Security association updates in a packet load-balanced system

US 20040128553A1
Filed: 07/11/2003
Published: 07/01/2004
Est. Priority Date: 12/31/2002
Status: Active Grant

First Claim

Patent Images

1. A packet processing method comprising:

receiving a plurality of packets;

generating header information for the packets;

adding the header information to the packets to generate encapsulated packets; and

distributing the encapsulated packets to a plurality of encryption processors.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and associated systems for providing secured data transmission over a data network are disclosed. Security association updates may be provided in a load-balanced system. Before encryption, the system may calculate values for header fields that need to be updated as a result of an encryption process. Encrypted packets may be decrypted by a parallel decryption system. After decryption, the system may calculates value for fields in the header information that need to be updated as a result of the decryption process.

Citations

31 Claims

1. A packet processing method comprising:
- receiving a plurality of packets;
  
  generating header information for the packets;
  
  adding the header information to the packets to generate encapsulated packets; and
  
  distributing the encapsulated packets to a plurality of encryption processors.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the information comprises one or more of the group consisting of sequence number and byte count.
  - 3. The method of claim 1 wherein the encapsulated packets comprise IPsec packets.
  - 4. The method of claim 1 wherein packets are encapsulated on a per-packet basis.
  - 5. The method of claim 1 wherein the packets are not encapsulated using parallel processing.
  - 6. The method of claim 1 wherein the packets are received from a host processor.

7. A packet processing method comprising:
- receiving a plurality of packets;
  
  identifying security association information associated with the packets;
  
  retrieving the security association information from a data memory;
  
  modifying at least a portion of the security association information;
  
  adding header information to the packets to generate encapsulated packets, wherein the header information comprises the modified at least a portion of the security association information; and
  
  distributing the encapsulated packets to a plurality of encryption processors.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7 wherein the at least a portion of the security association information comprises one or more of the group consisting of sequence number and byte count.
  - 9. The method of claim 8 wherein a byte count retrieved from the data memory is modified by adding a length of an outer IP header and a security header.
  - 10. The method of claim 7 wherein the encapsulated packets comprise IPsec packets.
  - 11. The method of claim 7 wherein packets are encapsulated on a per-packet basis.
  - 12. The method of claim 7 wherein the packets are not encapsulated using parallel processing.
  - 13. The method of claim 7 wherein the packets are received from a host processor.

14. A packet processing method comprising:
- receiving a plurality of encrypted packets comprising header information;
  
  distributing the encrypted packets to a plurality of decryption processors;
  
  modifying, by a common processing component, at least a portion of the header information of the decrypted packets; and
  
  transmitting the decrypted packets.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14 wherein the at least a portion of the header information comprises one or more of the group consisting of sequence number and byte count.
  - 16. The method of claim 14 wherein the encrypted packets comprise IPsec packets.
  - 17. The method of claim 14 wherein the at least a portion of the header information is modified on a per-packet basis.
  - 18. The method of claim 14 wherein the at least a portion of the header information is not modified using parallel processing.
  - 19. The method of claim 14 wherein the packets are transmitted to a host processor.

20. A packet processing method comprising:
- receiving a plurality of encrypted packets;
  
  identifying security association information associated with the packets;
  
  distributing the encrypted packets to a plurality of decryption processors to generate decrypted packets;
  
  modifying, by a common processing component, at least a portion of the security association information; and
  
  transmitting the decrypted packets comprising the modified security association information.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27)
- - 21. The method of claim 20 wherein the at least a portion of the security association information comprises one or more of the group consisting of sequence number and byte count.
  - 22. The method of claim 20 wherein the encrypted packets comprise IPsec packets.
  - 23. The method of claim 20 further comprising:
    - retrieving a first portion of the security association information from at least one data memory; and
      
      distributing the first portion of the security association information to the plurality of decryption processors.
  - 24. The method of claim 20 wherein the at least a portion of the security association information comprises at least one address associated with at least one updateable field in the security association information, the method further comprising:
    - retrieving the at least a portion of the security association information from at least one data memory; and
      
      distributing the at least a portion of the security association information to the plurality of decryption processors; and
      
      retrieving, according to the at least a portion of the security association information, the at least one updateable field from the at least one data memory.
  - 25. The method of claim 20 wherein the at least a portion of the security association information associated with the packets is modified on a per-packet basis.
  - 26. The method of claim 20 wherein the at least a portion of the security association information associated with the packets is not modified using parallel processing.
  - 27. The method of claim 20 wherein the decrypted packets are transmitted to a host processor.

28. A packet processing system comprising:
- at least one media access controller for receiving a plurality of packets;
  
  at least one data memory for storing security association information;
  
  a header processor for modifying at least a portion of the security association information and adding header information to the packets to generate encapsulated packets, wherein the header information comprises the modified at least a portion of the security association information; and
  
  a plurality of encryption processors for encrypting the encapsulated packets.
- View Dependent Claims (29)
- - 29. The packet processing system of claim 28 wherein the at least a portion of the security association information comprises one or more of the group consisting of sequence number and byte count.

30. A packet processing system comprising:
- at least one media access controller for receiving a plurality of encrypted packets;
  
  at least one data memory for storing security association information;
  
  a plurality of decryption processors for decrypting the encrypted packets to generate decrypted packets;
  
  a header processor for modifying at least a portion of the security association information and modifying header information for the decrypted packets, wherein the header information comprises the modified at least a portion of the security association information.
- View Dependent Claims (31)
- - 31. The packet processing system of claim 30 wherein the at least a portion of the security association information comprises one or more of the group consisting of sequence number and byte count.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Qi, Zheng, Buer, Mark L., Paaske, Timothy R.

Granted Patent

US 7,454,610 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 2463/061   applying further key deriva...

H04L 63/0272   Virtual private networks

H04L 63/045   wherein the sending and rec...

H04L 63/164   at the network layer

H04L 67/1001   for accessing one among a p...

H04L 67/1008   based on parameters of serv...

H04L 67/1017   based on a round robin mech...

Security association updates in a packet load-balanced system

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Security association updates in a packet load-balanced system

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links