Design Article
Network processors: balancing higher performance versus better security
Misha Nossik, Chairman, Network Processing Forum, David Maxwell, Senior Software Designer, Solidum, Inc., Ottawa, Ontario
10/14/2002 10:56 AM EDT
Two conflicting requirements accompany the continuing growth of the Internet: higher performance and better security. With users demanding fewer delays in their access to information and entertainment, service providers need to move data faster and more efficiently. To address these needs, service providers must build a network that can meet individual user needs for access, speed and quality of service while at the same time providing a positive return on investment.
The most obvious way to address these conflicting objectives is to beef up the network with equipment designed to allow service providers to offer a menu of sophisticated services that can be tailored and billed based on individual usage requirements.
But this type of network requires data processing that is not only powerful and effective enough to deliver the service; it must also ensure the security of the data and of the users accessing that data on the network.
What does security mean in the Internet context? Quite simply: ensuring the availability of service, authenticating users and their data, and protecting the confidentiality and integrity of data.
Over the past two years, the shift towards a network processing architecture built around network processing elements has changed the way networks are designed. At the same time, this shift has opened up new, previously unimaginable processing power and introduced greater ease of use, all of which make it easier to improve both security and performance in a network.
Network processing consists of network processing elements (NPE) and the software to program them. An NPE is either a network processor or co-processor programmed to perform a specific data processing function. The Network Processing Forum (NPF) defines a network processing unit (NPU) as "a programmable or configurable semiconductor based device that is designed and optimized for the processing of network data (packets). Network processor optimizations include hardware and instruction set support for high-speed packet classification and packet modification."
A network co-processor is defined as "an adjunct processor that is designed for a specific purpose such as encryption or compression/decompression. Typically, the co-processor works in conjunction with a Network Processor or custom IC and typically is not capable of forwarding packets on its own." This type of architecture is ideal for providing the availability, authentication, confidentiality, and integrity needed to support any valuable communication on the Internet.
A significant problem facing the Internet is that of Denial of Service attacks. Coordinated properly, these attacks create the dual problem of denying service to paying customers and robbing the service provider of network reliability.
While not a new issue, the severity of attacks has grown as a greater number of insecure service hosts that malicious programmers can reach go online. These hackers write programs that manipulate the hosts into sending a flood of packets that the site and the network cannot possibly handle. As a result, the site shuts down and everybody loses.
In addition, this flood of malicious traffic produces congestion in the network that saturates the available bandwidth to the point where nothing else can get through. Dropping the malicious packets at the last-hop router cannot solve the problems of link congestion and of the impact on the Internet as a whole of carrying this worthless traffic.
To solve this problem completely, filtering protocols must be implemented. In the same way that routing protocols send route updates, filtering protocols would update filters. But even with such protocols in place, many current routers do not have the CPU capacity to apply filter rules to every packet on a high-speed interface. In addition, current router hardware may be constrained in other ways: most can only handle a small number of filters and are usually limited as to when those filters can be applied to packets.
Even if the flooding packets are all identical except for source IP addresses and easily identified by a filter, the various flood sources must be recognized before they can be filtered. One difficult problem for administrators today is that although they can see the spike in the rate of incoming data on their router port, they don't have tools to inspect that data. If a portion of that data could be captured it would be possible to identify the sources of the flood.
Unidentified packets
Current routers, however, keep packets away from the CPU because the CPU cannot keep up. Since the CPU cannot share what it does not receive, system administrators cannot identify or stop the flood of malicious packets. Adding support for new forms of traffic control may be impossible in a router designed around a CPU+FPGA or CPU+ASIC combination, but trivial in an NPU-based one.
In the CPU+FPGA device, different chips perform different functions. The system architecture provides dedicated chips programmed to move packets, without actually doing significant processing on those packets. If the functionality required from the device changes over time, hard-wired packet handling pathways may prevent the system from implementing new processing requirements. Even in a system with a bus architecture, the available bus bandwidth may not allow for a packet to transit the bus multiple times during processing. If it did, the multiple passes may produce unacceptable latency.
NPUs provide greater flexibility for programmers, are optimized for network functions, and allow for growth and change within a single product's lifecycle.
Continuing with the DDoS case, some networks still permit IP packets with forged source addresses to leave their networks. In such cases, attempting to add traditional filters will fail, because the sender can change the source address with every packet, if desired. One approach to blocking these floods would require a router to inspect the contents of each packet and identify the offending packets by something other than their source and destination addresses.
Figure: The Network Processing Forum is providing designers with standard ways for adding security to network processors in switches and routers. For an effective solution, security measures must be designed into the management coprocessor, the network processing elements in the data plane, the classification processor and the control plane.
Source: Network Processing Forum
A router using a network processing architecture that includes an NPU could be programmed to inspect the contents of packets and identify the offending traffic. This could be accomplished with a signature defined, as in intrusion detection, to identify individual packets or traffic sets that constitute an attack. Routers could propagate this information, discriminating by packet source addresses and input ports, and trace the attack back to its source. With a good set of service and repudiation agreements in place, the routers could even automatically install filters, stopping the attack completely.
All this requires performance increases beyond the capabilities of embedded CPUs and a re-programmability that high-speed ASICs do not have. NPU and network co-processor vendors have demonstrated that their products have both the performance and the level of programmability to tackle these problems.
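As an added example (not code from the article or the NPF), the content-based identification described above, in Python over a constructed packet sample: counting by source address finds nothing to filter when every flood packet carries a different forged source, while a signature over the packet's other header fields and payload isolates the flood per input port and yields a filter that ignores the source address entirely. The signature fields, the sample and the threshold are assumptions for the illustration.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_port: int      # router input port the packet arrived on
    src: str          # source address: attacker-controlled, possibly forged
    dst: str
    proto: str
    dst_port: int
    payload: bytes

def content_signature(p: Packet) -> str:
    """Signature over every field except the source, so flood packets that differ only in (forged) source collapse to one value."""
    h = hashlib.sha256()
    h.update(f"{p.proto}:{p.dst}:{p.dst_port}:".encode())
    h.update(p.payload)
    return h.hexdigest()[:16]

def source_filter_candidates(sample, threshold):
    """Traditional filtering: source addresses seen at least `threshold` times."""
    counts = Counter(p.src for p in sample)
    return {src for src, n in counts.items() if n >= threshold}

def signature_filter_candidates(sample, threshold):
    """Content-based filtering: (input port, signature) groups at or above
    `threshold`, each a candidate filter that ignores the source address."""
    counts = Counter((p.in_port, content_signature(p)) for p in sample)
    return {key: n for key, n in counts.items() if n >= threshold}

def apply_filters(sample, rules):
    """Drop packets whose (input port, signature) matches an installed rule."""
    return [p for p in sample if (p.in_port, content_signature(p)) not in rules]

# Constructed sample: 200 flood packets on port 7, identical apart from a
# different forged source address each, mixed with five legitimate requests.
FLOOD = [Packet(7, f"10.0.{i}.1", "198.51.100.10", "udp", 53, b"\x00" * 40)
         for i in range(200)]
LEGIT = [Packet(3, "192.0.2.5", "198.51.100.10", "tcp", 80, f"GET /p{i}".encode())
         for i in range(5)]
SAMPLE = FLOOD + LEGIT

if __name__ == "__main__":
    print("per-source:", source_filter_candidates(SAMPLE, 50))  # set(): nothing to filter
    rules = signature_filter_candidates(SAMPLE, 50)
    for (port, sig), n in rules.items():
        print(f"drop on port {port} packets with signature {sig} ({n} in sample)")
    print("passed after filtering:", len(apply_filters(SAMPLE, set(rules))))  # 5
```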
One important aspect of security is authentication, that is, making sure you know who you are talking to. With the exception of Web browsing and e-mail, almost every access to a remote computer requires users to identify themselves and provide some proof, in the form of a password or key, that they are who they claim to be. Strong cryptographic authentication methods can require a lot of processing power to handle key exchanges. Once the exchange is complete, a more streamlined encryption is used for the rest of the session, using a temporary key exchanged in secret during the initial handshake.
Cryptographic accelerator hardware makes it possible to provide wire-speed performance for streaming encryption and also to off-load the key exchanges from a device's main processor. In addition to performance, flexibility is key when making implementation decisions. Only programmable systems can adapt to new standards, such as the migration from DES/triple-DES, the long-standing Federal Data Encryption Standard, to the new Federal Information Processing Standard (FIPS-197) and its chosen Advanced Encryption Standard, without having to redesign the hardware.
Encrypted traffic simplifies the work for a firewall or remote access gateway tremendously. When network administrators create a set of firewall rules, they are playing chess with an attacker, trying to build a complete defense while not locking their own users in to the point that they cannot get out through the firewall to do useful work. If all traffic were encrypted end-to-end, the firewall device would have a simple yes/no choice to make: is this packet part of an established session or a setup request, and does it carry valid authentication information, or not?
NPUs and hardware encryption accelerators let vendors build devices that can implement this type of security at wire-speed.
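The yes/no decision the article describes, as an added example that is not the article's own code: a gateway forwards a datagram only if it belongs to an established session or is a setup request carrying a valid authentication tag, and drops everything else. The HMAC-SHA256 tag over the session 4-tuple and the pre-shared per-peer key table are assumptions standing in for the authentication information the article leaves unspecified.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int
    setup: bool = False   # True marks a session setup request
    tag: bytes = b""      # authentication tag carried by setup requests
    body: bytes = b""

# Constructed for the example: keys shared between the gateway and known peers.
PEER_KEYS = {"192.0.2.5": b"constructed-shared-key-for-192.0.2.5"}

def setup_tag(key: bytes, d: Datagram) -> bytes:
    """HMAC-SHA256 over the 4-tuple and body of a setup request (assumed format)."""
    msg = f"{d.src}:{d.dst}:{d.sport}:{d.dport}".encode() + d.body
    return hmac.new(key, msg, hashlib.sha256).digest()

class Gateway:
    """Forward established-session traffic or authenticated setup requests only."""
    def __init__(self):
        self.sessions = set()   # established (src, dst, sport, dport) tuples
    def decide(self, d: Datagram) -> bool:
        tup = (d.src, d.dst, d.sport, d.dport)
        if not d.setup:
            return tup in self.sessions            # data: only on a known session
        key = PEER_KEYS.get(d.src)
        if key is None:
            return False                           # unknown peer: drop
        if not hmac.compare_digest(setup_tag(key, d), d.tag):
            return False                           # failed authentication: drop
        self.sessions.add(tup)                     # valid setup: admit and remember
        return True

def run_demo():
    """Decisions for a constructed sequence of datagrams, in arrival order."""
    gw, peer = Gateway(), "192.0.2.5"
    data = Datagram(peer, "198.51.100.10", 40000, 443, body=b"ciphertext")
    unsigned = Datagram(peer, "198.51.100.10", 40000, 443, setup=True)
    signed = replace(unsigned, tag=setup_tag(PEER_KEYS[peer], unsigned))
    forged = Datagram("203.0.113.9", "198.51.100.10", 40000, 443, setup=True)
    return [gw.decide(data),      # False: no session established yet
            gw.decide(unsigned),  # False: setup request without a valid tag
            gw.decide(signed),    # True: authenticated setup opens the session
            gw.decide(data),      # True: now part of an established session
            gw.decide(forged)]    # False: setup from a peer with no key
```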