Patent

Two Parallel Engines for High Speed Transmit IPSEC Processing

02 Mar 2004
TL;DR: In this article, the authors describe a network interface system for interfacing a host system with a network, which includes a bus interface system, a media access control system, and a security system.
Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.
Citations
Patent
21 Jun 2012
TL;DR: In this paper, a method of offloading data-intensive tasks from a processor comprises, at the processor, preparing a TCP packet consisting of a TCP header and a data payload and transmitting it to a configurable logic device (CLD); and at the CLD, receiving the TCP packet and generating a set of TCP segment packets, each containing a copy of the TCP header, an incrementing segment sequence identifier, and a portion of the data payload.
Abstract: A method of offloading data-intensive tasks from a processor comprises, at a processor, preparing a TCP packet comprising a TCP header and a data payload and transmitting the TCP packet to a configurable logic device (CLD); and at the CLD, receiving the TCP packet, generating a set of TCP segment packets, each containing a copy of the TCP header, an incrementing segment sequence identifier, and a portion of the data payload, and transmitting the set of TCP segment packets on an external network interface.

151 citations

Patent
13 Feb 2009
TL;DR: In this article, a method for communicating location and access network information for an end user to a policy and charging rules function (PCRF) element that is coupled to a network element is presented.
Abstract: A method is provided in one example embodiment and includes communicating location and access network information for an end user to a policy and charging rules function (PCRF) element that is coupled to a network element. The network element receives packets for a communications flow from the end user if the flow is initiated through a wireless network and through a wireline network. In more specific embodiments, the location and access network information is used to initiate one or more applications for the end user. The method could also include communicating to an application function that the end user has attached to one of the networks, has been assigned an Internet Protocol (IP) address, and the location and access network information for the end user.

124 citations

Proceedings Article (DOI)
23 Oct 2006
TL;DR: A set of control messages based on the IPSEC authentication header (AH) methodology is described that provides message integrity and origin authentication for ATM and FR network switching equipment and signaling protocols.
Abstract: Methodologies developed in the Internet Engineering Task Force (IETF) Internet Protocol Security (IPSEC) Working Group can be incorporated into asynchronous transfer mode (ATM) and frame relay (FR) signaling to provide message integrity and origin authentication. In turn, these mechanisms can provide a virtual private network (VPN) infrastructure with call control message integrity, origin verification, and transit network filtering. In this paper, we describe a set of control messages based on the IPSEC authentication header (AH) methodology that provide these security mechanisms for ATM and FR network switching equipment and signaling protocols.

117 citations

Patent
10 Nov 2005
TL;DR: In this paper, the authors propose mechanisms for transferring processor control of secure Internet Protocol (IPSec) security association (SA) functions between host and target processing devices of a computerized system, such as the processors in a host CPU and a NIC.
Abstract: The invention provides mechanisms for transferring processor control of secure Internet Protocol (IPSec) security association (SA) functions between host and target processing devices of a computerized system, such as the processors in a host CPU and a NIC. In one aspect of the invention, the computation associated with authentication and/or encryption is offloaded while the host maintains control of when SA functions are offloaded, uploaded, invalidated, and re-keyed. The devices coordinate to maintain metrics for the SA, including support for both soft and hard limits on SA expiration. Timer requirements are minimized for the target. The offloaded SA function may be embedded in other offloaded state objects of intermediate software layers of a network stack.

78 citations

Patent
06 May 2004
TL;DR: In this article, a network interface system includes a bus interface system, a media access control system, and a security system that selectively performs security processing on data incoming from the network based on security associations stored in a memory external to the network interface.
Abstract: One aspect of the invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The security system selectively performs security processing on data incoming from the network based on security associations stored in a memory external to the network interface system, typically host system memory. The security association for any given frame, when available, is fetched from the external memory after the frame begins to arrive in the network interface system, based in part on information contained in the frame. Preferably, the fetch begins before the frame is fully received and the security association is queued, so that security processing can begin without having to wait for the security association to be fetched.

