Systems and methods for processing packets for encryption and decryption
Abstract
A network device for processing data packets includes an encryption services module, a number of network interfaces and a forwarding module. A network interface receives a packet requiring encryption services and forwards the packet. The forwarding module receives at least a portion of the data packet, where the portion includes header information. The forwarding module identifies a security association for the data packet, appends the security association to the portion of the data packet and forwards the portion of the data packet including the security association to the encryption services module. The encryption services module processes the packet in accordance with the security association.
14 Claims
1. A network device for processing a data packet, the network device comprising:

   at least one network interface to:
      receive the data packet, the data packet requiring encryption-related processing, and
      forward the data packet;

   a forwarding module to:
      receive information regarding the data packet,
      identify security association information for the data packet,
      include the security association information with the information regarding the data packet, and
      forward the information regarding the data packet including the security association information; and

   an encryption services module, which is separate from the forwarding module, to:
      receive the information regarding the data packet including the security association information, and
      process the data packet in accordance with the security association information,
      where the encryption services module comprises a plurality of hardware-implemented logic engines corresponding to stages in a pipeline, where:
         a first one of the plurality of hardware-implemented logic engines is to at least one of add a field to the data packet or add padding to the data packet,
         a second one of the plurality of hardware-implemented logic engines is to receive the data packet from the first one of the plurality of hardware-implemented logic engines and rewrite a header of the data packet,
         a third one of the plurality of hardware-implemented logic engines is to receive the data packet from the second one of the plurality of hardware-implemented logic engines and remove at least one field from the data packet,
         a fourth one of the plurality of hardware-implemented logic engines is to receive the data packet from the third one of the plurality of hardware-implemented logic engines and at least one of encrypt or decrypt the data packet, and is to add, to the data packet, status information to be used by a downstream hardware-implemented logic engine to determine whether to accept or drop the data packet,
         a fifth one of the plurality of hardware-implemented logic engines is to receive the data packet after processing by the fourth hardware-implemented logic engine, and remove at least one field from the data packet,
         a sixth one of the plurality of hardware-implemented logic engines is to receive the data packet from the fifth one of the plurality of hardware-implemented logic engines and at least one of error check the data packet or perform anti-replay checking, and
         a seventh one of the plurality of hardware-implemented logic engines is to receive the data packet from the sixth one of the plurality of hardware-implemented logic engines and remove padding from the data packet.

   Dependent claims: 2, 3, 4, 5, 6.

7. A method for processing data packets in a network device, the method comprising:

   receiving, at a forwarding module, a data packet requiring encryption-related processing;
   identifying, using the forwarding module, security association information for the data packet;
   forwarding the data packet, and the security association information, to an encryption services card that is separate from the forwarding module; and
   processing the data packet, by the encryption services card, using a plurality of pipelined hardware engines and in accordance with the security association information for the data packet, the processing comprising:
      using a first one of the pipelined hardware engines to at least one of add a field to the data packet or add padding to the data packet,
      receiving, at a second one of the pipelined hardware engines, the data packet from the first one of the pipelined hardware engines and rewriting, using the second one of the pipelined hardware engines, a header of the data packet,
      receiving, at a third one of the pipelined hardware engines, the data packet from the second one of the pipelined hardware engines and removing, using the third one of the pipelined hardware engines, at least one field from the data packet,
      receiving, at a fourth one of the pipelined hardware engines, the data packet from the third one of the pipelined hardware engines and encrypting or decrypting, using the fourth one of the engines, the data packet, and adding status information, using the fourth one of the pipelined hardware engines, to the data packet, where the status information is to be used by a downstream pipelined hardware engine to determine whether to accept or drop the data packet,
      receiving, at a fifth one of the pipelined hardware engines, the data packet from the fourth one of the pipelined hardware engines and removing, using the fifth one of the pipelined hardware engines, at least one field from the data packet,
      receiving, at a sixth one of the pipelined hardware engines, the data packet from the fifth one of the pipelined hardware engines and checking the data packet for errors or performing anti-replay checking, using the sixth one of the pipelined hardware engines, and
      receiving, at a seventh one of the pipelined hardware engines, the data packet from the sixth one of the pipelined hardware engines and removing, using the seventh one of the pipelined hardware engines, padding from the data packet.

   Dependent claims: 8, 9, 10.

11. A system comprising:

   one or more processing devices to:
      receive a data packet;
      determine whether the data packet requires encryption-related processing; and
      forward the data packet to an encryption services module, when the data packet requires encryption-related processing; and
   a plurality of hardware-implemented pipelined processing devices to process the data packet, where the plurality of hardware-implemented pipelined processing devices includes:
      a first hardware-implemented pipelined processing device to at least add a field to the data packet or add padding to the data packet,
      a second hardware-implemented pipelined processing device to receive the data packet from the first hardware-implemented pipelined processing device and rewrite the header of the data packet,
      a third hardware-implemented pipelined processing device to receive the data packet from the second hardware-implemented pipelined processing device and remove at least one field from the data packet,
      a fourth hardware-implemented pipelined processing device to receive the data packet from the third hardware-implemented pipelined processing device and encrypt or decrypt the data packet, and add, to the data packet, status information to be used by a downstream hardware-implemented pipelined processing device to determine whether to accept or drop the data packet,
      a fifth hardware-implemented pipelined processing device to receive the data packet from the fourth hardware-implemented pipelined processing device and remove at least one field from the data packet,
      a sixth hardware-implemented pipelined processing device to receive the data packet from the fifth hardware-implemented pipelined processing device and at least one of error check the data packet or perform anti-replay checking on the data packet, and
      a seventh hardware-implemented pipelined processing device to receive the data packet from the sixth hardware-implemented pipelined processing device and remove padding from the data packet, and
   where the plurality of hardware-implemented pipelined processing devices are separate from the one or more processing devices.

12. A network device, comprising:

   a plurality of interfaces, where each of the plurality of interfaces is coupled to a network link and each of the plurality of interfaces is to receive and forward data packets;
   an encryption card; and
   forwarding logic, which is separate from the encryption card, to:
      receive a data packet from a first one of the plurality of interfaces,
      determine whether the data packet requires encryption-related processing, and
      forward the data packet to the encryption card;
   where the encryption card comprises a plurality of pipelined hardware engines, including:
      a first one of the plurality of pipelined hardware engines to at least one of add a field to the data packet or add padding to the data packet,
      a second one of the plurality of pipelined hardware engines to receive the data packet from the first one of the plurality of pipelined hardware engines and rewrite a header of the data packet,
      a third one of the plurality of pipelined hardware engines to receive the data packet from the second one of the plurality of pipelined hardware engines and remove at least one field from the data packet,
      a fourth one of the plurality of pipelined hardware engines to receive the data packet from the third one of the plurality of pipelined hardware engines and at least one of encrypt or decrypt the data packet, and to add, to the data packet, status information to be used by a downstream pipelined hardware engine to determine whether to accept or drop the data packet,
      a fifth one of the plurality of pipelined hardware engines to receive the encrypted or decrypted data packet from the fourth one of the plurality of pipelined hardware engines and remove at least one field from the data packet,
      a sixth one of the plurality of pipelined hardware engines to receive the data packet from the fifth one of the plurality of pipelined hardware engines and at least one of error check the data packet or perform anti-replay checking, and
      a seventh one of the plurality of pipelined hardware engines to receive the data packet from the sixth one of the plurality of pipelined hardware engines and remove padding from the data packet.

   Dependent claims: 13, 14.
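A software model of the inbound path through the claimed pipeline, added here as an illustration and not taken from the patent or from any vendor's implementation: engine 4 verifies and decrypts but only records the outcome as status information, and engine 6 combines that status with an anti-replay window to make the accept/drop decision, so a packet that fails authentication can never advance the window. Engines 1 to 3 and 5 (field and padding insertion, header rewrite, field removal) are modelled as no-ops; the HMAC-SHA256 stream cipher, the 16-byte tag, the 64-entry window and the 4-byte ESP-style padding are assumptions chosen for the demonstration.

```python
import hmac, hashlib
from dataclasses import dataclass, field

@dataclass
class SA:                        # security association the forwarding module attaches to the packet
    key: bytes
    window: int = 64             # anti-replay window width (assumed value)
    top: int = -1                # highest authenticated sequence number accepted so far
    seen: set = field(default_factory=set)

@dataclass
class Pkt:
    seq: int
    body: bytes                  # on ingress: ciphertext || 16-byte truncated HMAC tag
    status: str = "unchecked"    # written by engine 4, read by engine 6

def prf(sa, label, seq, data=b""):
    return hmac.new(sa.key, label + seq.to_bytes(8, "big") + data, hashlib.sha256).digest()

def xor_stream(sa, seq, data):
    # Toy counter-mode cipher built on HMAC-SHA256: a stand-in so the model needs only the stdlib.
    ks = b"".join(prf(sa, b"ks", seq, i.to_bytes(4, "big")) for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def protect(sa, seq, plaintext):
    # Peer side: ESP-style padding to a 4-byte boundary with a trailing pad-length byte, then encrypt and tag.
    padlen = (-(len(plaintext) + 1)) % 4
    ct = xor_stream(sa, seq, plaintext + bytes(padlen) + bytes([padlen]))
    return Pkt(seq, ct + prf(sa, b"tag", seq, ct)[:16])

def engine4_decrypt(pkt, sa):
    # Verifies the tag in constant time and decrypts, but only records the outcome as status.
    ct, t = pkt.body[:-16], pkt.body[-16:]
    pkt.status = "ok" if hmac.compare_digest(t, prf(sa, b"tag", pkt.seq, ct)[:16]) else "auth_fail"
    pkt.body = xor_stream(sa, pkt.seq, ct)
    return pkt

def engine6_check(pkt, sa):
    # Drop on engine 4's status first, then on the replay window; the window advances only for authenticated packets.
    if pkt.status != "ok" or pkt.seq in sa.seen or pkt.seq <= sa.top - sa.window:
        return None
    sa.seen.add(pkt.seq)
    sa.top = max(sa.top, pkt.seq)
    sa.seen = {s for s in sa.seen if s > sa.top - sa.window}
    return pkt

def inbound(pkt, sa):
    # Engines 1-3 and 5 (field/padding insertion, header rewrite, field removal) are no-ops in this model.
    pkt = engine6_check(engine4_decrypt(pkt, sa), sa)
    return pkt.body[:-(pkt.body[-1] + 1)] if pkt else None   # engine 7: strip padding and its length byte
```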