IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 1 Product Brief Intel(R) IXP2855 Network Processor Packet and Content Processing with Robust Security Features in a Single High-Performance Chip Product Highlights * Packet and content processing with robust security features in a single component reduces system cost by eliminating need for multiple devices * Integrated cryptography engines provide hardware intel.com/go/ networkprocessors acceleration of multiple algorithms--including DES, 3DES, AES, and SHA-1--performing IPSec encryption/decryption up to 10 Gbps * Fully programmable, flexible network processor architecture enables optimization of additional algorithms and protocols to support IPSec, TCP, and SSL application environments * Cryptography engines support interleaving and processing of frames "on-the-fly" to enable processing of protected content for multi-Gigabit streams or single 10 Gbps connections * Integrated design helps minimize board real estate, power and memory requirements * Software- and pin-compatible with Intel(R) IXP28XX product line of network processors, preserving customer investments and enabling evolution of current IXP28XX-based boards and systems * Software building blocks, application kits, and specialized support services help to reduce development efforts and speed time-to-market * Consistent development environment provides a comprehensive set of simulation, profiling, and debugging capabilities for faster prototyping IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 2 Product Overview * IPSec/TCP termination and off-load functionality in networked storage applications As communications networks continue to evolve, service providers are eager to take advantage of emerging capabilities * Content-aware load balancing in networked appliances, such to offer new value-added services to their customers while, at as web switches, intrusion detection systems, and firewalls. the same time, closely manage the costs incurred for these upgrades. This continually evolving network service profile has Intel(R) IXP2XXX Product Line Architecture enabled service providers to expand business models beyond basic bandwidth provisioning and deliver deeper content-based The Intel IXP2855 network processor builds on and extends services including protected web management, secure content Intel's fully programmable, high-performance IXP28XX processing, and intrusion detection and prevention. In ever- product line architecture by providing robust security expanding applications such as Virtual Private Networks (VPNs) acceleration on-chip. It implements the same store-and- and e-Commerce, the ability to provide data integrity and forward design, including 16 multi-threaded microengines in the protected access is increasingly critical. data plane, combined with a high-performance Intel XScale(R) core for control plane functions. In addition, the IXP2855 Traditional architectures have addressed network security by integrates two cryptography blocks that provide hardware adding a coprocessor or in-line security processors. However, acceleration of popular encryption and data integrity algorithms. as data rates increase, the coprocessor approach reaches practical limitations. While in-line security processors are capable Tight coupling of the cryptography elements with data plane of scaling to higher data rates, in order to do so they must processing elements and memory subsystems means perform many of the same functions as a network processor a developer can take full advantage of the parallelism and but with the limited flexibility inherent in "wired" hardware-based latency benefits of Intel's network processor architecture. designs. By providing integrated cryptography and security, As a result, security processing can be executed as pipeline and high-bandwidth processing capability within a single chip, stages within the multi-threaded IXP2855 architecture. This it becomes possible to provide protected network traffic at up to enables in-line encryption/decryption and hashing to occur as 10 Gbps, allowing developers a broad spectrum of possibilities packets are transmitted or received for increased performance. to create content-aware processes and security appliances. Based on an IP packet size of 40-byte clear text, the cipher path executes over 25 million encryptions per second, plus 11 million The Intel(R) IXP2855 network processor delivers high-performance HMAC-SHA-1 operations per second, sufficient to saturate an packet and content processing with robust security features in a aggregate 10 Gbps IPSec Ethernet link. single chip. By integrating capabilities that have typically required multiple specialized processors, the Intel IXP2855 provides a Within the IXP2855, the two cryptography blocks utilize the cost-effective, security-enabled platform for a broad range of same robust bus structures and communication processes as emerging applications. the microengines, a feature that allows efficient sharing of data and state information throughout the processing pipeline. In addition, multiple independent DRAM and SRAM channels Target Applications