Systems and methods for processing packets for encryption and decryption

US 7,962,741 B1
Filed: 09/12/2002
Issued: 06/14/2011
Est. Priority Date: 09/12/2002
Status: Active Grant

First Claim

Patent Images

1. A network device for processing a data packet, the network device comprising:

at least one network interface to;

receive the data packet, the data packet requiring encryption-related processing, andforward the data packet;

a forwarding module to;

receive information regarding the data packet,identify security association information for the data packet,include the security association information with the information regarding the data packet, andforward the information regarding the data packet including the security association information; and

an encryption services module, which is separate from the forwarding module, to;

receive the information regarding the data packet including the security association information, andprocess the data packet in accordance with the security association information,where the encryption services module comprises a plurality of hardware-implemented logic engines corresponding to stages in a pipeline, where;

a first one of the plurality of hardware-implemented logic engines is to at least one of add a field to the data packet or add padding to the data packet,a second one of the plurality of hardware-implemented logic engines is to receive the data packet from the first one of the plurality of hardware-implemented logic engines and rewrite a header of the data packet,a third one of the plurality of hardware-implemented logic engines is to receive the data packet from the second one of the plurality of hardware-implemented logic engines and remove at least one field from the data packet,a fourth one of the plurality of hardware-implemented logic engines is to receive the data packet from the third one of the plurality of hardware-implemented logic engines and at least one of encrypt or decrypt the data packet, and is to add, to the data packet, status information to be used by a down stream hardware-implemented logic engine to determine whether to accept or drop the data packet,a fifth one of the plurality of hardware-implemented logic engines is to receive the data packet after processing by the fourth hardware-implemented logic engine, and remove at least one field from the data packet,a sixth one of the plurality of hardware-implemented logic engines is to receive the data packet from the fifth one of the plurality of hardware-implemented logic engines and at least one of error check the data packet or perform anti-replay checking, anda seventh one of the plurality of hardware-implemented logic engines is to receive the data packet from the sixth one of the plurality of hardware-implemented logic engines and remove padding from the data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network device for processing data packets includes an encryption services module, a number of network interfaces and a forwarding module. A network interface receives a packet requiring encryption services and forwards the packet. The forwarding module receives at least a portion of the data packet, where the portion includes header information. The forwarding module identifies a security association for the data packet, appends the security association to the portion of the data packet and forwards the portion of the data packet including the security association to the encryption services module. The encryption services module processes the packet in accordance with the security association.

34 Citations

View as Search Results

14 Claims

1. A network device for processing a data packet, the network device comprising:
- at least one network interface to;
  
  receive the data packet, the data packet requiring encryption-related processing, andforward the data packet;
  
  a forwarding module to;
  
  receive information regarding the data packet,identify security association information for the data packet,include the security association information with the information regarding the data packet, andforward the information regarding the data packet including the security association information; and
  
  an encryption services module, which is separate from the forwarding module, to;
  
  receive the information regarding the data packet including the security association information, andprocess the data packet in accordance with the security association information,where the encryption services module comprises a plurality of hardware-implemented logic engines corresponding to stages in a pipeline, where;
  
  a first one of the plurality of hardware-implemented logic engines is to at least one of add a field to the data packet or add padding to the data packet,a second one of the plurality of hardware-implemented logic engines is to receive the data packet from the first one of the plurality of hardware-implemented logic engines and rewrite a header of the data packet,a third one of the plurality of hardware-implemented logic engines is to receive the data packet from the second one of the plurality of hardware-implemented logic engines and remove at least one field from the data packet,a fourth one of the plurality of hardware-implemented logic engines is to receive the data packet from the third one of the plurality of hardware-implemented logic engines and at least one of encrypt or decrypt the data packet, and is to add, to the data packet, status information to be used by a down stream hardware-implemented logic engine to determine whether to accept or drop the data packet,a fifth one of the plurality of hardware-implemented logic engines is to receive the data packet after processing by the fourth hardware-implemented logic engine, and remove at least one field from the data packet,a sixth one of the plurality of hardware-implemented logic engines is to receive the data packet from the fifth one of the plurality of hardware-implemented logic engines and at least one of error check the data packet or perform anti-replay checking, anda seventh one of the plurality of hardware-implemented logic engines is to receive the data packet from the sixth one of the plurality of hardware-implemented logic engines and remove padding from the data packet.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network device of claim 1, where the fourth hardware-implemented logic engine is to at least one of encrypt or decrypt the data packet in accordance with the security association information.
  - 3. The network device of claim 1, where the forwarding module is further to:
    - include program type information with the data packet; and
      
