Intel®IXP2855 Network Processor
Packet and Content
Processing with Robust
Security Features in a Single
High-Performance Chip
Product Highlights
• Packet and content processing with robust security
features in a single component reduces system cost
by eliminating need for multiple devices
• Integrated cryptography engines provide hardware
acceleration of multiple algorithms—including DES,
3DES, AES, and SHA-1—performing IPSec
encryption/decryption up to 10 Gbps
• Fully programmable, flexible network processor architecture enables optimization of additional
algorithms and protocols to support IPSec, TCP, and SSL application environments
• Cryptography engines support interleaving and processing of frames “on-the-fly” to enable
processing of protected content for multi-Gigabit streams or single 10 Gbps connections
• Integrated design helps minimize board real estate, power and memory requirements
• Software- and pin-compatible with Intel®IXP28XX product line of network processors, preserving
customer investments and enabling evolution of current IXP28XX-based boards and systems
• Software building blocks, application kits, and specialized support services help to reduce
development efforts and speed time-to-market
• Consistent development environment provides a comprehensive set of simulation, profiling, and
debugging capabilities for faster prototyping
Product Brief
intel.com/go/
networkprocessors
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 1
Product Overview
As communications networks continue to evolve, service
providers are eager to take advantage of emerging capabilities
to offer new value-added services to their customers while, at
the same time, closely manage the costs incurred for these
upgrades. This continually evolving network service profile has
enabled service providers to expand business models beyond
basic bandwidth provisioning and deliver deeper content-based
services including protected web management, secure content
processing, and intrusion detection and prevention. In ever-
expanding applications such as Virtual Private Networks (VPNs)
and e-Commerce, the ability to provide data integrity and
protected access is increasingly critical.
Traditional architectures have addressed network security by
adding a coprocessor or in-line security processors. However,
as data rates increase, the coprocessor approach reaches
practical limitations. While in-line security processors are capable
of scaling to higher data rates, in order to do so they must
perform many of the same functions as a network processor
but with the limited flexibility inherent in “wired” hardware-based
designs. By providing integrated cryptography and security,
and high-bandwidth processing capability within a single chip,
it becomes possible to provide protected network traffic at up to
10 Gbps, allowing developers a broad spectrum of possibilities
to create content-aware processes and security appliances.
The Intel®IXP2855 network processor delivers high-performance
packet and content processing with robust security features in a
single chip. By integrating capabilities that have typically required
multiple specialized processors, the Intel IXP2855 provides a
cost-effective, security-enabled platform for a broad range of
emerging applications.
Target Applications
Many different application trends are driving the need for
high-performance secure content processing. Enterprise
networks have moved from dedicated internal connections to
firewall protected VPNs. Applications for e-Commerce must
support protected web browsing, while distributed server and
storage applications require secure mechanisms for data
exchanges. In addition, cost efficiencies and performance
requirements are fostering a migration of these applications
from computing platforms to communications products.
These development opportunities include:
• Appliance blades for bulk cryptography and TCP offload in
infrastructure switches, routers, and servers
• IPSec/TCP termination and off-load functionality in
networked storage applications
• Content-aware load balancing in networked appliances, such
as web switches, intrusion detection systems, and firewalls.
Intel®IXP2XXX Product Line Architecture
The Intel IXP2855 network processor builds on and extends
Intel’s fully programmable, high-performance IXP28XX
product line architecture by providing robust security
acceleration on-chip. It implements the same store-and-
forward design, including 16 multi-threaded microengines in the
data plane, combined with a high-performance Intel XScale®
core for control plane functions. In addition, the IXP2855
integrates two cryptography blocks that provide hardware
acceleration of popular encryption and data integrity algorithms.
Tight coupling of the cryptography elements with data plane
processing elements and memory subsystems means
a developer can take full advantage of the parallelism and
latency benefits of Intel’s network processor architecture.
