Reasons and Background for the SSL Accelerator Card Survey
Network information security has become a bottleneck for the growth of e-commerce and the online information industry. The Secure Sockets Layer (SSL) protocol addresses secure processing reasonably well, and SSL accelerators substantially improve the performance of that processing.
The company's product can already handle SSL encryption and decryption in software, using CPU and memory, but throughput is low. Integrating an SSL accelerator card into the product would raise SSL performance, free up system resources, and improve the overall performance of the product.
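The first number a survey like this needs is the software baseline: how many RSA private-key operations one CPU core of the product sustains, so that the card figures quoted later (for example 20K to 120K RSA-2048 ops/s for NITROX V, 6K to 150K for the offload adapters) can be turned into "how many cores does the card replace". The usual tool is `openssl speed rsa2048` (and, once a card's OpenSSL engine is installed, `openssl speed -engine <id> rsa2048` for the offloaded path). The script below is an added example, not code from the survey or from any vendor SDK: it parses that output and sizes the software path against a card's quoted rate. The sample output is constructed and the single-core figures in it are illustrative, not a measurement of any real host.

```python
"""Software RSA-2048 baseline versus an accelerator card's quoted rate.

Added example; not code from the survey or from any vendor SDK.
"""
import math
import re

# Constructed sample of `openssl speed rsa2048` output, in the OpenSSL
# 1.1.x / 3.0 column layout (sign, verify, sign/s, verify/s). OpenSSL 3.2+
# adds encrypt/decrypt columns and is not handled here. The figures are
# illustrative for one core and are not a measurement of any real host.
SAMPLE_SPEED_OUTPUT = """\
Doing 2048 bits private rsa's for 10s: 15746 2048 bits private RSA's in 10.00s
Doing 2048 bits public rsa's for 10s: 527367 2048 bits public RSA's in 10.00s
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000635s 0.000019s   1574.6  52736.7
"""

_RSA_LINE = re.compile(
    r"^rsa\s+(\d+)\s+bits\s+([\d.]+)s\s+([\d.]+)s\s+([\d.]+)\s+([\d.]+)",
    re.MULTILINE,
)


def parse_openssl_speed_rsa(text):
    """Return {key_bits: (sign_per_s, verify_per_s)} from `openssl speed` output."""
    results = {}
    for m in _RSA_LINE.finditer(text):
        results[int(m.group(1))] = (float(m.group(4)), float(m.group(5)))
    if not results:
        raise ValueError("no 'rsa N bits' result line in openssl speed output")
    return results


def cores_needed(target_ops_per_s, ops_per_core, headroom=0.7):
    """Cores required to sustain target_ops_per_s at `headroom` utilisation.

    Assumes linear scaling across cores (openssl speed is single-threaded
    unless run with -multi), which is optimistic on a busy appliance.
    """
    if ops_per_core <= 0 or not 0 < headroom <= 1:
        raise ValueError("ops_per_core must be > 0 and 0 < headroom <= 1")
    return math.ceil(target_ops_per_s / (ops_per_core * headroom))


def size_against_card(speed_output, card_rsa_ops_per_s, key_bits=2048, headroom=0.7):
    """Compare one core's RSA private-key rate with a card's quoted figure.

    Datasheet 'RSA ops/s' counts private-key operations, which a TLS server
    pays once per full handshake with an RSA key (decrypting the premaster
    secret, or signing ServerKeyExchange for ECDHE-RSA). So sign/s is the
    full-handshake-rate bound of the software path; resumed sessions cost none.
    """
    sign_per_s, verify_per_s = parse_openssl_speed_rsa(speed_output)[key_bits]
    return {
        "software_sign_per_s": sign_per_s,
        "software_verify_per_s": verify_per_s,
        "card_ops_per_s": card_rsa_ops_per_s,
        "speedup_vs_one_core": card_rsa_ops_per_s / sign_per_s,
        "cores_to_match_card": cores_needed(card_rsa_ops_per_s, sign_per_s, headroom),
    }


if __name__ == "__main__":
    # Low and high ends of the NITROX V range quoted in the survey (20K-120K
    # RSA-2048 ops/s), against the constructed single-core baseline above.
    for card_rate in (20_000, 120_000):
        r = size_against_card(SAMPLE_SPEED_OUTPUT, card_rate)
        print(f"card {card_rate:>7} ops/s: {r['speedup_vs_one_core']:.1f}x one core, "
              f"{r['cores_to_match_card']} cores to match at 70% utilisation")
```

Run `openssl speed rsa2048` on the target host and feed its output to `size_against_card` in place of the constructed sample; repeat with `-engine` once the card's OpenSSL engine is installed, which gives the offloaded figure to set beside the datasheet number rather than trusting the datasheet alone.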
Product requirements:
1) Traffic from every network interface must be able to pass through the SSL accelerator card; the card must not be bound to any particular network interface.
2) The card must use a general-purpose host interface such as PCI Express.
3) The card's drivers must support mainstream operating systems and virtualization platforms, e.g. Linux, FreeBSD, Windows, Xen, KVM and Citrix XenServer.
4) The card must come with an SDK, APIs and similar software support.
Objectives of the SSL Accelerator Card Survey
1) The types of SSL accelerator cards and their functions and architecture.
2) How SSL accelerator cards are integrated and what service support is available.
About Cavium
Cavium Inc. is a leading global supplier of multi-core MIPS and ARM processors, which are widely used in security products for networking/communications, wireless, storage and control applications.
Cavium is listed on NASDAQ under the ticker CAVM; the company is in good operating condition with ample cash flow. Cavium is headquartered in San Jose, in the heart of Silicon Valley, California, and has R&D centers in Boston (Massachusetts), Hyderabad (India), Beijing (China) and Hsinchu (Taiwan).
Most major international networking/communications/wireless vendors use Cavium solutions, including but not limited to Array Networks, Juniper, Alcatel-Lucent, Nokia Siemens Networks, Huawei, ZTE, Samsung, H3C, F5 Networks, Palo Alto Networks and Hillstone Networks.
Company name: Cavium
Headquarters: San Jose, Silicon Valley, California
Business: MIPS and ARM processor supplier
Company type: Publicly listed
Ticker symbol: CAVM
Country: United States
Cavium's Main Product Lines
▪ OCTEON ▪ Fusion ▪ NEURON ▪ Thunder ▪ NITROX
▪ PureVu ▪ Celestial ▪ ECONA
OCTEON
MIPS64 processors with 1 to 48 cores and clock speeds up to 2.5 GHz, integrating coprocessors for security, storage (RAID and data deduplication), compression/decompression, TCP/IP and DPI (Deep Packet Inspection); supported interfaces include DDR3/DDR4, PCIe, SGMII, XAUI/DXAUI/RXAUI and Interlaken/Interlaken-LA.
Fusion
A single-chip base-station SoC for 3G/4G that integrates multiple MIPS cores and multiple DSP cores.
NEURON
Lookup processors supporting ACL, LPM and similar operations.
Thunder
Multi-core ARM64 processors for next-generation cloud computing and data centers.
NITROX
Security coprocessors.
PureVu
PureVu multimedia SoCs for wireless display applications.
Celestial
Multimedia SoCs for IPTV/OTT.
ECONA
Single/dual-core ARM SoCs for networking applications.
Cavium NITROX Product Types, Functions and Architecture
NITROX® Security Processors
NITROX® V Security Processor Family
Features:
Sixth Generation Security processor with proven feature set and quality software
High performance security processing
• 15 Gbps – 100 Gbps Security Performance
• 45K -300K ECC Ops/s (p256)
• 20K – 120K RSA Ops/s (2048 bit keys)
• 288 RISC engines with instruction space
High-performance, industry standard compression
• 20 – 100 Gbps GZIP / LZS Compression
Virtualization
• Single Root – IO Virtualization (SR-IOV) support in hardware
• Up to 256 Virtual Functions
High-performance, industry standard interfaces
• Dual PCI-Express Gen 3 x4, x8 (100+ Gbps)
• Dual Interlaken x8 lanes (100+ Gbps)
Wide variety of algorithms supported
• IPSec, SSL, TLS 1.2, DTLS, ECC (p224, p256, p384, p521)
• DES, 3DES, AES 256-bit (ECB, CBC, XCBC, CNTR, GCM)
• MD5, SHA-1, SHA-2, SHA-3; MAC-MD5/SHA-1/SHA-2/SHA-3; HMAC-MD5/SHA-1/SHA-2 (including SHA-224, SHA-256, SHA-384, SHA-512)
• RSA 2048, RSA 4096, RSA 8192, Diffie-Hellman, KASUMI, Snow3G, Zuc
Random Number Generator
• FIPS 140-3 compliant True RNG
Package
• Package: 27 x 27 mm FCBGA
• No external memory required
Advantages:
• Highly stable, secure and reliable hardware and software solution
• Delivers high throughput and broad scalability for next-generation cloud data center, enterprise and service provider applications
• Ideal for virtual environments
• Provides flexible options for popular current and next-generation system interconnects
• Meets the security acceleration needs of next-generation applications with support for the latest security algorithms
• Combines key functionality into a single, high-performance, low-power chip: security, compression, virtualization and random number generation
• Future-proof implementation: custom or new crypto protocols can be implemented using the instruction space
NITROX V Applications
Cloud Server Offload
• Web, Mail, Search
• VM to VM IPsec tunnels
Data Centers
• Application Delivery Controllers (ADC)
• WAN Optimization
• Storage Appliances
Enterprise
• UTM Gateway
• Routers
• WAN Optimization
• VPN/Firewall
• Intrusion Prevention Appliances
NITROX V Software Support
Multi-Protocol Support
• SSL, TLS, IPsec, Wireless
• Full Protocol processing with specialized Macro API functions
Extensive Operating System and Crypto Stack Support
• Software drivers for popular operating systems and hypervisors such as Linux, BSD, DPDK, Windows, Xen and KVM
• OpenSSL, KAME IPsec, PKCS#11, JCA
Crypto Offload Adapters
Features:
• High performance security processing for both RSA operations and for bulk cryptography
- 35K – 1M RSA Ops/s (1024-bit)
- 6K to 150K RSA Ops/s (2048-bit)
- 5 to 60 Gbps of Security Performance
• High Compression performance
- 5 to 60 Gbps GZIP/LZS performance
• Integrated SRIOV for IO Virtualization
- 8, 16, 32, 64 Virtual Functions
• PCI Express Gen2 support on single chip Adapter and Gen3 support on multi-chip Adapter
• Low power starting at < 20W for 200K RSA Ops/sec
• Top to bottom Hardware & Software compatibility
Applications:
- Virtualized Data Center & Cloud Computing
- Application Delivery Controllers (ADC)
- WAN optimization
- Server Offload for cloud services
- Secured Cloud Computing
- L4+ Switches
- Unified Threat Management Appliances
- WLAN Controllers
- Web Servers
- Encryption (AES XTS) and Compression (LZS for Storage Appliances)
Specifications:
Cryptography
• IPSec, SSL, TLS 1.2, DTLS, ECC Suite B (ECDH, ECDSA)
• DES, 3DES, ARC4, AES 256-bit (ECB, CBC, XCBC, CNTR, GCM, XTS)
• MD5, SHA-1, SHA-2; MAC-MD5/SHA-1/SHA-2; HMAC-MD5/SHA-1/SHA-2 (including SHA-224, SHA-256, SHA-384, SHA-512)
• RSA 2048, RSA 4096, Diffie-Hellman, KASUMI
Compression
• GZIP, PKZIP, LZS
Virtualization
• Single Root – IO Virtualization (SRIOV)
- 8, 16, 32, 64 Virtual Functions
I/O
• PCI Express Gen2 x8 (Single chip adapter)
• PCI Express Gen3 x8 (Multi chip adapter)
Software
• Multi Protocol support – SSL, TLS, IPSec
• Software Development Kit – SSL, IPSec
• Drivers
- Linux
- FreeBSD
- Microsoft Windows 2008 R2
- RedHat KVM
- Citrix XenServer
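Requirement 3 (KVM, Xen, XenServer) is what the SR-IOV lines above are for: the NITROX V silicon advertises up to 256 Virtual Functions and the adapters 8, 16, 32 or 64, and each VF is a separate PCIe function that can be passed through to a guest so the guest runs the vendor driver directly. Before relying on that, the integration team should confirm what the Physical Function actually exposes under Linux. The script below is an added example, not code from the survey or from any vendor SDK; it reads the standard Linux sysfs SR-IOV attributes (`sriov_totalvfs`, `sriov_numvfs`, the `virtfnN` links) and encodes the kernel rule that `sriov_numvfs` only moves from 0 to N or N to 0, so resizing from N to M needs a write of 0 first. The PCI address `0000:03:00.0` and the fake sysfs tree built in `demo()` are assumptions for offline testing.

```python
"""SR-IOV check for a PCIe crypto adapter under Linux.

Added example; not code from the survey or from any vendor SDK.
"""
import tempfile
from pathlib import Path


def sriov_status(pf_dir):
    """Read SR-IOV state of a PF from its sysfs directory
    (on a real host e.g. /sys/bus/pci/devices/0000:03:00.0)."""
    pf_dir = Path(pf_dir)
    total_file = pf_dir / "sriov_totalvfs"
    if not total_file.is_file():
        return {"sriov": False, "total_vfs": 0, "enabled_vfs": 0, "vf_links": []}
    total = int(total_file.read_text().strip())
    enabled = int((pf_dir / "sriov_numvfs").read_text().strip())
    # Enabled VFs appear as virtfn0..virtfn(N-1) links in the PF directory.
    links = sorted(p.name for p in pf_dir.glob("virtfn*"))
    return {"sriov": total > 0, "total_vfs": total,
            "enabled_vfs": enabled, "vf_links": links}


def plan_vf_change(pf_dir, wanted):
    """Return the values to write, in order, to sriov_numvfs to reach `wanted`.

    Raises ValueError if the device has no SR-IOV or `wanted` exceeds the
    hardware limit. The kernel refuses a direct N -> M change (-EBUSY), so
    that case becomes [0, M].
    """
    st = sriov_status(pf_dir)
    if not st["sriov"]:
        raise ValueError("device does not expose SR-IOV (no sriov_totalvfs)")
    if wanted < 0 or wanted > st["total_vfs"]:
        raise ValueError(f"wanted {wanted} VFs, device supports at most {st['total_vfs']}")
    if wanted == st["enabled_vfs"]:
        return []
    if st["enabled_vfs"] == 0 or wanted == 0:
        return [wanted]
    return [0, wanted]


def apply_plan(pf_dir, plan):
    """Write each value in `plan` to sriov_numvfs (needs root on a real host)."""
    numvfs = Path(pf_dir) / "sriov_numvfs"
    for value in plan:
        numvfs.write_text(f"{value}\n")


def make_fake_pf(root, total_vfs, enabled_vfs):
    """Build a minimal sysfs-like PF directory (constructed, for offline use).
    Real sysfs uses symlinks for virtfnN; plain directories suffice here."""
    pf = Path(root) / "0000:03:00.0"  # hypothetical PCI address
    pf.mkdir(parents=True, exist_ok=True)
    (pf / "sriov_totalvfs").write_text(f"{total_vfs}\n")
    (pf / "sriov_numvfs").write_text(f"{enabled_vfs}\n")
    for i in range(enabled_vfs):
        (pf / f"virtfn{i}").mkdir(exist_ok=True)
    return pf


def demo():
    """Exercise the checks against a fake 64-VF adapter; returns what was observed."""
    root = tempfile.mkdtemp()
    pf = make_fake_pf(root, total_vfs=64, enabled_vfs=0)
    status = sriov_status(pf)
    first = plan_vf_change(pf, 8)        # fresh enable: [8]
    apply_plan(pf, first)
    resize = plan_vf_change(pf, 16)      # 8 -> 16 must go through 0: [0, 16]
    try:
        plan_vf_change(pf, 65)           # above sriov_totalvfs
        too_many = None
    except ValueError as e:
        too_many = str(e)
    no_sriov = sriov_status(Path(root) / "0000:04:00.0")["sriov"]  # absent device
    return {"status": status, "first": first, "resize": resize,
            "too_many": too_many, "no_sriov": no_sriov}


if __name__ == "__main__":
    print(demo())
```

On a real host point `sriov_status` and `plan_vf_change` at the card's PF directory under `/sys/bus/pci/devices/`; if `sriov_totalvfs` is missing or zero, the PF driver has not enabled SR-IOV and the per-VM driver model the datasheet describes is not available on that kernel and driver build.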
Software and API Support
• Drivers for Linux and FreeBSD
- RHEL 5.3, Fedora Core 10.x, FreeBSD 6.3 and 7.2
• Java Cryptographic Extension support
• OpenSSL and TurboSSL support
• PKCS#11 Crypto-service provider
• OpenSSH
• API libraries for Card and key management
• Performance optimized SSL macro APIs
FIPS HSM Adapters
Features:
• Up to 32 partitioned FIPS 140-2 Level 3 HSMs in a single Hardware Security Module (HSM) adapter
• High SSL / TLS performance
- Up to 35K 2048-bit key RSA operations / sec
- Up to 11K ECC operations / sec
- Up to 10Gbps of bulk crypto throughput
• Enhanced on card storage
- Up to 500,000 concurrent SSL sessions
- Up to 50000 concurrent server private keys
• USB port and over-the-network two-factor authentication
• SP800-90 based Deterministic Random Bit Generator (DRBG) support for FIPS 140-3
• Accelerates and secures cryptographic functions and bulk encryption
• 256-bit AES based key encrypt for key archive and transport
- Advanced ECC for handshake
Advantages:
• Scalable performance per partition for multi-domain cloud infrastructure
• Support for multiple crypto APIs enables easy integration with Data Center applications
• Short development time for quick time to market
- Complete hardware module
- Common APIs for both FIPS and non-FIPS product
- Complete SDK including source code for drivers, utilities and reference application
• Physical and logical Cryptographic boundaries
- Secure and tamper evident enclosure
- All keys are secured within cryptographic boundary
Applications:
• Cloud HSM Appliance
• Application Delivery Controllers / Load Balancers
• Networking / Server Appliances
• Database Servers
• Web Servers
• Remote Access Servers
• Unified Threat Management Appliances
• Public Key Infrastructure
Specifications:
• Low-profile (2.1" x 6.6") PCIe form factor that fits easily in a 1U appliance
• PCIe Gen2 x8 interface
• USB 2.0 port for ‘Smart Keys’ for FIPS 140-2 Level 3
• Support for a wide variety of algorithms
• Modular Exponentiation: RSA / DH Public Key 2048-bit & 4096-bit
• Operating Temperature: 0 to 50° C
• Regulatory Certifications: Safety, cTUVus UL, EMC, FCC/ICES, Class B
Software and API Support
• Drivers for Linux and FreeBSD
• Drivers for KVM and Xen
• PKCS#11 Crypto-service provider
• OpenSSL and TurboSSL support
• Java Cryptography Architecture (JCA) support
• API libraries for Card and key management
• API libraries for Cloning
• API libraries for Two factor authentication over Network or USB
Cavium NITROX Product Integration and Service Support
a) NITROX® Security Processors
- A chip-level security processor solution: Cavium supplies the chips together with an SDK, so that OEMs can integrate them or build further on them.
b) Crypto Offload Adapters
- PCI Express Gen2 x8 (single-chip adapter)
- PCI Express Gen3 x8 (multi-chip adapter)
- Platforms with driver support: Linux, FreeBSD, Windows, Xen, KVM, Citrix XenServer
c) FIPS HSM Adapters
- PCIe Gen2 x8 interface
- USB 2.0 port for 'Smart Keys' for FIPS 140-2 Level 3
- Platforms with driver support: Linux, FreeBSD, Windows, Xen, KVM, Citrix XenServer
Cavium NITROX Product Analysis Summary
1) NITROX® Security Processors are a chip-level security processor solution.
2) Among the Crypto Offload Adapters, the CNN55xx-NHB-G and CNN55xx-Cxx-NHB-G use Cavium's own NITROX V chips, with bulk crypto performance of 15 Gbps to 100 Gbps.
3) The FIPS HSM Adapters target FIPS HSM use; the CNN3560-NFBE-1.0-G reaches a maximum SSL/TLS throughput of 10 Gbps.
4) The Crypto Offload Adapter family meets the company's requirements, and its performance is excellent. One point to confirm before selection: the driver versions listed in this survey (RHEL 5.3, Fedora Core 10.x, FreeBSD 6.3/7.2, Windows 2008 R2) are old, so support for the OS and hypervisor versions the product actually ships on should be verified with the vendor.