Firewall including local bus

US 8,490,158 B2
Filed: 07/15/2010
Issued: 07/16/2013
Est. Priority Date: 04/01/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A network device comprising:

a first interface to receive, from a first network, a plurality of packets destined for a second network;

a controller to transfer, via a first bus and within the network device, a first packet, of the plurality of packets, from the first interface to a memory in the network device; and

a processor, connected to the memory via the first bus and via a second bus of the network device, to;

determine whether the first bus is available,retrieve, via the first bus, the first packet from the memory when the first bus is available,retrieve, via the second bus, the first packet from the memory when the first bus is not available,the second bus being different than the first bus,the second bus connecting the processor to the memory without connecting the controller to the memory, and perform a plurality of operations on the first packet,the plurality of operations including one or more authentication operations, one or more encryption operations, one or more decryption operations, one or more virtual private network (VPN) processing operations, or one or more firewall operations,when performing the plurality of operations on the first packet, the processor is to perform a first operation and a second operation, of the plurality of operations, on the first packet in parallel,the first operation including one of;

an authentication operation of the one or more authentication operations, or

an encryption operation, of the one or more encryption operations, or

a decryption operation of the one or more decryption operations, andthe second operation being different than the first operation and including a different one of the authentication operation, the encryption operation, or the decryption operation.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway for screening packets transferred over a network. The gateway includes a plurality of network interfaces, a memory and a memory controller. Each network interface receives and forwards messages from a network through the gateway. The memory temporarily stores packets received from a network. The memory controller couples each of the network interfaces and is configured to coordinate the transfer of received packets to and from the memory using a memory bus. The gateway includes a firewall engine couples to the memory bus. The firewall engine is operable to retrieve packets from the memory and screen each packet prior to forwarding a given packet through the gateway and out an appropriate network interface. A local bus is coupled between the firewall engine and the memory providing a second path for retrieving packets from memory when the memory bus is busy.

69 Citations

23 Claims

1. A network device comprising:
- a first interface to receive, from a first network, a plurality of packets destined for a second network;
  
  a controller to transfer, via a first bus and within the network device, a first packet, of the plurality of packets, from the first interface to a memory in the network device; and
  
  a processor, connected to the memory via the first bus and via a second bus of the network device, to;
  
  determine whether the first bus is available,retrieve, via the first bus, the first packet from the memory when the first bus is available,retrieve, via the second bus, the first packet from the memory when the first bus is not available,the second bus being different than the first bus,the second bus connecting the processor to the memory without connecting the controller to the memory, and perform a plurality of operations on the first packet,the plurality of operations including one or more authentication operations, one or more encryption operations, one or more decryption operations, one or more virtual private network (VPN) processing operations, or one or more firewall operations,when performing the plurality of operations on the first packet, the processor is to perform a first operation and a second operation, of the plurality of operations, on the first packet in parallel,the first operation including one of;
  
  an authentication operation of the one or more authentication operations, or
  
  an encryption operation, of the one or more encryption operations, or
  
  a decryption operation of the one or more decryption operations, andthe second operation being different than the first operation and including a different one of the authentication operation, the encryption operation, or the decryption operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The network device of claim 1, where, when performing the plurality of operations, the processor is further to perform at least two operations, of the plurality of operations, on the first packet, andwhere the at least two operations comprise at least two of the one or more authentication operations, the one or more encryption operations, the one or more decryption operations, the one or more VPN processing operations, or the one or more firewall operations.
  - 3. The network device of claim 1, where the first operation includes the authentication operation and the second operation includes the decryption operation.
  - 4. The network device of claim 1, where, when performing the first operation and the second operation in parallel, the processor is to:
    - initiate the first operation, andinitiate, after a plurality of clock cycles following initiating the first operation and without interruption of the first operation, the second operation.
  - 5. The network device of claim 1, where the plurality of operations comprise at least two of data encryption standard (DES) encryption, message digest 5(MD5) authentication, triple DES encryption, or secure hash algorithm (SHA-1) authentication.
  - 6. The network device of claim 5, where, when performing the plurality of operations, the processor is to:
    - perform in parallel;
      
      one of the DES encryption or the triple DES encryption, andone of the MD5 authentication or the secure hash algorithm (SHA-1).
  - 7. The network device of claim 1, where the memory includes:
    - a first port connected to the first bus, anda second port, different than the first port, connected to the second bus.
  - 8. The network device of claim 7, where a memory location, of a plurality of memory locations in the memory, is simultaneously accessible via the first port and the second port.
  - 9. The network device of claim 1, where the first bus is to only allow one transfer at a time of the first packet or a second packet of the plurality of packets.
  - 10. The network device of claim 1, further comprising:
    - a second interface to send, after the plurality of operations have been performed, the first packet to the second network.