As a result, security processing can be executed as pipeline
stages within the multi-threaded IXP2855 architecture. This
enables in-line encryption/decryption and hashing to occur as
packets are transmitted or received for increased performance.
Based on an IP packet size of 40-byte clear text, the cipher path
executes over 25 million encryptions per second, plus 11 million
HMAC-SHA-1 operations per second, sufficient to saturate an
aggregate 10 Gbps IPSec Ethernet link.
Within the IXP2855, the two cryptography blocks utilize the
same robust bus structures and communication processes as
the microengines, a feature that allows efficient sharing of data
and state information throughout the processing pipeline. In
addition, multiple independent DRAM and SRAM channels
provide the capacity for large numbers of security associations
at 10 Gbps IPSec wire rates. The IXP2XXX product line design
compatibility also extends to the integrated Intel XScale core,
which can be used to execute security-related session setup
protocols such as Internet Key Exchange (IKE), in addition to
other general-purpose code. Finally, the PCI bus interface
included in all members of the IXP2XXX product line enables
specialized processors to be incorporated into line card designs
as needed to support requirements such as high-performance
public key computations.
2
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 2
3
Intel
XScale
Core
16-bit
CSRs
-Fast_wr -UART
-Timers -GPIO
-BootROM/Slow Port
Hash
64/28/128
Scratch
Memory
MEv2
16
MEv2
15
MEv2
14
MEv2
13
18-bit18-bit18-bit18-bit
18-bit
18-bit 18-bit 18-bit
18-bit 18-bit18-bit
64-bit
QDR
SRAM
1
QDR
SRAM
2
QDR
SRAM
3
QDR
SRAM
4
MEv2
8
MEv2
7
MEv2
6
MEv2
5
MEv2
1
MEv2
2
MEv2
3
MEv2
4
E/D Q E/D Q E/D Q
MEv2
9
MEv2
10
MEv2
11
MEv2
12
Rbuf
Tbuf
PCI
(64-bit)
66 MHz
Stripe/Byte Align
DRAM
I/F
1
DRAM
I/F
2
DRAM
I/F
3
Core I/F
E/D Q
16-bit
SPI-4.2
or
CSIX I/F
Crypto 1
Crypto 2
Cryptography Blocks
Each of the two identical cryptography blocks in the IXP2855
network processor includes two 3DES/DES (Data Encryption
Standard) cores and one AES (Advanced Encryption Standard)
core for packet encryption/decryption, in addition to two SHA-1
(Secure Hash Algorithm) cores for data authentication. Both
blocks support Electronic Code Book (ECB) and Cipher Block
Chaining (CBC) cipher modes for maximum application flexibility.
The AES cores support encryption/decryption using 128-bit,
192-bit, or 256-bit keys. Data authentication using the SHA-1
algorithm can be implemented either before or after the cipher
algorithms. This flexibility enables the processing pipeline to be
tuned for IPSec or TCP/SSL environments.
Each core operates independently, allowing simultaneous
processing of multiple protected packets within each block.
In addition, the ability to load cryptography keys while a block
is simultaneously processing packets enables the network
processor to support large numbers of sessions. Packet
encryption/decryption and state information such as keys,
initialization vector, and authentication state are maintained
within the cryptography blocks. By processing data blocks as
they arrive, the cryptography elements enable processing of
protected content “on-the-fly,” while eliminating the need to
reassemble packets in memory. The ability to avoid multiple
memory passes allows data from several packets to be inter-
leaved efficiently within the cryptography blocks. As a result,
the IXP2855 can be used to support an aggregation of multiple
high-speed links, such as 10x1 Gbps line cards and single 10
Gbps interfaces.
Intel®IXP2855 Network Processor Block Diagram
The Intel®IXP2855 network processor implements the same store-and-forward
design as the rest of the Intel®IXP28XX product line, including 16 multi-threaded
microengines in the data plane and a high-performance core for control plane
functions. The IXP2855 adds two cryptography blocks for hardware acceleration
of popular encryption and data integrity algorithms and provides a range of
performance/watt product SKU options.
