Startup Cavium has announced a new product that crams 16 MIPS CPUs plus security accelerators onto a single chip. The new Octeon is the first processor designed specifically for emerging security applications such as intrusion detection, anti-virus, and anti-spam software. The company expects to produce first samples in 1Q05.
More Muscle Than Competitors
Cavium is the first company to put more than four standard CPUs onto a single high-performance chip. Other vendors have packed dozens of CPUs onto a chip, but these earlier products used simplified CPUs. For example, Intel’s IXP network processors include up to 16 microengines that use a proprietary instruction set designed for packet processing. These CPUs are not as easy to program as a standard MIPS.
A bigger limitation of previous products is their limited code space. The IXP and other network processors store their instructions in on-chip memory, limiting each CPU to a few thousand instructions. While this amount is enough for simple packet processing, complex applications such as intrusion detection require far more instructions.
Like most general-purpose processors, Octeon stores its instructions in external memory, allowing virtually unlimited program size. But with up to 16 CPUs operating at 600MHz, Octeon has far more processing power than a single general-purpose CPU operating at 1GHz or 2GHz or even 4GHz. With its strong processing performance and unlimited program memory, Octeon can take on tasks that are too difficult for any other processor.
But Octeon is not for every application. The program must be divided among the 16 CPUs so that each can contribute an equal amount of work. For example, in an anti-virus program, each packet must be examined to determine if it contains a portion of a known virus. Because of the large number of possible viruses, this task is too complex for a standard network processor. But by assigning each packet to a different CPU, Octeon can do anti-virus checking at speeds of more than 1Gbps.
Help for the CPUs
Even 16 CPUs cannot perform complex security algorithms at gigabit speeds purely in software. Octeon includes several hardware features to accelerate specific security tasks. For example, the chip’s cryptographic units help encrypt and decrypt data at high speeds. This function is needed to implement virtual private networks (VPN). A problem occurs when VPN is combined with anti-virus: encrypted packets cannot be scanned for viruses. The solution is to decrypt the packets before virus scanning. Octeon can handle both tasks in a single chip.
Similarly, compressed files cannot be scanned without decompressing the data. Octeon includes a hardware engine that performs ZIP decompression and compression, solving this problem without wasting CPU cycles.
Octeon also has hardware to accelerate intrusion detection and virus scanning. Both of these tasks involve checking incoming packets against thousands of patterns that might indicate an attack. Instead of checking for each pattern individually in software, Octeon uses its regular-expression engine to do the checking much faster in hardware.
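The three ideas in the last few paragraphs (assign each packet to its own CPU, inflate compressed data before scanning, and match all patterns in one pass rather than one pattern at a time) can be shown together in software. The following is an added example written for this article, not Cavium's code and not a model of the Octeon hardware: the signatures, the 16-core count, the sample packets and the zlib header heuristic are all constructed for illustration. The combined regex models the single-pass structure of a multi-pattern engine; Python's backtracking `re` gives none of the speed, which is the article's point about doing it in hardware.

```python
import re
import zlib
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholder signatures standing in for the "thousands of
# patterns" a real IDS or anti-virus rule set carries. They are not real
# malware signatures; the names double as regex group names, so no hyphens.
SIGNATURES = {
    "SIG_ALPHA": rb"TESTSIG_ALPHA",
    "SIG_BETA": rb"TESTSIG_BETA",
    "SIG_GAMMA": rb"cmd\.exe /c",
}

# Cap on inflated size: a tiny compressed packet can expand to gigabytes, so a
# scanner that inflates before matching must bound what it is willing to hold.
MAX_INFLATED = 1 << 20
CORES = 16  # assumed core count, matching the article's 16-CPU part


def compile_per_pattern(signatures):
    """Naive software approach: one compiled regex per signature."""
    return {name: re.compile(pat) for name, pat in signatures.items()}


def compile_combined(signatures):
    """One alternation with a named group per signature, matched in a single
    pass over the payload. Only the single-pass structure models a hardware
    engine; Python's re is a backtracking matcher, not a DFA."""
    parts = [b"(?P<" + name.encode() + b">" + pat + b")"
             for name, pat in signatures.items()]
    return re.compile(b"|".join(parts))


def scan_per_pattern(payload, compiled):
    """Walk the payload once per signature; cost grows with the rule count."""
    return sorted(name for name, rx in compiled.items() if rx.search(payload))


def scan_combined(payload, combined):
    """Walk the payload once; lastgroup names whichever signature fired.
    finditer yields non-overlapping matches, so a signature lying entirely
    inside another match would be hidden; the constructed signatures here
    do not overlap."""
    return sorted({m.lastgroup for m in combined.finditer(payload)})


def inflate_if_compressed(payload):
    """Inflate a zlib-wrapped payload before scanning, bounded by MAX_INFLATED.
    The 0x78 check is a constructed heuristic for the usual zlib CMF byte,
    not a general compression detector."""
    if payload[:1] != b"\x78":
        return payload
    d = zlib.decompressobj()
    try:
        out = d.decompress(payload, MAX_INFLATED)
    except zlib.error:
        return payload  # looked like zlib but was not; scan the raw bytes
    if not d.eof:
        # Output cap reached before the stream ended: refuse rather than hold
        # an unbounded buffer (decompression-bomb defence).
        raise ValueError("inflated payload exceeds MAX_INFLATED cap")
    return out


def scan_stream(packets, signatures=SIGNATURES, cores=CORES):
    """Assign each packet to a core round-robin and scan it independently.
    Returns a list of (core, hits) in packet order. Threads only model the
    dispatch; real parallel speedup needs real cores."""
    combined = compile_combined(signatures)

    def work(item):
        index, packet = item
        hits = scan_combined(inflate_if_compressed(packet), combined)
        return (index % cores, hits)

    with ThreadPoolExecutor(max_workers=cores) as pool:
        return list(pool.map(work, enumerate(packets)))


# Constructed sample traffic: one clean request, one plain hit, one hit hidden
# inside a zlib-compressed payload, one packet carrying two signatures.
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"hello TESTSIG_ALPHA world",
    zlib.compress(b"payload with cmd.exe /c inside"),
    b"TESTSIG_BETA then TESTSIG_ALPHA",
]

# Constructed over-cap sample: 2 MiB of zeros compresses to a few KiB.
BOMB_SAMPLE = zlib.compress(b"\x00" * (2 * MAX_INFLATED))

if __name__ == "__main__":
    for core, hits in scan_stream(SAMPLE_PACKETS):
        print(f"core {core:2d}: {hits or 'clean'}")
```

The per-pattern and combined scanners return identical hit lists on the sample traffic; the difference is how many passes over each packet they take, which is exactly what a multi-pattern engine removes. The inflate step shows the caveat the article leaves implicit: once a scanner decompresses on the wire it needs a hard size cap, or the decompressor becomes a cheaper target than the patterns it protects.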
For applications that require TCP packets to be assembled into complete messages, Octeon includes hardware to perform TCP checksums and other common functions. The chip also includes packet-processing hardware, a high-bandwidth memory interface, eight Gigabit Ethernet MACs, and several other useful I/O interfaces.
Solving Security Problems
Cavium rates the 16-CPU chip at 10Gbps for simple firewall or VPN functions and 4Gbps for simultaneous firewall, VPN, intrusion detection, anti-virus, and anti-spam functions. For users who don’t need this much performance, Cavium also offers less-expensive versions with 2, 4, or 8 CPUs. Another version, the Octeon EXP, leaves out the special security accelerators and can be used in general-purpose applications. Pricing ranges from $125 to $750.
Security is a growing concern at most businesses, small and large. Companies must protect their web sites and their internal data from hackers, but simple firewalls are not enough; more complex intrusion detection is needed. Viruses, worms, and spam waste time for employees and disrupt the corporate network. The cost of new security equipment is much less than the cost of lost productivity due to security problems.
The traditional approach of placing a firewall on the company’s Internet connection is no longer enough. Viruses can creep in any time an employee logs in from home or from a laptop that has been outside the firewall. Employees themselves may try to hack the corporate network from inside.
With its single-chip design, Octeon can be deployed throughout the network, handling LAN data rates from 500Mbps to 4Gbps. The new chip can be added to existing switches, routers, and line cards to implement a new level of protection throughout the network. Other companies are developing security processors with similar functions, but Cavium has the early lead.
Originally published in Nikkei Electronics Asia, December 2004
© 2002-2005 The Linley Group