      where the encryption services module is to;
      
      process the data packet in accordance with the security association information and the program type information.
  - 4. The network device of claim 1, where the encryption services module is to:
    - forward the processed packet to the forwarding module; and
      
      where the forwarding module is further to;
      
      process the packet to identify an output interface, andforward the processed packet to the identified output interface.
  - 5. The network device of claim 1, where the encryption services module is located on a card, the card being located separate from the at least one network interface and the forwarding module.
  - 6. The network device of claim 1, where the encryption services module comprises a printed circuit card separate from the at least one network interface.

7. A method for processing data packets in a network device, the method comprising:
- receiving, at a forwarding module, a data packet requiring encryption-related processing;
  
  identifying, using the forwarding module, security association information for the data packet;
  
  forwarding the data packet, and the security association information, to an encryption services card that is separate from the forwarding module; and
  
  processing the data packet, by the encryption services card, using a plurality of pipelined hardware engines and in accordance with the security association information for the data packet, the processing comprising;
  
  using a first one of the pipelined hardware engines to at least one of add a field to the data packet or add padding to the data packet,receiving, at a second one of the pipelined hardware engines, the data packet from the first one of the pipelined hardware engines and rewriting, using the second one of the pipelined hardware engines, a header of the data packet,receiving, at a third one of the pipelined hardware engines, the data packet from the second one of the pipelined hardware engines and removing, using the third one of the pipelined hardware engines, at least one field from the data packet,receiving, at a fourth one of the pipelined hardware engines, the data packet from the third one of the pipelined hardware engines and encrypting or decrypting, using the fourth one of the engines, the data packet, and adding status information, using the fourth one of the pipelined hardware engines, to the data packet, where the status information is to be used by a down stream pipelined hardware engine to determine whether to accept or drop the data packet,receiving, at a fifth one of the pipelined hardware engines, the data packet from the fourth one of the pipelined hardware engines and removing, using the fifth one of the pipelined hardware engines, at least one field from the data packet,receiving, at a sixth one of the pipelined hardware engines, the data packet from the fifth one of the pipelined hardware engines and checking the data packet for errors or performing anti-replay checking, using the sixth one of the pipelined hardware engines, andreceiving, at a seventh one of the pipelined hardware engines, the data packet from the sixth one of the pipelined hardware engines and removing, using the seventh one of the pipelined hardware engines, padding from the data packet.
- View Dependent Claims (8, 9, 10)
- - 8. The method of claim 7, further comprising:
    - identifying a program type for the data packet;
      
      including the security association information and the program type with the data packet prior to forwarding the data packet to the encryption services card; and
      
      processing the data packet, by the encryption services card, in accordance with the security association information and the program type.
  - 9. The method of claim 7, where the plurality of pipelined hardware engines comprises a plurality of micro-coded pipelined hardware engines.
  - 10. The method of claim 7, further comprising:
    - forwarding the processed data packet, by the encryption services card, to an input/output manager;
      
      identifying an output interface for the processed data packet; and
      
      forwarding the processed data packet to the output interface.

