Global Sources
EE Times-India
Stay in touch with EE Times India
EE Times-India > Embedded

ISR design with multi-core processors

Posted: 25 Aug 2008     Print Version  Bookmark and Share

Keywords:multi-core processors  ISR  CPU  network processor 

The IPSec VPN data path, a second data path through the system, requires packet header processing with the addition of CPU-intensive cryptographic computation. A cryptographic accelerator is typically used to process these intensive computations, except in systems providing modest performance. For higher performance, an accelerator capable of single-pass operation for encryption and hashing is desirable. With the same hardware, vastly different system performance can result, depending on the software used.

The third data path through the ISR focuses on content processing, also known as deep-packet inspection. Application protocol and content processing is complex, requiring more code space than packet processing in the router, firewall and IPSec data paths. And instead of processing fixed-location packet header fields, an unanchored search of regular-expression (regex) patterns anywhere in the packet stream must be used.

Such complex functions can realistically be implemented only with general-purpose CPUs that have a rich instruction set, rather than fast NPU cores with limited instruction sets and code space. Attaining an acceptable degree of performance requires the availability of enough CPU cycles to execute the required instructions. A large cache is typically needed to enable efficient use of CPU cycles, especially when dealing with a large number of flows and complex code.

However, even a general-purpose CPU is not enough for systems requiring high deep-packet inspection performance. If software alone is leveraged to perform this complex inspection, system performance becomes unsatisfactory.

A hardware pattern matcher with regex capability can greatly accelerate unanchored searches. In addition to high scan performance, the support of fast, incremental, live signature updates is vital.

Third-party app software
Routing, firewall and IPSec VPN are relatively mature technologies. Established networking vendors likely already have field-proven implementations their customers know and trust. Each vendor naturally wants to build the new ISR by adding functions to its existing implementation.

Content-aware security functions are relatively new and may not be the core competency of routing/firewall/VPN vendors. Looking farther into the future, applications beyond content security, such as VoIP and network storage, are prime candidates for further integration into the platform. Software implementation of the new functions may come from a partner, the open source community or a separate part of the vendor organisation. It is highly desirable to have a platform design that enables easy incorporation and efficient operation of third-party software while separating the new and the old for easy fault isolation and rapid development.

It is now possible to incorporate multiple general-purpose CPU cores as well as cryptographic and regex pattern-matching accelerators in a single system on chip (SoC) within an embedded power budget. Such multi-core SoCs have the potential to meet all ISR design challenges effectively:

-"Simple" router, firewall and VPN data paths: Reasons for using a hard-to-develop and hard-to-maintain ASIC or network processor have disappeared. Multiple general-purpose CPU cores provide the CPU cycles required for high performance without sacrificing ease of development and maintenance.

-High-performance deep-packet inspection: General-purpose CPU cores (instead of simple cores in network processors) mean it is now easier to develop and maintain software for complex content-security data paths involving DPI. Using multiple such cores makes CPU cycles available for the high-speed execution of the complex code. The availability of integrated regex pattern-matching hardware further accelerates DPI operation.

-Integration for cost competitiveness: Like communications processors, multi-core embedded processors have all important processing and I/O elements integrated into the SoC, enabling cost-effective systems with simple designs.

-Ease of scalability: Multiple cores, each supporting a range of frequencies, simplify scaling considerably. The same design and software can be reused for a product line of systems, ranging in performance from low to high, by using processors with different numbers of cores and different frequencies.

-Third-party software mixing and mingling: In a mixed environment running a vendor's own proprietary networking software and third-party application software, separate processor(s) can be used to provide CPU cycles with isolation. Furthermore, different operating systems appropriate for the applications used can be put to work on different CPU cores.

 First Page Previous Page 1 • 2 • 3 Next Page Last Page

Comment on "ISR design with multi-core processor..."
*  You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.


Go to top             Connect on Facebook      Follow us on Twitter      Follow us on Orkut

Back to Top