Security association management through the use of lookup tables
First Claim
1. A method comprising:
- receiving at a device driver a network packet having a corresponding security association (SA);
- determining if the packet is an ingress packet or an egress packet;
- determining for the packet a key value corresponding to the SA;
- if the packet is an ingress packet, hashing the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hashing the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table;
- retrieving from the entry an index to a location of the SA in memory; and
- retrieving the SA from memory based on the index.
Abstract
Methods and apparatuses for managing tables of security associations (SAs) are described. A device driver operating in an environment such as NDIS, where a unique handle is selected for each transmit SA and the SPI for each receive SA is chosen by a random algorithm, keeps transmit SAs and receive SAs in separate tables. An SA lookup table whose number of entries is a whole binary number (a power of two), namely the lowest such number greater than five times the number of SAs supported by the device driver, holds the information needed to match an SA to a data packet and to locate the SA in memory. The lookup table is searched using a bit-wise AND hash function.
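As an added illustration, not code from the patent, the following C sketch implements the scheme the abstract describes: separate ingress and egress lookup tables, a table size that is the smallest power of two greater than five times the supported SA count, a bit-wise AND of the key against the size-minus-one mask (SPI for receive SAs, driver handle for transmit SAs), and a table entry that holds an index into SA memory. Linear probing for collisions, the struct and function names, the supported SA count of 8 and the sample SPI and handle values are assumptions; the patent text specifies none of them. The lookup compares the key stored in the entry with the packet's key before returning, so a hash collision can never hand a packet another SA's key material.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAS 8            /* SAs the driver supports (assumed value) */

/* Smallest power of two strictly greater than five times the supported SA count,
   i.e. the "lowest whole binary number greater than five times" from the abstract. */
static uint32_t table_size_for(uint32_t max_sas) {
    uint32_t need = 5u * max_sas + 1u;
    uint32_t size = 1u;
    while (size < need) size <<= 1;
    return size;
}

#define TABLE_SIZE 64u       /* table_size_for(8): 5*8 = 40, next power of two above it is 64 */

enum sa_dir { SA_INGRESS, SA_EGRESS };

struct sa {
    enum sa_dir dir;
    uint32_t key;            /* random SPI for ingress SAs, unique driver handle for egress SAs */
    uint8_t  enc_key[16];    /* placeholder for the SA's key material */
};

struct lookup_entry {
    int      valid;
    uint32_t key;            /* key recorded at insert time, checked again on lookup */
    uint32_t sa_index;       /* index of the SA in the SA memory array */
};

struct sa_db {
    struct sa sas[MAX_SAS];  /* "SA memory": the SAs themselves */
    uint32_t n_sas;
    struct lookup_entry ingress[TABLE_SIZE];  /* separate table for receive SAs */
    struct lookup_entry egress[TABLE_SIZE];   /* separate table for transmit SAs */
};

/* Bit-wise AND hash: works as a slot index only because TABLE_SIZE is a power of two. */
static uint32_t hash_key(uint32_t key) { return key & (TABLE_SIZE - 1u); }

/* Store an SA and its lookup entry. Returns 0 on success, -1 if full or duplicate.
   Collision resolution by linear probing is an assumption, not the patent's method. */
static int sa_db_add(struct sa_db *db, const struct sa *sa) {
    if (db->n_sas >= MAX_SAS) return -1;
    struct lookup_entry *tbl = sa->dir == SA_INGRESS ? db->ingress : db->egress;
    uint32_t slot = hash_key(sa->key);
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        struct lookup_entry *e = &tbl[(slot + i) & (TABLE_SIZE - 1u)];
        if (!e->valid) {
            db->sas[db->n_sas] = *sa;
            e->valid = 1;
            e->key = sa->key;
            e->sa_index = db->n_sas;
            db->n_sas++;
            return 0;
        }
        if (e->key == sa->key) return -1;   /* same key already present */
    }
    return -1;
}

/* Resolve a packet's key to its SA, or NULL. The direction selects the table;
   the stored key must match so a colliding slot never yields the wrong SA. */
static const struct sa *sa_db_lookup(const struct sa_db *db, enum sa_dir dir, uint32_t key) {
    const struct lookup_entry *tbl = dir == SA_INGRESS ? db->ingress : db->egress;
    uint32_t slot = hash_key(key);
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        const struct lookup_entry *e = &tbl[(slot + i) & (TABLE_SIZE - 1u)];
        if (!e->valid) return NULL;          /* probe chain ended: no such SA */
        if (e->key == key) return &db->sas[e->sa_index];
    }
    return NULL;
}

/* Constructed scenario: two ingress SAs whose SPIs collide under the AND hash
   (they differ by exactly TABLE_SIZE) plus one egress SA. Returns 0 when every
   lookup resolves to the right SA and a handle is not accepted as an SPI. */
static int demo(void) {
    struct sa_db db;
    memset(&db, 0, sizeof db);
    struct sa in  = { SA_INGRESS, 0xA1B2C3D4u, {0} };              /* constructed SPI */
    struct sa in2 = { SA_INGRESS, 0xA1B2C3D4u + TABLE_SIZE, {0} }; /* collides with `in` */
    struct sa out = { SA_EGRESS, 7u, {0} };                        /* constructed handle */
    if (sa_db_add(&db, &in) || sa_db_add(&db, &in2) || sa_db_add(&db, &out)) return -1;
    const struct sa *hit = sa_db_lookup(&db, SA_INGRESS, 0xA1B2C3D4u + TABLE_SIZE);
    if (!hit || hit->key != 0xA1B2C3D4u + TABLE_SIZE) return -1;
    hit = sa_db_lookup(&db, SA_EGRESS, 7u);
    if (!hit || hit->dir != SA_EGRESS) return -1;
    if (sa_db_lookup(&db, SA_INGRESS, 7u) != NULL) return -1;     /* wrong table: no match */
    return 0;
}

int main(void) {
    printf("table size for %u SAs: %u\n", (unsigned)MAX_SAS, table_size_for(MAX_SAS));
    printf("demo: %s\n", demo() == 0 ? "ok" : "FAILED");
    return demo() == 0 ? 0 : 1;
}
```

The low load factor (under one fifth of the slots occupied) is what makes a plain AND hash of random SPIs and unique handles workable; whatever collision strategy a driver adopts, the key comparison in the lookup is the check that matters for correctness.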
30 Claims
1. Claim 1 is recited above under First Claim; claims 2 through 10 depend from it.

11. An article comprising a machine-accessible storage medium to provide content to cause one or more electronic systems to:
- receive at a device driver a network packet having a corresponding security association (SA);
- determine if the packet is an ingress packet or an egress packet;
- determine for the packet a key value corresponding to the SA;
- if the packet is an ingress packet, hash the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hash the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table;
- retrieve from the entry an index to a location of the SA in memory; and
- retrieve the SA from memory based on the index.
Dependent claims: 12 through 20.

21. An electronic system comprising:
- one or more processors;
- a network interface coupled with the one or more processors to provide a communications path between the electronic system and a network, the network interface to have a corresponding device driver to be executed on one or more of the processors; and
- a memory coupled with the one or more processors, the memory to have a program to provide instructions for the electronic system to receive at the device driver a network packet having a corresponding security association (SA), the program to determine if the packet is an ingress packet or an egress packet, to determine for the packet a key value corresponding to the SA, and if the packet is an ingress packet, hash the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hash the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table, to retrieve from the entry an index to a location of the SA in memory, and to retrieve the SA from memory based on the index.
Dependent claims: 22 through 30.