Because of their flexibility and high performance, reconfigurable logic functions implemented on the Field-programmable Port Extender (FPX) are well suited to network processing tasks such as packet classification, filtering and intrusion detection. This project focuses on two key aspects of the FPX system. One is providing a Gigabit Ethernet interface by designing logic for an FPGA located on a line card. Address Resolution Protocol (ARP) packets are handled in hardware, and Ethernet frames are processed and transformed into cells suitable for standard FPX applications. The other effort is to provide a secure channel that enables remote control and configuration of the FPX system over the public Internet. A suite of security hardware cores was implemented that includes the Advanced Encryption Standard (AES), Triple Data Encryption Standard (3DES), Hashed Message Authentication Code (HMAC), Message Digest Version 5 (MD5) and Secure Hash Algorithm (SHA-1). An architecture and an associated protocol have been developed which provide a secure communication channel between a control console and a hardware-based reconfigurable network node. This solution is unique in that it does not require a software process to run on the network stack, so it both achieves higher performance and prevents the node from being hacked using traditional vulnerabilities found in common operating systems. The mechanism can be applied to the design and implementation of remotely managed FPX systems. A hardware module called the Secure Control Packet Processor (SCPP) has been designed for an FPX-based firewall. It utilizes AES or 3DES in Error Propagation Block Chaining (EPBC) mode to ensure data confidentiality and data integrity. There is also an authentication engine that uses HMAC to generate the acknowledgments. The system can protect the FPX system against attacks that may be sent over the control and configuration channel.
Based on this infrastructure, an enhanced protocol is presented that provides higher efficiency and can defend against replay attacks. To support that, a control cell encryption module was designed and tested in the FPX system.
Song, Haoyu, "Secure Remote Control and Configuration of FPX Platform in Gigabit Ethernet Environment" Report Number: WUCSE-2003-68 (2003). All Computer Science and Engineering Research.
Permanent URL: http://dx.doi.org/10.7936/K75T3HSQ