Shared buffers for processing elements on a network device

US 9,973,335 B2
Filed: 03/15/2013
Issued: 05/15/2018
Est. Priority Date: 03/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

exchanging a key between an input/output device for a network device and a first processing element operating on the network device, the key including one of a block cipher key or a stream cipher key;

receiving a plurality of data packets, each of the plurality of data packets having a header and a payload at the input/output device, the plurality of data packets having a destination associated with the first processing element;

encrypting each of the payloads using the key;

encrypting each of the plurality of headers together as a group using the key;

sending the encrypted payloads to first shared buffers maintained at least in part in memory for the network device, the memory arranged to be shared with at least a second processing element operating on the network device;

sending the encrypted group of headers to a second buffer maintained at least in part in the memory and assigned to the second processing element, the network device to include a virtual machine manager to establish a pool of buffers that includes the first and second buffers and at least a first virtual machine that includes at least the first processing elements; and

indicating to the first virtual machine that the encrypted payloads have been sent to the first buffer, the first virtual machine to;

obtain the encrypted payloads from the first shared buffers responsive to the indication; and

decrypt the encrypted payloads using the key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Examples are disclosed for exchanging a key between an input/output device for network device and a first processing element operating on the network device. Data having a destination associated with the first processing element may be received by the input/output device. The exchanged key may be used to encrypt the received data. The encrypted data may then be sent to a buffer maintained at least in part in a memory for the network device. The memory may be arranged to enable sharing of the buffer with at least a second processing element operating on the network device. Examples are also disclosed for the processing element to receive an indication of the storing of the encrypted data in the buffer. The processing element may then obtain the encrypted data from the buffer and decrypt the data using the exchanged key.

43 Citations

View as Search Results

18 Claims

1. A method comprising:
- exchanging a key between an input/output device for a network device and a first processing element operating on the network device, the key including one of a block cipher key or a stream cipher key;
  
  receiving a plurality of data packets, each of the plurality of data packets having a header and a payload at the input/output device, the plurality of data packets having a destination associated with the first processing element;
  
  encrypting each of the payloads using the key;
  
  encrypting each of the plurality of headers together as a group using the key;
  
  sending the encrypted payloads to first shared buffers maintained at least in part in memory for the network device, the memory arranged to be shared with at least a second processing element operating on the network device;
  
  sending the encrypted group of headers to a second buffer maintained at least in part in the memory and assigned to the second processing element, the network device to include a virtual machine manager to establish a pool of buffers that includes the first and second buffers and at least a first virtual machine that includes at least the first processing elements; and
  
  indicating to the first virtual machine that the encrypted payloads have been sent to the first buffer, the first virtual machine to;
  
  obtain the encrypted payloads from the first shared buffers responsive to the indication; and
  
  decrypt the encrypted payloads using the key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, comprising the block cipher key or the stream cipher key to be based on one of Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES).
  - 3. The method of claim 1, comprising indicating to the first processing element that the encrypted payloads have been sent to the first shared buffers, the first processing element arranged to obtain the encrypted payloads from the first buffer responsive to the indication, the first processing element also arranged to decrypt the encrypted payloads using the key.
  - 4. The method of claim 3, comprising the destination associated with the first processing element to include the destination also being associated with an application arranged to operate in cooperation with the first processing element, the first processing element to obtain the encrypted payload by performing a copy and decrypt operation that includes copying the encrypted payload and decrypting the encrypted payload before sending the decrypted payload to a portion of the memory for the network device that is accessible to the application.
  - 5. The method of claim 1, comprising indicating to the first processing element that the encrypted payload has been sent to the first buffer and the header has been sent to the second buffer, responsive to the indication, the first processing element arranged to obtain the encrypted payload from the first buffer and obtain the header from the second buffer, the first processing element also arranged to decrypt the encrypted payload using the key.
  - 6. The method of claim 1, comprising the first processing element and the second processing element as one of separate cores of a multi-core processor or separate virtual machines implemented on one or more cores of the multi-core processor.
  - 7. The method of claim 6, comprising the first processing element included in the first virtual machine and the second processing element included in a second virtual machine.
  - 8. The method of claim 7, comprising the virtual machine manager, responsive to the first virtual machine decrypting the payload, indicating to the input/out device that the first buffer is available to at least temporarily store additionally received data having a destination associated with the first virtual machine or the second virtual machine.