11. A system comprising:
- a memory to store a plurality of packets;
  
  a controller, connected to the memory via a first bus, to control transfer of the plurality of packets to the memory;
  
  a processor, connected to the memory via the first bus and via a second bus, to;
  
  retrieve the plurality of packets from the memory via the first bus when the first bus is available,retrieve the plurality of packets from the memory via the second bus when the first bus is unavailable,the second bus being different than the first bus,the second bus directly connecting the processor to the memory without connecting the controller to the memory, andperform at least one of a plurality of operations on the plurality of packets, the plurality of operations including one or more authentication operations, one or more encryption operations, one or more decryption operations, one or more virtual private network (VPN) processing operations, or one or more firewall operations.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11, where the first bus is unavailable during the transfer of the plurality of packets to the memory.
  - 13. The system of claim 11, where the processor is further to transfer the plurality of packets, after performing the at least one of the plurality of operations, to the memory via the second bus.
  - 14. The system of claim 13, where the controller is further to control transfer of the plurality of packets, after the at least one of the plurality of operations has been performed, from the memory to a plurality of network links.
  - 15. The system of claim 11, where the memory comprises a dual-port memory,where the first bus is connected to a first port of the dual-port memory, andwhere the second bus is connected to a second port, of the dual-port memory, that is different than the first port.
  - 16. The system of claim 11, where the plurality of packets are received from a public network, andwhere the plurality of packets are transmitted to a private network after the at least one of the plurality of operations has been performed.
  - 17. The system of claim 11, where the plurality of packets are received from a first portion of a single network and are transmitted to a second portion, of the single network, different than the first portion.

18. A method comprising:
- transferring, via a first bus of a device, a packet to a memory of the device,the packet being transferred to the memory using a controller of the device,the controller being connected to the memory via the first bus;
  
  determining, by a processor of the device, whether the first bus is available;
  
  retrieving, by the processor and via the first bus, the packet from the memory when the first bus is available;
  
  retrieving, by the processor and via a second bus of the device, the packet from the memory when the first bus is not available;
  
  the processor being connected to the memory via the first bus and the second bus,the second bus connecting the processor to the memory without connecting the controller to the memory, andthe second bus being different than the first bus; and
  
  performing, by the processor, one or more operations on the packet,the one or more operations including one or more authentication operations, one or more encryption operations, one or more decryption operations, one or more virtual private network (VPN) processing operations, or one or more firewall operations.
- View Dependent Claims (19, 20)
- - 19. The method of claim 18, where performing the one or more operations includes:
    - performing at least two operations, of the one or more operations, that include at least two of the one or more authentication operations, the one or more encryption operations, the one or more decryption operations, the one or more VPN processing operations, or the one or more firewall operations.
  - 20. The method of claim 19, further comprising performing the at least two operations in parallel,where performing the at least two operations in parallel includes:
    - initiating a first operation of the at least two operations, andinitiating, after a plurality of clock cycles following initiating the first operation and without interruption of the first operation, a second operation of the at least two operations,the second operation being different than the first operation.

21. A non-transitory computer-readable medium comprising:
- a plurality of instructions which, when executed by a hardware component of a device, cause the hardware component to;
  
  determine whether a first bus of the device is available for retrieving a packet from a memory of device,the packet being transferred, via the first bus, to the memory of the device using a controller of the device,the controller being connected to the memory via the first bus;
  
  retrieve, via the first bus, the packet from the memory of the device when the first bus is available;
  
  retrieve, via a second bus of the device, the packet from the memory when the first bus is not available,the hardware component being connected to the memory via the first bus and the second bus,the second bus connecting the hardware component to the memory without connecting the controller to the memory, andthe second bus being different than the first bus; and
  
  perform a plurality of operations on the packet,the plurality of operations including one or more authentication operations, one or more encryption operations, one or more decryption operations, one or more virtual private network (VPN) processing operations, or one or more firewall operations,one or more instructions, of the plurality of instructions, to perform the plurality of operations on the packet including;
  
  one or more instructions to perform, on the packet in parallel, a first operation and a second operation of the plurality of operations,the first operation including one of;
  
  an authentication operation of the one or more authentication operations, or
  
  an encryption operation of the one or more encryption operations, or
  
  a decryption operation of the one or more decryption operations, and
  
  the second operation including a different one of the authentication operation, the encryption operation, or the decryption operation.
- View Dependent Claims (22, 23)
- - 22. The non-transitory computer-readable medium of claim 21, where one or more instructions, of the plurality of instructions, to perform the plurality of operations further include:
    - one or more instructions to perform at least two operations, of the plurality of operations, that include at least two of the one or more authentication operations, the one or more encryption operations, the one or more decryption operations, the one or more VPN processing operations, or the one or more firewall operations.
  - 23. The non-transitory computer-readable medium of claim 21, where the one or more instructions to perform the first operation and the second operation in parallel include:
    - one or more instructions to initiate the first operation, andone or more instructions to initiate, after a plurality of clock cycles following initiating the first operation and without interruption of the first operation, the second operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Deng, Feng, Ke, Yan, Luo, Dongping
Primary Examiner(s)
Poltorak, Peter

Application Number

US12/837,271
Publication Number

US 20100281532A1
Time in Patent Office

1,097 Days
Field of Search

726/11
US Class Current

726/2
CPC Class Codes

H04L 49/90   Buffering arrangements

H04L 49/901   using storage descriptor, e...

H04L 49/9057   Arrangements for supporting...

H04L 63/02   for separating internal fro...

H04L 69/16   Implementation or adaptatio...

H04L 69/22   Parsing or analysis of headers

H04L 9/40   Network security protocols

Firewall including local bus

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

69 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Firewall including local bus

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

69 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links