C H A P T E R 1

Product Overview

This chapter provides an overview of the Sun Crypto Accelerator 4000 board, and contains the following sections:

Product Features

Hardware Overview

Hardware and Software Requirements

Product Features

The Sun Crypto Accelerator 4000 board is a Gigabit Ethernet-based network interface card that supports cryptographic hardware acceleration for IPsec and SSL (both symmetric and asymmetric) on Sun servers. In addition to operating as a standard Gigabit Ethernet network interface card for unencrypted network traffic, the board contains cryptographic hardware to support a higher throughput for encrypted IPsec traffic than the standard software solution.

Once installed, the board is initialized and configured with the vcaadm utility which manages the keystore and user information and determines the level of security in which the board operates. Once a keystore and security officer account are configured, Java and PKCS11 applications such as Sun ONE server software, and OpenSSL applications such as Apache can be configured to use the board for cryptographic acceleration.

Note - Solaris 10 or future compatible versions of the Solaris Operating System are required to use version 2.0 of the board.

Caution - Do not use the Sun Crypto Accelerator 4000 board as a boot device.

What's New in Version 2.0

The Sun Crypto Accelerator 4000 version 2.0 adds the following features to what was provided in previous releases:

Support for new Solaris 10 Operating System features

The board acts as a cryptographic service provider for the Solaris Cryptographic Framework. User applications can now access the board and other cryptographic services through the common Solaris Cryptographic Framework interfaces. Refer to the Solaris Cryptographic Framework documentation for detailed information.

Support for Sun's Predictive Self-Healing, which provides improved fault detection and diagnosis.

Support for the new Service Management Facility (SMF), which is an improved mechanism for controlling system startup and the relationship between services.

Multi-Admin keystore security, supporting the requirement of multiple security officers to authenticate keystore backup and restore operations. This feature provides an optional added level of keystore security.

Jumbo frames (9 Kbyte) support over the board's network interface. The larger frame size can be used to improve system performance in networks which support jumbo frames.

Support for the AES algorithm.

Note - AES support is implemented in the firmware and provides less performance than available on the host system. AES is only intended to be used by applications that require the added security of keeping keys in the Sun Crypto Accelerator 4000 hardware. By default, AES support is not enabled.

Key Protocols and Interfaces

The Sun Crypto Accelerator 4000 board is interoperable with existing Ethernet equipment assuming standard Ethernet minimum and maximum frame size (64 to 1518 bytes), frame format, and compliance with the following standards and protocols:

Full-size PCI 33/66 Mhz, 32/64-bit

IEEE 802.3 CSMA/CD (Ethernet)

IEEE 802.2 Logical Link Control

SNMP (limited MIB)

Full- and half-duplex Gigabit Ethernet interface (IEEE 802.z)

Universal dual voltage signaling (3.3V and 5V)

Key Features

Gigabit Ethernet with either copper or fiber interface

Accelerates IPsec and SSL cryptographic functions

Session establishment rate - up to 8000 operations per second

Bulk encryption rate - up to 800 Mbps

Provides up to 2048-bit RSA encryption

Delivers up to 10 times faster 3DES bulk data encryption

Provides tamper-proof, centralized security key and certificate administration for Sun ONE Web Server for increased security and simplified key management

Designed for FIPS 140-2 Level 3 certification

Low CPU utilization - frees up server system resource and bandwidth

Secure private key storage and management

Dynamic reconfiguration (DR) and redundancy/failover support on Sun's midframe and high-end servers

Load balancing for RX packets among multiple CPUs

Full flow control support (IEEE 802.3x)

The Sun Crypto Accelerator 4000 boards are designed to comply with the security requirements for cryptographic modules as documented in the Federal Information Processing Standard (FIPS) 140-2, Level 3.

