networkZONE Products for the week of May 22, 2006


Mistletoe Technologies Says…
Mistletoe Security SoC, Software, and Reference Designs Help OEMs Build Multi-Gigabit Security Appliances that Deliver 10x Price/Performance Advantages

Mistletoe Technologies, Inc. has unveiled the company's extensive product line that targets network equipment OEMs. Mistletoe says its solution will enable OEMs to provide unparalleled benefits for IT administrators in small, medium and large enterprises.

For OEMs planning to enter the rapidly growing enterprise security market, or vendors seeking to dramatically improve the security capabilities of existing products, Mistletoe's embedded and turnkey solutions provide the fastest time-to-market and time-to-revenue. Product development projects can be reduced from 18 months to 90 days. At the same time vendors will be able to offer a scalable line of security appliances that cost up to 80% less than competing boxes, while delivering 10x performance improvements over comparable network security devices.

"The impact of our Security System-on-a-Chip, based on Mistletoe RDX technology, is a security appliance with 10 times the performance at a fraction of the cost," said Som Sikdar, CEO of Mistletoe Technologies. Sikdar, former co-founder of terabit switch/router vendor Force10 Networks, also noted, "Mistletoe-based solutions will provide IT managers with the products to secure their entire network infrastructure, greatly enhance how appliances are deployed and meet the growing need to deliver more throughput, securely and within budget."

Mistletoe Technologies' customers are shipping products to end-users in North America, Europe and Asia with products deployed in government labs, information service providers, telecommunications and enterprise networks.

Mistletoe RDX technology reduces power consumption and silicon complexity by orders of magnitude over single and multi-core CPUs and Network Processors, resulting in low power, compact appliances and embedded systems. Mistletoe Security SoCs, based on Mistletoe RDX technology, offer a comprehensive feature set that includes:

analogZONE Says . . .

After covering networking silicon for over a decade and having worked with microprocessors for twice that long, I thought I'd pretty much seen every possible architecture that you could use to parse packets, bash bytes, or twiddle bits. But that was before I encountered Mistletoe's re-loadable direct execution (RDX) processor, and the wild things it does. Born from some truly kinky computing concepts originally developed in the 1970s, and honed on the sharp edge of the Moore curve, the processor resembles little else on the market. In fact, it's such a strange beastie that the only reason I was able to take Mistletoe's claims seriously is that the company hovered in stealth mode until it had working silicon, a full reference design, and even boxes using its chips in the retail chain before it uncloaked and swooped down on the unsuspecting security box market with all phasers blazing.

Yes, it's hard to believe Mistletoe's claims that their device can be used to build a $5 k box that does the work of a typical $40 k - $50 k firewall/VPN box from Cisco or Juniper. In fact I was so skeptical at first that it took a tour of Mistletoe's labs, where I saw their chip already running in chassis from several ODMs (including one that's currently available from CDW) at full load, before I was ready to admit that their radical packet processing architecture is really capable of delivering the goods.

Without going into all the gory details (in part because some of them are under NDA and in part because I am still having trouble getting my head around a few of the concepts), the heart of the architecture is based on the direct execution engines built to support the Lisp language and the way it can be used to manipulate source code as a data structure. Put simply, their RDX processor does not have a program per se and, instead, uses the incoming packets as instructions to parse their contents and extract parallelism from the data stream. This contrasts sharply with conventional out-of-order processing techniques (used in Pentium and some other high-performance CPUs), which extract parallelism from instructions. Once the RDX engine deconstructs the packets and bundles related elements into separate tasks, it passes them to an array of processing engines along with explicit control signals to govern their operations.

Besides the RDX core and its associated processing engines, the chip sports a crypto core that accelerates DES/3DES, SHA, AES, and MD5 functions in hardware (with single DES and MD5 there for legacy interoperability rather than for new deployments), plus separate IKE and TRNG logic. Together they can directly execute IPsec, TCP/IP, UDP and other packet-oriented functions with none of the fetch-execute overhead or multiple instructions required when using conventional RISC- or CISC-based processors. The chip also has an embedded ARM9 processor to handle housekeeping and management tasks.

The RDX processor is pretty much a stand-alone device other than a modest collection of memory devices that surround it. Some of the main engine's configuration data is stored in its sophisticated on-chip cache, but the bulk of it resides in a combination of external flash/DRAM (up to two 1 Gbyte banks of ECC-protected memory). Since everything is happening at wire speed, the cache subsystem actually uses four different caching structures to optimize different types of memory accesses for specific networking applications. The housekeeping processor has its own cache but shares the flash/DRAM for its programs. The RDX also has an interface for an optional TCAM (supplied by NetLogic) that's used in applications requiring lots of fast look-ups (typically for ACL management, supporting large session and route tables, or UTM work). A PCI-X interface enables an easy, inexpensive host system connection if needed.

The result is a processor that performs almost any series of complex packet-oriented operations at the rate of 1 Gbit/s - 2 Gbit/s while only drawing 10 W - 12 W worth of power. It can serve pretty much as a standalone firewall/VPN appliance on a 1 Gbit/s - 2 Gbit/s LAN/WAN interface. In these applications the software is completely developed in-house and turned over to the customer as part of a complete reference design. A pre-packaged unified threat management (UTM) application is also in development.

The RDX can also be used to add wire-speed VPN and security capabilities to standard L2/L3 merchant LAN switch silicon. As with its security appliance reference designs, Mistletoe does all the software development required to provide a turnkey design that enables a chip maker to plug holes in their feature set or accelerate existing functionality at will. The processor's field-upgradeable software can also enable switch silicon makers to quickly and painlessly add customer-requested features or support a subscription-based security upgrade program.

Mistletoe's ability to work with 3rd-party silicon was verified when one of the boxes I saw under test contained Marvell's 88E6185 eight-port GbE switch chip coupled to the RDX engine (see Fig. 1).

Mistletoe's application note describes the lash-up in the following manner:
"In the security appliance reference design, the 88E6185 is configured to have all packets forwarded to the CPU ports, adding the option to switch packets locally on the 88E6185 and bypass the policies on the VF4510. This configuration allows the VF4510 to act on all packets as well as enforce firewall functions such as: DoS attacks, rate limiting, etc… The 88E6185 adds specific information to packets forwarded to the CPU ports indicating which port the packet came from, preserving any VLAN tag that exists on a packet. The 88E6185 also expects this same tag information on packets sent from the CPU ports, so that packets can be sent out the correct switch port. This information is auto-generated and kept within the tables on the VF4510."
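As an added example (not Mistletoe's or Marvell's code, and not the VF4510's actual tables), here is the switch-to-security-chip arrangement the application note describes, together with the TCAM-style ACL lookup mentioned earlier, in miniature: the switch prepends a tag that names the ingress port and preserves the VLAN ID, the security chip uses that tag to apply per-port policy (a first-hit ternary ACL, and a per-port token bucket for the rate limiting the note mentions), and then re-tags the frame so the switch sends it out the right port. The 4-byte tag layout, the port numbering, the ACL key fields and the sample frames are all assumptions made for illustration; they are not the 88E6185's real tag format.

```python
"""Added example: ingress/egress port tagging between a switch and a
security chip, plus a TCAM-style ACL.  Tag layout, port roles and frames
are constructed assumptions, not the 88E6185's or VF4510's real formats."""
import struct
from dataclasses import dataclass

ETH_HDR = 12   # dst MAC (6) + src MAC (6); the tag sits where the Ethertype would be
TAG_LEN = 4    # hypothetical tag: byte0 = port, byte1 bit0 = 802.1Q tag present, bytes 2-3 = VID
WAN_PORT = 0   # assumption: switch port 0 faces the untrusted side
WILD = (0, 0)  # ternary "don't care": a zero mask matches any value


@dataclass
class Tagged:
    port: int          # switch port the frame arrived on (or must leave by)
    vlan_tagged: bool  # whether the frame carried an 802.1Q tag on the wire
    vid: int           # 12-bit VLAN ID preserved from the wire (0 if untagged)
    ethertype: int
    payload: bytes
    dst: bytes
    src: bytes


def encode_tag(port: int, vlan_tagged: bool, vid: int) -> bytes:
    if not (0 <= port < 32 and 0 <= vid < 4096):
        raise ValueError("port or VID out of range")
    return struct.pack("!BBH", port, 1 if vlan_tagged else 0, vid)


def build_frame(dst, src, port, vlan_tagged, vid, ethertype, payload) -> bytes:
    """What the switch hands the CPU port (ingress) and what we hand back (egress)."""
    return dst + src + encode_tag(port, vlan_tagged, vid) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tagged:
    if len(frame) < ETH_HDR + TAG_LEN + 2:
        raise ValueError("frame too short to carry a tag")
    port, flags, vid = struct.unpack("!BBH", frame[ETH_HDR:ETH_HDR + TAG_LEN])
    (ethertype,) = struct.unpack("!H", frame[ETH_HDR + TAG_LEN:ETH_HDR + TAG_LEN + 2])
    return Tagged(port, bool(flags & 1), vid & 0x0FFF, ethertype,
                  frame[ETH_HDR + TAG_LEN + 2:], frame[:6], frame[6:12])


@dataclass
class AclEntry:
    port: tuple       # (value, mask) on ingress port
    vid: tuple        # (value, mask) on VLAN ID
    ethertype: tuple  # (value, mask) on Ethertype
    action: tuple     # ("forward", egress_port) or ("drop",)


def tcam_lookup(acl, port, vid, ethertype):
    """First-hit ternary match: like a TCAM, the lowest-index matching entry wins."""
    key = (port, vid, ethertype)
    for idx, e in enumerate(acl):
        if all((k & m) == (v & m) for k, (v, m) in zip(key, (e.port, e.vid, e.ethertype))):
            return idx, e.action
    return None, ("drop",)  # default deny


class PortBucket:
    """Per-ingress-port token bucket (packets/s); the crude rate limiter the note alludes to."""
    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst, self.state = rate_pps, burst, {}

    def allow(self, port: int, now: float) -> bool:
        tokens, last = self.state.get(port, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.state[port] = (tokens, now)
        return ok


# Constructed policy: nothing unsolicited from the WAN port, VLAN 10 IPv4 out to WAN, else drop.
ACL = [
    AclEntry(port=(WAN_PORT, 0x1F), vid=WILD, ethertype=WILD, action=("drop",)),
    AclEntry(port=WILD, vid=(10, 0xFFF), ethertype=(0x0800, 0xFFFF), action=("forward", WAN_PORT)),
    AclEntry(port=WILD, vid=WILD, ethertype=WILD, action=("drop",)),
]


def process(frame: bytes, acl, bucket: PortBucket, now: float):
    """Returns (verdict, re-tagged frame or None)."""
    t = parse_frame(frame)
    if not bucket.allow(t.port, now):
        return "rate-limited", None
    _, action = tcam_lookup(acl, t.port, t.vid, t.ethertype)
    if action[0] != "forward":
        return "drop", None
    out = build_frame(t.dst, t.src, action[1], t.vlan_tagged, t.vid, t.ethertype, t.payload)
    return "forward", out


# Constructed sample frames (MACs and payload are arbitrary bytes).
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
LAN_FRAME = build_frame(DST, SRC, 3, True, 10, 0x0800, b"\x45" + b"\x00" * 19)
WAN_FRAME = build_frame(DST, SRC, WAN_PORT, True, 10, 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    bucket = PortBucket(rate_pps=1000, burst=2)
    print(process(LAN_FRAME, ACL, bucket, 0.0)[0])  # forward, re-tagged for port 0
    print(process(WAN_FRAME, ACL, bucket, 0.0)[0])  # drop
```

The point to notice is that the ingress-port field is the only thing telling the security chip which side of the box a frame came from, so the tag has to be trusted absolutely; in the real design that trust rests on the switch rewriting it on every CPU-bound frame, and on the CPU-port link not being reachable from any user port.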

Of course all this programmability does have a downside. For one thing, you probably need a post-doctorate in computer science to write code for the little critter. This might explain why Mistletoe is keeping its applications work and development tools (including an XML-like language used to describe security and packet processing functions) under tight in-house control.

The fact that Mistletoe's RDX engine does not program like any standard processor is at once its greatest technical strength and its greatest marketing weakness. There are many examples of brilliant, but non-standard processing architectures (such as Freescale's ingenious reconfigurable compute fabric) which have failed to thrive in a market that's increasingly dominated by official and unofficial standards. Even processors which use extensions of standard architectures for their performance gains (such as Stretch's Tensilica-based configurable array processor) have had some tough sledding before they finally found a few key customers.

Fortunately, there are exceptions: oddball processors which have succeeded, such as PicoChip's massive DSP array, which is enjoying many design wins in the wireless arena thanks in equal parts to its enormous processing power and its strong suite of development tools. Likewise, Xelerated's family of wicked-fast pipeline packet processors is at least enjoying some level of market acceptance.

So while it's not a sure bet that Mistletoe's processor falls into this latter group of dark horse success stories, they have employed several strategies that will give them a fighting chance of actually making more money than the VCs originally sank into the company. For one thing, Mistletoe has worked around any programmability issues by holding its development efforts in-house and treating each application-specific software/hardware pairing more like an ASIC. This strategy is quite similar to how, until recently, Freescale closely controlled the microcode for the CPM and QUICC Engine communications processor cores that lurk within its PowerQUICC network processors. And, even now, only one 3rd-party software vendor (Arabella) is permitted to write code for these highly specialized processors.

They were also very smart to focus their efforts on security applications, a high-value portion of the market which has not been subject to as much price erosion as switches, routers, and most access devices have experienced. While it looks like the RDX chip's flexible architecture will allow it to handle almost any kind of data manipulation or analysis, targeting very cost-effective alternatives to top-tier security appliances such as the Juniper NetScreen-500/ISG-2000 lines is a gutsy and, potentially, very lucrative first move. The fact that I saw reference design boxes bearing the labels of several high-volume ODMs in their lab is a good indicator that they may well have a shot at single-handedly making security processing a commodity item, much as merchant switch silicon did for L2 Ethernet back in the late 1990s.

Of course, it's tempting to speculate which market Mistletoe might try to crash next with their packet-munching monster. And if one were looking for another compute-intensive application which is still in its infancy, one could easily imagine applying RDX technology to regular expression (RegEx) processing or other deep, stateful packet inspection techniques currently being pioneered by the likes of NetLogic, Sensory Networks, and Tarari. When I asked about this, the folks at Mistletoe replied that indeed their technology could support RegEx if supplied with the appropriate software. Their concept would be to cluster two or more chips together to offer the RegEx functions in addition to existing functions. But, for the moment, they also offer the chip in embedded designs used in conjunction with the 3rd-party security applications and accelerator hardware that I mentioned above.

The Mistletoe RDX processor has already been quietly released, in limited production, since Q4 2005. It is available in four different speed grades: 200 Mbit/s, 2 Gbit/s, 4 Gbit/s and 8 Gbit/s - 10 Gbit/s. Despite my repeated badgering, Mistletoe declined to release any pricing information other than to say that an RDX processor capable of supporting 2 Gbit/s worth of firewall, or 2 Gbit/s worth of VPN, is priced so that an ODM should be able to sell a production box at a $5 k retail price with a tidy profit.

Mistletoe's slightly elevated but still credible Vapor Index Rating reflects my concerns about the feasibility and marketability of any standalone chip of this size and complexity being tempered by actually having seen working silicon, and having seen it running in name-brand customer boxes to boot.

Lee's Saltshaker Rating


analogZONE
(c) 2006. All rights reserved.