SLIDE 1

Introduction Previous Work Methodology Results Summary

Efficient Hardware Accelerator for IPSec based on Partial Reconfiguration on Xilinx FPGAs

Ahmad Salman Marcin Rogawski Jens-Peter Kaps

Cryptographic Engineering Research Group (CERG) http://cryptography.gmu.edu Department of ECE, Volgenau School of Engineering, George Mason University, Fairfax, VA, USA

Int. Conference on ReConFigurable Computing and FPGAs, ReConFig 2011

SLIDE 2

Outline

1. Introduction
2. Previous Work
3. Methodology
4. Results
5. Summary

SLIDE 3

Introduction

Internet Protocol Security (IPSec) provides security against attacks on data transmitted over the Internet. It provides:

  • Authentication → Information Source
  • Confidentiality → Encryption
  • Data Integrity → Data alteration

SLIDE 4

Supported Protocols

IPSec uses a series of protocols to provide security services:

  • The Encapsulating Security Payload (ESP) Protocol.
  • The Authentication Header (AH) protocol.
  • The Internet Key Exchange (IKEv2) protocol in version two.

These protocols make use of various cryptographic algorithms.

SLIDE 5

Supported Protocols

| Protocol | Security Service Provided | Supported Algorithm |
|---|---|---|
| ESP | confidentiality through encryption and optional data integrity | AES in CBC or CTR mode and AES-XCBC-MAC-96 |
| AH | connectionless integrity and data origin authentication | HMAC-SHA1-96, AES-XCBC-MAC-96, HMAC-SHA-256 |
| IKE | negotiates connection parameters | Diffie-Hellman scheme in 1024 or 2048 bits groups and AES in PRNG mode |

Table: IPSec Supported Protocols and Algorithms

SLIDE 6

IPSec Implementations

Software Hardware

SLIDE 7

IPSec Implementations

Software ← Flexible Fast → Hardware

SLIDE 8

FPGA Platforms

Among popular implementations of IPSec in hardware are those that target FPGAs.

Problem

  • Resource limited devices.
  • More resources = more money.

SLIDE 9

FPGA Platforms

Among popular implementations of IPSec in hardware are those that target FPGAs.

Problem

  • Resource limited devices.
  • More resources = more money.

Solution

  • Hardware/Software co-design.
  • Partial Reconfiguration.

SLIDE 10

Implementations using Partial Reconfiguration

| Authors | Embedded Processor | Hardware | Software | Implementation |
|---|---|---|---|---|
| G. Gogniat et al. | No | AES in Different modes | No | IPSec |
| I. Gonzales et al. | Microblaze | AES, RC4, IDEA | PR Initiation | VOIP SSL |
| I. Gonzales et al. | Microblaze | 3DES, AES | MD5 | SSH |
| K. Anjo, T. Awashima | DPR-1 | AES, DES, CAST128,256, MD5 | HMAC | IPSec |

SLIDE 11

Other Implementations

| Author | Implementation | Hardware | Software | Application |
|---|---|---|---|---|
| A. Dandalis, V. Prasanna | AES Finalists | MARS, RC6, Rijndael, Serpent, Twofish | No | IPSec |
| KAME Project | IPSEC Supported Algorithms | No | Racoon | IPSec |
| J. Lu, J. Lockwood | AES, HMAC-MD5, HMAC-SHA1 | AES, HMAC-MD5, HMAC-SHA1 | Key Negotiation | IPSec |
| Commercial Products | FortiGate, Helion Crypto Accelerator 4000 | | | IPSec SSH HTTPS |

SLIDE 12

Proposed Design

Table: Hardware-Software co-design implementation details of proposed IPSec system

| Implementation In Hardware | Implementation In Software | Application |
|---|---|---|
| AES | CBC, CTR modes | ESP |
| | MAC-XCBC-96 | AH |
| | XCBC-PRF-128 | IKEv2 |
| SHA-256 | HMAC | AH |
| MODEXP | Pre-Calculations | IKEv2 |

  • Round Robin

PR trigger scheduling algorithm

SLIDE 13

[Figure: Synchronization Circuit Between Hardware and Software. Labels: Network, Queues (ESP Queue, AH Queue, IKEV2 Queue), Output Queue, Status, Scheduling Algorithm, IPSec coprocessor.]
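
Added example (not the authors' code): a C model of round-robin scheduling with PR triggers over the ESP, AH and IKEv2 queues, reporting how the time-slot length trades the number of reconfigurations against buffering time. It assumes a single PRR holding one RM at a time, one RM per queue (ESP→AES, AH→SHA256, IKEv2→MODEXP, a subset of the proposed-design table), and constructed job counts and timings.

```c
#include <stdio.h>

/* Assumed mapping (not from the slides): each queue needs exactly one RM. */
enum rm { RM_NONE = -1, RM_AES, RM_SHA256, RM_MODEXP };
enum { Q_ESP, Q_AH, Q_IKEV2, Q_COUNT };
static const enum rm needed_rm[Q_COUNT] = { RM_AES, RM_SHA256, RM_MODEXP };

struct sched_result {
    unsigned reconfigs;   /* PR triggers issued */
    unsigned busy_us;     /* time the loaded RM spent processing jobs */
    unsigned pr_us;       /* time spent reconfiguring the PRR */
    unsigned max_wait_us; /* longest gap a queue spent buffering before service */
};

/* Round robin over the three queues; each visit serves at most `slot` jobs.
   The single PRR holds one RM, so a visit that needs another RM triggers PR. */
struct sched_result run_round_robin(const unsigned in[Q_COUNT], unsigned slot,
                                    unsigned job_us, unsigned pr_us)
{
    struct sched_result r = { 0, 0, 0, 0 };
    unsigned pending[Q_COUNT], last_end[Q_COUNT] = { 0 }, now = 0, left = 0;
    enum rm loaded = RM_NONE;
    if (slot == 0) return r;                 /* a zero slot would never drain */
    for (int q = 0; q < Q_COUNT; q++) { pending[q] = in[q]; left += in[q]; }
    for (int q = 0; left > 0; q = (q + 1) % Q_COUNT) {
        if (pending[q] == 0) continue;       /* empty queue: skip, no PR */
        if (loaded != needed_rm[q]) {        /* PR trigger */
            loaded = needed_rm[q];
            r.reconfigs++; r.pr_us += pr_us; now += pr_us;
        }
        if (now - last_end[q] > r.max_wait_us) r.max_wait_us = now - last_end[q];
        unsigned n = pending[q] < slot ? pending[q] : slot;
        pending[q] -= n; left -= n;
        r.busy_us += n * job_us; now += n * job_us;
        last_end[q] = now;
    }
    return r;
}

int main(void)
{
    const unsigned jobs[Q_COUNT] = { 8, 4, 2 };  /* constructed workload */
    for (unsigned slot = 2; slot <= 8; slot *= 4) {
        struct sched_result r = run_round_robin(jobs, slot, 10, 100);
        printf("slot=%u reconfigs=%u pr_us=%u busy_us=%u max_wait_us=%u\n",
               slot, r.reconfigs, r.pr_us, r.busy_us, r.max_wait_us);
    }
    return 0;
}
```

With this constructed workload, a slot of 2 jobs costs 6 reconfigurations and a slot of 8 costs 3, while the longest buffering gap grows from 340 µs to 420 µs.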

SLIDE 14

Partial Reconfiguration

  • Partial Reconfiguration (PR) is a process of configuring a portion of the FPGA while the other part is still running.
  • A relatively new technique
      • Altera Stratix V.
  • A PR system is divided into
      • Static region known as Base Region (BR).
      • Dynamic regions known as Partial Reconfigurable Regions (PRR).
      • Reconfigurable Modules (RMs)

SLIDE 15

Partial Reconfigurable Hardware in the System

[Figure: block diagram. Labels: Embedded Processor (MB), IPsec Coprocessor (PRR), AES (RM), SHA256 (RM), MODEXP (RM), On-chip Peripheral Bus (OPB), Internal Configuration Access Port (ICAP), External Memory.]

SLIDE 16

Hardware/Software Synchronization Circuit

[Figure: circuit diagram. Labels: Microblaze, OPB, Software Input Reg, Software Output Reg, RD_ACK, WR_ACK, IPSec Co-Processor, data_in, data_out (32-bit paths), src_ready, src_read, dst_ready, dst_write, two flip-flops (FF) with in, out and rst, CLK, RST.]

SLIDE 17

System Software

  • Drivers for the hardware peripherals.
  • Internal Configuration Access Port (ICAP) API initialization.
  • Modes of Operations.
      • Cipher Block Chaining (CBC) mode.
      • Counter (CTR) mode.
  • Hashed Message Authentication Code (HMAC) Calculation Pre-Computations.

SLIDE 18

Experiment Methodology

  • Implementation of individual cryptographic algorithms in non-PR designs.
  • Creation of the PR design with all three algorithms.
  • Assign tasks to the system processor through the scheduler.

SLIDE 19

PR Implementation Results

Table: Summary for Implementations on XC4VFX12 Virtex-4 FPGA

Device Utilization Summary. Values per row are "Used" counts, in column order: PR Design Static, PR Design Dynamic, Non-PR Design.

Resource Logic:
  • Number of Slices: 1588, 2148, 5506
  • Number of Slice Flip Flops: 1566, 1008, 3906
  • Number of 4 input LUTs: 2059, 3600, 8140
  • Number of DSP48: 3, 3
  • Number of FIFO16/RAMB16s: 33

SLIDE 20

Utilization Percentage

[Figure: PR Design Utilization: 29% Static, 39% Dynamic, 32% Unused.]

[Figure: Full Design Implementation: V4FX12 Resource Percentage for Slices, FlipFlop, 4 Input LUTs and DSP48.]

SLIDE 21

Independent Cores Implementations

Table: Summary for Implementations on XC4VFX12 Virtex-4 FPGA

Device Utilization Summary, implementations for each core independently. Values per row are "Used" counts, in column order: AES, SHA-256, MODEXP.

Resource Logic:
  • Number of Slices: 1862, 952, 499
  • Number of Slice Flip Flops: 807, 1008, 421
  • Number of 4 input LUTs: 3600, 1632, 861
  • Number of DSP48: 3
  • Number of FIFO16/RAMB16s:

SLIDE 22

Dynamic Region Utilization

[Figure: Utilization for each core independently. Dynamic Region Percentage for Slices, Flip Flops, 4 input LUTs and DSP48; series: AES, SHA256, MODEXP.]

SLIDE 23

AES Throughput in a PR design

| Work | AES Throughput [MB/S] |
|---|---|
| A. Dandalis and V. Prasanna | 353 |
| Y. Hasegawa et al. | 363 |
| G. Gogniat et al. | 422 |
| Our Design | 711 |

Table: Comparing our AES throughput to other implementations

SLIDE 24

ESP Time-Slot

[Figure: timing diagram of Bits Buffered over Time, with labels PR, ESP time slot, Processing time, Buffering time and PR IKEV2.]

[Figure: Throughput [Mb/s] and Buffer Size [Mb] plotted against ESP Time Till PR [s], with the Maximum Throughput marked.]

SLIDE 25

System Latency Vs Throughput

[Figure: System latency versus throughput; axis label: Throughput [Mb/s].]

SLIDE 26

Conclusion

  • The proposed design provides a low cost solution for IPSec in Hardware.
  • A scheduling algorithm was used to handle task assignments.
  • Benefits of implementing IKEV2 as RM.
  • Results show that the design performs well with high traffic networks.

SLIDE 27

Future Work

  • Implementing the design on faster FPGA families.
  • Use new tools.
  • Extending the number of supported algorithms.
  • Implementing the AES core as part of the static region.

SLIDE 28

Thanks for your attention.
