Conventional wisdom has been that general-purpose microprocessors serve mainly in the control plane in communications and networking gear, while FPGAs, application-specific standard products, and ASICs handle packet processing in the data plane. But that has changed over the last few years. Every new generation of microprocessors is more capable of handling real-time packet manipulation. The latest Intel® Architecture (IA) processors based on the Sandy Bridge microarchitecture, for example, can handle more complex applications, such as implementing security algorithms, and support more network ports than prior-generation processors. Networking equipment vendors can capitalize on that performance by offering smaller, lower-cost security appliances with scalable port density.


There are several features in Sandy-Bridge-based processors that can be especially useful in security-centric communication systems. The processors use a new on-chip ring interconnect that links processor cores, caches, and a memory controller. That architecture is an advantage for Intel in that it allows the processor designers to scale designs by adding cores. It also provides greater throughput than prior on-chip interconnects, which is key to performance in communications applications.


The microarchitecture also includes support for ECC (Error Correction Code) memory. Single-bit errors are relatively harmless in personal computing but can be devastating in mission-critical embedded systems in communications, military, medical, and other applications. ECC allows the system to detect and correct soft errors.


Note that not every Sandy Bridge processor includes ECC support, but ones that do are not hard to find. For example, the Intel® Xeon® Processor E2-1225 and E3-1275 support ECC.


A relatively new feature called Intel® Advanced Encryption Standard (AES) New Instructions (AES-NI) can also offer a performance boost in security-centric applications. AES-NI was actually introduced in the second generation of processors based on the Nehalem microarchitecture and is more widely available in the Sandy Bridge lineup.


AES-NI accelerates data encryption functions through the use of new instructions. Intel has said that AES-NI can provide a 3x to 10x performance advantage over pure software-based AES implementations. Third-party benchmarks don’t document quite that great an advantage in terms of how fast the processor executes the encryption algorithm. But AES-NI relieves the processor of that duty, freeing it up for other tasks.


Again, AES-NI support is not in every Sandy Bridge processor. The Xeon processors mentioned above support the technology, and a number of second-generation Intel® Core™ i5 and i7 processors support AES-NI, including the i7-2600 and the i5-2400.


There are two more features in Sandy Bridge that can boost networking performance. The Intel® Advanced Vector Extensions (AVX) single-instruction multiple-data (SIMD) extension that I focused on in a recent blog is primarily targeted at multimedia, but there are some communications-centric functions that can use the SIMD capability. And the second-generation Intel® Turbo Boost Technology 2.0 offers an optimized capability of raising the performance of one core to handle peak demands generated by one task.
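Because AES-NI and AVX are not present on every Sandy Bridge part, appliance software should confirm them at startup before selecting a hardware crypto or SIMD path. The C code below is an added example, not from the original post or from Intel; the `cpu_caps` struct and `decode_caps` function are hypothetical names, and it assumes GCC or Clang with `<cpuid.h>` on an x86 host.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#endif

/* CPUID leaf 1, ECX feature bits as documented in the Intel SDM. */
#define ECX_AESNI   (1u << 25)  /* AES New Instructions present */
#define ECX_OSXSAVE (1u << 27)  /* OS has enabled XSAVE/XGETBV */
#define ECX_AVX     (1u << 28)  /* AVX instructions present */

/* Hypothetical result type for this example. */
struct cpu_caps { int aesni; int avx_usable; };

/* Pure decoder: ecx is CPUID.1:ECX, xcr0 is XGETBV(0); pass 0 if OSXSAVE is clear. */
struct cpu_caps decode_caps(uint32_t ecx, uint64_t xcr0)
{
    struct cpu_caps c;
    c.aesni = (ecx & ECX_AESNI) != 0;
    /* AVX needs the CPU bit, OSXSAVE, and OS-managed XMM (bit 1) and YMM (bit 2) state. */
    c.avx_usable = (ecx & ECX_AVX) && (ecx & ECX_OSXSAVE) && ((xcr0 & 0x6) == 0x6);
    return c;
}

int main(void)
{
#ifdef HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    uint32_t lo = 0, hi = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 1;
    if (ecx & ECX_OSXSAVE)  /* XGETBV faults unless the OS enabled it */
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
    struct cpu_caps c = decode_caps(ecx, ((uint64_t)hi << 32) | lo);
    printf("AES-NI: %s\n", c.aesni ? "yes, use the hardware AES path"
                                   : "no, fall back to software AES");
    printf("AVX:    %s\n", c.avx_usable ? "usable" : "not usable");
#else
    puts("not an x86 build; CPUID is unavailable");
#endif
    return 0;
}
```

Checking the OSXSAVE and XCR0 bits matters because a processor can advertise AVX while the operating system has not enabled saving of the wider register state, in which case AVX instructions fault.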


A number of companies are already offering network appliance platforms based on Sandy Bridge processors, and security is the focus of some of the products. Lanner Electronics*, for example, has the new FW-8770 network appliance that is available with a choice of the quad-core i5 and i7 processors mentioned above. It’s also available with the Intel® Core™ i3-2120 dual-core processor, but that IC does not include AES-NI support.




Lanner ships the product standard in a 1U form factor with 8 Gbit-Ethernet ports that are implemented in the Intel chipset. Design teams can optionally add 8 additional ports via a Lanner Ethernet module while staying within the 1U form factor. Terence Chou, Lanner’s Network Appliance Vice President, said, “When coupled with the 2nd Generation Intel® Core™ processors, the chipset allows the FW-8770 to be our first mainstream appliance with 16 GbE LAN ports. The Intel processors also have new Intel® Turbo Boost Technology 2.0 and power sharing enhancements which help our appliance to have increased performance by dynamically scaling frequency while reducing power consumption.”


Nexcom** offers a similar feature set in its NSA 5130 Network Security Appliances. The platform offers a choice of second-generation Core processors. Nexcom also offers the product in 8- and 16-port versions. There is also space for a 3.5-in hard drive or dual 2.5-in drives. And the platform includes an 8-lane PCIe slot.




What type of security-centric applications are you working with? Have you utilized the AES-NI capability? If so, what level of performance boost is the technology delivering? Please share your experiences with fellow followers of the Intel® Embedded Community via comments.


To view other community content focused on security, see “Security – Top Picks.”


Maury Wright

Roving Reporter (Intel Contractor)

Intel® Embedded Alliance


*Lanner Electronics is an Associate member of the Intel® Embedded Alliance

**Nexcom is an Associate member of the Alliance