Global Sources
EE Times-India
Stay in touch with EE Times India
 
EE Times-India > Embedded
 
 
Embedded  

ISR design with multi-core processors

Posted: 25 Aug 2008     Print Version  Bookmark and Share

Keywords:multi-core processors  ISR  CPU  network processor 

The integrated services router (ISR), also known as universal threat management (UTM) or secure services gateway (SSG), is a trend in network security that converges several discrete functions into one device. It is quickly becoming the single most important security device in many enterprises, particularly in small and medium-size networks.

Figure: A generic embedded multi-core processor can be used for networking.

The ISR may perform a conglomeration of networking and security functions previously provided by multiple specialised devices, acting as a router, firewall/NAT, IPSec VPN, IDS/IPS (intrusion-detection system/intrusion-prevention system), antivirus and content filter. And even more functions are expected to be integrated.

ISR design challenges
But with the desire to consolidate a variety of networking and security functions come some design concerns. The key challenges in designing a family of world-class ISRs include:

- Simultaneous execution of multiple types of data paths with good performance;

-Cost-effectiveness of material and development, enabling a short development cycle;

-Scalability (from small branch office to large head office, for instance) in terms of performance and cost, allowing the design and software to be reused; and

-Effective accommodation of third-party software.

Convergence of data paths
Stringent performance requirements associated with networking equipment make the design of data paths challenging. Because of the divergent functions supported in an ISR, there are three types of data paths: packet header processing in the router and firewall, crypto processing in the IPSec VPN, and content processing: deep-packet inspection (DPI) in the IDS/IPS, antivirus and content filter.

When a packet is received, certain packet header fields are used as keys to look up tables that help determine what to do with the packet. This typically entails adjustment to some packet header fields and encapsulation of the packet in the appropriate data link protocol header, after which the packet is forwarded, possibly with some bandwidth control.

To maximise performance, designers minimise the number of instructions needed to provide the required functions. The cache should be kept warm, and the overhead associated with interrupt processing, context and buffer management should be minimised.

The packet header processing data path is relatively simple. Because of this, it can be (and, indeed, has been) implemented on an ASIC/NPU for high-performance systems. For low- to mid-level performance, the popular implementation uses communications processors.


1 • 2 • 3 Next Page Last Page



Comment on "ISR design with multi-core processor..."
Comments:  
*  You can enter [0] more charecters.
*Verify code:
 
 
Webinars

Seminars

Visit Asia Webinars to learn about the latest in technology and get practical design tips.

 

Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

 
Back to Top