Protocol-IP-93 Multi-Protocol Engine, Look-Aside, 1 Gbps

The Protocol-IP-93 Multi-Protocol Engine is a protocol-aware packet engine for accelerating IPSec, SSL/TLS, and SRTP up to 1 Gbps in SoCs. Designed for fast integration, low gate count and full packet transforms, it provides a reliable and cost-effective embedded IP solution that is easy to integrate into SoC designs. It is ideal for securing cloud connection with TLS and acceleration of other application that require cryptographic operations, such as secure boot.

Protocol-aware IPsec/TLS packet engine with Look-Aside interface for IoT.

Up to 1 Gbps, lowest gate count in the industry, just 100K gates
(ex AMBA interface).

Supported by Driver Development Kit, QuickSec IPsec toolkit,
Secure Boot Toolkit.

How the Protocol-IP-93 Multi-Protocol Engine works

The Multi-Protocol Engine is a protocol-aware packet engine IP with a Look-Aside bus interface and a packet transform engine. The Multi-Protocol engine is used as a bus master in the data plane of the system and processes packets with very little CPU intervention. This engine supports an AMBA (AXI, AHB, TCM) or a PLB SoC bus interface and can be delivered in different configurations to support IPsec as well as SSL and TLS up to the latest 1.3 release. It is the world’s only 100K gate IPsec/TLS accelerator (excluding interface).
Diagram: PacketEngine-IP-93 Security Packet Engine, Look-Aside, 300Mbps
Protocol-IP-93 Multi-Protocol Engine Block Diagram

The Multi-Protocol Engine is designed to off-load the host processor to improve the speed of protocol operations and reduce power in cost-sensitive networking products, such as: high-end IoT devices; IoT gateways; femtocells; DSL routers; SOHO routers; cable modems; VPN appliances; and surveillance cameras.

Performance for large packet sizes is > 1 Gbps for any supported protocol. IPsec performance for small packet sizes is > 500 Mbps, at a system clock speed of 500 MHz.

Secure Networking Basics cover

Secure Networking Basics: MACsec, IPsec, and SSL/TLS/DTLS

The MACsec, IPsec and SSL/TLS/DTLS protocols are the primary means of securing data in motion (communicated between connected devices). These protocols can be anchored in hardware or implemented in software as part of an end-to-end security architecture. This white paper provides fundamental information on each of these protocols including their interrelationships and use cases.

Features and Benefits

Key benefits:

  • Silicon-proven implementation
  • Fast and easy to integrate into SoCs
  • Flexible layered design
  • Complete range of configurations
  • World-class technical support
  • Driver Development Kit
  • Descriptor ring infrastructure, with master DMA controller
  • SA manager

IPsec (IPv4 and IPv6):

  • Full IPsec packet ESP transforms, for tunnel & transport mode, according to RFCs (2403, 2404, 2405, 2410, 3566, 3602, 3686, 4301, 4303, 4308, 4309, 4835 and 4868)
  • Complete IPsec (IPv4 and IPv6) header processing:
  • Insert ESP header for outbound packets
  • Strip and verify ESP header for inbound packets
  • Anti-replay check
  • IPsec trailer processing:
  • Insert padding up to 255 bytes for outbound packets
  • Strip and verify padding up to 255 bytes for inbound packets
  • Calculate and insert integrity check value for outbound packets, strip and verify for inbound packets

SSL3.0 / TLS1.0 / TSL1.1 / TLS1.2 / TLS1.3 / DTLS:

  • Full single pass packet transforms according to RFCs (2246, 3268, 3546, 4346, 4347, 4366, 5246 and 8446).
  • Full Header processing:
  • Insert header for outbound packets,
  • Strip and verify header for inbound packets,
  • Anti-replay check.
  • Trailer processing:
      • Insert padding up to 255 bytes for outbound packets
      • Strip and verify padding up to 255 bytes for inbound packets
      • Calculate and insert Message Authentication Code for outbound packets, strip and verify for inbound packets

The cryptographic engine supports the following cryptographic algorithms:

  • (Triple-)DES in ECB and CBC with 56-bit key
  • AES in ECB, CBC, ICM, CTR mode with 128-bit 192-bit and 256-bit key
  • Special HDCP cipher mode combination with AES-CTR
  • Optional ARC4 in stateful, stateless mode, up to 128-bit key
  • Automatic padding up to 255 bytes

The hash engine supports the following algorithms:

  • SHA-1, SHA-2-224/256, MD5
  • HMAC transforms for SHA-1, SHA-2, MD5
  • SSL-MAC transforms for SHA-1, MD5

Combined AECD Cipher algorithms

  • Optional: AES-GCM, AES-GMAC 
Rambus logo