A classic networking problem is securing connections with encrypted data, but implementing strong encryption algorithms at wire speeds can limit performance. However, introducing blazing-fast connectivity without an encryption strategy leaves systems vulnerable. The architects in the UALink Consortium, including Synopsys representation, understood their assignment. UALink defines point-to-point accelerator links with a switched architecture for scaling up AI clusters to 1,024 accelerators, and the latest UALink 200G specification solidifies the UALinkSec security framework. As a companion to its UALink controller IP and robust 224G PHY IP, Synopsys is introducing its UALinkSec_200 Security Module, the first specification-compliant implementation for UALink security.
Inserting UALinkSec in the UALink network layers
UALink borrows a standard Ethernet PHY physical layer and adds unique link, transaction, and protocol layers to build in advanced features for point-to-point connections. This physical-layer choice enables immediate reuse of Ethernet 802.3dj-compliant PHY components, including the Synopsys 224G PHY IP. Low latency is a primary consideration, and simplifying assumptions helps. Fixed payloads carry either 64 or 640 bytes; reducing cable length keeps it under 4 meters; and endpoints are limited to fewer than 1,024. Link-layer retransmission and credit-based flow control keep data moving, with retransmissions occurring in less than 1 usec. A high-level overview of the stack from the UALink 200 v1.0 spec:
Between the transaction and protocol layer sits UALinkSec, deceptively thin in its description as “[end-to-end] encryption and authentication.” Its role is to protect network traffic and switches from any adversary, whether physically present or virtually inserted. UALinkSec supports encryption and authentication of all the UPLI protocol channels – requests, read responses, and write responses. When enabled, it provides data confidentiality and integrity. A simplified view, with the keys indicating UALinkSec operation:
Encryption based on AES-GCM for security and speed
The good news is UALinkSec is cleanly decoupled from the other UALink layers, making it ripe for a dedicated hardware co-processor block. Still, processing encryption algorithms can be a heavy-duty task, and power efficiency in AI data centers is a growing concern, especially since it scales directly with the number of AI nodes. Any encryption battle where processing time and power consumption are crucial parameters is won or lost on a simple decision: choosing the right encryption algorithm. If an algorithm is efficient, it’s a much more straightforward task to wrap processing around it and deliver encrypted data on time with as few watts as possible.
When you create a new security specification, you can choose a modern encryption algorithm that offers both security and speed. For UALinkSec, that choice would be AES-GCM, a variant of AES that uses Galois/Counter Mode for extremely fast symmetric-key block ciphers. Dedicated, inexpensive hardware unleashes the full speed of AES-GCM.
Against that background, Synopsys created a new IP block, the UALinkSec_200 Security Module, which complements its UALink controller IP and 224G PHY, forming a complete UALink IP Solution. The UALinkSec_200 Security Module aligns with the UALinkSec component of the UALink 200 specification. In addition to encryption and decryption functions, it supports key derivation functionality and optional authentication support – all at full UALink speeds of 200 GT/s per lane. A block diagram shows how it handles both transmit and receive data paths:
For more background, the UALink Consortium has a white paper that provides an introduction to the UALink 200G specification, including a section on UALinkSec.
Synopsys teams detail their solution in a blog post discussing the architecture and features of the UALinkSec_200 Security Module, along with additional information, including overviews and data sheets for all three components of the UALink IP Solution. Learn more at these links.
Blog post: Securing UALink: Introducing Synopsys UALinkSec_200 Security Module
Webpages:
Synopsys UALinkSec_200 Security Module
UALink for Scalable AI Systems
Share this post via:
Comments
There are no comments yet.
You must register or log in to view/post comments.