Cavium Move May Spell End For 'Security Processor' Market

Cavium Networks Inc. hosted a coming-out party in Santa Clara, Calif. last night for its Octeon processor. The event marked more than the company's licensing of the 64-bit MIPS instruction set: By moving into control plane functions, Cavium could herald the slow demise of the standalone security processor.

The popularity of Cavium's Nitrox line of security processors would seem to dictate otherwise: With more than 70 customers and 125 design wins for that line, Cavium has attracted more than $40 million in venture capital since its founding in late 2000. But the mere existence of Octeon shows that long-range trends in embedded security favor control plane RISC cores alongside dedicated security silicon.

When the first-generation Nitrox was introduced less than a month after the 9/11 attacks, security topped the list of IT managers' corporate necessities. A few semiconductor players, including Hi/fn Inc. and SafeNet Inc., had expanded encryption and compression products to include virtual-private-network creation and embedded firewall support. But Cavium was at the fore of a second wave of startups focused solely on single-chip security devices.

In late 2000, during the early phases of the communications recession, Cavium chief executive officer Syed Ali had discussed network equipment design trends with an IC design team led by Anil Jain, formerly responsible for the 64-bit Alpha processor at Digital Equipment Corp. Jain realized that Cavium was not going to get attention following a me-too route.

Communications processor design had followed two main paths in the late 1990s. Startups involved in strict data-plane packet-forwarding devices " the chips most commonly called network processors " emphasized 10- and 40-Gbit/second services, with raw speed trumping higher-layer packet inspection. A smaller class of startups was following the model of Motorola's 68360 and PowerQuicc families, offering aggregation of multiple traffic types at lower speeds, but with more offline support for complex service mixes.Rather than follow either track, Cavium targeted multiple layers of security standards, offering support for VPNs, Internet Protocol Secure (IPsec) functions, intrusion-detection services and secure socket layer (SSL) transactions. Cavium chief technology officer Raghib Hussain, a founder of VPNet Systems Inc., brought in system-level expertise. Cavium later appointed a technology advisory board that included IPsec author Stephen Kent, SSL v3.0 author Paul Kocher and Gigabit Ethernet pioneer Rich Seifert.

The company's decision paid off, at least in the short term. As the communication recession persisted for three and even four years, network-processor and communication-aggregator companies alike were acquired, went out of business or focused on specialty accounts. Cavium advanced the consolidation trend last month when it acquired the assets of aggregator specialist Brecis Communications Inc.

But security applications have also failed to catch fire. Corrent Corp. (Tempe, Ariz.) has shifted its focus solely to boards and systems. NetOctave Inc. was acquired by CyberGuard Corp., and both NetOctave and startup Layer N Networks Inc. (Austin, Texas) have narrowed their focus to SSL and TCP offload devices.

Hi/fn led the move to control plane consolidation by acquiring the nPower picoprocessor business from IBM, but short-term Hi/fn is focusing largely on security processing for storage-area networks. SafeNet has opted for the broadest mix of product deliverables, offering software, boards, processor chips and semiconductor IP for functions ranging from VPNs to intrusion detection.

Cavium could have reached profitability solely by marketing multilayer security chips and add-in boards, Ali said, but it wanted an entry point to additional communications functions. The Brecis family comprised Cavium's first MIPS-based chips and has been rebranded Nitrox SoHo (small office/home office) in a bid to bring aggregation to the access market.But a 64-bit MIPS implementation developed in-house was Cavium's ticket to high-end network systems that integrate all Layer 4 through 7 functions using end-to-end security. "Our cnMIPS core was developed internally, from the ground up. We did not license RTL models from MIPS, just the instruction set," Ali said. "The cn prefix for this processor can either stand for Cavium Networks or Content Networking " they're both applicable."

Space crunch Cavium's presentation foils on network bottlenecks look remarkably similar to those from network equipment suppliers that are melding security and load-balancing functions, such as F5 Networks Inc. and Redline Networks Inc. (see Sept. 6, page 51). Web server managers cannot offer fast XML-based services when separate boxes are used for firewalls, intrusion detection, server load-balancing and anti-virus functions, Ali said. All such tasks at Layers 4 through 7 must be merged into a pizza box format, and that doesn't leave enough real estate for separate control plane and data path processors.

The Octeon processor marries the MIPS cores with dedicated hardwired devices such as a regular-expression processor, for pattern matching; a TCP acceleration engine, for 10-Gbit Layer 5 termination; compression processors; and packet I/O processors, for IPv4 and v6 forwarding.

The 600-MHz cnMIPS core had to be able to handle 10-Gbit speeds when dedicated to a single function or 4-Gbit/s speeds when serving a multifunction box. Cavium's designers realized the key was not to push absolute control plane speeds in a single architecture but to offer anywhere from two to 16 MIPS cores on one chip and to use a dual-issuance microarchitecture in each MIPS core instantiation.

The first four processors in the Octeon family will feature two MIPS cores (the cn3420), four cores (cn3430), eight cores (cn3840), or 16 cores (cn3860), ranging in price from $125 to $750 each in quantities of 10,000. By the time the processors sample in the first quarter, Ali said, Cavium could see control plane competition from such companies as Freescale Semiconductor Inc. or Broadcom Corp. But it hopes to keep a leg up on performance through its custom MIPS implementation, Ali said.0