ABSTRACT: Recently, an increasing number of enterprises are using new VPN services such as IP-VPN, Wide Area Ethernet and Internet VPN to integrate their IP-based corporate telephone and core transaction systems into their data networks. To support this integration even at small and medium sized corporate sites, a high performance access router that can handle large throughput, reliable QoS processing and high-speed encryption for VPN is in demand. This paper describes the technologies employed in the high speed access router (IX1000/IX2000/IX3000 series router). These technologies enable low cost solutions for fast packet forwarding via a caching mechanism and high performance VPN processing using an encryption LSI.

KEYWORDS: IP-VPN, IPsec, Access router, Encryption LSI, Caching mechanism

1. INTRODUCTION

Today, in order to strengthen network devices as an information infrastructure, both higher performance and lower prices are being demanded, for small and medium sized corporate sites as well as for broadband deployments of VPN services such as IP-VPN, Wide Area Ethernet and Internet VPN.

In particular, there is a growing need for a high speed access router whose forwarding performance degrades little under load, and for IPsec, an encrypted communication protocol that encrypts IP packets independently of the application.

At NEC, in order to build a low cost router, the hardware has been designed with carefully selected devices. In particular, the IX1000, IX2000 and IX3000 series (hereafter referred to as the IX series), which we developed, use a commercially available IPsec accelerator so that packet forwarding performance can be improved.

Furthermore, on the software side, we have developed an original function called the "UFS (Unified Forwarding Service) cache", which unifies the lookup processing currently performed separately by each service such as the filter, NAT/NAPT and IPsec.

In this paper we introduce these methods for making packet forwarding and IPsec processing faster.

2. HARDWARE ARCHITECTURE

When the high performance access router was developed, a hardware architecture was adopted whose design goals were high performance packet forwarding, the high performance IPsec processing indispensable to a VPN router, and low cost.

This section explains the main hardware components and the method used to speed up IPsec processing, taking the IX2010 as an example from among the IX series routers commercialized on the basis of this design review.

2.1 Main Hardware Components

In the IX2010, a communications-oriented embedded CPU is adopted as the CPU (refer to Fig. 1).

As shown in Fig. 1, the embedded CPU contains a communication processor (Com Processor) that handles Layer 2, a CPU core (CPU Core) that handles Layer 3 and above, and a PCI controller with a bridge function (PCI Controller).

Outside the embedded CPU there are a physical interface device that sends and receives Ethernet frames (PHY), SDRAM used as the program work area and for packet buffers, an IPsec accelerator that performs IPsec processing (IPsec), and some peripheral devices.
In addition, the embedded CPU and the IPsec accelerator are connected over the PCI bus, which speeds up the inter-chip transfer.

2.2 The High Speed System of IPsec Processing

To communicate using IPsec, the following processing is needed.

1. Diffie-Hellman computation to generate the shared secret key.
2. MD5 and SHA hash calculation algorithms.
3. DES, 3DES and AES encryption processing.
4. Authentication Header (AH) and ESP processing.

Among these, the processing speed of 1), 2) and 3) determines the number of IPsec sessions that can be established at the same time, and the processing speed of 2), 3) and 4) determines the IPsec packet forwarding performance once a session is established. IPsec processing can therefore be sped up by shortening the processing time of 1) to 4).
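To make concrete what items 2) and 4) above cost per packet, the following is an added example (not the IX series code): ESP encapsulation with an HMAC-SHA1-96 integrity check value and the receive-side anti-replay window described in RFC 4303, written in Python. The cipher step uses ESP's NULL transform so that the example runs with the standard library alone; a real router substitutes DES, 3DES or AES at that point. The key, SPI and traffic are constructed for the demonstration. The inbound side verifies the ICV before it advances the replay window, so a corrupted or forged packet cannot consume a sequence number.

```python
"""ESP (RFC 4303) encapsulation and decapsulation with HMAC-SHA1-96 integrity
and a 64-packet anti-replay window.  Added illustration of items 2) and 4);
this is not the IX series code.  The cipher step is ESP's NULL transform
(RFC 2410) so that only the standard library is needed; a production router
substitutes DES/3DES/AES here, in hardware in the IX case."""
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96 keeps the first 96 bits of the SHA-1 HMAC
ALIGN = 4      # with NULL encryption the ESP payload must end on a 4-octet boundary
WINDOW = 64    # anti-replay window size in packets


def esp_encapsulate(spi: int, seq: int, next_hdr: int, payload: bytes, auth_key: bytes) -> bytes:
    """Build SPI | Seq | payload | padding | pad_len | next_hdr | ICV."""
    pad_len = (-(len(payload) + 2)) % ALIGN          # 2 = pad_len and next_hdr octets
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default pad bytes 1, 2, 3, ...
    header = struct.pack("!II", spi, seq)
    body = payload + padding + bytes([pad_len, next_hdr])   # portion a real cipher would encrypt
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


class EspInbound:
    """Receive side of one SA: replay check, ICV verification, then trailer removal."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.highest = 0      # highest sequence number authenticated so far
        self.bitmap = 0       # bit i set means sequence (highest - i) was already accepted

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False                      # a sender never emits sequence 0
        if seq > self.highest:
            return True                       # new high-water mark
        diff = self.highest - seq
        return diff < WINDOW and not (self.bitmap >> diff) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet: bytes):
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("truncated")
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale")    # cheap check before any crypto
        expected = hmac.new(self.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("bad ICV")
        self._replay_update(seq)                      # only authenticated packets move the window
        pad_len, next_hdr = body[-2], body[-1]
        if pad_len > len(body) - 2:
            raise ValueError("bad pad length")
        return next_hdr, body[:len(body) - 2 - pad_len]


def _outcome(inbound: EspInbound, packet: bytes):
    try:
        return inbound.decapsulate(packet)
    except ValueError as err:
        return str(err)


def run_scenario() -> dict:
    """Constructed traffic for one SA: the key and SPI are made-up sample values."""
    key, spi, udp = b"constructed-demo-auth-key", 0x1001, 17
    inbound = EspInbound(spi, key)
    results = {}
    p1 = esp_encapsulate(spi, 1, udp, b"hello", key)
    results["first"] = _outcome(inbound, p1)             # accepted
    results["replay"] = _outcome(inbound, p1)            # same sequence again: rejected
    p2 = bytearray(esp_encapsulate(spi, 2, udp, b"world", key))
    p2[8] ^= 0x01                                        # one payload bit corrupted in transit
    results["tampered"] = _outcome(inbound, bytes(p2))   # ICV fails, window untouched
    results["genuine2"] = _outcome(inbound, esp_encapsulate(spi, 2, udp, b"world", key))
    results["seq70"] = _outcome(inbound, esp_encapsulate(spi, 70, udp, b"later", key))
    results["seq50"] = _outcome(inbound, esp_encapsulate(spi, 50, udp, b"reordered", key))
    results["seq5"] = _outcome(inbound, esp_encapsulate(spi, 5, udp, b"old", key))  # 65 behind: stale
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:10s} {value}")
```

Every packet pays one HMAC over header and body, and in a real transform one block cipher pass over the body; that is the per-packet cost items 2) and 4) impose, which is what the accelerator takes off the CPU Core. The Diffie-Hellman step of item 1) happens only when the SA is set up and is not modelled here.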

The processing flow when IPsec processing is done only in software (hereafter, software processing) and when the IPsec accelerator is used (hereafter, hardware assisted processing) is explained below using Fig. 2 and Fig. 3. The software processing flow (Fig. 2) is:

- Packet receive processing.
- Reading of the packet.
- IPsec processing (inside the CPU Core).
- Writing of the packet after IPsec processing.
- Transmission processing.

In software processing, a heavy load falls on the CPU Core because it performs all IPsec processing in addition to normal IP packet forwarding.

In hardware assisted processing, on the other hand, all the cryptographic operations and header processing needed for IPsec are done at high speed in the IPsec accelerator. The flow of hardware assisted processing, shown in Fig. 3, is:

- Packet receive processing.
- Instruction to the IPsec accelerator.
- Reading of the packet.
- IPsec processing (inside the IPsec accelerator).
- Writing of the packet after IPsec processing.
- Transmission processing.

In hardware assisted processing, faster processing and a reduced CPU Core load are achieved by performing almost all IPsec processing in the IPsec accelerator.

Fig. 4 shows the measured packet forwarding performance when IPsec is used with software processing and with hardware assisted processing. With hardware assisted processing, forwarding performance of up to about ten times that of software processing was achieved.

3. THE HIGH SPEED SYSTEM OF PACKET TRANSMISSION PROCESSING

The IX series uses NEC's original software platform in order to perform high speed packet forwarding.

One advantage of using an original platform is that software maintenance becomes easier.

Furthermore, tuning the basic processing of the OS reduces the memory needed to store and to execute the software. Minimizing the CPU processing load makes maximum use of the hardware's capability for packet forwarding. As a result, the IX series achieves highly efficient forwarding processing. Below, the forwarding mechanism is explained as original technology for high speed packet forwarding.

Fig. 2  IPsec software processing flow.

Fig. 3  IPsec hardware processing flow.

Fig. 4  Throughput comparison between software and hardware assisted processing.

Fig. 5  UFS cache packet processing.

3.1 UFS Cache

Services applied to received and forwarded packets, such as the filter and IPsec, each have a cache that stores the packet lookup and its result, in order to decide which configuration applies to a packet. Each service is independent, keeps its own cache, and processes the packet based on its own lookup result.

The usual processing flow when the filter, IPsec and NAT are configured performs a lookup in each service, as in the flow on the left-hand side of Fig. 5. For this reason, a large processing load was incurred for every packet.

Therefore, to make packet forwarding even faster, the IX series adopts the UFS cache system, an original function, as the forwarding mechanism used when packets are forwarded.

In the flow on the right-hand side of Fig. 5, the UFS cache system unifies the lookup processing performed by each service (filter, NAT/NAPT, IPsec, etc.) between reception of a packet and its transmission, combining the lookups of two or more services into a single cache lookup.
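As an added illustration of the two flows in Fig. 5 (example code, not NEC's implementation): three independent services each walk their own table for every packet, compared with one flow-keyed cache that stores the combined decision after the first packet of a flow. The rule tables, addresses and packet counts are constructed sample data. The example also shows the caveat such a cache brings with it: a filter, NAT or IPsec configuration change must invalidate the cached decisions, or packets keep following the old policy.

```python
"""Per-service lookups versus a unified forwarding cache, modelled on the UFS
cache idea.  Added illustration, not NEC's implementation; the rule tables,
flow keys and packet counts below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional


class FlowKey(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class Decision:
    permit: bool                 # filter verdict
    nat_src: Optional[str]       # translated source address if a NAT rule matched
    ipsec_sa: Optional[str]      # SA name if an IPsec policy selector matched


class Services:
    """Filter, NAT and IPsec as independent services; every table walk is counted."""

    def __init__(self, filter_rules, nat_rules, ipsec_policies):
        self.filter_rules = filter_rules        # (dst_network, dport or None, permit)
        self.nat_rules = nat_rules              # (src_network, translated_src)
        self.ipsec_policies = ipsec_policies    # (dst_network, sa_name)
        self.lookups = 0

    @staticmethod
    def _in(addr, net):
        return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

    def filter_lookup(self, key):
        self.lookups += 1
        for net, dport, permit in self.filter_rules:
            if self._in(key.dst, net) and dport in (None, key.dport):
                return permit
        return False                            # implicit deny at the end of the list

    def nat_lookup(self, key):
        self.lookups += 1
        return next((t for net, t in self.nat_rules if self._in(key.src, net)), None)

    def ipsec_lookup(self, key):
        self.lookups += 1
        return next((sa for net, sa in self.ipsec_policies if self._in(key.dst, net)), None)

    def decide(self, key):
        return Decision(self.filter_lookup(key), self.nat_lookup(key), self.ipsec_lookup(key))


class UnifiedCache:
    """One flow-keyed cache holding the combined result of all service lookups."""

    def __init__(self, services):
        self.services = services
        self.entries = {}
        self.hits = 0

    def forward(self, key):
        decision = self.entries.get(key)
        if decision is None:
            decision = self.services.decide(key)    # full table walks, once per flow
            self.entries[key] = decision
        else:
            self.hits += 1
        return decision

    def invalidate(self):
        """Any filter/NAT/IPsec configuration change must flush the cache; otherwise
        packets keep following a policy that no longer exists."""
        self.entries.clear()


# Constructed sample configuration and three flows of ten packets each.
FILTER = [("10.1.0.0/16", None, True)]
NAT = [("192.168.10.0/24", "203.0.113.1")]
IPSEC = [("10.1.0.0/16", "sa-branch")]
FLOWS = [
    FlowKey("192.168.10.5", "10.1.2.3", 6, 40000, 5060),
    FlowKey("192.168.10.6", "10.1.2.4", 17, 40001, 5060),
    FlowKey("192.168.10.7", "198.51.100.9", 6, 40002, 80),   # no filter rule: denied
]
PACKETS = [flow for flow in FLOWS for _ in range(10)]


def compare(packets=PACKETS):
    per_service = Services(FILTER, NAT, IPSEC)
    for key in packets:
        per_service.decide(key)                     # left-hand flow of Fig. 5
    unified_svc = Services(FILTER, NAT, IPSEC)
    ufs = UnifiedCache(unified_svc)
    for key in packets:
        ufs.forward(key)                            # right-hand flow of Fig. 5
    return {"per_service_lookups": per_service.lookups,
            "ufs_lookups": unified_svc.lookups, "ufs_hits": ufs.hits}


def stale_cache_demo():
    """Shows why a policy change must invalidate cached decisions."""
    svc = Services(list(FILTER), NAT, IPSEC)
    ufs = UnifiedCache(svc)
    before = ufs.forward(FLOWS[0]).permit
    svc.filter_rules.insert(0, ("10.1.2.3/32", None, False))   # operator adds a deny
    stale = ufs.forward(FLOWS[0]).permit                       # cache still answers permit
    ufs.invalidate()
    after = ufs.forward(FLOWS[0]).permit
    return before, stale, after


if __name__ == "__main__":
    print(compare())
    print(stale_cache_demo())
```

With three services and thirty packets, the per-service flow performs 90 table walks while the unified cache performs 9 and answers the remaining 27 packets from one dictionary lookup. The `stale_cache_demo` function shows the operational check that goes with the speed-up: until `invalidate()` runs, the newly added deny rule has no effect on the cached flow.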

This achieves high performance by reducing the load and time spent on lookup processing. Fig. 6 shows the performance results with and without the UFS cache system, and for a router from company A in the same price range. With the UFS cache, performance about 10% higher than without it is achieved. Moreover, even compared with company A, a performance difference remains.

By suppressing performance degradation through the reduction of lookup processing with the UFS cache, the IX series achieves high speed forwarding processing.

4. CONCLUSION

Using the above technologies, the IX series shows only small degradation of forwarding performance under high load, even compared with other routers in the same price range, and achieves high speed packet forwarding in real environments.

In response to market needs, even more efficient products will be developed from now on, based on the technology developed for the IX series.

Received August 27, 2004
Toru SUZUKI joined NEC Corporation in 1991, and currently he is Assistant Manager of Business Networks Division, Broadband Network Operations Unit, Network Platform Business Unit.

Ryuichi TOSHIDA joined NEC Corporation in 2002, and currently he is an engineer of Business Networks Division, Broadband Network Operations Unit, Network Platform Business Unit.

Atsushi MATSUKI joined NEC Corporation in 2003, and currently he is an engineer of Business Networks Division, Broadband Network Operations Unit, Network Platform Business Unit.

Tsuyoshi TATEISHI joined NEC Engineering, Ltd. in 1990, and currently he is Senior Engineer of the 2nd IP Network System Engineering Development Department, IP Business Division.