11. A system comprising:
- one or more processing devices to;
  
  receive a data packet;
  
  determine whether the data packet requires encryption-related processing; and
  
  forward the data packet to an encryption services module, when the data packet requires encryption-related processing; and
  
  a plurality of hardware-implemented pipelined processing devices to process the data packet, where the plurality of hardware-implemented pipelined processing devices includes;
  
  a first hardware-implemented pipelined processing device to at least add a field to the data packet or add padding to the data packet,a second hardware-implemented pipelined processing device to receive the data packet from the first hardware-implemented pipelined processing device and rewrite the header of the data packet,a third hardware-implemented pipelined processing device to receive the data packet from the second hardware-implemented pipelined processing device and remove least one field from the data packet,a fourth hardware-implemented pipelined processing device to receive the data packet from the third hardware-implemented pipelined processing device and encrypt or decrypt the data packet, and add, to the data packet, status information to be used by a down stream hardware-implemented pipelined processing device to determine whether to accept or drop the data packet,a fifth hardware-implemented pipelined processing device to receive the data packet from the fourth hardware-implemented pipelined processing device and remove at least one field from the data packet,a sixth hardware-implemented pipelined processing device to receive the data packet from the fifth hardware-implemented pipelined processing device and at least one of error check the data packet or perform anti-replay checking on the data packet, anda seventh hardware-implemented pipelined processing device to receive the data packet from the sixth hardware-implemented pipelined processing device and remove padding from the data packet, andwhere the plurality of hardware-implemented pipelined processing devices are separate from the one or more processing devices.

12. A network device, comprising:
- a plurality of interfaces, where each of the plurality of interfaces is coupled to a network link and each of the plurality of interfaces is to receive and forward data packets;
  
  an encryption card; and
  
  forwarding logic, which is separate from the encryption card, to;
  
  receive a data packet from a first one of the plurality of interfaces,determine whether the data packet requires encryption-related processing, andforward the data packet to the encryption card;
  
  where the encryption card comprises a plurality of pipelined hardware engines, including;
  
  a first one of the plurality of pipelined hardware engines to at least one of add a field to the data packet or add padding to the data packet,a second one of the plurality of pipelined hardware engines to receive the data packet from the first one of the plurality of pipelined hardware engines and rewrite a header of the data packet,a third one of the plurality of pipelined hardware engines to receive the data packet from the second one of the plurality of pipelined hardware engines and remove at least one field from the data packet,a fourth one of the plurality of pipelined hardware engines to receive the data packet from the third one of the plurality of pipelined hardware engines and at least one of encrypt or decrypt the data packet, and to add, to the data packet, status information to be used by a down stream pipelined hardware engine to determine whether to accept or drop the data packet,a fifth one of the plurality of pipelined hardware engines receive the encrypted or decrypted data packet from the fourth one of the plurality of pipelined hardware engines and remove at least one field from the data packet,a sixth one of the plurality of pipelined hardware engines to receive the data packet from the fifth one of the plurality of pipelined hardware engines and at least one of error check the data packet or perform anti-replay checking, anda seventh one of the plurality of pipelined hardware engines to receive the data packet from the sixth one of the plurality of pipelined hardware engines and remove padding from the data packet.
- View Dependent Claims (13, 14)
- - 13. The network device of claim 12, where the forwarding logic is further to:
    - include at least one of security association information and program type information with the data packet prior to forwarding the data packet to the encryption card; and
      
      where the encryption card is to;
      
      process the data packet in accordance with at least one of the security association information and the program type information.
  - 14. The network device of claim 13, where the encryption card is further to:
    - forward the processed data packet to the forwarding logic; and
      
      where the forwarding logic is further to;
      
      identify an output interface for the data packet, andforward the data packet for output on the identified output interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zhang, Jing, Alexander, Thomas, Ahlgrim, Steven, Chang, Jessica Ming
Primary Examiner(s)
Davis; Zachary A

Application Number

US10/241,478
Time in Patent Office

3,197 Days
Field of Search

726/3, 726/2, 713/192, 713/193, 713/151, 713/160, 380/28, 709/230, 709/232
US Class Current

713/151
CPC Class Codes

H04L 49/309   Header conversion, routing ...

H04L 63/0485   Networking architectures fo...

H04L 63/164   at the network layer

H04L 65/765   intermediate

Systems and methods for processing packets for encryption and decryption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for processing packets for encryption and decryption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links