40G MACsec Encryption in an FPGA

Similar documents
ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED

10/100/1000 Ethernet MAC with Protocol Acceleration MAC-NET Core

Open Flow Controller and Switch Datasheet

ELECTENG702 Advanced Embedded Systems. Improving AES128 software for Altera Nios II processor using custom instructions

LogiCORE IP AXI Performance Monitor v2.00.a

Implementation of Full -Parallelism AES Encryption and Decryption

International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research)

ETHERNET ENCRYPTION MODES TECHNICAL-PAPER

Networking Virtualization Using FPGAs

A DIY Hardware Packet Sniffer

Improved Method for Parallel AES-GCM Cores Using FPGAs

NATIONAL RESEARCH AGENCY CASE STUDY - CCTV NETWORK SERVICES

Implementation and Design of AES S-Box on FPGA

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Chapter 9. IP Secure

ALL-AIO-2321P ZERO CLIENT

Internet Packets. Forwarding Datagrams

ENHWI-N n Wireless Router

Architecture of distributed network processors: specifics of application in information security systems

7a. System-on-chip design and prototyping platforms

Protocol Security Where?

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Lecture 17 - Network Security

Cryptographic Rights Management of FPGA Intellectual Property Cores

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

DRAFT Gigabit network intrusion detection systems

An Overview of ZigBee Networks

DDS. 16-bit Direct Digital Synthesizer / Periodic waveform generator Rev Key Design Features. Block Diagram. Generic Parameters.

Hardware Implementation of Improved Adaptive NoC Router with Flit Flow History based Load Balancing Selection Strategy

Cloud Infrastructure Planning. Chapter Six

AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

LAYER 2 ENCRYPTORS METRO AND CARRIER ETHERNET METROS AND WIDE AREA NETWORKS ETHERNET ENCRYPTION FOR PRESENTS:

VXLAN: Scaling Data Center Capacity. White Paper

Layer 2 Network Encryption where safety is not an optical illusion Marko Bobinac SafeNet PreSales Engineer

YO-301AP POE AP Datasheet

10 Gigabit Ethernet MAC Core for Altera CPLDs. 1 Introduction. Product Brief Version February 2002

10/100/1000Mbps Ethernet MAC with Protocol Acceleration MAC-NET Core with Avalon Interface

Using FPGAs to Design Gigabit Serial Backplanes. April 17, 2002

Secret File Sharing Techniques using AES algorithm. C. Navya Latha Garima Agarwal Anila Kumar GVN

Remote Access VPNs Performance Comparison between Windows Server 2003 and Fedora Core 6

Layer 2 Encryption Fortifying data transport

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Chapter 7 Transport-Level Security

OSBRiDGE 5XLi. Configuration Manual. Firmware 3.10R

UVOIP: CROSS-LAYER OPTIMIZATION OF BUFFER OPERATIONS FOR PROVIDING SECURE VOIP SERVICES ON CONSTRAINED EMBEDDED DEVICES

Industrial Networks & Databases

SafeNet Network Encryption Solutions Safenet High-Speed Network Encryptors Combine the Highest Performance With the Easiest Integration and

Network Security Part II: Standards

Rohde & Schwarz R&S SITLine ETH VLAN Encryption Device Functionality & Performance Tests

Switch Fabric Implementation Using Shared Memory

HANIC 100G: Hardware accelerator for 100 Gbps network traffic monitoring

A low-cost, connection aware, load-balancing solution for distributing Gigabit Ethernet traffic between two intrusion detection systems

running operation mode painless TECHNICAL SPECIFICATION WAN/LAN: One 10/100 Fast Ethernet RJ-45 WPS (WiFi Protected Setup) WAN (Internet connection)

Hardware and Software

Demystifying Wireless for Real-World Measurement Applications

Zarząd (7 osób) F inanse (13 osób) M arketing (7 osób) S przedaż (16 osób) K adry (15 osób)

Quality of Service Analysis of site to site for IPSec VPNs for realtime multimedia traffic.

ESSENTIALS. Understanding Ethernet Switches and Routers. April 2011 VOLUME 3 ISSUE 1 A TECHNICAL SUPPLEMENT TO CONTROL NETWORK

Key Hopping A Security Enhancement Scheme for IEEE WEP Standards

Introduction to IP v6

How To Secure My Data

LinkProof And VPN Load Balancing

10/100 Mbps Ethernet MAC

ALL-ZC-2140P-DVI PCoIP Zero Client Overview

IT 3202 Internet Working (New)

Polymorphic AES Encryption Implementation

Exhibit n.2: The layers of a hierarchical network

ESR b/g/n SOHO Router

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

AES1. Ultra-Compact Advanced Encryption Standard Core. General Description. Base Core Features. Symbol. Applications

ADVANCED NETWORK CONFIGURATION GUIDE

The new frontier of the DATA acquisition using 1 and 10 Gb/s Ethernet links. Filippo Costa on behalf of the ALICE DAQ group

Introduction to Security and PIX Firewall

Chapter 6 CDMA/802.11i

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

ESR b/g/n SOHO Router

Arquitectura Virtex. Delay-Locked Loop (DLL)

Key Features. Multiple Operation Modes ENH500 can operate into four different modes with Access Point, Client Bridge, Client Router and WDS Mode.

