
Summary
The NA 1000-L2X is a dedicated encryption acceleration card delivering near-40 Gbps throughput through dual Intel QuickAssist Technology (QAT) engines. Based on Intel's Lewisburg platform and connected via a PCIe x8 interface, this card offloads symmetric and asymmetric cryptographic operations from security appliances. Integration with NEXCOM appliances such as the NSA 5181 demonstrates practical throughput improvements that reduce CPU processing load while maintaining full encryption coverage.
Problem / Requirements
Modern security appliances must inspect and encrypt high-bandwidth data flows while maintaining stateful firewall and threat detection operations. Standalone CPU-based encryption becomes a critical bottleneck in appliances processing tens of gigabits per second. Organizations require:
- Hardware acceleration for cryptographic operations (symmetric, asymmetric, RSA, elliptic curve)
- Transparent integration with existing security appliances via PCIe expansion
- Support for contemporary cipher suites and key sizes
- Data compression functionality alongside encryption for throughput optimization
Technical Approach
The NA 1000-L2X implements purpose-built cryptographic processing outside the appliance CPU, preserving processor capacity for packet inspection, threat detection, and policy enforcement. Dual Intel QAT engines operate in parallel, enabling multiple concurrent encryption flows—critical for multi-threaded security software.
The Lewisburg platform provides specialized cryptographic instruction sets unavailable in general-purpose processors. Supported algorithms include:
- Symmetric: AES (various modes), DES, 3DES
- Asymmetric: RSA, Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC)
- Data Compression: Integrated compression reduces encrypted data size
PCIe x8 interface bandwidth proves sufficient for most data plane encryption requirements while maintaining compatibility with legacy appliance architectures. Verification testing with NSA 5181 appliances established that nearly 40 Gbps throughput is achievable using AES encryption—sufficient for high-performance security appliance deployments.
Implementation Notes
The NA 1000-L2X integrates into NEXCOM security appliances through PCIe slot insertion, requiring no external cabling or system redesign. Driver integration with standard Linux kernel encryption libraries (OpenSSL, kernel netlink crypto interfaces) enables transparent acceleration—existing security applications automatically benefit from card presence without code modifications.
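One way to check the transparent-acceleration claim on a given appliance, as an added example (not NEXCOM's or Intel's code): the kernel crypto API serves each algorithm from the highest-priority registered implementation, so parsing `/proc/crypto` shows whether an offload driver would actually be selected. The sample text, its driver names and priorities, and the `qat` driver prefix are constructed assumptions.

```python
import sys

# Constructed sample in /proc/crypto layout; not captured from a real appliance.
def _entry(name, driver, module, prio, selftest):
    return (f"name         : {name}\ndriver       : {driver}\nmodule       : {module}\n"
            f"priority     : {prio}\nselftest     : {selftest}\n")

SAMPLE_PROC_CRYPTO = "\n".join(_entry(*e) for e in [
    ("cbc(aes)", "cbc-aes-aesni", "aesni_intel", 400, "passed"),
    ("cbc(aes)", "qat_aes_cbc", "intel_qat", 4001, "passed"),
    ("rsa", "rsa-generic", "kernel", 100, "passed"),
    ("rsa", "qat-rsa", "intel_qat", 1000, "unknown"),  # registered but not self-tested
    ("gcm(aes)", "generic-gcm-aesni", "aesni_intel", 400, "passed"),
])

def parse_proc_crypto(text):
    # One dict per registered implementation; blocks are separated by blank lines.
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields and "driver" in fields:
            entries.append(fields)
    return entries

def selected_drivers(entries):
    # Per algorithm name, keep the highest-priority entry whose selftest passed.
    best = {}
    for e in entries:
        if e.get("selftest") != "passed":
            continue
        cur = best.get(e["name"])
        if cur is None or int(e.get("priority", "0")) > int(cur.get("priority", "0")):
            best[e["name"]] = e
    return best

def offload_report(text, wanted, driver_prefix="qat"):
    # Map each wanted algorithm to (selected driver or None, offloaded?).
    best = selected_drivers(parse_proc_crypto(text))
    return {alg: (best[alg]["driver"] if alg in best else None,
                  alg in best and best[alg]["driver"].startswith(driver_prefix))
            for alg in wanted}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROC_CRYPTO
    for alg, (drv, off) in offload_report(text, ["cbc(aes)", "rsa", "gcm(aes)"]).items():
        print(f"{alg:10} {drv or '-':20} {'offloaded' if off else 'CPU/software'}")
```

Pass `/proc/crypto` as the argument to run it against a live system. This covers the kernel crypto API only; userspace libraries such as OpenSSL select their backends separately.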
Deployment in NSA 5181 appliances creates a tiered encryption architecture: CPU-intensive RSA key exchange operations use the QAT card, while bulk AES data encryption offloads to QAT engines for sustained throughput. This specialization preserves CPU capacity for complementary security functions.
The card's power consumption remains modest relative to cryptographic throughput delivered, improving overall appliance power efficiency. Cooling requirements are minimal, enabling deployment in passively-cooled compact appliances.
Challenge-Solution Mapping
/table
Challenge | Solution
CPU encryption becomes throughput bottleneck at high speeds | Dual QAT engines offload cryptographic operations entirely
Symmetric and asymmetric operations compete for CPU cycles | Separate instruction sets on Lewisburg eliminate competition
Legacy appliances lack cryptographic performance | PCIe expansion card integrates without redesign
Encrypted data transmission consumes full throughput | Integrated compression reduces encrypted data volume
Multiple concurrent encryption flows exceed single CPU capacity | Dual engines enable parallel cryptographic processing
Power consumption scales with encryption workload | Specialized silicon proves more efficient than CPU encryption
/endtable
Specifications Snapshot
/table
Specification | Detail
Platform | Intel Lewisburg
QAT Engines | 2x Intel QuickAssist Technology
Interface | PCIe x8
Throughput | ~40 Gbps with AES algorithms
Symmetric Encryption | AES, DES, 3DES (multiple modes)
Asymmetric Encryption | RSA, Diffie-Hellman, ECC
Data Compression | Integrated compression support
Integration | Linux kernel crypto library compatibility
/endtable
Key Takeaways
1. Dedicated cryptographic hardware eliminates CPU encryption bottlenecks – Offloading encryption to QAT engines preserves processor cycles for packet inspection and threat analysis, improving overall appliance throughput.
2. Dual QAT engines enable concurrent encryption flows – Multiple parallel cryptographic operations accommodate multi-threaded security software and simultaneous client connections without contention.
3. Lewisburg platform specialization supports diverse cipher suites – Separate instruction sets for symmetric and asymmetric encryption prevent algorithm-specific performance degradation.
4. Nearly 40 Gbps throughput on AES validates production deployment – Real-world testing with NSA 5181 demonstrates achievable performance for carrier-grade security appliances.
5. PCIe x8 integration ensures compatibility with existing appliance architectures – Card-based acceleration requires no major redesign, simplifying retrofit into shipping product lines.
Contact NEXCOM
For specifications, availability, and technical inquiries, contact NEXCOM via the official website.
