mcs1000 MosChip, mcs1000 Datasheet - Page 19

Manufacturer Part Number: mcs1000
Description: Security Processor
Manufacturer: MosChip
Datasheet
MCS1000
Security Processor
DMA Channel (Router and Arbiter)
The DMA channel connects the operators and the IO channels into chains. The structure of the chain will
depend on the IPSec mode negotiated between the communicating parties and the available operators. It is
possible to process the data sequentially with a small number of operators or to “wake up” sleeping operators
in case more processing power is required. When disconnected, the operators are idle and consume very
little power.
Functionally, the operators do not require any information about the data stream origin or its fragmentation.
When new data is received, the operator processes the block and delivers the next block of data for output. The
chain is a FIFO block and therefore automatically flushes the channel as the data moves through the blocks.
IPSec Unit Operation
The operator blocks within the IPSec Unit perform the data transformations required by the IPSec standard.
These are encryption, decryption and signing of the IP packet. The packet is fed into the operators from the
Packet Cache by the block I/O channels. An arbiter within the Hardware IPSec Module enables
sharing of the system memory between competing devices and uses a round-robin priority scheme
to distribute access evenly between the channels. The arbitration scheme will not cause
the device to lock up, because the cipher block is aware of the I/O status and will not request additional data
before output is flushed. The CPU Subsystem has concurrent access to the Packet Cache and can perform
packet analysis at the same time.
The operator block works on the stream(s) of data by processing it on the fly. The packet data stream is fetched
from memory by Input Channel(s), processed by the operator block(s) and sent back to memory through Output
Channel(s). The Input channel serializes the memory data for the operator blocks and the Output channel
writes the processed stream back into the memory. Two types of operator blocks process the data stream. The
Block Encryption (BL) operator encrypts or decrypts the stream data. The signature operator (HM) calculates
the Integrity Check Value (ICV); because it does not alter the data, it has read capability only. Several
operators can be connected into a chain to allow data processing in a pipeline. This mode can be used for
IPSec tunneling and avoids unnecessary data transfers between the memory and cipher block. The stream
connection is controlled by the router block inside the connection unit.
Consider, for example, the common calculation in IPSec: the AH-ESP set. This requires two signatures and one
encryption. The first signature must start from the beginning. The second signature and encryption must start
at the ESP header. For this to take place, the operators are pre-configured with the correct set of keys and the
start/end points in the data stream.
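The AH-ESP chain described above, as an added software model (not MosChip code and not the device's programming interface): two read-only HM operators and one BL operator, each pre-configured with a key and start/end points, process the stream block by block in a single pass. HMAC-SHA-256 and an XOR keystream are stand-ins for the real algorithms; the class and function names, the chain order and the 24-byte ESP offset are assumptions, and the ICVs are returned rather than written into the packet.

```python
import hashlib
import hmac

# Constructed sample: 24 bytes of outer/AH headers, then ESP header + payload.
SAMPLE, ESP_OFF = bytes(range(24)) + b"ESPHDR--" + b"constructed payload", 24

class HM:
    """Signature operator: reads its configured range, never alters the stream."""
    def __init__(self, key, start, end):
        self.mac = hmac.new(key, digestmod=hashlib.sha256)
        self.start, self.end = start, end
    def process(self, offset, block):
        lo = max(self.start - offset, 0)
        hi = min(self.end - offset, len(block))
        if lo < hi:  # part of this block falls inside the signed range
            self.mac.update(block[lo:hi])
        return block  # read-only: data passes through unchanged

class BL:
    """Block-encryption operator. Stand-in XOR keystream, not an IPSec cipher."""
    def __init__(self, key, start, end):
        self.key, self.start, self.end = key, start, end
    def _ks(self, pos):
        ctr = (pos // 32).to_bytes(8, "big")
        return hashlib.sha256(self.key + ctr).digest()[pos % 32]
    def process(self, offset, block):
        out = bytearray(block)
        for i in range(len(out)):
            if self.start <= offset + i < self.end:
                out[i] ^= self._ks(offset + i - self.start)
        return bytes(out)

def run_chain(chain, data, block_size=16):
    """Push each block through every operator in order: one pass over memory."""
    out = bytearray()
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        for op in chain:
            block = op.process(off, block)
        out += block
    return bytes(out)

def ah_esp(data, esp_off, k_ah, k_esp, k_enc, outbound=True, block_size=16):
    """Assumed order: encrypt then sign outbound, sign then decrypt inbound."""
    n = len(data)
    ah, esp, bl = HM(k_ah, 0, n), HM(k_esp, esp_off, n), BL(k_enc, esp_off, n)
    chain = [bl, esp, ah] if outbound else [ah, esp, bl]
    out = run_chain(chain, data, block_size)
    return out, ah.mac.digest(), esp.mac.digest()
```

Because each operator tracks only its own start/end points, the result is the same whatever block size the input channel delivers, including blocks that straddle the ESP header.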
Rev. 1.1
Page 19