Method and system for high-speed processing IPSec security protocol packets
Abstract
A packet processing system embodied on an ASIC is optimized for processing IPSec security protocol packets in hardware. Embedded RISC processors operate with hardware support modules, providing IPSec packet processing at OC24 data rates and greater. IPSec packets are received through a streaming interface and buffered in an external memory. Once the entire packet is in external memory, portions are buffered in a local memory for crypto-processing. As portions of the packet complete processing, they are buffered to an output portion of the external memory associated with the channel. When an entire packet completes processing, portions are buffered to a local memory for streaming. The hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput, providing for high-speed IPSec packet processing.
37 Claims
1. A security data packet processing system comprising:
a transmitting (Tx) direct memory access (DMA) interface (314) receiving a streamed security data packet, selecting a channel for processing the streamed security data packet and transferring the streamed security data packet to an external memory;
an input DMA engine (306) retrieving portions of the streamed security data packet from the external memory after all portions of the streamed security data packet have been transferred to the external memory;
an input FIFO (308) receiving the portions of the streamed security data packet from the input DMA engine (306) in blocks of a predetermined byte size, portions being retained in a portion of the input FIFO allocated to the selected channel;
a context RAM (308) receiving a security association database (SAD) entry associated with the selected channel, the SAD entry being retrieved from the external memory by the input DMA engine; and
an input crypto DMA engine (310) providing the blocks of the security data packet to a processing engine for processing. (Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A method for processing a security data packet comprising:
receiving a streamed security data packet;
selecting a channel for processing the streamed security data packet;
transferring the streamed security data packet to an external memory;
retrieving portions of the streamed security data packet from the external memory after all portions of the streamed security data packet have been transferred to the external memory;
transferring the portions of the streamed security data packet in an input FIFO (308) from an input DMA engine (306) in blocks of a predetermined byte size, portions being retained in a portion of the input FIFO allocated to the selected channel;
receiving at a context RAM (308), a security association database (SAD) entry associated with the selected channel, the SAD entry being retrieved from the external memory by the input DMA engine; and
providing to an input crypto DMA engine (310) the blocks of the security data packet to a processing engine for processing. (Dependent claims: 9, 10, 11, 12, 13, 14, 16, 17, 18, 19, 20, 21, 22, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37.)
15. A method of processing an IPSec security protocol packet, the IPSec security protocol packet comprising an IPSec header, the method comprising:
buffering an IPSec security protocol packet in an external memory;
reading portions of the buffered IPSec security protocol packet into a first local buffer, the portions having a predetermined number of bytes;
verifying header information of the IPSec security protocol packet;
reading a security association database (SAD) entry into the first local buffer;
processing the IPSec security protocol packet based on information in the SAD entry; and
storing the processed IPSec security protocol packet in an external memory.
23. An application specific integrated circuit for processing IPSec security protocol packets comprising:
a first streaming interface communicating with a network processor over a streaming interface and receiving a streamed packet;
an input buffer storing portions of the streamed packet along with control information for the packet;
a crypto core engine performing IPSec cryptographic operations on the packet in accordance with the control information;
an output buffer storing processed portions of the streamed packet; and
a second streaming interface receiving the processed portions of the streamed packet from the output buffer and providing the network processor a processed IPSec packet over the streaming interface.
26. A method of processing data packets for implementing a security protocol, the method comprising:
receiving at a first streaming interface an IP data packet from a network processor, the IP data packet including a security association database (SAD) tag prepended thereto;
moving at least portions of the IP data packet in a first portion of a first buffer;
reading an SAD entry corresponding to the SAD tag into a second portion of the first buffer;
prepending control information to the IP data packet;
processing the IP data packet by performing a cryptographic operation on the IP data packet to generate a security protocol data packet; and
streaming the security protocol data packet from a second streaming interface to the network processor for transmission through the network.
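The header-verification and SAD-read steps of claims 15 and 26 are where an inbound IPSec engine decides whether a packet deserves any crypto work at all. The C model below is an added example, not code from the patent or its assignee: it parses the ESP header (RFC 4303), looks up the SAD entry by SPI, and runs the standard anti-replay sliding-window check before any block would be handed to the crypto engine. The SAD entry layout, the 16-byte DMA block size, the 12-byte ICV length and the sample SPIs and sequence numbers are assumptions made for this example.

```c
/* Added example, not code from the patent: a software model of the "verify header
 * information, then read the SAD entry" step of claims 15 and 26 for an ESP packet
 * (RFC 4303). SAD layout, block size, ICV length and sample data are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESP_HDR_LEN   8u   /* SPI (4 bytes) + sequence number (4 bytes) */
#define REPLAY_WINDOW 64u  /* width of the anti-replay bitmap */
#define BLOCK_BYTES   16u  /* the claims' "predetermined byte size" per DMA block */
enum verdict { ACCEPT = 0, ERR_SHORT, ERR_NO_SA, ERR_REPLAY };
struct sad_entry {          /* assumed layout: only what the header check needs */
    uint32_t spi;
    uint32_t last_seq;      /* highest sequence number authenticated so far */
    uint64_t window;        /* bit i set => (last_seq - i) already accepted */
    bool     in_use;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Inbound lookup is keyed by SPI; a linear scan stands in for the ASIC's context RAM. */
static struct sad_entry *sad_lookup(struct sad_entry *sad, size_t n, uint32_t spi) {
    for (size_t i = 0; i < n; i++)
        if (sad[i].in_use && sad[i].spi == spi) return &sad[i];
    return NULL;
}

/* RFC 4303 Appendix A sliding-window check. Pure on purpose: the window is only
 * advanced (replay_advance) after the ICV verifies, so a forged header cannot move it. */
static bool replay_ok(const struct sad_entry *sa, uint32_t seq) {
    if (seq == 0) return false;                 /* 0 is never a valid sequence number */
    if (seq > sa->last_seq) return true;        /* right of the window: new */
    uint32_t diff = sa->last_seq - seq;
    if (diff >= REPLAY_WINDOW) return false;    /* left of the window: too old */
    return (sa->window & ((uint64_t)1 << diff)) == 0;
}

static void replay_advance(struct sad_entry *sa, uint32_t seq) {
    if (seq <= sa->last_seq) { sa->window |= (uint64_t)1 << (sa->last_seq - seq); return; }
    uint32_t shift = seq - sa->last_seq;
    sa->window = ((shift >= REPLAY_WINDOW) ? 0 : sa->window << shift) | 1;
    sa->last_seq = seq;
}

/* Whole DMA blocks covering the IV + payload + trailer between header and ICV. */
static size_t blocks_for(size_t len, size_t icv_len) {
    return (len - ESP_HDR_LEN - icv_len + BLOCK_BYTES - 1) / BLOCK_BYTES;
}

/* Header check on a fully buffered packet: length first, then SA lookup, then
 * freshness. Only after ACCEPT would blocks be handed to the crypto engine. */
static enum verdict esp_verify_header(struct sad_entry *sad, size_t n, const uint8_t *pkt,
                                      size_t len, size_t icv_len, struct sad_entry **sa_out) {
    if (len < ESP_HDR_LEN + icv_len) return ERR_SHORT;
    struct sad_entry *sa = sad_lookup(sad, n, be32(pkt));
    if (sa == NULL) return ERR_NO_SA;
    if (!replay_ok(sa, be32(pkt + 4))) return ERR_REPLAY;
    *sa_out = sa; return ACCEPT;
}

/* Constructed scenario: replays steps 0..step against a fresh two-entry SAD and
 * returns the verdict at `step`. SPI 0x1000 has already accepted seq 1 and 10,
 * SPI 0x2000 nothing. On ACCEPT the window is advanced at once, standing in for
 * the ICV verification this model leaves out. */
static int demo_verdict(int step) {
    static const struct { uint32_t spi, seq; size_t len; } steps[] = {
        {0x1000, 11, 52},  {0x1000, 11, 52}, /* fresh, then exact replay      */
        {0x1000, 5, 52},   {0x1000, 5, 52},  /* late but unseen, then replay  */
        {0x1000, 100, 52}, {0x1000, 30, 52}, /* jump ahead, then too old      */
        {0x3000, 1, 52},   {0x2000, 1, 12},  /* unknown SPI, truncated packet */
        {0x2000, 1, 52},                     /* first packet on the second SA */
    };
    struct sad_entry sad[2] = {
        { .spi = 0x1000, .last_seq = 10, .window = 0x201, .in_use = true },
        { .spi = 0x2000, .last_seq = 0,  .window = 0,     .in_use = true },
    };
    int v = ERR_SHORT; struct sad_entry *sa = NULL;
    for (int i = 0; i <= step && i < 9; i++) {
        uint8_t pkt[52];                        /* header + 32-byte body + 12-byte ICV */
        memset(pkt, 0xAB, sizeof pkt);          /* constructed filler bytes */
        put32(pkt, steps[i].spi); put32(pkt + 4, steps[i].seq);
        v = esp_verify_header(sad, 2, pkt, steps[i].len, 12, &sa);
        if (v == ACCEPT) replay_advance(sa, steps[i].seq);
    }
    return v;
}

int main(void) {
    static const char *names[] = { "ACCEPT", "ERR_SHORT", "ERR_NO_SA", "ERR_REPLAY" };
    for (int i = 0; i < 9; i++) printf("step %d: %s\n", i, names[demo_verdict(i)]);
    printf("52-byte packet with 12-byte ICV: %zu DMA blocks\n", blocks_for(52, 12));
    return 0;
}
```

Two points the model is built around. The replay check is separated from the window update because the window may only move after the ICV has verified; a forged header must not be able to advance it. And the check runs on a fully buffered packet, which matches the store-and-forward staging described in the abstract and is what ESP needs in any case, since the ICV that must be verified sits at the packet's tail.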
Specification