AN133: SEC 4.0: Datapath Security Accelerator on the QorIQ P4080 Processor
1 July 2009 AN133: SEC 4.0: Datapath Security Accelerator on the QorIQ P4080 Processor Geoff Waters NMG Systems Engineering - Security
2 Agenda
- Freescale security technology evolution
- Motivations for a datapath architecture
- Small packet challenge
- SEC 4.0
- Hardware architecture
- Software architecture
- QorIQ trust architecture
- Secure boot
- Secure runtime
- Summary

3 Datapath Acceleration and the SEC 4.0
4 Networking Security Roadmap
[Roadmap figure: Phase 1, Phase 2, Phase 3. Product labels: SEC 4.x, MPC190, MPC185, SEC 1.x, SEC 2.x, xx, 83xx, 81xx, SEC 3.x, 85xx, 83xx, 81xx, QorIQ, 81xx, MPC180, MPC]
- Phase 1: Roll out Freescale security technology to commercial networking market through security co-processor product line
- Phase 2: Integrate security IP into Freescale communications processor products
- Phase 3: Continually improve baseline IP for integration, addition of trust architecture
5 Small Packet Challenge
[Chart: throughput (Mbps) against packet size (B). Series: IPv4, ESP Null, IPSec HW, IPSec SW]
Relative performance of IPv4 and IPsec on Freescale MPC8548E, 1.3 GHz CPU, 533 MHz DDR, 266 MHz SEC. Linux , 3rd party IPsec stack, 3DES-HMAC-SHA-1.
6 P A Smarter Approach to Multicore
[Block diagram: P4080. Power Architecture e500-mc core with 32KB D-cache, 32KB I-cache and 128KB backside L2 cache; two 1024KB frontside L3 caches; two 64-bit DDR-2/3 memory controllers; CoreNet coherency fabric; PAMUs (Peripheral Access Mgmt Unit); eopenpic; PreBoot Loader; Security Monitor; Internal BootROM; Power Mgmt; SD/MMC; SPI; 2x DUART; 4x I2C; 2x USB 2.0/ULPI; Clocks/Reset; elbc; Test Port/SAP; SEC 4.0; Pattern Match Engine 2.0; Queue Mgr.; Buffer Mgr.; two Frame Managers (Parse, Classify, Distribute; 10GE; Buffer); RapidIO Message Unit (RMU); PCIe; SRIO; 2x DMA; Real Time Debug (Watchpoint Cross Trigger, Perf Monitor, CoreNet Trace, Aurora); GPIO; CCSR; 18-Lane 5 GHz SERDES]
Designed to address embedded networking challenges
- Process more packets, even as instructions per packet increase
- Support simultaneous non-packet processing, including complex control, service overlays
- Compensate for growing gap between I/O and compute bandwidth vs. DDR bandwidth
- Massive integration to reduce total system footprint while remaining within <30W power envelope
7 QorIQ P4080 Performance Targets
IPsec with all cores acting as datapath processors at 1.5GHz
[Chart: throughput (Gbps) against packet size (B). Series: IPv4, IPv4 + FW/NAT, ESP Null, Asynch IPSec HW]
8
Public Key Hardware Accelerators (PKHA)
- RSA and Diffie-Hellman (to 4096b)
- Elliptic curve cryptography (1023b)
- Supports runtime equalization
Data Encryption Standard Accelerators (DESA)
- DES, 3DES (2K, 3K)
- ECB, CBC, OFB modes
Advanced Encryption Standard Accelerators (AESA)
- Key lengths of 128-, 192-, and 256-bit
- ECB, CBC, CTR, CCM, GCM, CMAC, OFB, CFB, and XTS
Message Digest Hardware Accelerators (MDHA)
- SHA-1, SHA , 384-, 512-bit digests
- MD5 128-bit digest
- HMAC with all algorithms
Kasumi/F8 Hardware Accelerators (KFHA)
- F8, F9 as required for 3GPP
- A5/3 for GSM and EDGE
- GEA-3 for GPRS
Snow 3G Hardware Accelerators (STHA)
- Implements Snow 3.0
CRC Unit
- CRC32, CRC32C, e OFDMA CRC
Random number generator, random IV generation
[Block diagram: SEC 4.0 with On-Chip System Interface, Queue Manager Interface, Job Queue Controller, Descriptor Controllers, CHAs, RTIC]
Header and trailer offload for the following security protocols:
- IPSec, 802.1ae, SSL/TLS, SRTP, i, e
Modular and scalable with simplified device driver
9 Unified Datapath Acceleration Architecture (DPAA) Frame Formats
[Diagram: frame descriptor layouts for a Simple Frame and a Multi-buffer (Scatter/gather) Frame. Frame descriptor fields: D, PID, BPID, Address, Offset, Length, Status/Cmd. In the multi-buffer case the descriptor holds the S/G List Address, and each list entry holds Address, Length, BPID and Offset for one Data buffer.]
PID = Frame Partition ID
BPID = Buffer Pool ID
10 DPAA Terminology
- Buffer: Unit of contiguous memory, allocated by software
- Frame: Buffer(s) that hold a data element (generally a packet)
  - Frames can be single buffers or multiple buffers (using scatter/gather lists)
  - A simple frame has one delimited data element
  - Compound frames have more than one
- Frame descriptor: Proxy structure used to enqueue frames. The frame memory itself is not used by the queue manager (QMan)
- Frame queue: FIFO of related frames
- Frame queue descriptor: Structure used to manage frame queues
- Work queue: FIFO of frame queues
- Channel: Set of 8 prioritized work queues, with hardware class scheduling
  - Dedicated channel: Supplies FQs to a single consumer
  - Pool channel: Can be shared by multiple consumers
- Packet: Used more informally. A routable entity
- Portal: Hardware interface used to access QMan facilities (e.g. enqueue or dequeue) for possibly multiple channels
[Diagram: buffers (B) make up a frame (F), frames make up a frame queue (FQ), frame queues make up a work queue (WQ), work queues 0 to 7 (by priority) make up a channel (Chan), and channels are reached through a portal]
11 SEC 4.0 Inputs
[Diagram: frame descriptors FD1, FD2 and FD3 (fields: PID, BPID, Addr, Offset, Length, Status/Cmd), each with its Buffer, queued on work queues WQ0 to WQ7 of the SEC portal channel. Dequeue Parameters: Frame Queue ID, Context Pointer, Seq#. Decrypt Shared Descriptor: Preheader 1, Preheader 2, Descriptor Header, ARS Len, NH Offset, Options, Salt (CTR mode only), Init Count (CTR mode only), Opt ESN (0s if not used), Seq Num, Anti Replay Scoreboard, key 2, key 1, Operation: Protocol IPsec CBC / CTR IB]
12 SEC 4.0 Protocol Processing Example - IPsec ESP Tunnel Encrypt
[Diagram: Input Frame: Payload. Crypto (Class 1): Payload, padding, Pad Len, N are encrypted. Authenticate (Class 2): SPI, Seq#, Opt IV, encrypted Payload, padding, Pad Len, N, Opt ESN. Output Frame: New IP Header, ESP header (SPI, Seq#, Opt IV), Payload, padding, Pad Len, N, ICV]
- SEC 4.0 adds encapsulating security payload (ESP) header, initialization vector (IV), ESP trailer, and keyed-hash message authentication code (HMAC) with integrity check value (ICV).
- Also adds outer header (up to 128B).
- Calculates IP header length field, does not calculate header checksum.
13 Shared Descriptor Example (Single-Pass ESP-CBC Tunnel)
- Descriptor header
  - Descriptor length, attributes
- Protocol data block (PDB)
  - Note: these are automatically updated after each frame
  - Sequence numbers
  - Association index (SPI)
  - Blockcipher IV (immediate)
- Key blocks
  - HMAC key (Class 2)
  - Cipher key (Class 1)
  - Both classes together enable single-pass operation
- Protocol operation
  - e.g. WiMAX, IEEE , IPSec, etc.
[Diagram: shared descriptor layout: Preheader 1, Preheader 2, Descriptor Header, PDB (ARS Len, NH Offset, Options, Salt (CTR mode only), Init Count (CTR mode only), Opt ESN (0s if not used), Seq Num, Anti Replay Scoreboard), key 2, key 1, Operation: Protocol IPsec CBC / CTR IB]
14 SEC 4.0 Outputs
[Diagram: output Frame Buffer (Res, Packet Header, Payload, Res, Res). Enqueue Parameters: Frame Queue ID, Color, Seq #. Frame Descriptor: Frame Address, Partition ID, Data Length, Data Offset, Status. SEC 4.0 blocks: On-Chip System Interface, Queue Manager Interface, Job Queue Controller, Descriptor Controllers, RTIC, CHAs]
- DECO passes data to QMI, which outputs data into either original frame buffers or into new frame buffers (output buffer pool statically defined for flow).
- QMI sets all FD values.
- Ctx is updated as necessary. Typically Seq# or Anti-Replay state.
- DECO provides job completion information to the QMI, which uses the status word in the frame descriptor to inform software of success or failure.
- When last data is processed by an EU, DECO releases EUs and next DECO grabs them.
15 Job Completion Status Word
- SEC 4.0 can use interrupts to alert software of particular events; however, compared to prior generations of SEC, SEC 4.0 interrupts will be rare
- Consistent with the Request/Response model, the SEC 4.0 will inform software of the success or failure of a requested operation via a Job Completion Status Word
- Failures can be of several types:
  - SEC generated output data, however a protocol error was detected
    - LATE, REPLAY, ICV failure, FCS failure
    - The SEC does not drop packets and clear buffers upon detection of a protocol error
  - SEC detected an illegal/malformed command and did not output any data
    - Moved on to a different FQ
  - SEC detected a suspended Shared Descriptor and No-Op'd the request
    - SW can suspend Shared Descriptors asynchronously to packet processing
- The SEC will only generate interrupts in response to hardware failures and Trust Architecture Security Violations
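The LATE and REPLAY results above come from the anti-replay scoreboard carried in the shared descriptor. The following Python model is an added example, not code from the presentation or from Freescale: the window logic follows the ESP sliding-window scheme of RFC 4303, and the names `Status`, `AntiReplayState`, `receive`, `SAMPLE_FRAMES` and the 64-packet window are assumptions. Because the slide says the SEC still outputs data on a protocol error, the discard decision sits in the software that reads the status.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    OK = "OK"
    LATE = "LATE"            # older than the scoreboard can track
    REPLAY = "REPLAY"        # sequence number was already accepted
    ICV_FAIL = "ICV failure"


@dataclass
class AntiReplayState:
    """Per-SA receive state, named after the PDB fields on the slides."""
    ars_len: int = 64        # window size in packets (assumed value)
    seq_num: int = 0         # highest sequence number accepted so far
    scoreboard: int = 0      # bit i set => (seq_num - i) was accepted

    def check(self, seq: int, icv_ok: bool) -> Status:
        if seq < 1:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.seq_num:
            # New highest number: advance only after the ICV verified,
            # so a forged packet cannot push the window forward.
            if not icv_ok:
                return Status.ICV_FAIL
            shift = seq - self.seq_num
            mask = (1 << self.ars_len) - 1
            self.scoreboard = ((self.scoreboard << shift) | 1) & mask
            self.seq_num = seq
            return Status.OK
        offset = self.seq_num - seq
        if offset >= self.ars_len:
            return Status.LATE
        if (self.scoreboard >> offset) & 1:
            return Status.REPLAY
        if not icv_ok:
            return Status.ICV_FAIL
        self.scoreboard |= 1 << offset
        return Status.OK


def receive(frames, state=None):
    """Model of the software side: read each status, forward only OK frames.

    frames is a list of (sequence number, ICV verified?, payload).
    Returns (list of Status, list of forwarded payloads).
    """
    if state is None:
        state = AntiReplayState()
    statuses, forwarded = [], []
    for seq, icv_ok, payload in frames:
        status = state.check(seq, icv_ok)
        statuses.append(status)
        # Output data exists even on a protocol error; dropping the
        # packet is the caller's job.
        if status is Status.OK:
            forwarded.append(payload)
    return statuses, forwarded


# Constructed sample traffic for one security association.
SAMPLE_FRAMES = [
    (1, True, b"p1"), (2, True, b"p2"), (3, True, b"p3"),
    (2, True, b"p2-again"),       # duplicate inside the window
    (70, True, b"p70"),           # jumps the window forward
    (5, True, b"p5"),             # now more than 64 behind
    (7, True, b"p7"),             # oldest slot still tracked
    (7, True, b"p7-again"),
    (71, False, b"forged71"),     # bad ICV must not consume number 71
    (71, True, b"p71"),
]

if __name__ == "__main__":
    for (seq, _, _), status in zip(SAMPLE_FRAMES, receive(SAMPLE_FRAMES)[0]):
        print(seq, status.value)
```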
16 SEC 4.0 Software Model
[Diagram: Control Plane: Negotiation, Connection Establish, Session/SA, Disconnect. Device Driver / Descriptor Construction Library: Construct QI PreHeader, Job Descriptor, InitDescHdr, Construct Shared Descriptor (PDB, HMAC Key, Cipher Key, Protocol Op Codes). Data Plane: Packet Ingress, Classification, Min IPsec Pre Processing, SEC Helper Routine, Mapping/Enqueue to FQ, FQDs, Dequeue from SEC return queue (FQDs from SEC dedicated channel), SEC Helper Routine, Min IPsec Post Processing, Free Resources, Routing, Mapping/Enqueue to FQ, Packet Egress. Software layers: Protocol Stack/LWE, QMan Library, Driver/DCL]
17 QorIQ Trust Architecture
18 QorIQ P4080 Block Diagram
[Block diagram: QorIQ P4080. External Tamper Detect; Security Fuses; Security Monitor; Internal BootROM; PreBoot Loader; eopenpic; Power Mgmt; SD/MMC; SPI; DUART; 2x I2C; 2x USB 2.0/ULPI; Clocks/Reset; elbiu; M2SB; Test Port/SAP; Power Architecture e500-mc Core with 32 KB D-Cache, 32 KB I-Cache and 128 KB Backside L2 Cache; HV MMU; CoreNet Coherency Fabric; two 1024 KB Frontside L3 Caches; two 64-bit DDR-2/3 Memory Controllers; PAMUs (Peripheral Access Mgmt Unit); Security 4.0; Pattern Match Engine 2.0; Queue Mgr.; Buffer Mgr.; two Frame Managers (Parse, Classify, Distribute; 10GE; Buffer); SRIO Message Unit; PCIe; SRIO; DMA; Real Time Debug (Watchpoint Cross Trigger, Perf Monitor, CoreNet Trace, Aurora); GPIO; CCSR; 18-Lane 5 GHz SERDES]
19 Trusted Boot Process
[Diagram: Code Signing Entity: System Code (Plaintext) is hashed and the hash goes through RSA Sign with Private Key (d) and Public Modulus (N) to produce the Signature. System NV RAM holds the Signature and the System Code (Plaintext). Internal Secure Boot Code: RSA Verify of the Signature with Public Key (e) and Public Modulus (N) gives the Decrypted Hash; hashing the System Code gives the Generated Hash.]
- $\text{Plaintext Hash} = (\text{Ciphertext Hash})^{e} \bmod N$
- $\text{Ciphertext Hash} = (\text{Plaintext Hash})^{d} \bmod N$
- e, d, and N are mathematically chosen so that RSA works (N is the product of 2 large primes)
- Sign and Verify are identical operations (modular exponentiation)
- If Decrypted Hash = Generated Hash, the System Code has not been modified
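The sign and verify flow on this slide, carried through with numbers, as an added example that is not code from the presentation or from the P4080 boot ROM. It uses the slide's textbook RSA on the bare hash (production signature schemes add padding such as PKCS#1 v1.5 or PSS); SHA-256 as the hash, the toy key built from two publicly known Mersenne primes, and all function names are assumptions.

```python
import hashlib

# Constructed toy key: both primes are publicly known Mersenne primes,
# so this key protects nothing. It only makes the arithmetic runnable.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                              # public modulus
E = 65537                              # public key (e)
D = pow(E, -1, (P - 1) * (Q - 1))      # private key (d), Python 3.8+


def generated_hash(system_code: bytes) -> int:
    """Hash of the code as found in NV RAM (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(system_code).digest(), "big")


def rsa_sign(system_code: bytes) -> int:
    """Code signing entity: Ciphertext Hash = (Plaintext Hash)^d mod N."""
    return pow(generated_hash(system_code), D, N)


def decrypted_hash(signature: int) -> int:
    """Secure boot code: Plaintext Hash = (Ciphertext Hash)^e mod N."""
    return pow(signature, E, N)


def secure_boot_check(system_code: bytes, signature: int) -> bool:
    """True only if Decrypted Hash equals Generated Hash."""
    if not 0 < signature < N:          # reject values outside the RSA domain
        return False
    return decrypted_hash(signature) == generated_hash(system_code)


# Constructed NV RAM contents: an image and the signature made over it.
SAMPLE_CODE = b"constructed system code image v1"
SAMPLE_SIGNATURE = rsa_sign(SAMPLE_CODE)


def demo():
    """Boot decision for the signed image and for a one-byte modification."""
    tampered = bytearray(SAMPLE_CODE)
    tampered[0] ^= 0x01                # flip one bit of the stored code
    return {
        "signed image": secure_boot_check(SAMPLE_CODE, SAMPLE_SIGNATURE),
        "modified image": secure_boot_check(bytes(tampered), SAMPLE_SIGNATURE),
        "modified signature": secure_boot_check(SAMPLE_CODE, SAMPLE_SIGNATURE + 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'boot' if ok else 'halt'}")
```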
20 Secure Storage
[Diagram: storage types and their contents. Non-volatile: External NV Memory, Internal OTP Memory. Volatile (with zeroization option): Main Memory, Internal SRAM. Contents shown: Integrity Protected Code, Data; Public Values, Configuration; Secret Values; No Execute Region; Hypervisor/PAMU access protected memory regions; Session Keys; Encrypted & Integrity Protected Code, Data; Digital Signature]
21 Run Time Integrity Checker
[Diagram: a DMA controller reads Zone 1 to Zone 4 from the System Memory Map. Each zone is hashed with SHA-256 and a comparator checks the result against that zone's stored hash (Zone 1 stored hash to Zone 4 stored hash). Each comparator's mismatch signal goes to Sec_MON.]
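A software model of the checker drawn on this slide, as an added example that is not Freescale code: each configured zone is hashed with SHA-256 and compared with its stored hash, and a mismatch is reported to a stand-in for Sec_MON. The class names, zone addresses and the 1 KB memory image are constructed for illustration; the run also shows that a write outside every zone goes unnoticed.

```python
import hashlib


class SecurityMonitor:
    """Stand-in for Sec_MON: records which zones reported a mismatch."""

    def __init__(self):
        self.violations = []

    def report(self, zone_name):
        self.violations.append(zone_name)


class RunTimeIntegrityChecker:
    def __init__(self, memory, zones, sec_mon):
        self.memory = memory              # bytearray standing in for RAM
        self.zones = dict(zones)          # name -> (start, length)
        self.sec_mon = sec_mon
        self.stored_hash = {}
        for name, (start, length) in self.zones.items():
            if start < 0 or length <= 0 or start + length > len(memory):
                raise ValueError(f"{name} lies outside memory")

    def _hash_zone(self, name):
        start, length = self.zones[name]
        return hashlib.sha256(self.memory[start:start + length]).digest()

    def arm(self):
        """Capture the reference hash of every zone while it is trusted."""
        self.stored_hash = {name: self._hash_zone(name) for name in self.zones}

    def sweep(self):
        """Re-hash every zone; report and return the zones that changed."""
        if not self.stored_hash:
            raise RuntimeError("arm() must run before sweep()")
        mismatches = [name for name in self.zones
                      if self._hash_zone(name) != self.stored_hash[name]]
        for name in mismatches:
            self.sec_mon.report(name)
        return mismatches


# Constructed layout: four zones in a 1 KB image, with gaps between them.
ZONES = {
    "Zone 1": (0, 128),
    "Zone 2": (256, 128),
    "Zone 3": (512, 64),
    "Zone 4": (768, 256),
}


def demo():
    memory = bytearray(range(256)) * 4
    sec_mon = SecurityMonitor()
    rtic = RunTimeIntegrityChecker(memory, ZONES, sec_mon)
    rtic.arm()
    results = {"clean": rtic.sweep()}
    memory[200] ^= 0xFF                   # address 200 is in no zone
    results["write outside zones"] = rtic.sweep()
    memory[300] ^= 0xFF                   # address 300 is inside Zone 2
    results["write inside Zone 2"] = rtic.sweep()
    results["reported to monitor"] = list(sec_mon.violations)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```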
22 Power Architecture No Execute Feature
- The Power Architecture Book-III E Translation Lookaside Buffer (TLB) includes control bits that CPUs use to determine read, write, execute and caching rules for the memory pages
- The 'X' bit in the TLB controls whether the page's contents can be executed as instructions
- The ability to define pages as non-executable provides a significant barrier against attacks that overflow data buffers into code memory space
- This feature is functionally equivalent to the NX bit (No execute) in the x86 architecture, although the Power Architecture Book-III E X bit predates NX by several generations
23 Hypervisor
[Diagram labels: Symmetric Multiprocessing (SMP) with Task Affinity (Local Ctl, Service 1, Service 2, Service 3, I/O Ingress, I/O Egress); SMP Control; SMP Services; Asymmetric Multiprocessing (AMP) with Hypervisor; Parallel Datapath AMP with Hypervisor; Datapath (I/O Ingress, I/O Egress). Hardware: eight Power Architecture Cores, each with D-Cache, I-Cache and L2 Cache; CoreNet Interconnect Fabric; two Front-side L3 Caches; two DDR2/3 Memory Controllers]
24 Summary
- P4080 processor combines high levels of computing horsepower with efficient virtualized accelerators
- SEC 4.0 was designed as part of a comprehensive Datapath Acceleration Architecture to reduce CPU utilization and increase security protocol throughput
- The SEC 4.0 is also part of a comprehensive QorIQ Trust Architecture, enabling trusted computing in a multi-core environment

25 Q&A
Thank you for attending this presentation. We'll now take a few moments for the audience's questions and then we'll begin the question and answer session.
More informationConfiguring Security for VPNs with IPsec
This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected
More informationKeyStone C665x Multicore SoC
KeyStone Multicore SoC Architecture KeyStone C6655/57: Device Features C66x C6655: One C66x DSP Core at 1.0 or 1.25 GHz C6657: Two C66x DSP Cores at 0.85, 1.0, or 1.25 GHz Fixed and Floating Point Operations
More informationIntroducing Hardware Security Modules to Embedded Systems
Introducing Hardware Security Modules to Embedded Systems for Electric Vehicles charging according to ISO/IEC 15118 V1.0 2017-03-17 Agenda Hardware Trust Anchors - General Introduction Hardware Trust Anchors
More informationLecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005
Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks
More informationPacketShader: A GPU-Accelerated Software Router
PacketShader: A GPU-Accelerated Software Router Sangjin Han In collaboration with: Keon Jang, KyoungSoo Park, Sue Moon Advanced Networking Lab, CS, KAIST Networked and Distributed Computing Systems Lab,
More informationTechDays property of their respective owners Freescale Semiconductor, Inc..
TM TechDays 2013 Freescale, the Freescale logo, AltiVec, C-5, CodeTEST, CodeWarrior, ColdFire, C-Ware, the Energy Efficient Solutions logo, mobilegt, PowerQUICC, QorIQ, StarCore and Symphony are trademarks
More information3 Features. 1 Development History. 2 Typical Applications. Freescale Semiconductor, I
nc. Advance Information MPC185TS/D Rev. 2.1, 2/2003 MPC185 Security Processor Technical Summary This technical summary provides an overview of the MPC185 Security Processor, including a brief development
More informationCONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements
CONTENTS Preface Acknowledgements xiii xvii Chapter 1 TCP/IP Overview 1 1.1 Some History 2 1.2 TCP/IP Protocol Architecture 4 1.2.1 Data-link Layer 4 1.2.2 Network Layer 5 1.2.2.1 Internet Protocol 5 IPv4
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 15 Electronic Mail Security Despite the refusal of VADM Poindexter and LtCol North to appear,
More informationRESTRUCTURING DPDK DEVICE-DRIVER FRAMEWORK
RESTRUCTURING DPDK DEVICE-DRIVER FRAMEWORK Expanding DPDK to non-pci, non-virtual devices SHREYANSH JAIN, HEMANT AGRAWAL NXP 21/OCT/2016 About Me... An engineer with NXP s Digital Networking Software team
More informationECE 646 Fall 2009 Final Exam December 15, Multiple-choice test
ECE 646 Fall 2009 Final Exam December 15, 2009 Multiple-choice test 1. (1 pt) Parallel processing can be used to speed up the following cryptographic transformations (please note that multiple answers
More informationParallelizing IPsec: switching SMP to On is not even half the way
Parallelizing IPsec: switching SMP to On is not even half the way Steffen Klassert secunet Security Networks AG Dresden June 11 2010 Table of contents Some basics about IPsec About the IPsec performance
More informationIP Security. Have a range of application specific security mechanisms
IP Security IP Security Have a range of application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that cut across protocol layers Would like security
More informationIntroduction to Routers and LAN Switches
Introduction to Routers and LAN Switches Session 3048_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved. 3 Prerequisites OSI Model Networking Fundamentals 3048_05_2001_c1 2001, Cisco Systems, Inc.
More informationChapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University
Chapter 6 IP Security Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University +91 9426669020 bhargavigoswami@gmail.com Topic List 1. IP Security Overview 2. IP Security Architecture 3.
More informationSecure channel, VPN and IPsec. stole some slides from Merike Kaeo
Secure channel, VPN and IPsec stole some slides from Merike Kaeo 1 HTTP and Secure Channel HTTP HTTP TLS TCP TCP IP IP 2 SSL and TLS SSL/TLS SSL v3.0 specified
More informationIPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security
IPsec (AH, ESP), IKE Guevara Noubir noubir@ccs.neu.edu Securing Networks Control/Management (configuration) Applications Layer telnet/ftp: ssh, http: https, mail: PGP (SSL/TLS) Transport Layer (TCP) (IPSec,
More informationSankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank
Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology Question Bank Subject: Information Security (160702) Class: BE Sem. VI (CE/IT) Unit-1: Conventional
More informationBCA III Network security and Cryptography Examination-2016 Model Paper 1
Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 1 M.M:50 The question paper contains 40 multiple choice questions with four choices and student will have to pick the correct
More informationHow to abstract hardware acceleration device in cloud environment. Maciej Grochowski Intel DCG Ireland
How to abstract hardware acceleration device in cloud environment Maciej Grochowski Intel DCG Ireland Outline Introduction to Hardware Accelerators Intel QuickAssist Technology (Intel QAT) as example of
More informationQorIQ T4 Family of Processors. Our highest performance processor family. freescale.com
of Processors Our highest performance processor family freescale.com Application Brochure QorIQ Communications Platform: Scalable Processing Performance Overview The QorIQ communications processors portfolio
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 11 Basic Cryptography Objectives Define cryptography Describe hashing List the basic symmetric cryptographic algorithms 2 Objectives
More informationTotal No. of Questions : 09 ] [ Total No.of Pages : 02
CS / IT 321 (CR) Total No. of Questions : 09 ] [ Total No.of Pages : 02 III/IV B. TECH. DEGREE EXAMINATIONS, OCT / NOV - 2015 Second Semester COMPUTER SCIENCE & ENGINEERING NETWK SECURITY Time : Three
More informationThe Linux Kernel Cryptographic API
Published on Linux Journal (http://www.linuxjournal.com) The Linux Kernel Cryptographic API By James Morris Created 2003-04-01 02:00 This article provides a brief overview of the new cryptographic API
More informationEncrypted Phone Configuration File Setup
This chapter provides information about encrypted phone configuration files setup. After you configure security-related settings, the phone configuration file contains sensitive information, such as digest
More informationVirtual Tunnel Interface
This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative
More informationInternet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho
Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27 Introduction (1/2) Security Goals Confidentiality
More information