• State Resolved
  • Locked Locked
  • Replies 4 replies
  • Subscribers 99 subscribers
  • Views 746 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

simultaneous SRTP and IPSec using Keystone security accelerators

Jeff Brower73
Genius 3420 points

Other Parts Discussed in Thread: 66AK2H06, SHA-256

TI Experts-

Can the security accelerators on the 66AK2H06 perform SRTP and IPSec at the same time?

Also is there a doc giving performance measurements or benchmarks for supported encryptions for Keystone I and II devices ?  I searched through the Security Accelerator for Keystone Devices User Guide (sprugy6b) and was not able to find this.

Thanks.

-Jeff
Signalogic

  • 0
    Intellectual 395 points

    Hi Jeff,

    Can the security accelerators on the 66AK2H06 perform SRTP and IPSec at the same time?

    Though I am not a Keystone Architecture expert,I am pretty sure IPSec and SRTP share the encryption and decryption hardware module in Security Accelerator,so that will cause a deadlock in SA 

    Reference: KeyStone Architecture Security Accelerator (SPRUGY6B) Section 2.18 SA Transmit Queues.

    Also is there a doc giving performance measurements or benchmarks for supported encryptions for Keystone I and II devices ? 

    http://www.ti.com/lit/an/sprabh2a/sprabh2a.pdf .This document has performance measurements for some of KeyStone Device peripherals including Packet Accelerator.

    Regards

    ~Anish

  • 0 in reply to Anish Mathew
    Genius 3420 points

    Anish-

    Yes it's a good question.  You may be right.  Hopefully a TI person can confirm and/or supply some additional detail.

    In the cryptography application we're working on at Signalogic, our first priority is SHA-256 hash, at the fastest rate possible.

    -Jeff

  • 0 in reply to Jeff Brower73
    TI__Guru* 95265 points

    Jeff,

    Yes, as mentioned by Anish, "

    Some examples of behavior that violate this restriction are as follows:

    Using separate queues for 2 protocols that share the same hardware modules in
    the SA. For example, using queue 646 for SRTP packets and queue 647 for IPsec
    ESP traffic.
    – This example violates the restriction because both IPsec ESP and SRTP share
    the encryption and decryption hardware module, and the authentication
    hardware module.
    Typically, it is recommended to use transmit queue 646 for 3GPP air cipher traffic and
    transmit queue 647 for IPsec ESP, IPsec AH, and SRTP traffic. Extra care must be taken
    for data-mode traffic since the hardware processing engines that are used are not as
    clearly defined as for the other protocols."

    So, you can't do IPSEc and SRTP at the same time.

    For the benchmarking document, we don't have it right now.

    Regards, Eric

     

  • 0 in reply to lding
    TI__Guru* 95265 points

    Jeff,

    Some clarification to my previous post, "To make the SA support IPSEC and SRTP channels simultaneously. However, you need to send both packets through the same queue to avoid SA lockup. The rule of thumb is that the input queue should be identical if both channels share the same engines. In this case, the encryption and authentication engines are shared."

    In this way, you don't have the HW violation. Sorry for the confusion for this.

    Regards, Eric