ETHERNET
ADAPTER CARDS
PRODUCT BRIEF
Innova™ IPsec Adapter Card
10/40Gb Ethernet Adapter delivering high-performance inline IPsec
encryption acceleration combined with advanced network offloads
for security at every end point
†
Mellanox Innova IPsec Adapter Card accelerates IPsec cryptographic
functions at wire speed to enable a more efficient use of compute resources
for the most demanding cloud, Web 2.0, telecommunication and storage
systems and other applications
Mellanox Innova™ IPsec Adapter Card delivers
40GbE IPsec traffic with lower CPU utilization,
freeing CPU resources for application execution.
Growing concerns over Internet traffic interception
by government agencies and how unencrypted
information can be gathered and used have kindled
a global desire for protecting privacy. As such,
encryption to protect data-at-rest and data-in-motion
is gaining momentum within data centers.
Encryption of data-in-motion is particularly CPU
intensive. As a result, more CPU resources are being
used to perform encryption functions instead of
focusing on applications. Furthermore server CPUs
cannot scale to support the ever-growing volume
and velocity of traffic to be processed.
Innova IPsec adapter lowers the Total Cost of
Ownership (TCO) compared to discrete encyption
acceleration solutions by combining encryption
offload with advanced network capabilities on a
single adapter.
IPsec Offload
The Innova IPsec adapter uses FPGA based
AES-GCM and AES-CBC cryptographic engines
to efficiently offload IPsec compute intensive
encryption and authentication tasks from the CPU
and freeing it for business application execution.
The FPGA is a ‘bump-in-the-wire’ architecture, with
the encryption and decryption being performed
©2017 Mellanox Technologies. All rights reserved.
inline with the network flow. This means that
the on-board ConnectX-4 Lx adapter’s advanced
offloads (overlay networks, RoCE) are being
maintained while the IPsec encryption feature is
activated, enabling the offload of network features
with encrypted packets.
I/O Virtualization
Innova IPsec supports SR-IOV technology and
enables dedicated adapter resources and guaranteed isolation and protection for virtual machines
(VMs) within the server. This I/O virtualization
provides data center administrators with better
server utilization while reducing cost, power, and
cable complexity, allowing more Virtual Machines
and more tenants on the same hardware.
Acceleration for Overlay Networks
In order to better scale their networks, data center
operators often create overlay networks that carry
traffic from individual virtual machines over logical
tunnels in encapsulated formats such as NVGRE or
VXLAN. While this solves network scalability issues,
it hides the TCP packet from the hardware offloading
engines, placing higher loads on the host CPU. The
Innova IPsec adapter effectively addresses this by
providing advanced NVGRE, VXLAN, and GENEVE
hardware offloading engines that encapsulate
and de-capsulate the overlay protocol headers,
enabling the traditional offloads to be performed
on the encapsulated traffic for these and other
tunneling protocols (GENEVE, MPLS, QinQ, and so
HIGHLIGHTS
BENEFITS
–– Up to 4X lower CPU utilization compared
to non-offloaded encryption solutions
–– Minimal changes to a customer’s
software stack
–– Maintains network adapter offloads with
encrypted traffic
–– Industry-leading throughput for Web
2.0, storage and telecommunications
applications
–– Reduced TCO due to a combination of an
encryption offload engine and a network
adapter on one board
–– Cutting-edge performance in virtualized
overlay networks
KEY FEATURES
–– AES-GCM, AES-CBC encryption/
decryption and authentication algorithm
offloads
–– Erasure Coding offload
–– Virtualization
–– Low latency RDMA over Converged
Ethernet
–– CPU offloading of transport operations
–– Application offloading
–– Mellanox PeerDirect communication
acceleration
–– Hardware offloads for NVGRE, VXLAN,
and GENEVE encapsulated traffic
–– End-to-end QoS and congestion control
–– Hardware-based I/O virtualization
–– RoHS-R6
†
For illustration only. Actual products may vary.
Mellanox Innova™ IPsec Adapter Card 10/40Gigabit Ethernet Adapter Card with FPGA
on). With the Innova IPsec adapter, data center
operators can achieve native performance in
the new network architecture.
RDMA over Converged Ethernet (RoCE)
The Innova IPsec adapter supports RoCE
specifications delivering low-latency and
high- performance over Ethernet networks.
Leveraging data center bridging (DCB)
capabilities as well as the Innova IPsec
adapter’s advanced congestion control
hardware mechanisms, RoCE provides efficient
low-latency RDMA services over Layer 2 and
Layer 3 networks.
Mellanox PeerDirect™
PeerDirect communication provides high
efficiency RDMA access by eliminating
unnecessary internal data copies between
components on the PCIe bus (for example,
from GPU to CPU), and therefore significantly
reduces application run time. The Innova
IPsec adapter’s advanced acceleration
technology enables higher cluster efficiency
and scalability to tens of thousands of nodes.
page 2
advantages over multi-fabric networks.
Innova IPsec also offers Erasure Coding
offloading capability, enabling distributed
Redundant Array of Inexpensive Disks (RAID),
a data storage technology that combines
multiple disk drive components into a logical
unit for the purposes of data redundancy
and performance improvement. Innova
IPsec’s Reed-Solomon capability introduces
redundant block calculations, which, together
with RDMA, achieves high performance and
reliable storage access.
Software Support
Innova IPsec adapter is supported by the
Mellanox standard OFED release that
includes kernel and DPDK implementations.
