Ops/sec

• Top to bottom Hardware & Software compatibility

优势:

- Virtualized Data Center & Cloud Computing

- Application Delivery Controllers (ADC)

- WAN optimization

- Server Ooad for cloud services

- Secured Cloud Computing

- L4+ Switches

- Unied Threat Management Appliances

- WLAN Controllers

- Web Servers

- Encryption (AES XTS) and Compression (LZS for Storage Appliances)

规格:

Cryptography

• IPSec, SSL, TLS 1.2, DTLS, ECC Suite B (ECDH, ECDSA)

DES, 3DES, ARC4, AES 256-Bit (ECB, CBC, XCBC, CNTR,GCM, XTS)

• MD5, SHA-1, SHA-2, MAC-MD5/SHA-1/SHA-2,

HMAC-MD5/SHA-1/SHA-2 (including SHA-224,

SHA-256, SHA-384, SHA-512)

• RSA 2048, RSA 4096, Diffie-Hellman, KASUMI

Compression

• GZIP, PKZIP, LZS

Virtualization

• Single Root – IO Virtualization (SRIOV)

- 8, 16, 32, 64 Virtual Functions

I/O

• PCI Express Gen2 x8 (Single chip adapter)

• PCI Express Gen3 x8 (Multi chip adapter)

Software

• Multi Protocol support – SSL, TLS, IPSec

• Software Development Kit – SSL, IPSec

• Drivers

- Linux

- FreeBSD

- Microsoft Windows 2008 R2

- RedHat KVM

- Citrix XenServer

软件和API支持

• Drivers for Linux and FreeBSD

- RHEL 5.3, Fedora Core 10.x, FreeBSD 6.3 and 7.2

• Java Cryptographic Extension support

• OpenSSL and TurboSSL support

• PKCS#11 Crypto-service provider

• OpenSSH

• API libraries for Card and key management

• Performance optimized SSL macro APIs

FIPS HSM Adapters (FIPS硬件安全模块适配器)

特性:

Up to 32 partitioned FIPS 140-2 level 3 HSMs in single

Hardware Security Module (HSM) Adapter

• High SSL / TLS performance

- Up to 35K 2048-bit key RSA operations / sec

- Up to 11K ECC operations / sec

- Up to 10Gbps of bulk crypto throughput

• Enhanced on card storage

- Up to 500,000 concurrent SSL sessions

- Up to 50000 concurrent server private keys

• USB port and over the network two-factor authentication

• SP800-90 based Deterministic Random Bit Generator

(Random Number Generator) support for FIPS 140-3

• Accelerates and secures cryptographic functions and bulk encryption

• 256-bit AES based key encrypt for key archive and transport

- Advanced ECC for handshake

优势:

• Scalable performance per partition for multi-domain cloud infrastructure

• Support for multiple crypto APIs enables easy integration with Data Center applications

• Short development time for quick time to market

- Complete hardware module

- Common APIs for both FIPS and non-FIPS product

- Complete SDK including source code for drivers, utilities and reference application

• Physical and logical Cryptographic boundaries

- Secure and tamper evident enclosure

- All keys are secured within cryptographic boundary

适用:

• Cloud HSM Appliance

• Application Delivery Controllers / Load Balancers

• Networking / Server Appliances

• Database Servers

• Web Servers

• Remote Access Servers

• Unified Threat Management Appliances

• Public Key Infrastructure

规格:

• Low profile (2.1” x 6.6”) PCIe form factor can easily fit 1U appliance

• PCIe Gen2 x8 interface

• USB 2.0 port for ‘Smart Keys’ for FIPS 140-2 Level 3

• Support for a wide variety of algorithms

• Modular Exponentiation: RSA / DH Public Key 2048-bit & 4096-bit

• Operating Temperature: 0 to 50° C

• Regulatory Certifications: Safety, cTUVus UL, EMC, FCC/ICES, Class B

软件和API支持

• Drivers for Linux and FreeBSD

• Drivers for KVM and Xen

• PKCS#11 Crypto-service provider

• OpenSSL and TurboSSL support

• Java Cryptography Architecture (JCA) support

• API libraries for Card and key management

• API libraries for Cloning

• API libraries for Two factor authentication over Network or USB

Cavium nitrox 产品集成方式和服务支持

a)         NITROX® Security Processors (NITROX®安全处理器)

• 安全处理器解决方案，提供芯片解决方案和SDK工具，方便OEM厂商进行集成或二次开发。

b)         Crypto Offload Adapters (加密卸载适配器)

• PCI Express Gen2 x8 (Single chip adapter)

• PCI Express Gen3 x8 (Multi chip adapter)
• 软件驱动支持的平台: Linux, FreeBSD, Windows, XEN, KVM, Citrix XenServer

c)         FIPS HSM Adapters (FIPS硬件安全模块适配器)

• PCIe Gen2 x8 interface
• USB 2.0 port for ‘Smart Keys’ for FIPS 140-2 Level 3
• 软件驱动支持的平台: Linux, FreeBSD, Windows, XEN, KVM, Citrix XenServer

Cavium nitrox 产品分析总结

1)         NITROX® Security Processors 是针对安全处理器的解决方案。

2)         Crypto Offload Adapters 中CNN55xx-NHB-G 与CNN55xx-Cxx-NHB-G是使用自家NITROX V 的芯片，Bulk Crypto的性能为15Gbs to 100Gbps，

3)         FIPS HSM Adapters 是针对FIPS HSM的适配器，CNN3560-NFBE-1.0-G 产品的SSL / TLS的最高性能为10Gbps

4)         Crypto Offload Adapters系列产品可以满足公司的需求，而且产品的性能出众。

============== End