Hifn
HIPP III
Storage Security Processor
4350
Protocols
IPsec ESP
Tunnel or
Transport Mode
Supports L2TP
Security
ESP/UDP for NAT
Encryption
AES
(128 and 256-bit)
DES
3DES
Authentication
SHA-1
MD5
AES-XCBC-MAC
Interface Bus
4x GMII or TBI
On-Chip IKE
Optional ICSA-
compliant IKE
running on-board
Supports Main
Mode & Quick
Mode
Pre-shared Key or
RSA certificate
authentication
Supports iSCSI
initiation of IKE
session setup
and teardown
The HIPP III 4350 Storage Security
Processor efficiently addresses
your needs for a standards
compliant 2-port gigabit Ethernet
solution
The HifnTM HIPP III 4350 Storage Security
Processor is the first security processor designed for
the specific requirements of IP Storage applications.
The 4350 offers a complete IPSec data path solution
optimized for IP Storage based systems, combining
inbound and outbound policy processing, SA lookup,
SA context handling, and packet formatting all
within a single chip. Hifn's 4350 delivers industry-
leading cryptographic functionality, supporting the
DES/3DES-CBC, AES-CBC, AES-CTR, MD5, SHA-1
and AES-XCBC-MAC algorithms. Hifn also provides
complete software support, including an on-board
iSCSI-compliant IPSec software stack, offering an
embedded HTML manager application.
The HIPP III 4350 employs Hifn's FlowThroughTM
Security Architecture to deliver two channels of full-
duplex Gigabit Ethernet encrypted throughput in iSCSI
(Internet Small Computer System Interface), FCIP (Fibre
Channel over IP) and other IP-based storage network-
ing systems. The high-speed HIPP III 4350 is optimized
for use in server host bus adapters, FCIP bridges, stor-
age routers, and storage arrays.
Hifn's FlowThrough Security Architecture
Hifn's FlowThrough Security Architecture is the
cornerstone of a new family of solutions that vitally
change the way security is built into the network.
The new architecture enables security processors
that sit directly in the data path, eliminating the inef-
ficiencies of existing "look-aside" security designs.
Fundamental to the new FlowThrough architec-
ture is the acceleration of the entire data path of the
IPSec protocol, which previously represented a heavy
processing load on the Storage Processor or other
processing elements in the system. The new archi-
tecture incorporates packet processing, link layer
processing for Ethernet, security association han-
dling, and IPSec encryption/ authentication functions
into silicon-based products. Hifn's FlowThrough
Security Architecture enables high-performance,
cost-effective security processors that provide wire-
speed performance for encrypted traffic in IP Storage
and high-performance network equipment.
Easy Integration
The HIPP III 4350 uses industry-standard GMII/TBI
interfaces, supported by numerous GigE TOE (TCP
Offload Engine) and Storage Processor vendors. It is
typically interfaced between the GMII ports on a
GigE TOE or Storage Processor and the Ethernet PHY.
The 4350 supports two full-duplex Gigabit Ethernet
ports.
The control interface to the 4350 is achieved
using in-band Ethernet frames. An additional
100Mbps Ethernet MII port allows an optional out-of-
band control port, or it may be used to establish an
inter-chip link for multi-chip designs. The chip
includes two standard PC-133 SDRAM interfaces.
One is used for program and data storage for the on-
board embedded Session Control (eSC) processor. (In
designs that don't require on-chip IKE, this RAM can
be omitted.) The second SDRAM interface is used to
store Security Associations (SAs) when many hun-
dreds or thousands of secure tunnels are required.
These standard interfaces allow integration into a
variety of systems.
Preserve Data Security
and Integrity for Both
iSCSI and FCIP Hardware
GMII/TBI
GMII/TBI
GMAC
GMAC
Memory
Bridge
Policy
TCAM
eSC
Processor
HIPP III Core
DMA, I/O Buffer & Packet Queue Manager
SA
RAM
RNG
DPU II
Packet
Processor
Crypto
Algorithm
Processors
GMII/TBI
MII
GMAC
GMII/TBI
GMAC
MAC
SA
SDRAM
x16
x32
SDRAM
HIPP III 4350 Block Diagram
Product Brief Version 1.0
Features & Benefits
Supports Layer 3
and Layer 2
protocols.
