[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] 3Com / Microsoft: neue Abhaengigkeiten fuer den User?

[Man lese diesen Text vor der Hintergrund der Diskussion ueber die 
Zweit- und Drittkeys in Microsofts Krypto-APIs ....           --AHH]


------------------------------- CUT -------------------------------


3Com has developed a revolutionary family of client and server 
Network Interface Cards (NICs) to optimize the offload capabilities 
of Windows 2000. 3Comís vision, developed in tandem with Microsoft, 
was to use Windows 2000 capabilities to reduce CPU utilization, 
offload key TCP/IP functions and maximize system and network 
performance. This new generation of NICs for desktops, workstations, 
and servers includes a 3Com-developed ASIC, the 3XP processor, that 
combines a 10/100 Ethernet MAC and an embedded ARM9 RISC processor.  

The integrated 3XP processor enables customers to exploit new 
advanced features in Windows 2000 resulting in lower CPU utilization 
and exceptional system performance. These new generation NICs, for 
which nine patents have been submitted, represent a significant 
technical advance. The 3XP processor facilitates the most efficient 
Windows 2000 networking, including offloads such as TCP segmentation 
and TCP/IP checksum. In addition, these NICs include a 3DES 
encryption chip, which accelerates and offloads the CPU-intensive 
IPSec encryption algorithms from Windows 2000, allowing customers to 
implement high-speed LAN security without sacrificing system 
performance. The outstanding performance results include a 33% 
savings of CPU utilization while running IPSec, and a 13% savings of 
CPU utilization when running TCP segmentation processing.

Encrypt data without sacrificing system performance 

When most people think of network security, they think of securing 
against intrusion from outside the enterprise. However the FBI 
Computer Crime Unit says that more than 80% of all network security 
breaches are "inside jobs," coming from inside the enterprise itself, 
where the firewall does no good. Even if the enterprise has employed 
tunnel-mode security to protect data between routers, significant 
breaches can easily occur as the data is transmitted to the client 
PC, workstation or server.  

Although many companies have no need for enterprise-wide security, 
almost every organization has departments, such as human resources or 
finance, where at least interdepartmental security from the server to 
the desktop would be considered useful.  

But IPSec, or Internet Protocol Security, has historically come with 
a price. Encryption and hashing algorithms, which have traditionally 
been performed by the host CPU, place a huge burden on the PC, 
workstation, or server. Windows 2000 includes new Application 
Programming Interfaces (APIs), which allow the NIC to assume the 
burden of processing the compute-intensive encryption and hashing 
algorithms, includingn 3DES, DES, MD5 and SHA-1.  

The integrated 3XP processor sends the data to the dedicated 
encryption chip, which leaves the host CPU free. Early tests show 
when implementing LAN security through software only, throughput 
degrades 77%. By contrast, when using 3Com NICs with encryption co-
processing to deliver LAN security, throughput is maintained and CPU 
utilization is reduced 33%. 3Com is the first in the industry to 
implement IPSec encryption acceleration on the NIC, allowing 
customers to experience the advantages of true end-to-end security 
without sacrificing performance. IPSec is a standard feature of 
Windows 2000; no additional software is necessary to offload IPSec. 
Encryption acceleration is an integral, standard feature with this 
new NIC product family.  

Increase performance while processing TCP segmentation 

Any desktop, workstation, or server running bandwidth intensive 
applications needs to devote maximum CPU cycles to processing 
applications and avoid expending cycles on processing network 
traffic. The host CPU has historically been called upon to perform 
segmentation whenever a data block exceeds the maximum Ethernet frame 
size of 1513 bytes. This transaction, which requires data 
segmentation, duplication of IP headers, and creation of unique TCP 
headers for each new segment of data, becomes a drain when 
transmitting large files or when the host CPU is trying to run 
bandwidth intensive applications. This is because while the CPU is 
processing network traffic, it is unavailable to do anything else.  

Windows 2000 has also created A PIs to offload this process. Windows 
2000 offloads the entire block of data from the host CPU to 3Comís 
integrated 3XP processor. The 3XP processor performs the task of 
segmentation and IP header duplication, then creates a TCP header 
"template," called a pseudo header. The unique fields in the TCP 
header are then filled in, saving even more time and processing 
power. The host CPU is free during the entire transaction to continue 
handling applications, running searches, etc. This results in an 
impressive savings on use of the host CPU to process network traffic. 

------------------------------- CUT -------------------------------