Security IP icon


Protocol-IP-97 Multi-Protocol Engine, Look-Aside, 5 Gbps

The Protocol-IP-97 Multi-Protocol Engine is a protocol-aware packet engine for accelerating IPSec, SSL, TLS, DTLS, 3GPP and MACsec up to 5 Gbps in multi-core SoCs offering a large selection of cipher algorithms. Designed for fast integration, low gate count and full transforms, the packet engine provides a reliable and cost-effective embedded IP solution that is easy to integrate into multi-core SoC designs.

Protocol aware IPsec, SSL, TLS, DTLS, 3GPP, MACsec packet engine with Look-Aside interface for multi-core application processors

5 Gbps, programmable, supports new and legacy crypto algorithms, AMBA interface

Supported by Driver development kit, QuickSec IPsec toolkit

How the Protocol-IP-97 Multi-Protocol Engine works

The Multi-Protocol Engine is a protocol-aware packet engine with a Look-Aside bus interface and a packet transform engine. It is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec, SSL, TLS and DTLS. Compared to the Protocol-IP-93 it offers higher performance, more algorithms, protocol flexibility through token instructions and efficient prefetching of packets to maintain line-rate throughputs for small and large packets. The Protocol-IP -97 performs complete L3 packet transformations and achieves 2 Gbps full-duplex for any packet size at 500 MHz and above.
Diagram: Protocol-IP-97 Multi-Protocol Engine Block Diagram
Protocol-IP-97 Multi-Protocol Engine Block Diagram

The Multi-Protocol Engine is designed to off-load the host processor to improve the speed of protocol operations and reduce power in gigabit application processors for: VPN routers, home media gateways, FTTH routers, IoT gateways, 5G base stations, edge network equipment, femtocells, VPN appliances and surveillance cameras.

Performance for large packet sizes is well over 5 Gbps for any supported protocol. IPsec performance for small packet sizes is 2.5 Gbps at a clock speed of 500 MHz.

Features and Benefits

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Descriptor ring infrastructure, with master DMA controller, including Descriptor, SA and packet prefetching
  • SA manager
  • FIPS-compliant DRBG

Driver Development Kit.IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP/AH transforms according to latest RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4106, 4301, 4303, 4304, 4308, 4309, 4543, 4835, 4868, 4869, 6054, 6379, 7321, 7539, 7634 and 8221)
  • IPsec ESP and AH tunnel & transport mode
  • Insert ESP/AH header for outbound packets, strip and verify ESP/AH header for inbound packets
  • Full sequence number processing, including ESN and full anti-replay check with various mask sizes
  • Calculate and insert Integrity Check Value for outbound packets, strip and verify for inbound packets
  • Append (outbound) / strip and verify (inbound) padding up to 255 bytes

SSL3.0 / TLS1.0 / TSL1.1 / TLS1.2 / TLS1.3 / DTLS1.0 / DTLS1.2:

  • Full single pass packet transforms according to latest RFCs (246, 4346, 4347, 5246, 5288, 5289, 6101, 6347, 6460, 6655, 7539, 7905 and 8446).
  • Full Header processing:
    • Insert header for outbound packets,
    • Strip and verify header for inbound packets,
    • Anti-replay check.
    • Trailer processing:
        • Insert padding up to 255 bytes for outbound packets,
        • Strip and verify padding up to 255 bytes for inbound packets,
        • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets.


  • MACsec frame transforms according to IEEE 802.1AE
  • SecTAG insertion and removal
  • PN insertion, removal and verification
  • ICV generation, insertion, removal and verification

3GPP Wireless Algorithms

The cryptographic engine supports the following cryptographic algorithms:

  • (3)DES in ECB and CBC with (3x) 56-bit key
  • AES in ECB, CBC, ICM, CTR mode with 128/192/256 bit keys, GCM, GMAC and CCM modes, optional AES-XTS
  • Optional ChaCha20, SM4, ARIA [bullet inserted]
  • Optional ARC4 in Stateful and Stateless mode, up to 128-bit key
  • Kasumi in basic and f8 mode (UEA1)
  • SNOW3G in basic and 128-EEA1 mode (UEA2)
  • ZUC in basic and 128-EEA3 mode (UEA3)

The Hash engine supports the following algorithms:

  • SHA-1, SHA-2-224/256, MD5
  • Optional SHA-2-384/512, SHA-3 224/256/384/512 [bullet inserted]
  • HMAC transforms for SHA-1, SHA-2, MD5
  • Optional SM3, Poly1305[bullet inserted]
  • SSL-MAC transforms for SHA-1, MD5
  • CRC32
  • Kasumi in f9 mode (UIA1)
  • SNOW3G in basic and 128-EIA1 mode (UIA2)
  • ZUC in basic and 128-EIA3 mode (UIA3)

The DMA controller supports:

  • Scatter/Gather capability
  • Source Address and Destination address of 32 bit
  • Up to 2048 bytes per DMA transfer
  • Automatic arbitration and bus flow control
  • Big and little endian host systems

Master and slave interface:

  • Master/Slave interface: AXI/AXI or AXI/APB or AHB/AHB slave interface
  • Input and output buffers decouple Packet Engine from system bus interface
  • Convenient SW debug interface including halt mode
  • Clock switching interface for low power consumption
CryptoManager Root of Trust Cover

The CryptoManager Root of Trust

Built around a custom RISC-V CPU, the Rambus CryptoManager Root of Trust (CMRT) is at the forefront of a new category of programmable hardware-based security cores. Siloed from the primary processor, it is designed to securely run sensitive code, processes and algorithms. More specifically, the CMRT provides the primary processor with a full suite of security services, such as secure boot and runtime integrity, remote attestation and broad crypto acceleration for symmetric and asymmetric algorithms.

Upcoming Webinar: AI Requires Tailored DRAM Solutions