Attenuation (amplitude of the wave loses strength thereby the signal power) Refraction Reflection Shadowing Scattering Diffraction

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

FPGA Implementation of IP Packet Segmentation and Reassembly in Internet Router*

Computer Networks. Definition of LAN. Connection of Network. Key Points of LAN. Lecture 06 Connecting Networks

802.11b/g/n SOHO Router 2.4GHz 150Mbps 11N AP/Router

GadgetGatewayIa Configurable LON to IP Router and/or Remote Packet Monitor. ANSI (LonTalk ) and ANSI 852 (IP) standards based.

Security Engineering Part III Network Security. Security Protocols (II): IPsec

Exam 1 Review Questions

AppliedMicro Trusted Management Module

IJESRT. [Padama, 2(5): May, 2013] ISSN:

Securing VoIP Networks using graded Protection Levels

June Bridge & Switch. Pietro Nicoletti Piero[at]studioreti.it. Bridge-Switch-Engl - 1 P. Nicoletti: see note pag. 2

Load Balance Router R258V

Advanced VSAT Solutions Bridge Point-to-Multipoint (BPM) Overview

Journal of Mobile, Embedded and Distributed Systems, vol. I, no. 1, 2009 ISSN

Transcription:

40G MACsec Encryption in an FPGA Dr Tom Kean, Managing Director, Algotronix Ltd, 130-10 Calton Road, Edinburgh EH8 8JQ United Kingdom Tel: +44 131 556 9242 Email: tom@algotronix.com February 2012 1

MACsec System IEEE 802.1AE Media Access Control Security (MACsec) is a layer 2 security scheme Secures a vulnerable ethernet link transparently to user-level applications Can use IEEE 801.1X-2010 for authentication and key exchange Provides confidentiality and message authentication using AES-GCM algorithm February 2012 2

MACsec Applications MACsec can be applied to any Ethernet network Compatible with encrypted traffic (e.g. IPsec) Applications include EPON routers, enterprise LANs and cloud-based connectivity MAN and defence systems use 256-bit keys (supported by Algotronix) Adds an additional layer of security to military and governmental communications systems Secure data links to embedded systems February 2012 3

Algotronix MACsec History Shipped first AES core in 2004 Shipped AES-GCM for MACSEC at 10G in 2008 Shipped first 1G MACsec version in 2010 Shipped 40G AES-GCM in 2010 Shipped 10G MACsec in 2011 Completing upgrade of MACsec to work at 40G Plan 100G MACsec for late 2012 February 2012 4

MACsec Function Destination Address Source Address Unencrypted payload Encryption Key MACsec Function Destination Address Source Address SecTAG (8 or 16 Bytes) Encrypted payload ICV (16 bytes) February 2012 5

MACsec IP Core Top Level Secure Channel Parameters Controlled Output to System Uncontrolled Output to System Receive Path Input From MAC Controlled Input from System Uncontrolled Input from System Transmit Path Output to MAC Enable Clock Reset Control and Statistics February 2012 6

Secure Channel Unit The Algotronix MACsec core includes on-chip CAMs for fast storage and look-up of keys Keys are 128-bit (standard) or 256-bit (optional) Can support 256 Security Associations (configurable) Key memory is write only from outside the core, to enhance security February 2012 7

AES-GCM Critical part of MACSEC for area and performance Encryption with AES-CTR mode and authentication with GF-HASH Works on 128 bit blocks of data where ethernet works on bytes AES-CTR is iterative, 10 or 14 rounds of processing for each data block. Two overhead encryptions per packet, one overhead GF-HASH operation per packet. February 2012 8

AES-GCM IP Core load_key input_key load_text input text input_text_kind input_text_width input_text_final Pipelined AES 128 bit GF Multiply output_text_valid output text output_text_kind output_text_width output_text_final output_tag_valid load_iv input_iv_and_tag GCM Mode Logic output_tag authentication success start pass_through do_encrypt output_pending advanced_output_valid io_cycle enable clock reset GCM-Control clear February 2012 9

Challenges of AES-GCM at 40Gbit/sec Start with existing AES-GCM 10Gbit design Double clock frequency to 312.5MHz Double number of pipeline stages in AES-CTR Simplify and speed up keyschedule implementation Algebraic manipulation of GF-multiply (feedback loop in GF-Hash makes pipelining difficult) New Karatsuba GF multiplier design to improve speed and area February 2012 10

MACsec Core Area Guidelines 1G 10G 40G Regs 14602 17371 37486 Slice LUTs RAM 18ks RAM 36ks 17031 32119 42350 4 4 55 5 5 9 Xilinx Virtex 5 128 bit keys All MACSEC features included Transmit and Receive channel included AES Sboxes implemented in LUTs for 1G and 10G designs Clock frequency is 2x higher for 40G design Guideline only many implementation options are possible February 2012 11

Algotronix MACsec Cores Design scalable from 1G to 10G and 40G Configurable number of Secure Channels Support worst case timing without overrun Portable to all major FPGA families Tier one customers can access our IP through Xilinx VHDL or Verilog source code Comprehensive test bench Cost effective February 2012 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information