74 citations

References
Patent
05 Jun 2003
TL;DR: In this paper, the authors present a Gigabit Ethernet adapter that adapts to multiple communication protocols via a modular construction and design, and it provides a compact hardware solution to handling high network communication speeds.
Abstract: The invention is embodied in a gigabit Ethernet adapter. A system according to the invention provides a compact hardware solution to handling high network communication speeds. In addition, the invention adapts to multiple communication protocols via a modular construction and design.

352 citations

Patent
13 Jun 2001
TL;DR: In this paper, a packet processing system embodied on an ASIC is optimized for processing IPSec security protocol packets in a hardware configuration; the hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput, providing for high-speed IPSec packet processing.
Abstract: A packet processing system embodied on an ASIC is optimized for processing IPSec security protocol packets in a hardware configuration. Embedded RISC processors operate with hardware support modules providing for IPSec packet processing at OC24 data rates and greater. IPSec packets are received through a streaming interface and buffered in an external memory. When the entire packet is in external memory, portions are buffered in a local memory for cryptoprocessing. As portions of the packet complete processing, the portions are buffered to an output portion of the external memory associated with the channel. When an entire packet completes processing, portions are buffered to a local memory for streaming. The hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput, providing for high-speed IPSec packet processing.

152 citations

Journal Article (DOI)
TL;DR: The authors advocate a large, out-of-order-issue instruction window, clustered (separated) banks of functional units and hierarchical scheduling of ready instructions to provide a high-speed, implementable execution core that is capable of sustaining the necessary instruction throughput.
Abstract: Billion-transistor processors will be much as they are today, just bigger, faster and wider (issuing more instructions at once). The authors describe the key problems (instruction supply, data memory supply and an implementable execution core) that prevent current superscalar computers from scaling up to 16 or 32 instructions per issue. They propose using out-of-order fetching, multi-hybrid branch predictors and trace caches to improve the instruction supply. They predict that replicated first-level caches, huge on-chip caches and data value speculation will enhance the data supply. To provide a high-speed, implementable execution core that is capable of sustaining the necessary instruction throughput, they advocate a large, out-of-order-issue instruction window (2,000 instructions), clustered (separated) banks of functional units and hierarchical scheduling of ready instructions. They contend that the current uniprocessor model can provide sufficient performance and use a billion transistors effectively without changing the programming model or discarding software compatibility.

129 citations

Patent
Suresh Krishna, Christopher Owen, Derrick C. Lin, Joseph J. Tardo, Patrick Law
07 Jul 2000
TL;DR: In this article, the authors present an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory.
Abstract: Provided is an architecture for a cryptography accelerator chip that allows significant performance improvements over prior art designs. In various embodiments, the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets. Cryptography acceleration chips in accordance with the invention may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, large corporate networks, and networks servicing wide geographic areas (e.g., cities). The present invention provides improved performance over prior art designs with much reduced local memory requirements, in some cases requiring no additional external memory. In some embodiments, the present invention enables sustained full-duplex Gigabit-rate security processing of IPSec protocol data packets.

114 citations

Patent
18 Dec 2001
TL;DR: In this paper, a network media access controller operates as a centralized control point for managing secure data storage in a network-attached data storage subsystem, which includes first and second network interfaces.
Abstract: A network media access controller operates as a centralized control point for managing secure data storage in a network-attached data storage subsystem. The network media access controller includes first and second network interfaces. The first network interface is coupleable through a first network connection to a network-attached data storage subsystem including a storage device. The network-attached data storage subsystem is responsive to a data storage command to store first data to the storage device. The second network interface is coupleable through a second network connection to a client computer system. The client computer system selectively provides the data storage command with respect to second data. A network data processor is coupled to the first network interface to provide the data storage command and first data, and to the second network interface to receive the data storage command and second data. The network data processor includes an encryptor coupled to selectively encrypt the second data to provide the first data, based on an encryption key corresponding to the storage device.

109 citations