Storage Acceleration
Storage applications will see improved
performance with the higher bandwidth that
the Innova IPsec adapter delivers. Moreover,
standard block and file access protocols can
leverage RoCE for high-performance storage
access. A consolidated compute and storage
network achieves significant cost-performance
COMPATIBILITY
PCI EXPRESS INTERFACE
–– PCIe Gen 3.0 compliant, 1.1 and 2.0
compatible
–– 2.5, 5.0, or 8.0GT/s link rate x8
–– Auto-negotiates to x8, x4, x2, or x1
–– Support for MSI/MSI-X mechanisms
‡
CONNECTIVITY
–– Interoperable with 10/40GbE switches
–– Passive copper cable with ESD protection
–– Powered connectors for optical and active
cable support
Not all operating systems will be supported for the first release of this card.
©2017 Mellanox Technologies. All rights reserved.
OPERATING SYSTEMS/DISTRIBUTIONS‡
–– RHEL/CentOS
–– Windows
–– FreeBSD
–– VMware
–– OpenFabrics Enterprise Distribution (OFED)
–– OpenFabrics Windows Distribution (WinOF-2)
Mellanox Innova™ IPsec Adapter Card 10/40Gigabit Ethernet Adapter Card with FPGA
page 3
FEATURES SUMMARY*
ETHERNET CONTROLLER
–– ConnectX-4 Lx EN
MAXIMUM POWER CONSUMPTION
–– ~25W (for 40GbE traffic)
ETHERNET
–– IEEE Std 802.3ae 10 Gigabit Ethernet
–– IEEE Std 802.3ba 40 Gigabit Ethernet
–– IEEE Std 802.3ad Link Aggregation
–– IEEE Std 802.1Q, .1P VLAN tags and priority
–– IEEE Std 802.1Qau Congestion Notification
–– IEEE Std 802.1Qbg
–– IEEE P802.1Qaz D0.2 ETS
–– IEEE P802.1Qbb D1.0 Priority-based Flow
Control
–– IEEE 1588v2
–– Jumbo frame support (9600B)
ENHANCED FEATURES
–– Hardware-based reliable transport
–– Collective operations offloads
–– Vector collective operations offloads
–– PeerDirect RDMA (aka GPUDirect
communication acceleration)
–– 64/66 encoding
–– Enhanced Atomic operations
–– Advanced memory mapping support, allowing
user mode registration and remapping of
memory (UMR)
–– On demand paging (ODP) – registration free
RDMA memory access
SECURITY OFFLOADS**
–– IPsec offload for Linux
–– IPsec offload for Windows
–– Authentication algorithms: SHA-1, SHA-2
–– Encryption algorithms: AES-GCM, AES-CBC
(key lengths 128/256)
STORAGE OFFLOADS
–– RAID offload – erasure coding (ReedSalomon) offload
OVERLAY NETWORKS
–– Stateless offloads for overlay networks and
tunneling protocols
–– Hardware offload of encapsulation and
decapsulation of NVGRE and VXLAN overlay
networks
HARDWARE-BASED I/O VIRTUALIZATION
–– Single Root IOV
–– Multi-function per port
–– Address translation and protection
–– Multiple queues per virtual machine
–– Enhanced QoS for vNICs
–– VMware NetQueue support
VIRTUALIZATION
–– SR-IOV: Up to 512 Virtual Functions
–– SR-IOV: Up to 16 Physical Functions per host
» Virtualizing Physical Functions on a physical
port
» SR-IOV on every Physical Function
–– 1K ingress and egress QoS levels
–– Guaranteed QoS for VMs
CPU OFFLOADS
–– RDMA over Converged Ethernet (RoCE)
–– TCP/UDP/IP stateless offload
–– LSO, LRO, checksum offload
–– RSS (can be done on encapsulated packet),
TSS, HDS, VLAN insertion/stripping, Receive
flow steering
–– Intelligent interrupt coalescence
REMOTE BOOT
–– Remote boot over Ethernet
–– Remote boot over iSCSI
–– PXE and UEFI
PROTOCOL SUPPORT
–– OpenMPI, IBM PE, OSU MPI (MVAPICH/2),
Intel MPI
–– Platform MPI, UPC, Open SHMEM
–– TCP/UDP, MPLS, VxLAN, NVGRE, GENEVE
–– iSER, NFS RDMA, SMB Direct
–– uDAPL
MANAGEMENT AND CONTROL
INTERFACES
–– NC-SI, MCTP over SMBus and MCTP over
PCIe
–– Baseboard Management Controller interface
–– SDN management interface for managing the
eSwitch
–– I2C interface for device control and
configuration
–– General Purpose I/O pins
–– SPI interface to Flash
–– JTAG IEEE 1149.1 and IEEE 1149.6
* This section describes hardware features and capabilities. Please refer to the driver release notes for feature availability.
** Additional algorithms can be added based on business needs.
Ordering Part Number
MNV101511A-BCIT
Description
Mellanox Innova™ IPsec 4 Lx EN, single-port QSFP, 40GbE,
PCIe3.0 x8
Dimensions w/o Brackets
Half height, half length (68.9mm x 167.65mm)
350 Oakmead Parkway, Suite 100, Sunnyvale, CA 94085
Tel: 408-970-3400 • Fax: 408-970-3403
www.mellanox.com
© Copyright 2017. Mellanox Technologies. All rights reserved.
Mellanox, Mellanox logo, ConnectX, and GPUDirect are registered trademarks of Mellanox Technologies, Ltd. Mellanox Innova, Mellanox PeerDirect, and LinkX are trademarks of Mellanox Technologies, Ltd.
All other trademarks are property of their respective owners.
15-5842PB
Rev 1.1