Security association management through the use of lookup tables

US 7,409,542 B2
Filed: 09/26/2001
Issued: 08/05/2008
Est. Priority Date: 09/26/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving at a device driver a network packet having a corresponding security association (SA);

determining if the packet is an ingress packet or an egress packet;

determining for the packet a key value corresponding to the SA;

if the packet is an ingress packet, hashing the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hashing the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table;

retrieving from the entry an index to a location of the SA in memory; and

retrieving the SA from memory based on the index.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses for managing tables of security associations (SA) are described. A device driver operating in an environment, for example, NDIS, where a unique handle is selected for each transmit SA and the SPI for each receive SA is selected with a random algorithm, divides transmit SAs from receive SAs in separate tables. An SA lookup table having a whole binary number of entries that is the lowest binary number greater than five times the number of SAs supported by the device driver contains information to match an SA to a data packet, and locate the SA in memory. The lookup table is searched using a bit-wise AND hash function.

Citations

30 Claims

1. A method comprising:
- receiving at a device driver a network packet having a corresponding security association (SA);
  
  determining if the packet is an ingress packet or an egress packet;
  
  determining for the packet a key value corresponding to the SA;
  
  if the packet is an ingress packet, hashing the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hashing the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table;
  
  retrieving from the entry an index to a location of the SA in memory; and
  
  retrieving the SA from memory based on the index.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein receiving the network packet comprises the device driver being passed an egress packet from an electronic system operating system.
  - 3. The method of claim 1 wherein receiving the network packet comprises the device driver being passed an ingress packet from a network interface device.
  - 4. The method of claim 1 wherein the key value is a handle created for the SA for an egress packet.
  - 5. The method of claim 1 wherein the key value is a security parameter index (SPI) extracted from the packet for an ingress packet.
  - 6. The method of claim 1 wherein the lookup table entry comprises the key value and the index.
  - 7. The method of claim 6 wherein the lookup table entry further comprises a counter to track collisions for the entry.
  - 8. The method of claim 1 further comprising the location in memory of an SA corresponding to egress traffic being in a first table, and the location in memory of an SA corresponding to ingress traffic being in a second table, the tables being separate tables in memory.
  - 9. The method of claim 1 further comprising supporting a number of network traffic streams, wherein the lookup table has 2^Nentries, where N is an integer, 2^Nbeing the lowest binary number greater than five times the number of network traffic streams supported.
  - 10. The method of claim 1 wherein hashing the key value comprises using a bit-wise AND hash function with a mask of value 2^N−
    - 1, where N is an integer, wherein the hash table contains 2^Nentries.

11. An article comprising a machine-accessible storage medium to provide content to cause one or more electronic systems to:
- receive at a device driver a network packet having a corresponding security association (SA);
  
  determine if the packet is an ingress packet or an egress packet;
  
  determine for the packet a key value corresponding to the SA;
  
  if the packet is an ingress packet, hash the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hash the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table;
  
  retrieve from the entry an index to a location of the SA in memory; and
  
  retrieve the SA from memory based on the index.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of claim 11 wherein to receive the network packet comprises the device driver to be passed an egress packet from an electronic system operating system.
  - 13. The article of claim 11 wherein to receive the network packet comprises the device driver to be passed an ingress packet from a network interface device.
  - 14. The article of claim 11 wherein the key value is a handle created for the SA for an egress packet.
  - 15. The article of claim 11 wherein the key value is a security parameter index (SPI) extracted from the packet for an ingress packet.
  - 16. The article of claim 11 wherein the lookup table entry comprises the key value and the index.
  - 17. The article of claim 16 wherein the lookup table entry further comprises a counter to track collisions for the entry.
  - 18. The article of claim 11 further comprising the location in memory of an SA corresponding to egress traffic being in a first table, and the location in memory of an SA corresponding to ingress traffic being in a second table, the tables being separate tables in memory.
  - 19. The article of claim 11 further comprising to support a number of network traffic streams, wherein the lookup table has 2^Nentries, where N is an integer, 2^Nbeing the lowest binary number greater than five times the number of network traffic streams supported.
  - 20. The article of claim 11 wherein to hash the key value comprises using a bit-wise AND hash function with a mask of value 2^N, where N is an integer, wherein the hash table contains 2^Nentries.

21. An electronic system comprising:
- one or more processors;
  
  a network interface coupled with the one or more processors to provide a communications path between the electronic system and a network, the network interface to have a corresponding device driver to be executed on one or more of the processors; and
  
  a memory coupled with the one or more processors, the memory to have a program to provide instructions for the electronic system to receive at the device driver a network packet having a corresponding security association (SA), the program to determine if the packet is an ingress packet or an egress packet, to determine for the packet a key value corresponding to the SA, and if the packet is an ingress packet, hash the key value to determine a location of an entry in an ingress lookup table, and if the packet is an egress packet, hash the key value to determine a location of an entry in an egress lookup table, the entry in the ingress lookup table and the entry in the egress lookup table containing information corresponding to the SA, the ingress lookup table being a separate lookup table from the egress lookup table, to retrieve from the entry an index to a location of the SA in memory, and to retrieve the SA from memory based on the index.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The electronic system of claim 21 wherein the program to receive the network packet comprises the device driver to be passed an egress packet from an operating system.
  - 23. The electronic system of claim 21 wherein the program to receive the network packet comprises the device driver to be passed an ingress packet from the network interface.
  - 24. The electronic system of claim 21 wherein the key value is a handle created for the SA for an egress packet.
  - 25. The electronic system of claim 21 wherein the key value is a security parameter index (SPI) extracted from the packet for an ingress packet.
  - 26. The electronic system of claim 21 wherein the lookup table entry comprises the key value and the index.
  - 27. The electronic system of claim 26 wherein the lookup table entry further comprises a counter to track collisions for the entry.
  - 28. The electronic system of claim 21 further comprising the location in memory of an SA corresponding to egress traffic being in a first table, and the location in memory of an SA corresponding to ingress traffic being in a second table, the tables being separate tables in memory.
  - 29. The electronic system of claim 21 further comprising the program to support a number of network traffic streams, wherein the lookup table has 2^Nentries, where N is an integer, 2^Nbeing the lowest binary number greater than five times the number of network traffic streams supported.
  - 30. The electronic system of claim 21 wherein to hash the key value comprises using a bit-wise AND hash function with a mask of value 2^N−
    - 1, where N is an integer, wherein the hash table contains 2^Nentries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tahoe Research Limited (f/k/a Learndale Limited) (Vector Capital Corporation)
Original Assignee
Intel Corporation
Inventors
Minnick, Linden
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
PYZOCHA, MICHAEL J

Application Number

US09/965,579
Publication Number

US 20030061495A1
Time in Patent Office

2,505 Days
Field of Search

713/200, 713/201, 713/153, 713/189
US Class Current

713/153
CPC Class Codes

H04L 63/0485 Networking architectures fo...

H04L 63/164 at the network layer

Security association management through the use of lookup tables

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Security association management through the use of lookup tables

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links