Supported Applications

Solaris Cryptographic Framework

Sun ONE Server software

Apache Web Server

Supported Cryptographic Protocols

The board supports the following protocols:

IPsec for IPv4 and IPv6, including IKE

SSLv2, SSLv3, TLSv1

The board accelerates the following IPsec functions:

ESP (DES, 3DES) encryption

ESP (SHA1, MD5) authentication *

AH (SHA1, MD5) authentication *

^{* When configured for in-line IPsec acceleration (See In-Line IPsec Hardware Acceleration)}

The board accelerates the following SSL functions:

Secure establishment of a set of cryptographic parameters and secret keys between a client and a server

Secure key storage on the board - keys are encrypted if they leave the board

Diagnostic Support

User-executable self-test using OpenBoot PROM

SunVTS diagnostic tests

Security officer initiated diagnostics (vcadiag and vcaadm)

Cryptographic Algorithm Acceleration

Together with the Solaris Cryptographic Framework, the board accelerates cryptographic algorithms in both hardware and software. The reason for this complexity is that the cost of accelerating cryptographic algorithms is not uniform across all algorithms. Some cryptographic algorithms were designed specifically to be implemented in hardware, others were designed to be implemented in software. For hardware acceleration, there is the additional cost of moving data from the user application to the hardware acceleration device, and moving the results back to the user application. Note that a few cryptographic algorithms can be performed by highly tuned software as quickly as they can be performed in dedicated hardware.

Supported Cryptographic Algorithms

The Sun Crypto Accelerator 4000 driver (vca) examines each cryptographic request and determines the best location for the acceleration (host processor or Sun Crypto Accelerator 4000), to achieve maximum throughput. Load distribution is based on the cryptographic algorithm, the current job load, and the data size.

The board accelerates the following IPsec algorithms.

TABLE 1-1 IPsec Cryptographic Algorithms
Type	Algorithm
Symmetric	DES, 3DES
Hash*	MD5, SHA1

^{* When configured for in-line IPsec hardware acceleration.}

The board accelerates the following SSL algorithms.

TABLE 1-2 SSL Cryptographic Algorithms
Type	Algorithm
Symmetric	DES, 3DES, AES
Asymmetric	Diffie-Hellman (Apache only) and RSA (up to 2048 bit key), DSA

IPsec Acceleration

The board supports two forms of IPsec acceleration: out-of-band and in-line. Both configurations offload high-overhead cryptographic operations from the SPARC® processor to the board. See IPsec Hardware Acceleration Configuration.

TABLE 1-3 Accelerated IPsec Algorithms
Algorithm	Out-of-Band	In-Line
AES	X
DES	X	X
3DES	X	X
MD5	X	X
SHA1	X	X

Out-of-Band IPsec Hardware Acceleration

When the board is configured for out-of-band IPsec acceleration, supported encryption and decryption operations are accelerated in hardware. All IPsec specific packet processing is performed by the host Solaris IPsec software. See Enabling Out-of-Band IPsec Acceleration.

Note - No IPsec configuration or tuning is required to use the board for out-of-band IPsec acceleration in Solaris 10. You simply install the Sun Crypto Accelerator 4000 packages and reboot.

In-Line IPsec Hardware Acceleration

When configured for in-line IPsec acceleration, supported encryption, decryption, and authentication operations are accelerated in hardware. Portions of the IPsec specific packet processing are performed directly by the board. See Enabling In-Line IPsec Acceleration for instructions on how to configure the board for in-line IPsec acceleration.

SSL Acceleration

TABLE 1-4 shows which SSL accelerated algorithms may be off-loaded to hardware and which software algorithms are provided for Sun ONE and Apache Web Servers.

TABLE 1-4 Supported SSL Algorithms
Algorithm	Sun ONE Web Servers	Apache Web Servers
AES	X
RSA	X	X
DSA	X	X
DES	X	X
3DES	X	X

Hardware Overview

The Sun Crypto Accelerator 4000 hardware is a full-size (4.2 inches x 12.283 inches) cryptographic accelerator PCI Gigabit Ethernet adapter that enhances the performance of IPsec and SSL on Sun servers.

Sun Crypto Accelerator 4000 MMF Adapter

The Sun Crypto Accelerator 4000 MMF adapter is a single-port Gigabit Ethernet fiber optics PCI bus card. It operates in 1000 Mbps Ethernet networks only.

