Distributed Security Offload and DU Routing

In 5G networks, data travels from the radio tower to the Radio Unit (RU), via the Distributed Unit (DU), onward to the Central Unit (CU), before reaching the User Plane Functionality (UPF), which then forwards it to the core network. The same path occurs in reverse, as well.

The vast majority of security functions are handled within the CU. This includes the application of IPSec, header compression, PDCP header encapsulation/decapsulation, ciphering and deciphering, and integrity protection, verification, and reordering.

Wireline access networks run through a DSLAM, which is Layer 2 network equipment that requires no routing, as all traffic is forwarded within a single network. However, in mobile networks for 3G, 4G, or 5G, a cell site router becomes a necessary component to handle connectivity over the overlay network, as well as for DU connectivity toward the many CUs distributed throughout a cloud-based Radio Access Network (RAN). This is generally expected to be handled by external, standalone cell site router devices.

Moreover, when so many CUs are connected to DUs, there can be as much as 100 Gbps of throughput. The CPUs relied on in Open RAN 5G deployments are inefficient at handling security functions even under the best of circumstances, let alone at 100G. Performing all these security functions, especially IPSec, on 100G of traffic is an onerous task that will cause a serious bottleneck at the CU unless those functions can be offloaded and distributed better throughout the RAN.

Ethernity therefore proposes using FPGAs as the de facto platform for Open RAN security. By offloading the heavy tasks of data encryption/decryption and IPSec from the sequential processing of CPU cores to the much more efficient parallel processing of FPGAs, the CU IPSec bottleneck can be distributed more evenly across multiple DUs. In other words, it makes sense to handle the encryption offload at each DU, where the traffic volume is still small, rather than after it has aggregated at the CU.

For example, Ethernity can apply the IPSec protocols to data via its FPGA-based ACE-NIC100 SmartNIC as it passes through a white-box DU server, before it is ever routed to the CU. Furthermore, that same ACE-NIC100 incorporates a complete router on the on-board FPGA, eliminating the need for an external cell site router between the DU and CU. Alternatively, by installing the ACE-NIC100, it is possible to co-locate both the DU and CU functionalities in a single server, saving space, power, and latency in the Open RAN 5G network.

We have spoken to numerous potential OEM customers who are excited by the possibility of handling both DU and CU in one box. We have spoken to many system integrators, some of whom prefer to keep the cell site router as an external device, and others of whom prefer to incorporate routing into the NIC. Based on these conversations, there is little doubt in which direction the market is trending.

Thanks to the agility of the FPGA and the unique innovative development of our IP, Ethernity has products to meet all these preferences, allowing us to continue to remain ahead of the curve.