Method and apparatus for out of order writing of status fields for receive IPsec processing

US 7,412,726 B1
Filed: 12/08/2003
Issued: 08/12/2008
Est. Priority Date: 12/08/2003
Status: Active Grant

First Claim

Patent Images

1. A network interface system for interfacing a host system with a network to provide outgoing data from the host system to the network and to provide incoming data from the network to the host system, the network interface system comprising:

a bus interface system operably coupled with a host bus in the host system, the bus interface system being adapted to transfer data between the network interface system and the host system;

a media access control system operably coupled with the network, the media access control system being adapted to transfer data between the network interface system and the network;

a security system adapted to selectively encrypt outgoing data and to selectively decrypt incoming data from the network; and

a memory system, comprising first and second memories, the first memory being coupled with the media access control system and the security system and storing data from the network prior to security processing, the second memory being coupled to the security system and the bus interface system and storing data processed by the security system prior to transfer to the host system;

wherein the security system comprises an input control system that controls data flow from the first memory into the security processing system, a core module that performs security processing on data received from the input control system, and an output control system that controls data flow from the security system to the second memory system;

wherein the core module of the security system simultaneously decrypt and authenticate a packet payload for out-of-order writing of packet data to the output control system and wherein the output control system assembles the out-of-order data in correct order within the second memory; and

wherein the output control system receive at least a part of a decrypted payload of a subsequent packet before a status word of a preceding packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network interface systems are disclosed comprising a bus interface system, a media access control system, a memory system, a security system for selectively encrypting outgoing data and decrypting incoming data, where the network interface system may be fabricated as a single integrated circuit chip. Systems and methods are disclosed wherein out-of-order writing is used to improve throughput for the security system on the receive end.

75 Citations

View as Search Results

19 Claims

1. A network interface system for interfacing a host system with a network to provide outgoing data from the host system to the network and to provide incoming data from the network to the host system, the network interface system comprising:
- a bus interface system operably coupled with a host bus in the host system, the bus interface system being adapted to transfer data between the network interface system and the host system;
  
  a media access control system operably coupled with the network, the media access control system being adapted to transfer data between the network interface system and the network;
  
  a security system adapted to selectively encrypt outgoing data and to selectively decrypt incoming data from the network; and
  
  a memory system, comprising first and second memories, the first memory being coupled with the media access control system and the security system and storing data from the network prior to security processing, the second memory being coupled to the security system and the bus interface system and storing data processed by the security system prior to transfer to the host system;
  
  wherein the security system comprises an input control system that controls data flow from the first memory into the security processing system, a core module that performs security processing on data received from the input control system, and an output control system that controls data flow from the security system to the second memory system;
  
  wherein the core module of the security system simultaneously decrypt and authenticate a packet payload for out-of-order writing of packet data to the output control system and wherein the output control system assembles the out-of-order data in correct order within the second memory; and
  
  wherein the output control system receive at least a part of a decrypted payload of a subsequent packet before a status word of a preceding packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The network interface system of claim 1, wherein the bus interface system, the media access control system, the memory system, and the security system are included within a single integrated circuit.
  - 3. The network interface system of claim 1, wherein the input control system writes control words or status words associated with packets to be processed directly to the output control system, bypassing the core module.
  - 4. The network interface system of claim 1, wherein the output control system receive control words for a packet while still waiting for part of a preceding packet.
  - 5. The network interface system of claim 4, wherein the part of the preceding packet comprises processed payload data within the core module.
  - 6. The network interface system of claim 1, wherein the output control system receive one or more status words for a packet after receiving part of a subsequent packet.
  - 7. The network interface system of claim 1, wherein the control module write decrypted data for a current packet prior to the second memory to writing a status word for a preceding packet thereto.
  - 8. The network interface system of claim 1, wherein the input control system selectively provide one copy of an initialization vector to the core module and another copy directly to the output control system.
  - 9. The network interface system of claim 1, wherein:
    - the second memory is not word-addressable;
      
      the output control system comprises a word addressable buffer; and
      
      the output control system writes the contents of the word addressable buffer to the output buffer.
  - 10. The network interface system of claim 1, wherein the core module selectively authenticates packet using the HMAC-MD5-96 algorithm.
  - 11. The network interface system of claim 1, wherein the core module selectively authenticates packets using the HMAC-SHA-1-96 algorithm.

12. A network interface system for interfacing a host system with a network to provide outgoing data from the host system to the network and to provide incoming data from the network to the host system, the network interface system comprising:
- a bus interface system operably coupled with a host bus in the host system, the bus interface system being adapted to transfer data between the network interface system and the host system;
  
  a media access control system operably coupled with the network, the media access control system being adapted to transfer data between the network interface system and the network;
  
  a security system adapted to selectively decrypt and authenticate incoming data from the network; and
  
  a memory system, comprising first and second memories, the first memory being coupled with the media access control system and the security system and storing data from the network prior to security processing, the second memory being coupled to the security system and the bus interface system and storing data processed by the security system prior to transfer to the host system;
  
  wherein the security system begin writing decrypted data for a subsequent packet to the second memory while completing authentication for a current packet; and
  
  a core module decrypt completely the subsequent packet prior to authenticating the current packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The network interface system of claim 12, wherein the bus interface system, the media access control system, the memory system, and the security system are included within a single integrated circuit.
  - 14. The network interface system of claim 12, wherein the security system contains pipelines for authentication and decryption that operate in parallel.
  - 15. The network interface system of claim 12, wherein the core module authenticates the current packet using the HMAC-MD5-96 algorithm.
  - 16. The network interface system of claim 12, wherein the core module authenticates the current packet using the HMAC-SHA-1-96 algorithm.
  - 17. The network interface system of claim 12, wherein the security system comprises:
    - an input control system;
      
      a core module coupled to the input control system; and
      
      an output control system coupled to both the input control system and the core module,wherein the input control system is operable to receive a packet containing a control word data portion, a payload data portion, and a status word data portion, forward the control word data portion and the status word data portion directly to the output control system, and forward the payload data portion to the core module for decryption and authentication thereof.
  - 18. The network interface system of claim 17, wherein the output control system is operable to write decrypted data for the subsequent packet to the second memory concurrently with the core module completing authentication for the current packet.
  - 19. The network interface system of claim 17, wherein the output control system is operable to transmit the control word data portion, the payload data portion, and the status word data portion of packets to the second memory such that such packet portions are ordered in a predetermined fashion independent of an order such portions are received by the output control system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Advanced Micro Devices, Inc.
Original Assignee
Advanced Micro Devices, Inc.
Inventors
Viswanath, Somnath
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
YALEW, FIKREMARIAM A

Application Number

US10/730,621
Time in Patent Office

1,709 Days
Field of Search

713/189, 713/166, 713/170, 726/26
US Class Current

726/26
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

Method and apparatus for out of order writing of status fields for receive IPsec processing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

75 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for out of order writing of status fields for receive IPsec processing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

75 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others