Abstract
Bandwidth-intensive applications compete directly with the operating system’s network stack for CPU cycles. This is particularly true when the stack performs security protocols such as IPsec; the additional load of complex cryptographic transforms overwhelms modern CPUs when data rates exceed 100 Mbps. This paper describes a network-processing accelerator which overcomes these bottlenecks by offloading packet processing and cryptographic transforms to an intelligent interface card. The system achieves sustained 1 Gbps host-to-host bandwidth of encrypted IPsec traffic on commodity CPUs and networks. It appears to the application developer as a normal network interface, because the hardware acceleration is transparent to the user. The system is highly programmable and can support a variety of offload functions. A sample application is described, wherein production-quality HDTV is transported over IP at nearly 900 Mbps, fully secured using IPsec with AES encryption.
This work is supported by the DARPA Information Technology Office (ITO) as part of the Next Generation Internet program under Grants F30602-00-1-0541 and MDA972-99-C-0022, and by the National Science Foundation under grant 0230738.
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bellows, P., Flidr, J., Gharai, L., Perkins, C., Chodowiec, P., Gaj, K. (2003). IPsec-Protected Transport of HDTV over IP. In: Y. K. Cheung, P., Constantinides, G.A. (eds) Field Programmable Logic and Application. FPL 2003. Lecture Notes in Computer Science, vol 2778. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45234-8_84
DOI: https://doi.org/10.1007/978-3-540-45234-8_84
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40822-2
Online ISBN: 978-3-540-45234-8
eBook Packages: Springer Book Archive