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 3
Development Environment
Intel provides a comprehensive development environment for
the IXP2855 network processor that enables rapid application
development of easy-to-test, easy-to-integrate platform-level
solutions. The development environment includes the industry-
leading Intel®Internet Exchange Architecture Software
Development Kit (Intel®IXA SDK), complemented by a robust,
standards-based Advanced Telecom Computing Architecture*-
compliant (AdvancedTCA*) Hardware Development Kit (HDK).
The combination supports ease-of-design implementation
from concept and modeling through hardware application
development.
The Intel IXA SDK enables hardware and software engineering
to proceed in parallel. The SDK provides a software engineering
team with an easy-to-use graphical simulation environment for
developing, debugging, and optimizing a network application
while, at the same time, a hardware design team can efficiently
develop and build the platform prototype.
By utilizing the development tools, network building blocks, and
the Intel®IXA Software Framework in the SDK, the overall devel-
opment effort can achieve significant time-to-market advantage.
The Intel IXA SDK preserves investments in software by
maintaining the familiar Developer Workbench programming
environment. Developers who have used the Intel IXA SDK
portable macro library, Intel®C Compiler for Intel®Network
Processors, the Intel®Microengine C Networking Library, and
the programming framework with previous Intel®network
processors can easily migrate applications to IXP2855 network
processor-based solutions.
To further accelerate development, Intel will make available a
suite of modular software building blocks, including IPSec and
TCP/SSL security subsystem components. Specialized support
services are available from members of Intel®Communications
Alliance to help accelerate customer development of protected
content processing solutions.
4
SRAM
Queues and Tables
10G I/O
Packet
Memory
15 Gbps
PCI 64/66
10 Gbps
Flow Ctl
10 Gbps 15 Gbps
SRAM
Queues and TablesPacket
Memory
Fabric
Interface Chip
Fabric
CSIX
I/F
Egress
Processing
Traffic Shaping
Encryption
Authentication
Ingress
Processing
Decryption
Authentication
Classification
Policing
D
R
A
M
D
R
A
M
D
R
A
M
Q
D
R
Q
D
R
Q
D
R
Q
D
R
D
R
A
M
D
R
A
M
D
R
A
M
Q
D
R
Q
D
R
Q
D
R
Intel
®
IXP2855 Network
Processor—Egress
Optional
Control Plane
Processor
1x10GbE
or
10x1GbE
SPI
4.2
I/F
Q
D
R
TCAM
Intel
®
IXP2855 Network
Processor—Ingress
Delivering High-Speed Security Services
The Intel®IXP2855 network processor-based line card configuration is ideal for
networking applications such as IPSec or intrusion detection/prevention and
firewall appliances requiring decryption at wire rates up to 10 Gbps.
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 4
5
These services may include design, customization, feature
enhancements, performance optimization, software integration,
migration, and extended support.
The microengine development environment (Workbench/
Transactor) provides an integrated development
environment (IDE) for advanced, graphical, cycle-accurate
simulation, profiling, and debugging. This enables faster
prototyping, intuitive optimization, and faster time-to-market
development of networking applications.
The Transactor can effectively manage concurrency issues by
simulating packets going into and out of the network processor,
enabling detailed visualization of processes and events within the
network processor. The Transactor identifies opportunities for
code optimization by providing a logged history and statistics
that show cycle-by-cycle interactions among the threads and
memory units. The Transactor also includes a scripting engine for
managing test configurations and developing test cases.
Simulation tools include queue, memory, and thread histories
that show memory and processor utilization, memory
reference latencies, and queue depths.
The SDK provides high-level tools, software framework, libraries,
firmware, and drivers, allowing customers to evaluate, demon-
strate, and fine-tune performance of Intel network processors to
meet specific product requirements.
