Packet processors to speed and protect military networks
December 22, 2009
Commercial network technology will be migrating deep into the digital battlefield to enhance performance, maintain service, and provide a more secure communications environment. Battlefield Network Enabled Capability (NEC) extends from individual soldiers, through Virtual Private Networks (VPNs) in chassis, vehicles, or shelters to the complete command infrastructure. The constant flow of information through shared network-based applications such as situational awareness, voice/data communications, and signals intelligence/surveillance is an essential element of today’s sophisticated information-centric warfare environment. To meet the demands for growth, commercial networks employ packet processors to perform a broad range of tasks to manage networks, offload performance-sapping tasks such as encryption, and inspect payload content at 10 Gbps line speeds and more.
Performance and network security
Just as commercial networks and the military’s command and operations network infrastructure require continuous performance growth to meet users’ expectations, so do battlefield networks. For example, network-centric applications such as sharing, analyzing, and annotating images from multiple sensors are very demanding of both network and computing resources. These applications can also extend across many tiers of battlefield command and multiple coalition partners with the resultant burden of varying security classifications between the many different systems and participants. The prevention of intrusion and the maintenance of network and data integrity are high priorities.
A common point of vulnerability is the IP address which, if unprotected, can lead to unauthorized access, denial-of-service attacks, or virus planting. IPsec, which is a mandatory part of IPv6 but only optional for IPv4, provides IP address protection through negotiated message transfers and encryption. But IPsec is not yet universally implemented. Payload content can be further protected with additional levels of encryption that might vary in type with the data’s sensitivity. However, the implementation of IPsec, payload security, and the trend for increased line speeds from 1 Gbps to 10 Gbps impose significant additional levels of processing that many subsystems and networks do not have. In addition, changing defense funding priorities mean that many legacy fighting vehicles are now being modernized in preference to replacement, introducing many of the capabilities developed specifically for participation in the NEC environment.
Packet processing
To meet the needs of network performance and security, packet processors can offload many of the protocol processing layers. And because of their performance potential, packet processors can perform many additional network management and security operations at line speeds. Packet processing provides the performance and capability for perimeter defense, encryption/decryption, virus checking, IP routing and address translation, and detection and prevention of service attacks within embedded computing subsystems, switches, and routers. Packet processors are also able to analyze the payload content, even at Gbps line speeds, a capability known as Deep Packet Inspection (DPI). DPI can determine the packet type, such as voice or data, e-mail, or security threat, and includes sophisticated pattern matching to identify packets that might require further processing before dispatch.
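The classification step described above, as an added example in Python that is not from the article or from any vendor it names: it parses an IPv4 packet, marks ESP (IPsec) traffic as uninspectable, and sorts TCP/UDP payloads into voice, e-mail, threat or data. The signature string, the RTP heuristic and the sample-packet builders are assumptions made for the example.

```python
import re
import struct

SMTP_RE = re.compile(rb"^(EHLO |HELO |MAIL FROM:|RCPT TO:|DATA\r\n)", re.I)
# Constructed placeholder signature; a real engine loads many compiled patterns.
THREAT_SIGS = [re.compile(rb"EXAMPLE-THREAT-SIGNATURE")]

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet by inspecting headers and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4
    total_len, frag = struct.unpack("!H2xH", pkt[2:8])
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return "malformed"
    if frag & 0x1FFF:            # non-first fragment: no L4 header to parse
        return "fragment"        # needs reassembly before inspection
    proto, l4 = pkt[9], pkt[ihl:total_len]
    if proto == 50:              # ESP: payload is encrypted, DPI cannot see it
        return "encrypted"
    if proto == 6:               # TCP: data offset is the high nibble of byte 12
        if len(l4) < 20 or not 20 <= (l4[12] >> 4) * 4 <= len(l4):
            return "malformed"
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:            # UDP: fixed 8-byte header
        if len(l4) < 8:
            return "malformed"
        payload = l4[8:]
    else:
        return "data"
    if any(sig.search(payload) for sig in THREAT_SIGS):
        return "threat"          # hold for further processing before dispatch
    # Heuristic (assumption): RTP version 2 with a static audio type (0-18)
    if proto == 17 and len(payload) >= 12 and payload[0] >> 6 == 2 \
            and (payload[1] & 0x7F) <= 18:
        return "voice"
    if proto == 6 and SMTP_RE.match(payload):
        return "email"
    return "data"

# Builders for constructed sample packets (checksums left at zero).
def ipv4(proto: int, l4: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + l4

def tcp(payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", 40000, 25, 0, 0, 0x50, 0x18, 1024, 0, 0) + payload

def udp(payload: bytes) -> bytes:
    return struct.pack("!HHHH", 40000, 5004, 8 + len(payload), 0) + payload
```

The order of checks matters: signature matching runs before the voice and e-mail heuristics, so a flagged payload is never passed through as ordinary traffic.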
These requirements for packet processing have spawned a new generation of high-performance, multicore processing devices based on, for example, PowerPC (Freescale Semiconductor) and MIPS64 (Cavium Networks) cores. These Systems-on-Chip (SoCs) offer from 4 to 16 processor cores with GHz clock rates, on-chip pattern matching and security engines, high-bandwidth memory interfaces, and flexible multi-GHz connectivity options to host processors and networks. GE Fanuc Intelligent Platforms has adopted Cavium Networks’ OCTEON packet processing devices and software to power a range of commercial, standards-based telecommunications products. For military applications requiring extended environmental performance or conduction cooling, VPX (VITA 46) provides the ideal platform for implementations in either 3U or 6U formats. Depicted in Figure 1 is the NPA-58x4, a 4-port GbE AdvancedMC packet processor based on the Cavium OCTEON, transforming into reality the idea that efficient real estate, performance, and functionality could be achieved based on a 3U VPX military-grade product.
Figure 1: NPA-58x4 AdvancedMC module from GE Fanuc Intelligent Platforms
GbE is widely implemented and well supported by an ecosystem of multiple vendors of embedded computing equipment including SBCs, switches, routers, software, backplanes, and packaging standards suitable for use in military vehicles. These embedded systems will migrate through 10 GbE and 40 GbE for copper backplanes to the 100 GbE fiber standards of the future. Offloading protocol stacks, maintaining network integrity, and establishing secure zones, media gateways, and firewalls without compromising embedded system performance are key application areas that stand to benefit from packet processing.
To learn more, e-mail Duncan at [email protected].