The GRIP project will employ an FPGA-based PCI accelerator board as a high-performance
Gigabit Ethernet host interface with programmable IPsec acceleration. This card, called SLAAC-1V, has been
developed under the DARPA Adaptive Computing Systems (ACS) program. The GRIP
project will add the gigabit I/O functionality and programming required for gigabit-rate
IPsec processing. COTS workstations, running FreeBSD or Linux operating
systems, will be equipped with the GRIP hardware accelerators. Standard
versions of these operating systems will be modified to take advantage of
the hardware-based crypto processing. These modifications
will include kernel and protocol stack changes for the IPsec protocol, implementation of
techniques to increase the speed of security policy database lookups, and modifications to
compensate for the resource bottlenecks that limit system performance. In addition, an Application
Programming Interface (API) will be developed to allow applications to utilize these features.

From the workstation perspective, the SLAAC-1V board will appear to be a standard Gigabit
Ethernet host adapter with additional capabilities. The IPsec accelerator will encrypt outgoing
packets and decrypt incoming packets on behalf of the host processor. The accelerator will
initially support DES and 3DES standards for encryption and MD5/SHA-1 algorithms
for authentication. Other encryption algorithms, such as the five
Advanced Encryption Standard (AES) candidates, will be incorporated as drop-in encryption
modules. The IPsec accelerator will also provide dedicated hardware assist for other
processor-intensive functions such as transport layer checksums and cached SPD/SPDB
lookups. Since the chief bottleneck of the system is the PCI bus, the IPsec accelerator will
use a custom DMA engine to directly scatter and gather packets to/from host memory, thus
eliminating unnecessary bus copies. Packets will be processed from the fast synchronous
SRAM caches onboard the IPsec accelerator before they are delivered to host memory or
the Gigabit Ethernet interface. In order to sustain a bandwidth of one gigabit per second, the
IPsec accelerator will process multiple packets in parallel and will interleave processing with
I/O. Multiple crypto sessions with different keys and even different algorithms will be
processed in parallel. Using the advanced partial runtime reconfiguration capabilities of
Virtex FPGAs, the IPsec accelerator will support dynamic "paging" of different encryptor
modules to adapt to the current set of active sessions. GRIP will also integrate recently
developed DES (and soon AES) algorithm cores for Virtex that exploit partial hardware
evaluation, which promise a bandwidth of 10.7 Gigabits/sec.