
Overview

Datagram Transport Layer Security (DTLS) is defined in RFC 4347 of the IETF Network Working Group. It provides communications privacy for datagram protocols and allows client/server applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. DTLS is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. DTLS preserves the datagram semantics of the underlying transport; unlike TLS, which must run over a connection-oriented protocol, DTLS is suited to connectionless protocols such as UDP.
The DTLS protocol has two phases of communication. In the first phase the two endpoints negotiate security parameters, including keys, encryption and authentication algorithms, and the session is established. This phase is reliable: the end stations retransmit lost handshake packets using the DTLS handshake protocol. In the second phase data records are transferred, and this is where the bulk of the data moves.

The Posedge DTLS engine performs all the second-phase record layer functions of the DTLS protocol. The engine works at the UDP packet level and applies Layer-5 security individually to every record in the packet. Optionally, the core can be configured for one record per UDP datagram. The engine separates the records in each UDP datagram, adds the epoch and sequence number fields from the SA database, performs HMAC-SHA-1 authentication and data padding, followed by AES-CBC encryption/decryption with a 128-bit key (configurable to support 192- and 256-bit keys). The SA database is updated with the sequence number and related state. On ingress, additional checks for packet validity, sequence number and anti-replay are performed.
The engine fully supports multiple records per packet, with record sizes as small as 2 bytes, and performs complete decryption before the authentication check in order to recover the payload length field.
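As an added illustration (example code, not Posedge's own), this Python sketch mirrors two of the ingress steps described above: splitting the coalesced records out of one UDP datagram using the 13-byte DTLS record header, and the sliding-window anti-replay check of RFC 4347 section 4.1.2.5 over the epoch/sequence-number pair. The datagram, the record sizes and the 64-entry window are constructed for the example; decryption and HMAC verification are left out.

```python
import struct
from dataclasses import dataclass

DTLS_1_0 = 0xFEFF   # DTLS 1.0 version bytes on the wire (RFC 4347)
HEADER_LEN = 13     # type(1) + version(2) + epoch(2) + seq(6) + length(2)

@dataclass
class Record:
    content_type: int
    epoch: int
    seq: int
    body: bytes

def split_records(datagram: bytes) -> list:
    """Separate the coalesced DTLS records carried in a single UDP datagram."""
    records, off = [], 0
    while off < len(datagram):
        if len(datagram) - off < HEADER_LEN:
            raise ValueError("truncated record header")
        ctype, ver, epoch = struct.unpack_from("!BHH", datagram, off)
        seq = int.from_bytes(datagram[off + 5:off + 11], "big")   # uint48
        (length,) = struct.unpack_from("!H", datagram, off + 11)
        body = datagram[off + HEADER_LEN:off + HEADER_LEN + length]
        if ver != DTLS_1_0 or len(body) != length:
            raise ValueError("bad version or truncated record body")
        records.append(Record(ctype, epoch, seq, body))
        off += HEADER_LEN + length
    return records

class ReplayWindow:
    """Sliding-window anti-replay check (RFC 4347 4.1.2.5); epoch||seq is compared as one 64-bit number."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, -1, 0   # bit i of bitmap set => top - i was seen

    def check_and_update(self, epoch: int, seq: int) -> bool:
        n = (epoch << 48) | seq
        if n > self.top:                       # new high-water mark: slide the window right
            shift = n - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = n
            return True
        diff = self.top - n
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False                       # older than the window, or a replay
        self.bitmap |= 1 << diff
        return True

def make_record(ctype: int, epoch: int, seq: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, DTLS_1_0, epoch) + seq.to_bytes(6, "big") + struct.pack("!H", len(body)) + body

def demo() -> list:
    # constructed datagram: two coalesced application_data (23) records, epoch 1, seq 5 and 6,
    # followed by a replayed copy of seq 5, which the window must reject
    dgram = make_record(23, 1, 5, b"ab") + make_record(23, 1, 6, b"cdef") + make_record(23, 1, 5, b"ab")
    win = ReplayWindow()
    return [win.check_and_update(r.epoch, r.seq) for r in split_records(dgram)]
```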

The IP is configurable with respect to the encryption and authentication engines instantiated. In addition, the performance of the Security Engines can be traded with the design size.


Posedge DTLS is easy to integrate into a datapath, with FIFO interfaces for data and AXI/AHB for configuration. The engine has local/remote loopback modes, a test mode for debug and hardware counters for statistics. The engine gates the clock of the crypto engines during IDLE cycles under hardware control. The Posedge DTLS engine works with the DTLS phase-1 software running on a Linux 2.6.23 host, which performs reliable exchange of handshake packets with retransmission.

Features

• Up to 1 Gbps full-duplex throughput and low latency with short packets
• Complete inline processing without software intervention in the datapath
• RFC 4347 compliant
• Flexible number of records per packet
• Configurable number of Security Associations
• AES-128-CBC with explicit Initialization Vector for encryption and decryption
• HMAC-SHA-1 based authentication
• Anti-replay verification on ingress
• MIB counters for DTLS record content types and error statistics
• Supports coalesced DTLS records on ingress
• Configurable per-session behavior (anti-replay, alert generation and handling, receiving/sending multiple DTLS records within the PMTU)
• Debug features such as local/remote loop-back and bypass of packets
• DTLS bypass mode support
• Flow control support
• Security Association carried as part of the Start of Frame Delimiter

Applications

The Posedge-DTLS is suited for a variety of networking applications such as:
• Bump-in-the-wire Layer-5 security in gateways
• Secure Storage Controllers
• Application Layer Security appliances
• Enterprise Class SAN

Benefits

• Independent block to perform DTLS processing
• Easy integration into an existing data path
• Programmable packet and key interface
• Flexible interface support
   • AXI/AHB/APB interface for configuration and statistics collection
   • Configurable FIFO interfaces for the data path, 128b at 250 MHz
• Internal data path is 128b at 250 MHz
• Low gate count and memory size
   • 150K NAND gate equivalents
   • 2 KB for normal Ethernet packets
   • 16 KB for jumbo packet support
• World class customer support

Deliverables

• Fully Synthesizable Verilog RTL
• Architecture Specification
• Self-checking Testbench and Testcases
• ASIC/FPGA Synthesis Scripts
• Integration Manual
• Software Drivers

Tech Specs

    Part Number: Posedge-DTLS
    Short description: Posedge-DTLS engine
    Provider: Posedge Inc
    Portability: ASIC, FPGA, Structured ASIC
    Type: Soft
    Maturity: FPGA Implementation
    Availability: Now
    FPGA Technology: Xilinx Virtex-5 LX
© 2011 Posedge. All Rights Reserved.