provide the capacity for large numbers of security associations Many different application trends are driving the need for at 10 Gbps IPSec wire rates. The IXP2XXX product line design high-performance secure content processing. Enterprise compatibility also extends to the integrated Intel XScale core, networks have moved from dedicated internal connections to which can be used to execute security-related session setup firewall protected VPNs. Applications for e-Commerce must protocols such as Internet Key Exchange (IKE), in addition to support protected web browsing, while distributed server and other general-purpose code. Finally, the PCI bus interface storage applications require secure mechanisms for data included in all members of the IXP2XXX product line enables exchanges. In addition, cost efficiencies and performance specialized processors to be incorporated into line card designs requirements are fostering a migration of these applications as needed to support requirements such as high-performance from computing platforms to communications products. public key computations. These development opportunities include: * Appliance blades for bulk cryptography and TCP offload in infrastructure switches, routers, and servers 2 IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 3 Cryptography Blocks Each core operates independently, allowing simultaneous processing of multiple protected packets within each block. Each of the two identical cryptography blocks in the IXP2855 In addition, the ability to load cryptography keys while a block network processor includes two 3DES/DES (Data Encryption is simultaneously processing packets enables the network Standard) cores and one AES (Advanced Encryption Standard) processor to support large numbers of sessions. Packet core for packet encryption/decryption, in addition to two SHA-1 encryption/decryption and state information such as keys, (Secure Hash Algorithm) cores for data authentication. Both initialization vector, and authentication state are maintained blocks support Electronic Code Book (ECB) and Cipher Block within the cryptography blocks. By processing data blocks as Chaining (CBC) cipher modes for maximum application flexibility. they arrive, the cryptography elements enable processing of The AES cores support encryption/decryption using 128-bit, protected content "on-the-fly," while eliminating the need to 192-bit, or 256-bit keys. Data authentication using the SHA-1 reassemble packets in memory. The ability to avoid multiple algorithm can be implemented either before or after the cipher memory passes allows data from several packets to be inter- algorithms. This flexibility enables the processing pipeline to be leaved efficiently within the cryptography blocks. As a result, tuned for IPSec or TCP/SSL environments. the IXP2855 can be used to support an aggregation of multiple high-speed links, such as 10x1 Gbps line cards and single 10 Gbps interfaces. Intel(R) IXP2855 Network Processor Block Diagram The Intel(R) IXP2855 network processor implements the same store-and-forward design as the rest of the Intel(R) IXP28XX product line, including 16 multi-threaded microengines in the data plane and a high-performance core for control plane functions. The IXP2855 adds two cryptography blocks for hardware acceleration of popular encryption and data integrity algorithms and provides a range of performance/watt product SKU options. 18-bit 18-bit 18-bit Stripe/Byte Align DRAM I/F 1 DRAM I/F 2 Crypto 1 MEv2 1 DRAM I/F 3 MEv2 2 MEv2 3 MEv2 4 16-bit Rbuf Crypto 2 SPI-4.2 or CSIX I/F Intel XScale Core PCI (64-bit) 66 MHz MEv2 7 MEv2 6 MEv2 5 MEv2 9 MEv2 10 MEv2 11 MEv2 12 Tbuf Core I/F 64-bit MEv2 8 Hash 64/28/128 Scratch Memory QDR SRAM 1 QDR SRAM 2 QDR SRAM 3 QDR SRAM 4 E/D Q E/D Q E/D Q E/D Q 18-bit 18-bit 18-bit 18-bit 18-bit 18-bit 18-bit CSRs -Fast_wr -UART -Timers -GPIO -BootROM/Slow Port MEv2 16 MEv2 15 18-bit 3 MEv2 14 MEv2 13 16-bit IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 4 Development Environment By utilizing the development tools, network building blocks, and the Intel(R) IXA Software Framework in the SDK, the overall devel- Intel provides a comprehensive development environment for opment effort can achieve significant time-to-market advantage. the IXP2855 network processor that enables rapid application development of easy-to-test, easy-to-integrate platform-level The Intel IXA SDK preserves investments in software by solutions. The development environment includes the industry- maintaining the familiar Developer Workbench programming leading Intel(R) Internet Exchange Architecture Software environment. Developers who have used the Intel IXA SDK Development Kit (Intel IXA SDK), complemented by a robust, portable macro library, Intel(R) C Compiler for Intel(R) Network standards-based Advanced Telecom Computing Architecture*- Processors, the Intel(R) Microengine C Networking Library, and compliant (AdvancedTCA*) Hardware Development Kit (HDK). the programming framework with previous Intel(R) network The combination supports ease-of-design implementation processors can easily migrate applications to