Peter Bellows, Jaroslav Flidr, Ladan Gharai, and Colin Perkins
Proceedings 6th International Conference on Military and Aerospace Programmable Logic Devices, Washington, DC, USA, September 2003.
This paper describes an FPGA-based system for IP Security (IPsec) protection of high-speed data across commodity IP networks. To demonstrate the system, we have transmitted 890 Mbps raw HDTV video across a commodity network, secured on the fly with the IPsec protocol and AES encryption. Such performance is impossible with software-only implementations, because full line-rate data overwhelms typical CPUs. This is particularly true when cryptographic transforms are required, as they are by IPsec. The protocol processing overhead competes directly for CPU cycles with the applications trying to process the high-speed data. We have developed an "intelligent network interface" card based on Xilinx Virtex FPGAs for the purpose of offloading arbitrary protocol processing bottlenecks from the network stack. The network accelerator, named "GRIP" (Gigabit-Rate IPsec), integrates seamlessly into a standard Linux network stack to provide gigabit-rate acceleration of network processing from any of the layers in the stack.