Förderverein Informationstechnik und Gesellschaft
[Read this text against the background of the discussion about the second and third keys in Microsoft's crypto APIs .... --AHH]
3Com has developed a revolutionary family of client and server Network Interface Cards (NICs) to optimize the offload capabilities of Windows 2000. 3Com's vision, developed in tandem with Microsoft, was to use Windows 2000 capabilities to reduce CPU utilization, offload key TCP/IP functions and maximize system and network performance. This new generation of NICs for desktops, workstations, and servers includes a 3Com-developed ASIC, the 3XP processor, that combines a 10/100 Ethernet MAC and an embedded ARM9 RISC processor.
The integrated 3XP processor enables customers to exploit new advanced features in Windows 2000 resulting in lower CPU utilization and exceptional system performance. These new generation NICs, for which nine patents have been submitted, represent a significant technical advance. The 3XP processor facilitates the most efficient Windows 2000 networking, including offloads such as TCP segmentation and TCP/IP checksum. In addition, these NICs include a 3DES encryption chip, which accelerates and offloads the CPU-intensive IPSec encryption algorithms from Windows 2000, allowing customers to implement high-speed LAN security without sacrificing system performance. The outstanding performance results include a 33% savings of CPU utilization while running IPSec, and a 13% savings of CPU utilization when running TCP segmentation processing.
Encrypt data without sacrificing system performance
When most people think of network security, they think of securing against intrusion from outside the enterprise. However, the FBI Computer Crime Unit says that more than 80% of all network security breaches are "inside jobs," coming from inside the enterprise itself, where the firewall does no good. Even if the enterprise has employed tunnel-mode security to protect data between routers, significant breaches can easily occur as the data is transmitted to the client PC, workstation or server.
Although many companies have no need for enterprise-wide security, almost every organization has departments, such as human resources or finance, where at least interdepartmental security from the server to the desktop would be considered useful.
But IPSec, or Internet Protocol Security, has historically come with a price. Encryption and hashing algorithms, which have traditionally been performed by the host CPU, place a huge burden on the PC, workstation, or server. Windows 2000 includes new Application Programming Interfaces (APIs), which allow the NIC to assume the burden of processing the compute-intensive encryption and hashing algorithms, including 3DES, DES, MD5 and SHA-1.
The integrated 3XP processor sends the data to the dedicated encryption chip, which leaves the host CPU free. Early tests show that when implementing LAN security through software only, throughput degrades 77%. By contrast, when using 3Com NICs with encryption co-processing to deliver LAN security, throughput is maintained and CPU utilization is reduced 33%. 3Com is the first in the industry to implement IPSec encryption acceleration on the NIC, allowing customers to experience the advantages of true end-to-end security without sacrificing performance. IPSec is a standard feature of Windows 2000; no additional software is necessary to offload IPSec. Encryption acceleration is an integral, standard feature with this new NIC product family.
Increase performance while processing TCP segmentation
Any desktop, workstation, or server running bandwidth-intensive applications needs to devote maximum CPU cycles to processing applications and avoid expending cycles on processing network traffic. The host CPU has historically been called upon to perform segmentation whenever a data block exceeds the maximum Ethernet frame size of 1513 bytes. This transaction, which requires data segmentation, duplication of IP headers, and creation of unique TCP headers for each new segment of data, becomes a drain when transmitting large files or when the host CPU is trying to run bandwidth-intensive applications. This is because while the CPU is processing network traffic, it is unavailable to do anything else.
Windows 2000 has also created APIs to offload this process. Windows 2000 offloads the entire block of data from the host CPU to 3Com's integrated 3XP processor. The 3XP processor performs the task of segmentation and IP header duplication, then creates a TCP header "template," called a pseudo header. The unique fields in the TCP header are then filled in, saving even more time and processing power. The host CPU is free during the entire transaction to continue handling applications, running searches, etc. This results in an impressive savings on use of the host CPU to process network traffic. [...]
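The segmentation and checksum work that the text assigns to the 3XP processor can be shown in software. The following Python is an added example and is not 3Com's or Microsoft's code: it takes a data block larger than one frame, cuts it into MSS-sized segments, duplicates the IPv4 header for each segment (incrementing the identification field), fills the per-segment fields of a TCP header template (sequence number, flags) and computes the TCP checksum over the pseudo header, which is what the offload hardware has to do for every segment. A receiver-side routine then verifies both checksums and reassembles the block. The addresses, ports, MSS and payload are constructed sample values, not taken from the page. Note that these checksums only catch accidental corruption; integrity against a deliberate modification on the wire is the job of the IPSec hashing (MD5, SHA-1) that the page says the same NIC family offloads.

```python
import struct

# Constructed sample values (not from the 3Com text).
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"
SRC_PORT = 40000
DST_PORT = 80
MSS = 1460                         # 1500-byte MTU minus 20-byte IPv4 and 20-byte TCP headers
PAYLOAD = bytes(range(256)) * 16   # 4096-byte block, larger than one frame


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): sum 16-bit words, fold carries, complement.
    Returns 0 when run over data that already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(ident: int, total_length: int) -> bytes:
    """20-byte IPv4 header for TCP (protocol 6), DF set, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident, 0x4000, 64, 6, 0,
                      ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def build_tcp_header(seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    """Fill the per-segment fields of the TCP header template and compute the
    checksum over pseudo header + TCP header + payload."""
    hdr = struct.pack("!HHIIBBHHH", SRC_PORT, DST_PORT, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip_to_bytes(SRC_IP) + ip_to_bytes(DST_IP) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = ones_complement_sum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def segment(payload: bytes, start_seq: int, ack: int, start_ident: int, mss: int = MSS) -> list:
    """Emulate TCP segmentation offload: one IPv4+TCP packet per MSS-sized chunk."""
    packets = []
    for offset in range(0, len(payload), mss):
        chunk = payload[offset:offset + mss]
        last = offset + mss >= len(payload)
        flags = 0x18 if last else 0x10          # PSH|ACK on the final segment, ACK otherwise
        tcp = build_tcp_header(start_seq + offset, ack, flags, chunk)
        ip = build_ipv4_header(start_ident + len(packets), 20 + len(tcp) + len(chunk))
        packets.append(ip + tcp + chunk)
    return packets


def verify_and_reassemble(packets: list, start_seq: int) -> bytes:
    """Receiver side: check both checksums, then put the segments back in sequence order."""
    pieces = {}
    for pkt in packets:
        ip, tcp = pkt[:20], pkt[20:40]
        total_length = struct.unpack("!H", ip[2:4])[0]
        if ones_complement_sum(ip) != 0 or total_length != len(pkt):
            raise ValueError("bad IPv4 header or length")
        payload = pkt[40:total_length]
        pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, ip[9], len(tcp) + len(payload))
        if ones_complement_sum(pseudo + tcp + payload) != 0:
            raise ValueError("bad TCP checksum")
        seq = struct.unpack("!I", tcp[4:8])[0]
        pieces[seq - start_seq] = payload
    return b"".join(pieces[k] for k in sorted(pieces))


if __name__ == "__main__":
    pkts = segment(PAYLOAD, start_seq=1000, ack=0, start_ident=1)
    for p in pkts:
        ident, length = struct.unpack("!H", p[4:6])[0], len(p)
        seq = struct.unpack("!I", p[24:28])[0]
        print(f"ip.id={ident} len={length} tcp.seq={seq}")
    print("reassembled OK:", verify_and_reassemble(pkts, 1000) == PAYLOAD)
```

Running it shows three frames (two of 1500 bytes and a shorter tail) whose sequence numbers advance by the MSS, and a successful reassembly; flipping any byte of a segment makes the receiver routine reject it.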