Security processors get 64 RISC cores

Oct 26, 2010 — by Eric Brown — from the LinuxDevices Archive

Cavium Networks announced the next generation of its Nitrox security processors, supported by a Linux software development kit (SDK). The four new Nitrox III security processors integrate 16 to 64 security RISC cores with compression engines, virtualization hardware, and a PCI-Express Gen 2 interface, and are said to be scalable from 5Gbps to 40Gbps.

As with the Nitrox II, the Nitrox III processors are designed for enterprise, data center, and service provider equipment such as UTM (unified threat management) gateways, application delivery controllers, and WAN optimization appliances, says Cavium Networks. The chips can also be used in general security-enhanced routers, switches and servers, says the company. (See farther below for more background on Nitrox products.)

The need for greater performance and lower power usage in high-end networking security equipment is being driven by rapid adoption of data center and cloud computing initiatives, says Cavium. The technology is also said to be motivated by the need to implement new SP 800-57 NIST (National Institute of Standards and Technology) guidelines calling for doubling key size from 1024 bit to 2048 bit for Secure Sockets Layer (SSL) encryption.

Due to sample in Q2 2011, the single-chip Nitrox III offers performance up to 10 times greater than alternative multi-chip solutions within the same power envelope, claims the company. The Nitrox III processors do not require external memory, cutting cost, power consumption, and the board real estate used, says Cavium.

Nitrox III processor models

Although the Nitrox III line is claimed to scale up to 40Gbps of security performance, the initial four models shown in the chart above appear to scale from 5Gbps to 30Gbps. The series includes the CNN3510-C5 (5Gbps), the CNN3530-C10 (10Gbps), the CNN3550-C20 (20Gbps), and the CNN3570-C20 (30Gbps or 40Gbps).

The processors are said to support 200,000 RSA operations per second (ops/sec) for 1024-bit keys, and 35,000 RSA ops/sec for 2048-bit keys.

Nitrox III CNN35xx block diagram

Cross-compatibility with CPU platforms was not detailed, but the Nitrox III processors appear to be primarily designed to work in conjunction with x86 CPUs, as well as Cavium's own MIPS64-based Octeon line of networking system-on-chips.

Nitrox III in typical system designs

Key features available with Nitrox III processors are said to include:

  • Up to 64 security cores, supporting up to 40Gbps of security performance.
  • 200,000 (200K) RSA operations per second (ops/sec) for 1024-bit keys, and 35K RSA ops/sec for 2048-bit keys
  • Optional 50K SSL ops/sec, 100K SSL ops/sec, and 200K SSL ops/sec packages
  • Up to four compression engines with enhanced codec acceleration from 5Gbps to 20Gbps, and support for GZIP, PKZIP, Inflate and Deflate compression algorithms, plus storage-focused LZS compression
  • PCI-Express (PCIe) Gen2 x16 I/O for up to 40Gbps of security and 20Gbps of compression performance (also supports x4 and x8 lanes)
  • "Single Root IO Virtualization" (SR-IOV) feature on PCIe interface, including support for 8, 16, 32, or 64 virtual functions for varying number of CPU cores or virtual machines
  • Random number generator compliant with FIPS 140-3 (NIST)
  • Supports security protocols including IPsec, SSL TLS 1.2, DTLS, and ECC Suite B
  • Supports security algorithms including variants of AES, 3DES, ARC4, MD5, SHA-1, SHA-2, RSA 2048, RSA 4096, Kasumi, EC-DH, and EC-DSA
  • Adapts to various asymmetric (tunnel setup/handshake) and symmetric (encryption) processing loads based on application demand
  • Low power dissipation with 10 Watt to 20 W options

Linux-ready SDK

The Nitrox III Software Development Kit (SDK) includes an x86 driver for Linux. However, the Nitrox III platform itself is also said to be compatible with VMware ESXi, BSD, and Microsoft Windows. The SDK offers APIs for a variety of protocols, firmware, and reference stacks for IPSec and SSL, says Cavium Networks. The APIs, firmware, and protocol stacks are said to be compatible with the current Nitrox PX SDK.

Nitrox background

Most of the Linux-ready devices we've covered that include Nitrox chips use the aforementioned PX line of processors instead of the higher-end Nitrox II. The latter are said to be based on multiple micro-programmed GigaCipher cores, and support interfaces including SPI-4.2, SPI-3, and PCI-X (see chart below).

Nitrox family members compared

Products that use the Nitrox PX chips include the recent Intel Xeon C5500-based Lanner FW-8910 networking appliance, which ships with a Nitrox PX CN1620 chip. In November of last year, Cavium also announced a line of Nitrox XL CN16XX-NFBE Adapters.

In July 2009, Cavium introduced its Nitrox DPI CN17XX Layer 7 co-processors, which are primarily designed to work with the company's MIPS-based Octeon line of networking system-on-chips (SoCs). These content-inspection co-processors are said to provide 4Gbps to 20Gbps of deterministic performance with low latency.

Stated Bob Wheeler, senior analyst at the Linley Group, "High performance SSL with support for 2048 bit keys, virtualization, and traffic compression are key requirements in the data center market. Cavium's Nitrox III processor family effectively addresses these requirements, enabling OEMs developing data center and cloud computing systems to benefit from the significantly increased security and compression performance, virtualization features, and power efficiency of these security processors."

Stated Rajiv Khemani, VP and GM of the Networking & Communications Division, Cavium Networks, "The Nitrox III product line has received tremendous positive response and commitment from several Tier-1 customers in data-center, service-provider and WAN optimization areas."


The Nitrox III processor family is expected to sample in Q2 2011, although design collateral for early customers will be available in the fourth quarter of this year, says Cavium Networks. The processors use a 27 x 27mm FCBGA package, says the company.

This article was originally published on and has been donated to the open source community by QuinStreet Inc. Please visit for up-to-date news and articles about Linux and open source.