FIGURE 1-1 Sun Crypto Accelerator 4000 MMF Adapter

Illustration of the Sun Crypto Accelerator 4000 MMF adapter

LED Displays

TABLE 1-5 Front Panel Display LEDs for the MMF Adapter
Label	Meaning if Lit	Color
FAULT	On when the board is in the HALTED (fatal error) state or low-level hardware initialization failed. Flashing if an error occurred during the boot process.	Red
DIAG	On in POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) state. Flashing when running DIAGNOSTICS.	Green
OPERATE	On in POST, DIAGNOSTICS, and DISABLED (driver not attached) state. Flashing in IDLE, OPERATIONAL, and FAILSAFE states.	Green
INIT	On if the security officer has initialized the board with `vcaadm`. See Initializing the Board With vcaadm. Flashing if the ZEROIZE jumper is present.	Green
FIPS	On when operating in FIPS 140-2 level 3 certified mode. Off when in non-FIPS mode.	Green
LINK	On when the link is up.	Green

Sun Crypto Accelerator 4000 UTP Adapter

The Sun Crypto Accelerator 4000 UTP adapter is a single-port Gigabit Ethernet copper-based PCI bus card. It can be configured to operate in 10, 100, or 1000 Mbps Ethernet networks.

Illustration of the Sun Crypto Accelerator 4000 UTP adapter FIGURE 1-2 Sun Crypto Accelerator 4000 UTP Adapter

LED Displays

TABLE 1-6 Front Panel Display LEDs for the UTP Adapter
Label	Meaning if Lit	Color
FAULT	On when the board is in the HALTED (fatal error) state or low level hardware initialization failed. Flashing if an error occurred during the boot process.	Red
DIAG	On in POST, DIAGNOSTICS, and FAILSAFE (firmware not upgraded) state. Flashing when running DIAGNOSTICS.	Green
OPERATE	On in POST, DIAGNOSTICS, and DISABLED (driver not attached) state. Flashing in IDLE, OPERATIONAL, and FAILSAFE states.	Green
INIT	On if the security officer has initialized the board with `vcaadm`. See Initializing the Board With vcaadm. Flashing if the ZEROIZE jumper is present.	Green
FIPS	On when operating in FIPS 140-2 level 3 certified mode. Off when in non-FIPS mode.	Green
1000	On when using Gigabit Ethernet.	Green
ACTIVITY (no label)	On when the link is transmitting or receiving.	Amber
LINK (no label)	On when the link is up.	Green

Dynamic Reconfiguration and High Availability

The Sun Crypto Accelerator 4000 hardware and associated software provides the capability to work effectively on Sun platforms supporting Dynamic Reconfiguration (DR) and hot-plugging. During a DR or hot-plug operation, the Sun Crypto Accelerator 4000 software layer automatically detects the addition or removal of a board, and adjusts the scheduling algorithms to accommodate the change in hardware resources.

For High Availability (HA) configurations, multiple Sun Crypto Accelerator 4000 boards can be installed within a system or domain to insure that hardware acceleration is continuously available. In the unlikely event of a Sun Crypto Accelerator 4000 hardware failure, the software layer detects the failure and removes the failed board from the list of available hardware cryptographic accelerators. Sun Crypto Accelerator 4000 software adjusts the scheduling algorithms to accommodate the reduction in hardware resources. Subsequent cryptographic requests are scheduled to the remaining boards.

Note that the Sun Crypto Accelerator 4000 hardware provides a source for high-quality entropy for the generation of long-term keys. If all the Sun Crypto Accelerator 4000 boards within a domain or system are removed, long-term keys are generated with lower-quality entropy.

Load Sharing

The Sun Crypto Accelerator 4000 software allows for the distribution of load across as many boards as are installed within the Solaris domain or system. Incoming cryptographic requests are distributed across the boards based on fixed-length work queues. Cryptographic requests are directed to the first board, and subsequent requests stay directed to the first board until it is running at full capacity. Once the first board is running at full capacity, further requests are queued to the next board available that can accept the request of this type. The queueing mechanism is designed to optimize throughput by facilitating request coalescing at the board.

Hardware and Software Requirements

TABLE 1-7 provides a summary of the hardware and software requirements for the Sun Crypto Accelerator 4000 adapter.

TABLE 1-7 Hardware and Software Requirements
Hardware and Software	Requirements
Hardware	Sun Fire V120, V210, V240, V250, 280R, V440, V490, V880, V880z, V890, 4800, 4900, 6800, 6900, 12K, 15K, 20K; Netra 20 (lw4), 120, 240; Sun Blade 150, 1500, 2000, 2500
Operating System	Solaris 10 and future compatible releases

Required Patches

Refer to the Sun Crypto Accelerator 4000 Board Version 2.0 Release Notes for detailed required patch information.