Integrated Cryptographic and Compression Accelerators on Intel

SOLUTION BRIEF
Intel® QuickAssist Technology
Integrated Cryptographic and Compression Accelerators on Intel® Architecture Platforms
High performance, scalability, and ease of use allow network device manufacturers
to dramatically decrease development time.
Workload Acceleration Challenges
Demands on cloud and network equipment are escalating at a breakneck pace, driving the need to deliver ever higher levels of traffic throughput and security. To keep up with market requirements, network equipment manufacturers often accelerate compression and cryptographic workloads using commercially available add-in cards, whose performance can be time consuming to optimize using scarce programming resources. Developers preferring to use open source software, like OpenSSL* or IPsec, may find that accelerator card vendors either deviate from open source APIs, hindering software portability, or are slow to respond to API updates, thus delaying support for new features.
Built-in Acceleration
With Intel QuickAssist Technology, Intel is making it easier for equipment manufacturers to deliver high-performance compression and cryptography on devices deployed in wireless, telecom, cloud, data centers, and enterprise systems. The technology is integrated in a family of pin-compatible Intel® chipsets that deliver scalable crypto performance, from 0 to 50 Gbps, via on-chip hardware accelerators. Additionally, crypto accelerators are available on select members of the Intel® Atom™ processor C2000 product family, which makes these system-on-chip (SoC) solutions ideal for entry-level network equipment. The compression and cryptography performance of these products is shown in Table 1.¹
KEY BENEFITS
High performance – on par with or better than leading crypto co-processors
Scalability – from 0 to 50 Gbps of crypto performance
Ease of use – different integration paths to software applications via patches or kernel changes
Flexibility – accelerate open-source or proprietary implementations
Future proof – application code stays the same as technology evolves
This solution brief provides an overview of the integrated cryptographic and compression accelerators available on select
Intel® architecture platforms, and is one in a series of five briefs describing how to maximize the benefits from Intel®
QuickAssist Technology. Please see the Resources section for links to the series.
Versions 8900 to 8955: Intel® Communications Chipset 89xx Series. Version C2738: Intel® Atom™ processor.

Version                                          8900   8903   8910   8920   8925   8955   C2738
Intel® QuickAssist Technology Capability (Gbps)  None   5G     10G    20G    25G    50G    10G
IPsec (Gbps)                                     N/A    5G     10G    20G    25G    43G    7G
SSL (Gbps)                                       N/A    5G     10G    20G    25G    49G    7G
Compression (Gbps)                               N/A    3G     5G     8G     12G    24G    N/A
RSA Decrypt 1k-bit key (ops/sec)                 N/A    12K    24K    28K    100K   190K   13K

Rows with fewer values than columns, values in page order:
Kasumi*/Snow3G* (Gbps): N/A, 24G, 1G, 10G
RSA Decrypt 2k-bit key (ops/sec): N/A, 5K, 20K, 40K, 2K
Package: FCBGA1283; FCBGA: 27mm x 27mm BGA

Table 1. Results from Compression and Cryptography Performance Testing¹
Open Source Software Support
Intel QuickAssist Technology supports the open source frameworks and applications shown in Table 2, accelerating cryptography and data compression workloads. The use of open frameworks enables application developers to benefit from the acceleration technology with minimal software development effort.

Workload          Open Source Framework                                        Open Source Applications
Cryptography      OpenSSL* libcrypto; Linux* Kernel Crypto API (scatterlist)   IPsec (NETKEY); Apache*
Data Compression  zlib                                                         File Compression (minigzip)