The HDK is composed of an AdvancedTCA-compliant industry-
standard form factor chassis, an Intel IXP2855 network
processor-based board, and a choice of modular media cards
for maximum design flexibility. Complementary silicon and
coprocessors are available from Intel or third parties, including
members of the Intel Communications Alliance
(www.intel.com/go/ica). The hardware platform and software
components have been developed to work together to provide
the flexibility, scalability, and performance levels required to meet
the demands of today’s high-performance networks.
SRAM
Q
ueues and Tables
SPI-4.2
Packet
Memory
PCI 64/66
10 Gbps
4x1GbE to Fabric
4x1GbE to Media
10 Gbps
Optional/Expansion
Processing
of Protected
Content
Decryption
Authentication
Classification
Policing
Traffic Shaping
Encryption
D
R
A
M
D
R
A
M
D
R
A
M
Q
D
R
Q
D
R
Optional
Q
D
R
Q
D
R
TCAM
Intel
®
IXP2855
Network Processor
Control Plane
Processor
10x1GbE
IXF1110
Enabling Rich Content Processing
In this configuration, the Intel®IXP2855 network processor can enable rich
content processing applications (e.g., TCP termination, Layer 7 load balancing)
at multi-Gigabit rates.
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 5
6
Features
1.5 GHz, 1.4 GHz, 1.0 GHz, and 650
MHz product options
16 integrated programmable
microengines with 8K-word
(4-byte-wide) code stores
Enhanced, writable code store memory
for internal data storage
Two integrated cryptography blocks
provide hardware acceleration for DES,
3DES, AES, and SHA-1 algorithms
Flow-through cryptography architecture
processes packets “on-the-fly”
Supports ECB and CBC cipher modes
Integrated Intel XScale®core
—32-Kbyte instruction cache
—32-Kbyte data cache
—2-Kbyte minidata cache
Support for more than 2 GB of memory
Three industry-standard RDRAM
interfaces
Four industry-standard 32-bit QDR
SRAM interfaces
PCI 2.2 I/O interface
Modular software building blocks for
IPsec and TCP
Software Development Kit and
Hardware Development Kit
<2W of incremental power for
cryptography blocks
Benefits
Multiple performance options available for an array of applications from low line
rate/service-intense applications to high line rate/high-performance applications.
High-performance, flexible, multi-threaded, RISC processor engines specifically
architected for communications protocols and high-speed data management.
Multi-threaded microengines are easily programmed for a wide variety of packet
processing applications.
32-Kbyte available per microengine for instruction or internal data storage.
Excess instruction space completely available for internal memory storage. Data
structures can be developed using internal code store for low latency and fast
access time. Total 512-Kbyte memory across 16 microengines available as
instruction or internal memory storage.
Enables bulk encryption/decryption for IPSec data streams at speeds up to 10 Gbps.
Increases performance and helps to minimize packet reassembly in memory.
Provides flexibility to address multiple application environments.
Embedded 32-bit RISC core for IKE, route table maintenance, and system-level
management function help to lower system cost and save board space.
Supports large numbers of security associations for robust performance.
High-density, high-bandwidth memory subsystem to support maximum
performance at line rate.
Multiple-channel, fast access to lookup tables, access lists, statistics, and data
structure control. Supports industry standard NPF LA-1 interface for TCAM or
look-aside processor additions.
Supports industry-standard connection to additional processors to accelerate
security functions, such as public key exchange.
Helps simplify product development and speed time-to-market.
Helps speed development time by providing an easy-to-use framework for
developers. Provides example reference code and application blocks for
accelerated application development. AdvancedTCA-based development
platform for standard, easy-to-test, easy-to-integrate application development.
Low-power consumption reduces design concerns and system costs. Multiple
product performance and frequency options provide a broad range of
performance/watt choices.