IXP2855 network from concept and modeling through hardware application processor-based solutions. (R) development. To further accelerate development, Intel will make available a The Intel IXA SDK enables hardware and software engineering suite of modular software building blocks, including IPSec and to proceed in parallel. The SDK provides a software engineering TCP/SSL security subsystem components. Specialized support team with an easy-to-use graphical simulation environment for services are available from members of Intel(R) Communications developing, debugging, and optimizing a network application Alliance to help accelerate customer development of protected while, at the same time, a hardware design team can efficiently content processing solutions. develop and build the platform prototype. Delivering High-Speed Security Services The Intel(R) IXP2855 network processor-based line card configuration is ideal for networking applications such as IPSec or intrusion detection/prevention and firewall appliances requiring decryption at wire rates up to 10 Gbps. SRAM Queues and Tables Optional TCAM Q D R Q D R Q D R Q D R D R A M D R A M D R A M Packet Memory Control Plane Processor Ingress Processing Decryption Authentication Classification PCI 64/66 Policing Intel(R) IXP2855 Network Processor--Ingress Fabric Interface Chip 10 Gbps 1x10GbE SPI 4.2 I/F or 10x1GbE 15 Gbps Flow Ctl 10 Gbps 15 Gbps Intel(R) IXP2855 Network Processor--Egress 10G I/O CSIX I/F Fabric Egress Processing Traffic Shaping Encryption SRAM Queues and Tables Q D R Q D R Q D R Q D R D R A M D R A M D R A M 4 Authentication Packet Memory IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 5 These services may include design, customization, feature Simulation tools include queue, memory, and thread histories enhancements, performance optimization, software integration, that show memory and processor utilization, memory migration, and extended support. reference latencies, and queue depths. The microengine development environment (Workbench/ The SDK provides high-level tools, software framework, libraries, Transactor) provides an integrated development firmware, and drivers, allowing customers to evaluate, demon- environment (IDE) for advanced, graphical, cycle-accurate strate, and fine-tune performance of Intel network processors to simulation, profiling, and debugging. This enables faster meet specific product requirements. prototyping, intuitive optimization, and faster time-to-market The HDK is composed of an AdvancedTCA-compliant industry- development of networking applications. standard form factor chassis, an Intel IXP2855 network The Transactor can effectively manage concurrency issues by processor-based board, and a choice of modular media cards simulating packets going into and out of the network processor, for maximum design flexibility. Complementary silicon and enabling detailed visualization of processes and events within the coprocessors are available from Intel or third parties, including network processor. The Transactor identifies opportunities for members of the Intel Communications Alliance code optimization by providing a logged history and statistics (www.intel.com/go/ica). The hardware platform and software that show cycle-by-cycle interactions among the threads and components have been developed to work together to provide memory units. The Transactor also includes a scripting engine for the flexibility, scalability, and performance levels required to meet managing test configurations and developing test cases. the demands of today's high-performance networks. Enabling Rich Content Processing In this configuration, the Intel(R) IXP2855 network processor can enable rich content processing applications (e.g., TCP termination, Layer 7 load balancing) at multi-Gigabit rates. Optional SRAM Queues and Tables Optional/Expansion TCAM Q D R Q D R Q D R Q D R D R A M D R A M D R A M Packet Memory Control Plane Processor Processing of Protected Content Decryption Authentication Classification Policing PCI 64/66 Intel(R) IXP2855 Network Processor Traffic Shaping Encryption SPI-4.2 10 Gbps 4x1GbE to Media 10 Gbps 4x1GbE to Fabric 10x1GbE IXF1110 5 IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 6 Features Benefits 1.5 GHz, 1.4 GHz, 1.0 GHz, and 650 MHz product options Multiple performance options available for an array of applications from low line rate/service-intense applications to high line rate/high-performance applications. 