Table 2. Supported Workloads and Open Source Frameworks and Applications
Ease of Use
With minor changes to a software build, developers can significantly boost performance of the open-source frameworks listed in Table 2 using Intel QuickAssist Technology. Software developers just need to add Intel-developed Linux* Kernel patches or Open Source Framework patches – available at no cost – to attain around an order of magnitude (e.g., ten-fold) performance improvement.¹ Even higher performance levels can be achieved by equipment manufacturers when their network applications (in Linux user-space or kernel-space) communicate directly with the built-in accelerators through the highly-extensible API. Figure 1 depicts the symmetric cryptography, public key, and compression/decryption hardware accelerators present on an Intel® processor-based platform with Intel QuickAssist Technology.
These accelerators can be accessed by proprietary applications, or open-source functions and OS libraries via the Intel QuickAssist Technology API. The available patches and Linux kernel changes are designed to increase portability and performance.
Figure 1. Accessing Intel® QuickAssist Technology Accelerators
[Figure 1 labels: Application Layer (Proprietary; Open Source, e.g., IPSec, Apache*); Functions/OS Libraries (gZip (zLib), OpenSSL* (libcrypto), NetKey (LKCF)); Intel-developed patches and kernel changes; Drivers; Intel® QuickAssist Technology API; Symmetric Cryptography; Public Key Functions; Compression/Decryption; Optimized Software; Intel® Processor-based Platform. Legend: Intel Drivers, Patches etc.; Software-only; Hardware accelerated.]
Hardware Options
Intel QuickAssist Technology is available in two different form factors: chipsets and server accelerator cards. For the lowest cost, power, and board footprint, the Intel® Communications Chipset 89xx series can be paired with the Intel® Xeon® processor E5-2600 v2 product family, or a two- or four-core Intel processor in a BGA package. The recently launched Intel® Communications Chipset 8950 improves the crypto acceleration performance by 2.5 times over the Intel® Communications Chipset 8920 and accelerates compression workloads by up to 20 Gbps. All Intel Communications Chipset 89xx series are pin compatible, so a common board design can be configured from no crypto (Intel® Communications Chipset 8900) to 50 Gbps crypto acceleration performance (Intel Communications Chipset 8950).
Additionally, Intel offers Intel QuickAssist Technology Server Accelerator Cards (Figure 2), which plug into a PCI Express* Gen 3 x8 slot on existing servers based on the Intel Xeon processor E5-2600 v2 and Intel® Xeon® processor E5-2400 product families. Since most servers have an available x8 slot, these accelerator cards are typically easier to deploy than other accelerator cards that require the less common PCI Express Gen 2 x16 slot. Two server accelerator cards are available:
• Intel® QuickAssist Adapter 8920-SCC: up to 20 Gbps crypto acceleration performance
• Intel® QuickAssist Adapter 8950-SCCP: up to 50 Gbps crypto acceleration performance
Since these accelerator boards are based on the same technology as the Intel Communications Chipset 89xx series, they are low power and do not require active heat sinks.
Figure 2. Intel® QuickAssist Technology Server Acceleration Card
Future Proof
Applications can use the Intel QuickAssist Technology API to communicate directly with acceleration hardware, providing the highest performance. Alternatively, applications can call the associated open source APIs, which will use either Intel-developed patches (for platforms containing hardware acceleration with Intel QuickAssist Technology) or software optimizations based on the latest Intel instruction set architectures. In other words, application code calling an open-source framework (e.g., OpenSSL) remains the same regardless of whether the acceleration is provided by a software module or a hardware accelerator on the platform. Likewise, application code does not have to change as technology evolves (e.g., a new encryption feature) since the Intel QuickAssist Technology API will maintain backward-compatibility, thereby future-proofing equipment manufacturer software.
Flexible Workload Acceleration on Intel® Architecture
As the complexity of networking and security applications grows, more systems will need to offload cryptography and data compression workloads, making more CPU cycles available for other functions, like deep packet inspection (DPI) and traffic management. Intel QuickAssist Technology offers a high level of flexibility with optimized support via shims for both open source and proprietary implementations of these functions. Moreover, the high performance, scalability, and ease-of-use benefits derived from Intel QuickAssist Technology allow equipment manufacturers to shorten their time to market for next-generation network devices.
Resources
Solution Brief Series: Intel® QuickAssist Technology
Part 1: Integrated Cryptographic and Compression Accelerators on Intel® Architecture Platforms
Part 2: Bridging Open Source Applications and Intel® QuickAssist Technology Acceleration
Part 3: Accelerating OpenSSL* Using Intel® QuickAssist Technology
Part 4: Accelerating Hadoop* Applications Using Intel® QuickAssist Technology
Part 5: Scaling Acceleration Capacity from 5 to 50 Gbps Intel® QuickAssist Technology
Intel® QuickAssist Technology
Cryptographic and Compression Acceleration
For more information about Intel QuickAssist Technology, visit
http://www.intel.com/content/www/us/en/io/quickassisttechnology/quickassist-technology-developer.html
¹ Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel® products as measured by those tests. Any difference in system hardware or software design or configuration, as well as system use patterns including wireless connectivity, may affect actual test results and ratings.
Copyright © 2013 Intel Corporation. All rights reserved. Intel, the Intel
logo, and Xeon are trademarks of Intel Corporation in the United
States and/or other countries.
*Other names and brands may be claimed as the property of others.
Printed in USA MS/VC/1113 Order No. 329879-001US
• Symmetric cryptography functions include cipher operations (AES, DES, 3DES, ARC4); wireless (Kasumi, Snow 3G); hash/authenticate operations (SHA-1, MD5; SHA-2 [SHA-224, SHA-256, SHA-384, SHA-512]); authentication (HMAC, AES-XCBC, AES-CCM); AES-XTS (Intel® Communications Chipset 8925 and Intel® Communications Chipset 8950 only); and random number generation.
• Public Key functions include RSA operation; Diffie-Hellman operation; digital signature standard operation; key derivation operation; elliptic curve cryptography (ECDSA and ECDH); random number generation; and prime number testing.
• Compression/decompression include DEFLATE (Lempel-Ziv 77) and LZS (Lempel-Ziv-Stac).