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 6
7
Features
Microengine operating frequency
Microengine program control stores
SPI-4 Phase 2 operation
CSIX switch fabric interface
Intel XScale®core operating frequency
PCI interface
SRAM interface (QDR) (four channels)
RDRAM (three channels)
Operating temperature at 1.5 GHz –
650 MHz
Power supply
Power dissipation
Package
Solder ball pitch
Specifications
1.5 GHz, 1.4 GHz, 1.0 GHz, and 650 MHz 32-bit data paths
8K instructions
311–500 MHz (622–1,000 MTs) 16-bit LVDS (dual-edge) signaling
311–500 MHz (622–1,000 MTs) 16-bit LVDS (dual-edge) signaling
750 MHz, 700 MHz, 500 MHz, and 325 MHz/32-bit data path
64-bit/66 MHz
Peak bandwidth of 2 GBytes/sec per channel using 250 MHz SRAMs
(1 GByte/sec Read, 1 GByte/sec Write)
Peak bandwidth 2.4 GBytes/sec (19.2 Gbps) per channel
(supports 800 MHz, 1066 MHz, and 1200 MHz RDRAM devices)
0° to 70° C ambient
1.5 GHz Vdd = 1.3 V±5%
1.4 GHz – 650 MHz Vdd = 1.25 V±5%
~27W typical, ~32W maximum @ 1.5 GHz operation
~13W typical, ~16W maximum @ 650 MHz operation
1356 Ball FCBGA 37.5 mm x 37.5 mm
1 mm
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 7
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL®PRODUCTS. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF
SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY RELATING TO
SALE AND/OR USE OF INTEL PRODUCTS, INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY,
OR INFRINGEMENT OF ANY PATENT, COPYRIGHT, OR OTHER INTELLECTUAL PROPERTY RIGHT.
Intel may make changes to specifications, product descriptions, and plans at any time, without notice.
Intel Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the presented subject
matter. The furnishing of documents and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any such
patents, trademarks, copyrights, or other intellectual property rights. Intel products are not intended for use in medical, life saving, life sustaining, critical control or
safety systems, or in nuclear facility applications.
The Intel®IXP2855 network processor may contain design defects or errors known as errata, which may cause the product to deviate from published specifications.
Current characterized errata are available upon request.
AdvancedTCA and the AdvancedTCA logo are the registered trademarks of the PCI Industrial Computers Manufacturers Group.
*Other names and brands may be claimed as the property of others.
Intel, the Intel logo, and Intel XScale are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Printed in USA
Copyright © 2005, Intel Corporation. All rights reserved.
Intel Access
Intel®Network Processors Home Page intel.com/go/networkprocessors
Developer’s Site developer.intel.com
Intel in Communications intel.com/communications
General Information Hotline (800) 628-8686 or (916) 356-3104 5 a.m. to 5 p.m. PST
Intel®Literature Center (800) 548-4725 7 a.m. to 7 p.m. CST (U.S. and Canada)
International locations please contact your local sales office.
SKU: 309430-001
0905/KSC/MRM/XX/PDF
UNITED STATES AND CANADA
Intel Corporation
Robert Noyce Building
2200 Mission College Blvd.
P.O. Box 58119
Santa Clara, CA 95052-8119
USA
EUROPE
Intel Corporation (UK) Ltd.
Pipers Way
Swindon
Wiltshire SN3 1RJ
UK
ASIA-PACIFIC
Intel Semiconductor Ltd.
32/F Two Pacific Place
88 Queensway, Central
Hong Kong, SAR
JAPAN
Intel Japan (Tsukuba HQ)
5-6
Tokodai Tsukuba-shi
300-2635 Ibaraki-ken
Japan
SOUTH AMERICA
Intel Semicondutores do Brasil LTDA
Av. Dr. Chucri Zaidan, 940-10° andar
04583-904 São Paulo, SP
Brazil
IXP2855_ProductBrief.qxd 12/15/05 1:18 PM Page 4
