Product Attributes

Using FPGAs as traffic processors for network security

Traffic to and from security devices (firewalls) is encrypted at multiple levels, and L2 encryption/decryption (MACSec) is processed at the link layer (L2) network nodes (switches and routers). Processing beyond the L2 (MAC layer) typically includes deeper parsing, L3 tunnel decryption (IPSec), and encrypted SSL traffic with TCP/UDP traffic. Packet processing involves the parsing and classification of incoming packets and the processing of large traffic volumes (1-20M) with high throughput (25-400Gb/s).

Due to the large number of computing resources (cores) required, NPUs can be used for relatively higher speed packet processing, but low latency, high-performance scalable traffic processing is not possible because traffic is processed using MIPS/RISC cores and scheduling such cores based on their availability is difficult. The use of FPGA-based security appliances can effectively eliminate these limitations of CPU and NPU-based architectures.

Application-level security processing in FPGAs

FPGAs are ideal for inline security processing in next-generation firewalls because they successfully meet the need for higher performance, flexibility, and low-latency operation. In addition, FPGAs can also implement application-level security functions, which can further save computing resources and improve performance.

Common examples of application security processing in FPGAs include

- TTCP offload engine

- Regular expression matching

- Asymmetric encryption (PKI) processing

- TLS processing

Next-generation security technologies using FPGAs

Numerous existing asymmetric algorithms are vulnerable to compromise by quantum computers. Asymmetric security algorithms such as RSA-2K, RSA-4K, ECC-256, DH, and ECCDH are the most affected by quantum computing techniques. New implementations of asymmetric algorithms and NIST standardization are being explored.

Current proposals for post-quantum encryption include the Ring-on-Error Learning (R- LWE) method for

- Public Key Cryptography (PKC)

- Digital signatures

- Key creation

The proposed implementation of public key cryptography includes certain well-known mathematical operations (TRNG, Gaussian noise sampler, polynomial addition, binary polynomial quantifier division, multiplication, etc.). FPGA IP for many of these algorithms is available or can be efficiently implemented using FPGA building blocks, such as DSP and AI engines (AIE) in existing and next-generation Xilinx devices.

This white paper describes the implementation of L2-L7 security using a programmable architecture that can be deployed for security acceleration in edge/access networks and next-generation firewalls (NGFW) in enterprise networks.