System and method for managing security packet processing

US 20020188871A1
Filed: 05/30/2002
Published: 12/12/2002
Est. Priority Date: 06/12/2001
Status: Abandoned Application

First Claim

Patent Images

1. A processing system comprising:

a security engine to process inbound and outbound security packets received from a network processor; and

a processor to execute a software stack comprising a policy manager and a security manager, the policy manager to at least administer a security policy database (SPD), the security manager to allocate memory for the security engine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An IPSec packet processing system includes an IPSec manager to interface with an IPSec engine, to manage memory and to handle exceptions associated with IPSec packet processing. The IPSec manager may be a software module operating as part of a software stack on a host processor while the IPSec engine may perform IPSec packet processing. The IPSec manager may also initiate the negotiation of new keys, send ICMP messages for PMTU violations and log entries for exceptions.

190 Citations

51 Claims

1. A processing system comprising:
- a security engine to process inbound and outbound security packets received from a network processor; and
  
  a processor to execute a software stack comprising a policy manager and a security manager, the policy manager to at least administer a security policy database (SPD), the security manager to allocate memory for the security engine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the security manager also initializes the security engine and performs exception logging for the security engine.
  - 3. The system of claim 1 wherein the SPD includes security policies indicating an action to perform on a packet comprising one of either a process, bypass, or drop action based on either source or destination addresses, and the policy manager creates a security association pair for each security policy to specify security packet processing.
  - 4. The system of claim 1 wherein the policy manager provides security association database (SAD) entries to the security manager as for each additional security policy, the policy manager also providing an SPD index to correlate security policies with the SAD.
  - 5. The system of claim 1 wherein the security manager allocates memory to the security engine for input and output packet buffering, allocates memory for the SAD entries, allocates memory for key information for each security association and allocates memory for log entries.
  - 6. The system of claim 5 wherein the security manager receives a configuration file describing the memory allocated and maintains a memory map for the security engine.
  - 7. The system of claim 3 wherein the security manager checks a hash table for the security association to determine when a soft time-lifetime threshold has been exceeded and notifies the policy manager to refresh the security association when the lifetime threshold has been exceeded.
  - 8. The system of claim 3 wherein the security engine creates log entries that contain error and statistical information, including security association expirations and packet maximum transmission unit (PMTU) violations, wherein when one of the log entries indicates an expiration of one of the security associations, the security manager notifies the policy manager to refresh the security association.
  - 9. The system of claim 1 wherein the security engine creates log entries for packet maximum transmission unit (PMTU) violations, and wherein when of the log entries indicates a PMTU violation, the security manager generates an Internet control message protocol (ICMP) message for sending to a host device.

10. A security management system comprising:
- a policy manager to establish security association database (SAD) entries from configuration information defining a number of security associations; and
  
  a security manager to parse the SAD entries into an SA packet processing block and an SA key information block for use by a security engine.
- View Dependent Claims (11, 12, 13, 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37, 38, 40, 41, 42, 43, 44, 45, 46, 48, 50, 51)
- - 11. The system of claim 10 wherein the policy manager generates an SAD-free memory list to include entries identifying addresses of memory available for the SAD entries, and the security manager removes an entry from the SAD free memory list when one of the SAD entries is established.
  - 12. The manager of claim 10 wherein SAD entries are either inbound SAD entries or outbound SAD entries, and wherein prior to establishing an inbound SAD entry, the policy manager requests a security policy index (SPI) number from the security manager, and the security manager provides a memory address of a security association packet processing block as the SPI number.
  - 13. The manager of claim 12 wherein the security manager updates an action table in a memory of the security engine with a SA packet processing address of an outbound SAD entry.
  - 14. The manager of claim 10 wherein the SA packet processing block includes a pointer to the SA key information block.
  - 16. The method of claim 15 wherein allocating is performed by the security manager, the security manager comprised of a software module executed on a host processor in communication with the security packet processing system.
  - 17. The method of claim 15 further comprising initializing the security processing system, wherein initializing comprises:
    - receiving configuration information defining a number of security associations to be used for processing security packets; and
      
      generating security association database (SAD) entries from the configuration information for each security association.
  - 18. The method of claim 17 wherein initializing further comprises copying security firmware into the memory allocated to the security processing system.
  - 19. The method of claim 17 wherein, for each security association, source and destination addresses, and key information for processing security packets are received from a policy manager.
  - 20. The method of claim 17 wherein initializing further comprises generating an SAD free memory list to include addresses of memory available for the SAD entries and the key information.
  - 21. The method of claim 17 wherein initializing further comprises generating hash tables to indicate active inbound SAD entries and active outbound SAD entries.
  - 22. The method of claim 15 wherein allocating memory comprises allocating memory to the security processing system for input and output packet buffering.
  - 23. The method of claim 15 wherein allocating memory comprises allocating memory for inbound and outbound security association database (SAD) entries.
  - 24. The method of claim 15 wherein allocating memory comprises allocating memory for key information for security associations.
  - 25. The method of claim 15 wherein allocating memory comprises allocating memory for log entries.
  - 26. The method of claim 15 further comprising receiving a configuration file to describe amounts of memory allocated.
  - 27. The method of claim 15 further comprising maintaining a memory map for the security processing system.
  - 28. The method of claim 15 wherein a network processor performs a security policy check for inbound and outbound security packets, and wherein the method further comprises:
    - receiving security policy selectors from a policy manager when a new inbound security policy is created; and
      
