Vendors with MIPS-based processors are looking into adding security functions to their chips with the goal of boosting the performance of network equipment at the same time as cutting costs.

The development reflects the growing use of MIPS processors in data planes, where encryption is handled, in addition to their traditional use in control planes. The fact that vendors of network processors have already started adding security functions to their products has probably also spurred the MIPS chips brigade to make a move.

Integrated Device Technology Inc. (IDT) (Nasdaq: IDTI) appears to be leading the charge. It expects to announce a MIPS chip with added security by the first quarter of 2003. Broadcom Corp. (Nasdaq: BRCM) and PMC-Sierra Inc. (Nasdaq: PMCS) are looking in that direction, too, but more cautiously, in part because these chips have uses outside of networking, in less security-intensive boxes such as printers.

The intellectual property to build these chips comes from MIPS Technologies Inc. (Nasdaq: MIPS; OTC: MIPBV), a Silicon Graphics Inc. (SGI) (NYSE: SGI) spinoff, and is licensed out to several companies, among them IDT, Broadcom, PMC-Sierra, and SandCraft Inc.

In networking, MIPS processors tend to be control-plane devices, processing exception cases and just generally overseeing the operations of a switch or router. (See Network Processor Architectures.) But the devices increasingly are finding uses in the data plane, particularly in the enterprise, and their workload there is increasing as enterprise boxes tackle more functions at Layer 3 and higher.

In IDT's case, the company wants to integrate security functions into MIPS-based processors such as its RC32332. As a first step, the company plans to show its processors interoperating with a separate security chip from SafeNet Inc. (Nasdaq: SFNT), a maker of VPN hardware and software. Actual integration of the security functions should start in 2003.

The goal is twofold: Boost performance by putting security functions in hardware, then lower the system price by integrating that hardware onto the microprocessor.

"We will roll out a number of products over the next few years having the security engine on them, because people are going to want the cost advantages of integrating the chip," says Ian Ferguson, strategic marketing manager for IDT's processor division.

Of course, several companies already are putting security functions in hardware. Hifn Inc. (Nasdaq: HIFN), Broadcom and others have developed chips to accelerate encryption or to handle the entirety of a security protocol such as IPSec or SSL.These vendors say they won't become extinct as IDT and others integrate security onto processor chips, because integration slows down the system's overall performance. IDT agrees; in fact, that's why the company is unlikely to spin its security functions into a separate chip.

"We would probably be perceived as being behind the curve," says Ferguson, noting that security co-processors are winning use among IDT's customers.

IDT is not covering quite the same ground as Intel Corp. (Nasdaq: INTC) or Agere Systems (NYSE: AGR/A), which are planning to add security to their network processors (see Intel Moves on Security, Agere, Hifn Team on Security and Agere and Intoto, too!). While network processors tend to be composed of multiple small processing cores, MIPS devices tend to be single microprocessors -- really big ones, originally developed for SGI workstations and built to outdistance what a PC's microprocessor can do.

Most network processors were intended for core IP routing, whereas MIPS parts tend to be used for control functions, or as the lone processor in a simple system such as a Layer 2 Ethernet switch. But as their customers' boxes begin to absorb higher-layer functions, MIPS-processor vendors will have to follow suit.

"We're seeing security touching a number of the boxes we're going to be in," Ferguson says, noting that enterprise VPNs are a particularly promising example. Corporate wireless networks might be a possible market as well, because the upcoming 802.11i standard mandates support for the complicated AES encryption algorithm.

Other vendors of MIPS-based processors are considering security add-ons as well. PMC is mulling the possibility of adding security to its RM5000, RM7000 and RM9000 families of chips. Integration of extra functions in general is "probable, especially at the lower end of the performance range," says John Monson, vice president of marketing for PMC's MIPS-processor division.

It seems even more obvious that Broadcom would pursue integration, because the company already has both halves in-house. It already sells security chips, and it got into the MIPS business with the acquisition of SiByte (see Broadcom's on a Buying Spree). Broadcom officials say such integration would be a snap, but the market doesn't justify it yet.

"Right now, we want to keep the SiByte processors as general-purpose as possible," says Krishna Anne, Broadcom strategic marketing manager. "It gives them a bigger total available market."

When the day for integration comes, Broadcom's security efforts might be more comprehensive than IDT's, says Joe Wallace, product line manager for Broadcom's security group. IDT and other processor vendors tend to integrate just the algorithmic portions of security -- the math behind the 3DES or AES algorithms, for example -- whereas Broadcom could integrate functions such as SSL record-layer processing, already offered in the company's BCM5850 chip (see Broadcom Intros SSL/TLS Chip).

"That's an example of the kind of functionality we could integrate into one of our SiByte cores very easily," Wallace says.

Indeed, IDT will start by integrating the encryption algorithms with its processors, Ferguson says. Its target is more specific than Broadcom's, however. IDT has its eye on enterprise VPNs, where the primary function apart from encryption is the establishment of VPN tunnels. IDT is being coy about whether it plans to integrate that function onto its MIPS processors.

Going beyond security, IDT has been looking at the possibilities of integrating Layer 7 applications, a possibility that opened up with its September acquisition of Solidum Systems (see IDT to Acquire Solidum).

"Some of their intellectual property could be useful in intrusion detection -- something that might be very intrusive for a [general-purpose] processor, but that their network programming engine can handle, if you set up certain rules," Ferguson says.

— Craig Matsumoto, Senior Editor, Light Reading
www.lightreading.com