SafeXcel-5140 - High-Performance Enterprise Security Processor

Overview

The SafeXcel-5140 chip is a high-performance security processor specifically designed for Small and Medium Enterprise security applications. The processor is primarily targeted at VPN gateway appliances with Ethernet connectivity. However, the SafeXcel-5140’s rich set of features and interfaces also makes it an ideal choice for other security-demanding applications like network interface cards, broadband access devices, and multimedia home network equipment. The SafeXcel-5140 is a unique single-chip solution that integrates an industry-standard ARMv4-compliant 32-bit RISC processor and security acceleration for best-in-class security, performance and cost advantage.

State-of-the-art security and networking features

The SafeXcel-5140 is designed to provide superior security functionality, performance, and cost advantage to the SME market. While the SafeXcel-5140 provides hardware implementations for 3DES, AES, SHA-1, MD5, random number generation, and public-key acceleration, the SafeXcel-5140 also features packet filtering and flow processing, NAT, NAT-T, NAPT, IPsec and Secure Realtime Transport Protocol (SRTP) processing, as well as SHA-256, AES Galois Counter Mode (GCM), AES-XCBC-MAC-96, and Extended Sequence Numbers.

Line-rate small packet throughput

While existing security-enabled processors can handle large IP packets at reasonable data rates, they often perform very poorly when it comes to processing small packets. The SafeXcel-5140 chip excels at small packet sizes and provides wire-rate, full-duplex T3 throughput (aggregate: 90 Mbit/s) across all packet sizes. This is particularly important as small packets are much more prevalent in Internet traffic than large packets. Furthermore, the share of small packets in Internet traffic is expected to increase even further with applications like VoIP (voice over internet protocol).

Full data plane hardware offload

In traditional security-enabled processors, hardware assist is limited to security modules that perform cryptographic processing under control of the embedded CPU. The SafeXcel-5140 takes a significant step beyond this traditional security offload model. The unique value of the SafeXcel-5140 lies in its capability to fully offload data plane processing up to the IP/IPsec layer to dedicated hardware modules: the microengine-based Packet Filter / Flow Processor modules and the Inline Packet Engine.

On top of superior throughput, full data plane hardware also brings along the advantage of maximized processing headroom on the embedded CPU. In traditional security-enabled communications processors and in dual-chip solutions (consisting of a dedicated CPU and a stand-alone security coprocessor), the CPU needs to perform some level of processing on each packet. This leads to a significant processing load on the CPU. In the SafeXcel-5140 however, the embedded CPU is not involved in processing packets that belong to an existing data flow. This allows the embedded CPU to dedicate its precious cycles to flow setup (using hardware assist) and other processing tasks.

Complete OEM solution for SME security gateways

The SafeXcel-5140 chip leverages SafeNet’s in-depth knowledge and experience in building next-generation VPN solutions by integrating advanced security hardware and software. The unique Packet Filter / Flow Processor and Inline Packet Engine modules are designed leveraging SafeNet’s experience with solutions that consist of SafeXcel hardware coprocessors and SafeNet’s proven QuickSec Unified software toolkits.

Pre-integrated with SafeNet’s leading QuickSec Unified security software, the Enterprise Security Processor enables OEMs to build complete VPN gateways, broadband access devices and home networking equipment, while significantly reducing time-to-market.

Benefits

• Precisely designed for SME applications
• Line rate performance across all packet sizes
• Full data plane offload for IPsec
• Maximized processing headroom on CPU
• Tightly integrated with QuickSec Unified
• Best cost advantage in the market

Features

• Embedded CPU
• ARMv4â-compliant 32-bit RISC
• 450 MHz clock frequency
• 32 Kbyte data cache
• 32 Kbyte instruction cache
• Data Plane Security
• IPsec
• SRTP
• DES, 3DES (ECB, CBC)
• AES (ECB, CBC, CTR)
• AES-Galois Counter Mode
• MD5, SHA-1, SHA-256
• HMAC
• AES-XCBC-MAC-96
• Pseudo Random Number Generation
• Control plane security
• True Random Number Generation
• AES-XCBC-MAC-PRF
• Public Key Acceleration
• IPv4, IPv6 support
• 9KB Jumbo frame support
• NAT, NAT-T, NAP-T support in hardware
• Firewall support in hardware
• Timer
• Interrupt controller
• Realtime clock

Performance

• Data plane: full-duplex 45 Mbit/s throughput for 64-byte packets (aggregate throughput 90 Mbit/s for 64-byte packets)
• SA setup rate: TBD
• Flow setup rate: TBD
• PKA: 96 1024-bit exponentiations/sec, without use of CRT

Interfaces

• PCI-X v1.0b, 66 MHz / 133 MHz,
  32-bit / 64-bit, initiator and target mode,
  Backward-compatible with PCI v2.2 (33 MHz / 66 MHz).
• Flash/SRAM memory
• 32-bit DDR, 150 MHz
Dual MII/GMII
10/100/1000BASE-T MACs
802.11Q VLAN tag update/retrieve
Wake-on-LAN
• UART
• I2C
• 8-pin GPIO
• USB 2.0 On-the-Go

Electrical

• Core voltage: 1.2V
• DDR I/O voltage: 2.5V
• Other I/O voltage: 3.3V / 5V-tolerant
• Power consumption: TBD

Package

• 502-pin BGA