Anti Replay Core
Detect replay attacks at hundreds of millions of requests per second.
Synogate’s Anti Replay core is a fast, robust and reliable solution to detect and prevent replay attacks, ensuring the integrity of your data transmissions.
Our digital circuit design has been successfully integrated into devices approved by the German Federal Office of Information Security (BSI) and is currently in use by the German Federal Government, ensuring its reliability and security in high-stakes applications.
- High-speed packet processing
- Hardware-agnostic VHDL code
- Low latency and low power consumption
- Compliance with IPsec standards and BSI requirements
Contact us if you have questions or want to license it.
Defense against Replay Attacks at 200 GbE
Replay attacks involve intercepting and retransmitting valid data packets to deceive the recipient. This can lead to unauthorized access, data breaches, and compromised network security.
With its unparalleled throughput of hundreds of millions of packets per second, our IP core is the perfect choice for appliances and organizations requiring high-security data transmissions.
Download our evaluation package, or contact us to learn more about licensing our Anti-Replay Core for your organization’s specific needs.
- Hardware-implemented protection against replay attacks at line rates of up to 200G
- Prevent packet replay attacks that can exploit weaknesses in underlying protocols
- Enjoy flexible configuration options to adapt to changing requirements
- Benefit from high-throughput, vendor-agnostic, and easy-to-integrate design
Hardware-implemented Protection against Replay Attacks
Cryptographic protocols like IPsec (RFC 4301, RFC 4303) require duplicated packets to be detected and dropped. It is a necessity, as packet replay attacks can exploit weaknesses in the underlying protocols that the encryption is trying to protect.
The Synogate Anti-Replay Core implements such packet replay detection as an RTL design capable of handling 200 GbE line rate on suitable FPGAs. For a number of connections, it stores and manages a bitmap that keeps track of seen and not-yet-seen packets. Checks and updates are very fast, allowing the core to sustain a guaranteed throughput of one packet per clock cycle.
The IP-core is provided as a configurable generator which outputs VHDL code as well as SDC/XDC files, Tcl scripts for easy integration, and dynamic documentation for the specific configuration. The generator can output VHDL code with vendor-specific macros for Intel and Xilinx devices, or vendor-agnostic VHDL code.
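The following is an added software reference model of the per-connection bitmap check described above, written in the style of the IPsec sliding-window anti-replay check; it is not Synogate's code or algorithm. The window size, connection count, and all function and type names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed parameters; the core's connection count and window are configurable. */
#define WINDOW_BITS 128u
#define NUM_CONN    4u

typedef enum { AR_ACCEPT, AR_REPLAY, AR_TOO_OLD, AR_BAD_CONN } ar_result;

typedef struct {
    uint64_t top;                      /* highest sequence number accepted */
    uint64_t bitmap[WINDOW_BITS / 64]; /* ring: bit (seq % WINDOW_BITS) = seen */
} ar_state;

static ar_state table[NUM_CONN];       /* one window per connection */

static uint64_t *word(ar_state *s, uint64_t seq) {
    return &s->bitmap[(seq % WINDOW_BITS) / 64];
}
static uint64_t mask(uint64_t seq) { return 1ull << (seq % 64); }

/* Combined query and update. In IPsec, call only after the ICV has verified. */
ar_result ar_check_update(unsigned conn, uint64_t seq) {
    if (conn >= NUM_CONN) return AR_BAD_CONN;
    ar_state *s = &table[conn];
    if (seq == 0) return AR_TOO_OLD;   /* ESP sequence numbers start at 1 */
    if (seq > s->top) {                /* window slides forward */
        if (seq - s->top >= WINDOW_BITS)
            memset(s->bitmap, 0, sizeof s->bitmap);
        else                           /* clear slots that leave the window */
            for (uint64_t q = s->top + 1; q < seq; q++)
                *word(s, q) &= ~mask(q);
        s->top = seq;
        *word(s, seq) |= mask(seq);
        return AR_ACCEPT;
    }
    if (s->top - seq >= WINDOW_BITS) return AR_TOO_OLD;  /* left of window */
    if (*word(s, seq) & mask(seq)) return AR_REPLAY;     /* already seen */
    *word(s, seq) |= mask(seq);        /* late but new: mark as seen */
    return AR_ACCEPT;
}

int main(void) {
    /* Constructed arrival order on connection 0: in-order, replay, reorder, jump. */
    const uint64_t seqs[] = { 1, 1, 5, 3, 3, 200, 72, 73 };
    static const char *name[] = { "accept", "replay", "too old", "bad conn" };
    for (size_t i = 0; i < sizeof seqs / sizeof seqs[0]; i++)
        printf("seq %3llu -> %s\n", (unsigned long long)seqs[i],
               name[ar_check_update(0, seqs[i])]);
    return 0;
}
```

A model like this can serve as a golden reference when comparing simulated RTL results against expected accept/drop decisions.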
Feel free to download and evaluate the design, or get in touch to learn more.
At a glance
Number of connections | Configurable |
Window size | Configurable |
Sequence number size | Configurable |
Storage type | On-chip or external fixed-latency memory mapped interface (e.g. for external QDR eSRAM) |
Throughput | One query&update operation per clock cycle at a fixed but configurable latency. This equates to > 200G line rate on suitable FPGAs. |
Input/Output | Avalon Streams with configurable signals for payload (e.g. network packets) commands and results piggybacked to input/output streams. |
Price for evaluation and non-commercial use | Free |
Price for commercial use | 20000 € |
Typical resource consumption
Connections | Window size | Pipelining | Storage | Device | Fmax [MHz] | ALM | FF | M20K |
---|---|---|---|---|---|---|---|---|
512 | 3968 | moderate | on-chip | Arria 10 | 270 | 1932 | 2997 | 132 |
512 | 3968 | moderate | on-chip | Agilex-F | 470 | 2541 | 3497 | 108 |
2048 | 3584 | moderate | on-chip | Arria 10 | 270 | 2747 | 4475 | 521 |
2048 | 3584 | moderate | on-chip | Agilex-F | 470 | 4034 | 5380 | 425 |
16384 | 3584 | moderate | external | Arria 10 | 220 | 3683 | 4451 | 129 |
16384 | 3584 | moderate | external | Agilex-F | 460 | 4455 | 6357 | 128 |
Features
High throughput
The IP-core can sustain one check/update per clock cycle and synthesizes at up to 500 MHz on modern FPGAs, resulting in a throughput of hundreds of millions of packets per second. Since the throughput is fixed, the IP-core cannot be DoSed by saturating it with specifically crafted traffic.
Full Flexibility
The IP-core is shipped as a generator that allows configuration of all relevant aspects. This lets you adjust the IP-core to your specific needs and, if need be, readjust it if requirements change during the
Adjust capacities, payloads and channels, storage types, or even pipelining amount simply by rerunning the generator. This allows you to adapt the IP-core to changing requirements even after purchase.
Vendor Agnostic
With this IP-core, you are not committing to a specific target device or even device vendor.
The generator exports the RTL design as regular VHDL-2008 code that can be used in common tool chains. Project files and Tcl scripts for easy testing/integration can also be provided by the generator. Optionally, the generator can be configured to use vendor-specific macros in the VHDL code.
Internal or external storage
The generator can be configured to use on-chip storage (e.g. block RAMs) or provide a memory-mapped interface for connecting external storage such as QDR eSRAM.
The latency of the external memory can be configured in the generator, which will automatically build the necessary read-during-write and read-modify-write hazard logic.
Since you can change configurations even after purchase, you gain the flexibility to free up on-chip resources if later stages of your development reveal that you need them.
Easy Integration
Since the IP-core is often used as part of a packet processing pipeline, a packet-based interface is provided with Avalon packet input and output streams onto which the command and result streams piggyback. The packet payload and additional side-channel information can be piped through the IP-core. The generator automatically builds a FIFO for the Avalon packet stream to bridge the latency of the IP-core and keep the results of the replay detection synchronous with the packet beats.
Extensive Documentation
The product is bundled with detailed documentation explaining the involved algorithms, the available configuration parameters and their tradeoffs, as well as how to use the generator. For the specific configuration chosen, the generator also performs tests with an internal cycle-exact simulator that runs the driver and logic in a closed loop to verify design correctness. A specific interface documentation for the chosen configuration is also generated that shows and describes the exact functional blocks, associated signals, and waveforms.