      managing a security policy search table that includes the security policy selectors.
  - 29. The method of claim 28 wherein the security policy check verifies whether source and destination addresses for the inbound and outbound security packets are within a range indicated by a security association.
  - 30. The method of claim 28 further comprising providing a network processor with an action indication in response to the security policy check, the action indication comprising one of either a process, bypass, or drop action.
  - 31. The method of claim 15 wherein the security processing system creates log entries that indicate packet maximum transmission unit (PMTU) violations, and when of the log entries is a PMTU violation, the method includes generating an Internet control message protocol (ICMP) message for sending to a host.
  - 32. The method of claim 15 wherein performing exception logging comprises tracking soft time lifetimes of a security association by checking a hash table to determine when a soft time lifetime threshold has been exceeded, and notifying a policy manager to refresh the security association when the soft time lifetime threshold has been exceeded.
  - 33. The method of claim 15 wherein the security processing system creates log entries that contain error and statistical information, and wherein performing exception logging comprises reading, processing and removing the log entries.
  - 34. The method of claim 33 wherein when one of the log entries indicates expiration of a security association, and the method further includes notifying a policy manager to refresh the expired security association.
  - 36. The method of claim 35 further comprising parsing the SAD entry into an SA packet processing block and an SA key information block for use by a security packet processing system, wherein the SA packet processing block includes a pointer to the SA key information block.
  - 37. The method of claim 35 wherein SAD entries are either inbound SAD entries or outbound SAD entries, and wherein prior to establishing an inbound SAD entry, the method comprises requesting a security policy index (SPI) number from a security manager, the security manager providing a memory address of a SA packet processing block as the SPI number.
  - 38. The method of claim 37 further comprises updating an action table in a memory of the security processing system with a SA packet processing address of one of the outbound SAD entries.
  - 40. The computer readable medium of claim 39 wherein the instructions when executed further result in initializing the security processing system by:
    - receiving configuration information defining a number of security associations for use in processing the security packets; and
      
      generating security association database (SAD) entries from the configuration information for each security association.
  - 41. The computer readable medium of claim 40 wherein the configuration information includes, for each security association, source and destination addresses, correlating and key information for processing security packets.
  - 42. The computer readable medium of claim 39 wherein allocating memory includes:
    - allocating memory to the security processing system for input and output packet buffering;
      
      allocating memory for inbound and outbound security association database (SAD) entries;
      
      allocating memory for key information for each security association; and
      
      allocating memory for log entries.
  - 43. The computer readable medium of claim 39 wherein performing exception logging includes checking a hash table for a security association to determine when a lifetime threshold has been exceeded and notifying a policy manager to refresh the security association when the lifetime threshold has been exceeded.
  - 44. The computer readable medium of claim 39 wherein performing exception logging includes creating log entries that contain error and statistical information, including security association expirations and packet maximum transmission unit (PMTU) violations.
  - 45. The computer readable medium of claim 44 wherein when one of the log entries indicates an expiration of one of the security associations, the security manager notifies the policy manager to refresh the security association.
  - 46. The computer readable medium of claim 44 wherein when of the log entries indicates a PMTU violation, the security manager generates an Internet control message protocol (ICMP) message for sending to a host.
  - 48. The processing engine of claim 47 wherein security packets processed by the crypto-engine are transmitted by the streaming interface, and the communication interface receives information from security association database entries and key information for processing the security packets.
  - 50. The system of claim 49 wherein the policy manager, when executed, provides security association database (SAD) entries to the security manager as for each additional security policy, the policy manager also providing an SPD index to correlate security policies with the SAD.
  - 51. The system of claim 49 wherein the security manager, when executed, allocates memory to the security engine for input and output packet buffering, allocates memory for the SAD entries, allocates memory for key information for each security association and allocates memory for log entries.

15. A method of managing security packet processing with a security manager, the method comprising:
- allocating memory to a security processing system for packet processing; and
  
  performing exception logging associated with security packet processing.

35. A method of managing security associations (SA) for processing security packets comprising:
- establishing security association database (SAD) entries from configuration information defining security associations;
  
  generating an SAD free memory list to include entries identifying memory available for the SAD entries; and
  
  removing an entry from the SAD free memory list when an SAD entry is established.

39. A computer readable medium having program instructions stored thereon for managing security packet processing that when executed within a digital processing device, result in:
- allocating memory for security packet processing by a security processing system; and
  
  performing exception logging associated with security packet processing.

47. A processing engine comprising:
- a streaming interface to receive inbound and outbound security packets for security processing;
  
  a crypto-engine to process the security packets; and
  
  a communication interface to interface with memory allocated to the processing engine.

49. A security packet processing system comprising:
- memory to store a software stack comprising a policy manager and a security manager; and
  
  a processor to execute the software stack, wherein when executed, the policy manager to at least administer a security policy database (SPD), the security manager to allocate memory for a security engine for processing inbound and outbound security packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corrent Corp.
Original Assignee
Corrent Corp.
Inventors
Mercer, Chad W., Noehring, Lee P.

Application Number

US10/160,330
Publication Number

US 20020188871A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0272   Virtual private networks

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 69/12   Protocol engines

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

System and method for managing security packet processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

190 Citations

51 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for managing security packet processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

190 Citations

51 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links