Method and system for high-speed processing IPSec security protocol packets
Abstract
A packet processing system embodied on an ASIC is optimized for processing IPSec security protocol packets in a hardware configuration. Embedded RISC processors operate with hardware support modules that provide IPSec packet processing at OC24 data rates and greater. IPSec packets are received through a streaming interface and buffered in an external memory. When the entire packet is in external memory, portions are buffered in a local memory for crypto-processing. As portions of the packet complete processing, they are buffered to an output portion of the external memory associated with the channel. When an entire packet completes processing, portions are buffered to a local memory for streaming. The hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput, providing for high-speed IPSec packet processing.
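The following Python model is an added illustration of the dataflow the abstract and claims describe, not code or logic from the patent: a packet is assigned to the channel with the most free external-memory buffer space, is handed to the processing stage only once it is fully buffered, in fixed-size blocks, using the SAD entry named by the tag prepended to it, and the result is parked in that channel's output area until it is streamed out. The SAD contents, the block size and the stand-in engine are constructed assumptions.

```python
"""Model of the pipeline the abstract and claims describe (added illustration, not
the patent's logic): least-busy channel selection by free buffer space, whole-packet
buffering, fixed-size blocks, SAD lookup by tag, per-channel output areas."""
from dataclasses import dataclass, field

BLOCK_SIZE = 16  # constructed "predetermined byte size" for FIFO blocks

@dataclass
class Channel:
    capacity: int          # external-memory bytes reserved for this channel
    input_used: int = 0    # bytes of received packets not yet processed
    output_used: int = 0   # bytes of processed packets awaiting streaming out
    output: list = field(default_factory=list)
    @property
    def free(self) -> int:
        return self.capacity - self.input_used - self.output_used

class Pipeline:
    def __init__(self, capacities, sad, engine):
        self.channels = [Channel(c) for c in capacities]
        self.sad = sad        # constructed SAD: tag -> parameters for the engine
        self.engine = engine  # stand-in for the crypto core
    def select_channel(self, size: int) -> int:
        """Least busy = most free buffer space; ties go to the lowest channel."""
        idx = max(range(len(self.channels)), key=lambda i: self.channels[i].free)
        if self.channels[idx].free < size:
            raise MemoryError("no channel has room for a %d-byte packet" % size)
        return idx
    def process_packet(self, tag: int, payload: bytes) -> int:
        idx = self.select_channel(len(payload))
        ch = self.channels[idx]
        ch.input_used += len(payload)   # Tx DMA: complete packet lands in external memory
        entry = self.sad[tag]           # context RAM receives the SAD entry for the tag
        blocks = [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)]
        out = b"".join(self.engine(b, entry) for b in blocks)  # input FIFO -> crypto DMA
        ch.input_used -= len(payload)
        ch.output_used += len(out)      # parked in this channel's output portion
        ch.output.append(out)
        return idx                      # channel that carried the packet
    def stream_out(self, idx: int) -> bytes:
        ch = self.channels[idx]         # output streaming interface drains the channel
        data = b"".join(ch.output)
        ch.output.clear()
        ch.output_used = 0              # buffer space becomes available again
        return data

def toy_engine(block: bytes, entry: dict) -> bytes:
    """Stand-in for the crypto core: XOR with a per-SA key byte. Not IPSec crypto."""
    return bytes(b ^ entry["key"] for b in block)
```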
196 Citations
32 Claims
1. A security data packet processing system comprising:
- a transmitting (Tx) direct memory access (DMA) interface (314) receiving a streamed security data packet, selecting a least busy channel for processing the streamed security data packet, based on an amount of buffer space available for a channel in an external memory, and transferring the streamed security data packet to the external memory;
- an input DMA engine (306) retrieving portions of the streamed security data packet from the external memory after all portions of the streamed security data packet have been transferred to the external memory;
- an input FIFO (308) receiving the portions of the streamed security data packet from the input DMA engine (306) in blocks of a predetermined byte size, portions being retained in a portion of the input FIFO allocated to the selected channel;
- a context RAM (308) receiving a security association database (SAD) entry associated with the selected channel, the SAD entry being retrieved from the external memory by the input DMA engine; and
- an input crypto DMA engine (310) providing the blocks of the security data packet to a processing engine for processing.
(Dependent claims: 2, 3, 4, 5, 6)

7. A method for processing a security data packet comprising:
- receiving a streamed security data packet;
- determining a least busy channel based on an amount of buffer space available for a channel in an external memory;
- selecting, using a transmitting (Tx) DMA interface (314), the least busy channel for processing the streamed security data packet;
- transferring the streamed security data packet to the external memory;
- retrieving portions of the streamed security data packet from the external memory after all portions of the streamed security data packet have been transferred to the external memory;
- transferring the portions of the streamed security data packet in an input FIFO (308) from an input DMA engine (306) in blocks of a predetermined byte size, portions being retained in a portion of the input FIFO allocated to the selected channel;
- receiving at a context RAM (308) a security association database (SAD) entry associated with the selected channel, the SAD entry being retrieved from the external memory by the input DMA engine; and
- providing to an input crypto DMA engine (310) the blocks of the security data packet to a processing engine for processing.
(Dependent claims: 8, 9, 10, 11, 12)

13. A method of processing an IPSec security protocol packet, the IPSec security protocol packet comprising an IPSec header, the method comprising:
- buffering an IPSec security protocol packet in an external memory;
- reading portions of the buffered IPSec security protocol packet into a first local buffer, the portions having a predetermined number of bytes;
- verifying header information of the IPSec security protocol packet;
- reading a security association database (SAD) entry into the first local buffer;
- determining a least busy channel of a plurality of channels based on an amount of buffer space available for a channel in an external memory;
- selecting the least busy channel for processing the IPSec security protocol packet;
- processing the IPSec security protocol packet based on information in the SAD entry; and
- storing the processed IPSec security protocol packet in an external memory, wherein the external memory has a portion associated with the least busy channel.
(Dependent claims: 14, 15, 16, 17, 18, 19)

20. An application specific integrated circuit for processing IPSec security protocol packets comprising:
- an input streaming interface communicating with a network processor over a first streaming interface and receiving a streamed packet;
- a transmitting (Tx) direct memory access (DMA) interface coupled to receive the streamed packet from the input streaming interface and configured to select a least busy channel from a plurality of channels for processing the streamed packet, based on an amount of buffer space available for a channel in an external memory;
- an input buffer, having a portion thereof associated with each of the plurality of channels, for storing portions of the streamed packet along with control information for the packet;
- a crypto core engine for performing IPSec cryptographic operations on the packet in accordance with the control information;
- an output buffer, having a portion thereof associated with each of the plurality of channels, for storing processed portions of the streamed packet; and
- an output streaming interface for receiving the processed portions of the streamed packet from the output buffer and providing the network processor a processed IPSec packet over the streaming interface.
(Dependent claims: 21)

22. A method of processing data packets for implementing a security protocol, the method comprising:
- receiving at an input streaming interface an IP data packet from a network processor, the IP data packet including a security association database (SAD) tag prepended thereto;
- determining a least busy channel from a plurality of channels based on an amount of buffer space available for a channel in an external memory;
- selecting the least busy channel for processing the IP data packet;
- moving at least portions of the IP data packet into a first portion of a first buffer;
- reading an SAD entry corresponding to the SAD tag into a second portion of the first buffer;
- prepending control information to the IP data packet;
- processing the IP data packet by performing a cryptographic operation on the IP data packet to generate a security protocol data packet; and
- streaming the security protocol data packet from a second streaming interface to the network processor for transmission through the network.
(Dependent claims: 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)