16 integrated programmable microengines with 8K-word (4-byte-wide) code stores High-performance, flexible, multi-threaded, RISC processor engines specifically architected for communications protocols and high-speed data management. Multi-threaded microengines are easily programmed for a wide variety of packet processing applications. Enhanced, writable code store memory for internal data storage 32-Kbyte available per microengine for instruction or internal data storage. Excess instruction space completely available for internal memory storage. Data structures can be developed using internal code store for low latency and fast access time. Total 512-Kbyte memory across 16 microengines available as instruction or internal memory storage. Two integrated cryptography blocks provide hardware acceleration for DES, 3DES, AES, and SHA-1 algorithms Enables bulk encryption/decryption for IPSec data streams at speeds up to 10 Gbps. Flow-through cryptography architecture processes packets "on-the-fly" Increases performance and helps to minimize packet reassembly in memory. Supports ECB and CBC cipher modes Provides flexibility to address multiple application environments. Integrated Intel XScale(R) core --32-Kbyte instruction cache --32-Kbyte data cache --2-Kbyte minidata cache Embedded 32-bit RISC core for IKE, route table maintenance, and system-level management function help to lower system cost and save board space. Support for more than 2 GB of memory Supports large numbers of security associations for robust performance. Three industry-standard RDRAM interfaces High-density, high-bandwidth memory subsystem to support maximum performance at line rate. Four industry-standard 32-bit QDR SRAM interfaces Multiple-channel, fast access to lookup tables, access lists, statistics, and data structure control. Supports industry standard NPF LA-1 interface for TCAM or look-aside processor additions. PCI 2.2 I/O interface Supports industry-standard connection to additional processors to accelerate security functions, such as public key exchange. Modular software building blocks for IPsec and TCP Helps simplify product development and speed time-to-market. Software Development Kit and Hardware Development Kit Helps speed development time by providing an easy-to-use framework for developers. Provides example reference code and application blocks for accelerated application development. AdvancedTCA-based development platform for standard, easy-to-test, easy-to-integrate application development. <2W of incremental power for cryptography blocks Low-power consumption reduces design concerns and system costs. Multiple product performance and frequency options provide a broad range of performance/watt choices. 6 IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 7 Features Specifications Microengine operating frequency 1.5 GHz, 1.4 GHz, 1.0 GHz, and 650 MHz 32-bit data paths Microengine program control stores 8K instructions SPI-4 Phase 2 operation 311-500 MHz (622-1,000 MTs) 16-bit LVDS (dual-edge) signaling CSIX switch fabric interface 311-500 MHz (622-1,000 MTs) 16-bit LVDS (dual-edge) signaling Intel XScale(R) core operating frequency 750 MHz, 700 MHz, 500 MHz, and 325 MHz/32-bit data path PCI interface 64-bit/66 MHz SRAM interface (QDR) (four channels) Peak bandwidth of 2 GBytes/sec per channel using 250 MHz SRAMs (1 GByte/sec Read, 1 GByte/sec Write) RDRAM (three channels) Peak bandwidth 2.4 GBytes/sec (19.2 Gbps) per channel (supports 800 MHz, 1066 MHz, and 1200 MHz RDRAM devices) Operating temperature at 1.5 GHz - 650 MHz 0 to 70 C ambient Power supply 1.5 GHz Vdd = 1.3 V5% 1.4 GHz - 650 MHz Vdd = 1.25 V5% Power dissipation ~27W typical, ~32W maximum @ 1.5 GHz operation ~13W typical, ~16W maximum @ 650 MHz operation Package 1356 Ball FCBGA 37.5 mm x 37.5 mm Solder ball pitch 1 mm 7 IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 4 Intel Access Intel(R) Network Processors Home Page intel.com/go/networkprocessors Developer's Site developer.intel.com Intel in Communications intel.com/communications General Information Hotline (800) 628-8686 or (916) 356-3104 5 a.m. to 5 p.m. PST Intel Literature Center (R) (800) 548-4725 7 a.m. to 7 p.m. CST (U.S. and Canada) International locations please contact your local sales office. UNITED STATES AND CANADA Intel Corporation Robert Noyce Building 2200 Mission College Blvd. P.O. Box 58119 Santa Clara, CA 95052-8119 USA EUROPE Intel Corporation (UK) Ltd. Pipers Way Swindon Wiltshire SN3 1RJ UK ASIA-PACIFIC Intel Semiconductor Ltd. 32/F Two Pacific Place 88 Queensway, Central Hong Kong, SAR JAPAN Intel Japan (Tsukuba HQ) 5-6 Tokodai Tsukuba-shi 300-2635 Ibaraki-ken Japan SOUTH AMERICA Intel Semicondutores do Brasil LTDA Av. Dr. Chucri Zaidan, 940-10 andar 04583-904 Sao Paulo, SP Brazil INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL(R) PRODUCTS. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO SALE AND/OR USE OF INTEL PRODUCTS, INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel may make changes to specifications, product descriptions, and plans at any time, without notice. Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such patents, trademarks, copyrights, or other intellectual property rights. Intel products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications. The Intel(R) IXP2855 network processor may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available upon request. AdvancedTCA and the AdvancedTCA logo are the registered trademarks of the PCI Industrial Computers Manufacturers Group. *Other names and brands may be claimed as the property of others. Intel, the Intel logo, and Intel XScale are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Printed in USA Copyright (c) 2005, Intel Corporation. All rights reserved. 0905/KSC/MRM/XX/PDF SKU: 309430-001