Chaining port scheme for network security

US 8,112,622 B2
Filed: 12/08/2006
Issued: 02/07/2012
Est. Priority Date: 12/08/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A network chip comprising:

a chaining port configured to perform an external loop-back function including a first security engine transmitting a frame of data through the chaining port and receiving the frame of data back through the chaining port;

an external port configured to send and receive the frame of data to and from at least one provider device, the at least one provider device being external from the network chip;

the first security engine associated with the chaining port, the first security engine being configured to execute a first addition operation to add an inner encryption layer to the frame in conjunction with the first security engine transmitting the frame of data and configured to perform a first removal operation to remove the inner encryption layer in conjunction with the first security engine receiving the frame of data;

a second security engine associated with the external port, coupled to the first security engine, the second security engine being configured to perform a second addition operation to add an outer encryption layer to the frame when the external port sends the frame of data to the at least one provider device and configured to perform a second removal operation to remove the outer encryption layer when the external port receives the frame of data, wherein the first and second security engines are configured to sequentially operate on the frame of data to add or remove the inner encryption layer and the outer encryption layer; and

control logic configured to cause the first security engine to;

perform the first addition operation but not the first removal operation if the frame of data is to be transmitted by the external port to the at least one provider device; and

perform the first removal operation but not the first addition operation if the frame of data was received by the external port from the at least one provider device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A networking method, microchip, and device are described in which a first security engine may be associated with a chaining port and configured to perform an inner processing for an inner layer of encryption for a frame of data, while a second security engine may be associated with an external port and configured to perform an outer processing for an outer layer of encryption for the frame of data. Control logic may be configured to instruct the first security engine to execute both a transmit operation and a receive operation of the frame of data in association with the inner processing.

36 Citations

View as Search Results

11 Claims

1. A network chip comprising:
- a chaining port configured to perform an external loop-back function including a first security engine transmitting a frame of data through the chaining port and receiving the frame of data back through the chaining port;
  
  an external port configured to send and receive the frame of data to and from at least one provider device, the at least one provider device being external from the network chip;
  
  the first security engine associated with the chaining port, the first security engine being configured to execute a first addition operation to add an inner encryption layer to the frame in conjunction with the first security engine transmitting the frame of data and configured to perform a first removal operation to remove the inner encryption layer in conjunction with the first security engine receiving the frame of data;
  
  a second security engine associated with the external port, coupled to the first security engine, the second security engine being configured to perform a second addition operation to add an outer encryption layer to the frame when the external port sends the frame of data to the at least one provider device and configured to perform a second removal operation to remove the outer encryption layer when the external port receives the frame of data, wherein the first and second security engines are configured to sequentially operate on the frame of data to add or remove the inner encryption layer and the outer encryption layer; and
  
  control logic configured to cause the first security engine to;
  
  perform the first addition operation but not the first removal operation if the frame of data is to be transmitted by the external port to the at least one provider device; and
  
  perform the first removal operation but not the first addition operation if the frame of data was received by the external port from the at least one provider device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The network chip of claim 1 wherein the inner encryption layer includes a MACSec layer.
  - 3. The network chip of claim 1 wherein the first security engine is configured to execute the first addition operation by applying to the frame of data an inner cryptographic key associated with an inner security tag of the frame of data.
  - 4. The network chip of claim 1, wherein the control logic is further configured to route the frame of data between the first security engine and the second security engine.
  - 5. The network chip of claim 1 wherein:
    - the first security engine is configured to execute the first addition operation including adding an inner security tag to the frame of data; and
      
      the second security engine is configured to execute the second addition operation including adding an outer security tag to the frame of data when the frame of data is transmitted from the network chip.
  - 6. The network chip of claim 1 wherein the second security engine is configured to execute the second removal operation including removing an outer security tag from the frame of data and the first security engine is configured to execute the first removal operation including removing an inner security tag from the frame of data when the frame of data is received by the network chip.
  - 7. The network chip of claim 1, wherein:
    - the outer layer of encryption is associated with the provider device, andthe inner layer of encryption is associated with a customer device, the customer device being at least one hop further away from the network chip than the provider device.
  - 8. The network chip of claim 1, wherein:
    - the outer layer of encryption is associated with at least one cryptographic key held by the provider device; and
      
      the inner layer of encryption is associated with at least one cryptographic key held by a customer device, the customer device being at least one hop further away from the network chip than the provider device.
  - 9. The network chip of claim 1, wherein:
    - the first security engine includes a first transmit module configured to execute the first addition operation and a first receive module configured to execute the first removal operation; and
      
      the second security engine includes a second transmit module configured to execute the second addition operation and a second receive module configured to execute the second removal operation.

10. A network device comprising:
- a chaining port configured to perform an external loop-back function including a first security engine transmitting a frame of data through the chaining port and receiving the frame of data back through the chaining port;
  
  an external port configured to send and receive the frame of data to and from at least one provider device, the at least one provider device being external from the network device;
  
  the first security engine associated with the chaining port, the first security engine being configured to process an inner layer of encryption on the frame of data; and
  
  a second security engine, associated with the external port and coupled to the first security engine, and configured to process a different outer layer of encryption on the frame of data;
  
  wherein the first security engine is configured to add the inner layer of encryption in conjunction with the first security engine transmitting the frame of data and the second security engine is configured to add the different outer layer of encryption when the external port sends the frame of data from the network device to the at least one provider device; and
  
  wherein the second security engine is configured to remove the different outer layer of encryption when the external port receives the frame of data from the at least one provider device and the first security engine is configured to remove the inner layer of encryption in conjunction with the first security engine receiving the frame of data.
- View Dependent Claims (11)
- - 11. The network device of claim 10 wherein the outer layer of encryption includes an outer MACSec layer, and the inner layer of encryption includes an inner MACSec layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Qi, Zheng
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
POTRATZ, DANIEL B

Application Number

US11/635,880
Publication Number

US 20080141023A1
Time in Patent Office

1,887 Days
Field of Search

713/150, 713/151, 713/153, 713/170, 713/160, 380/257, 380/261, 726/11, 726/12, 709/230, 709/236
US Class Current

713/153
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/0478 applying multiple layers of...

Chaining port scheme for network security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

36 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Chaining port scheme for network security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links