9. An apparatus maintained at an input/output device for a network device comprising:
- a processor circuit; and
  
  a memory unit communicatively coupled to the processor circuit, the memory unit arranged to store instructions for logic operative on the processor circuit, the logic configured to exchange a key with a first processing element operating on the network device, the key including one of a block cipher key or a stream cipher key, the logic also configured to encrypt a payload of each of a plurality of data packets, each of the plurality of data packets also having a header, the plurality of data packets received by the input/output device, the received plurality of data packets having a destination associated with the first processing element, the payloads encrypted using the key, the logic also configured to encrypt each of the plurality of headers together as a group using the key, the logic also configured to cause the encrypted payloads to be sent to first shared buffers maintained at least in part in memory for the network device, the memory arranged to be shared with at least a second processing element operating on the network device and send the encrypted group of headers to a second buffer maintained at least in part in the memory and assigned to the second processing element, the network device to include a virtual machine manager to establish a pool of buffers that includes the first and second buffers and at least a first virtual machine that includes at least the first processing element, the logic also configured to indicate to the first virtual machine that the encrypted payloads have been sent to the first buffer, the first virtual machine to obtain the encrypted payloads from the first shared buffers responsive to the indication and to decrypt the encrypted payloads using the key.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The apparatus of claim 9, comprising the memory unit to include volatile memory.
  - 11. The apparatus of claim 9, comprising the block cipher key or the stream cipher key to be based on one of Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES).
  - 12. The apparatus of claim 11, comprising the second processing element included in a second virtual machine implemented on one or more cores of a multi-core processor.
  - 13. The apparatus of claim 12, comprising the logic also configured to receive an indication from the virtual machine manager that the first shared buffers are available to at least temporarily store additionally received data having a destination associated with the first virtual machine or the second virtual machine, the indication received responsive to the first virtual machine decrypting the payloads.

14. A method comprising:
- exchanging a key between an input/output device for a network device and a first processing element operating on the network device, the key including one of a block cipher key or a stream cipher key;
  
  receiving, at a first virtual machine, an indication that an encrypted payload of each of a plurality of data packets received by the input/output device and having a destination associated with the first processing element have been encrypted using the key, the indication also to include information to indicate that the encrypted payloads are stored in first shared buffers maintained at least in part in memory for the network device, the memory arranged to be shared with at least a second processing element operating on the network device, the information to also indicate that headers for the plurality of data packets is stored, as an encrypted group of headers, to a second buffer maintained at least in part in the memory and assigned to the second processing element, the first shared buffers and the second buffer included in a pool of buffers established by a virtual machine manager of the network device, at least the first processing elements included in the first virtual machine;
  
  obtaining the encrypted payloads from the first shared buffers and the encrypted group of headers from the second buffer responsive to receipt of the indication; and
  
  decrypting the encrypted payloads using the key.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, comprising the block cipher key to be based on one of Triple Data Encryption Standard (3DES) or Advanced Encryption Standard (AES).
  - 16. The method of claim 14, comprising the destination associated with the first processing element to include the destination also being associated with an application arranged to operate in cooperation with the first processing element, the first processing element to obtain the encrypted payload by performing a copy and decrypt operation that includes copying the encrypted payloads and decrypting the encrypted payloads before sending the decrypted payloads to a portion of the memory for the network device that is accessible to the application.
  - 17. The method of claim 14, comprising the second processing element included in a second virtual machine implemented on one or more cores of a multi-core processor.
  - 18. The method of claim 17, comprising the virtual machine manager to send an indication to the input/output device that the first buffer is available to at least temporarily store additionally received data having a destination associated with the first virtual machine or the second virtual machine, the indication to be sent responsive to the first virtual machine decrypting the payload.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Friedman, Ben-Zion, Tamir, Eliezer, Louzoun, Eliel, Falik, Ohad
Primary Examiner(s)
Gracia, Gary S

Application Number

US13/839,080
Publication Number

US 20130262868A1
Time in Patent Office

1,887 Days
Field of Search

713171
US Class Current
CPC Class Codes

G06F 21/72   in cryptographic circuits

H04L 63/0485   Networking architectures fo...

H04L 9/0618   Block ciphers, i.e. encrypt...

Shared buffers for processing elements on a network device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Shared buffers for processing elements on a network device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links