Ethernet (Layer 2)
Ethernet DIX
IEEE 802.3 10Base-T
IEEE 802.3u 100Base-TX
IEEE 802.3ab 1000Base-X
IEEE 802.3x Flow Control
IEEE 802.2 LLC
IEEE 802.1q VLAN
RFC1042 SNAP
Jumbo 9K frame support
IPSec (Layer 3)
RFC 2401 IP Security
Architecture
RFC 2406 IP Encryption
RFC 2405 DES-CBC Cipher
Algorithm
RFC 2403 HMAC-MD5
RFC 2404 HMAC-SHA-1
RFC 2409 - IKE
Hifn
HIPP III
Storage Security Processor
4350
Part
Number
Speed
Package
4350
200 Mhz
324 LBGA
Documentation:
Datasheet
User's Manual
Programmers Reference Guide
Performance Application Note
Reference Hardware Document
Ordering Information
750 University Avenue
Los Gatos, CA 95032
408.399.3500 tel
408.399.3501 fax
info@hifn.com
www.hifn.com
2003 by Hi/fn, Inc. This product must be exported from the United States in accordance with the Export Administration Regulations. Diversion contrary to U.S. law prohibited.
Hifn and FlowThrough are trademarks of Hi/fn, Inc. Hi/fn and LZS are registered trademarks of Hi/fn, Inc. All other trademarks are the property of their respective owners.
Hifn
Products
HIPP II 8065
HIPP II 8165
Hifn Product Selection Guide
PCI
Streaming
Bus
LZS
MPPC
3-DES
AES
SHA
MD5
RSA
DSA
1k-bit
RSA SSL
signatures
set-ups
per second
IKE
main-mode
tunnels
per second
Hardware
support
for public
keys up to
Hifn
Intelligent
Packet
Processing
Package
2000
1750
3K bits
576-pin TBGA
576-pin TBGA
4500
1750
3K bits
HIPP I 7815
HIPP I 7855
120
85
2K bits
480-pin BGA
480-pin BGA
HIPP II 8154
906
1000
3K bits
576-pin TBGA
HIPP III 8300
250
10
90
5
4K bits
4K bits
324-pin LBGA
241
150
2K bits
HIPP III 8350
HIPP III 4300
400
150
HIPP III 4350
4K bits
324-pin LBGA
324-pin LBGA
300
75
4K bits
324-pin LBGA
Single-chip, low-cost solution
4Gbps IPSec processing (Full Duplex Dual GigEthernet)
1M Packets Per Second, back-to-back SA variation
Minimal part count: Inexpensive PC-133 SDRAMs support
on-chip IKE and/or optional local SA storage
FlowThrough
TM
security processing
In-line IPSec protocol and algorithm processing
Streamlined & optimized for storage security
On-chip IKE processing (optional)
Complete IPSec/IKE processing enables easiest
IPSec system implementation
Optimized for site-to-site tunnels
200 SAs supported on-chip
Up to 16,000 SAs with external PC-133 SDRAM
256 on-chip policy entries
Full IPSec Compliant Functionality
IPSec ESP in tunnel and transport modes
AES (CBC & CTR), DES/3DES, SHA-1, MD5, AES-XCBC-MAC
Specifications
13 process, 324 LBGA (19mm square)
<1.75W Power consumption
Applications
IP Storage
Host Bus Adaptors (HBA's)
Target Bus Adaptors (TBA's)
SAN Switches
Storage Servers
SDRAM
HIPP III
4350
GMII/TBI
GMII/TBI
GMII/TBI
GMII/TBI
Dual 1 Gbps
TCP Offload
Engine
(TOE)
Dual
GigE
PHY
PCI-X
3.3V & 1.2V
Regulator
125 Mhz
Example Host Bus Adaptor with HIPP III 4350