1. Field of the Invention
The present invention generally relates to encrypted networks. More particularly, the present invention relates to a system and method for improving the performance of an encrypted network by asserting interrupts to reduce latency that packets suffer during Secondary Use.
2. Discussion of the Related Art
Internet Protocol Security (“IPSec”) is employed to protect both the confidentiality and integrity of data that is transferred on a network. Because IPSec provides a way to encrypt and decrypt data below the transport layer (e.g., Transmission Control Protocol, “TCP” or User Datagram Protocol, “UDP”), the protection is transparent to applications that transfer data. Thus, no alterations are required at the application level in order to utilize IPSec. However, when implemented in software, the algorithms used for encryption, decryption, and authentication of the data for IPSec require execution of numerous CPU cycles. Because many CPU cycles must be delegated to such cryptography operations, there are correspondingly fewer CPU cycles available to applications and other parts of the protocol stack. This configuration adds latency to received data reaching the application, thereby decreasing the throughput of the system.
One current solution to this problem is to offload the cryptography operations to an external piece of hardware, such as a Network Interface Card (“NIC”). Generally, the most efficient way to offload such operations is to encrypt the data immediately before transmitting a packet, and to decrypt the data directly off the network before the packet is direct memory access (“DMA”) transferred to host memory. This process of decrypting and authenticating ingress data before it is transferred to host memory is known as “Inline Receive.”
An alternative to Inline Receive is the “Secondary Use” model. In this latter model, received packets are DMA transferred into host memory. The network driver then parses each packet to match it with its corresponding Security Association (“SA”), which is a data structure that contains all information necessary to encrypt, decrypt and/or authenticate a packet. Where a cryptography accelerator is included, the driver instructs the NIC to transfer the packet across the bus to the controller, perform the cryptography operation on the packet, and then transfer the packet back to host memory. The packet is thus transferred across the bus three times: (1) upon receipt from the network through the NIC across the bus and into host memory; (2) upon transfer from the host memory across the bus to the controller; and (3) upon transfer from the controller across the bus back to host memory.
An extra interrupt is often required to perform these transfers across the bus. However, such interrupts increase CPU utilization. Furthermore, the extra latency introduced can degrade throughput of protocols that are sensitive to the round trip time of packets, such as TCP.
From a performance perspective (both CPU utilization and throughput), Inline Receive is generally considered a better solution than Secondary Use. However, Inline Receive is more expensive to implement because the keys and matching information for cryptography operations must be stored on the network interface in an SA cache. Due to such limitations, the INTEL PRO/100 S Server Adapter, for example, supports only a limited number of connections that can use Inline Receive. Other connections use the Secondary Use model to offload secure traffic, though Secondary Use adds latency to packets at several steps. The primary source of the increased latency for Secondary Use is the delay related to the final interrupt of the Secondary Use operation.
Early ingress interrupts have been used on low speed buses where the transfer operation was expensive. The device typically transfers the header portion of the packet to host memory and then assert an interrupt. The header portion is used to determine if there was interest in transferring the rest of the packet to host memory. If not, the rest of the packet would be discarded. This scheme avoided burdening the bus with unnecessary data.
With the advent of busmasters in peripheral component interconnect (“PCI”), this use of early interrupts for any traffic has become scarce. In fact, to accommodate the high packet rates of high-speed networks such as Gigabit Ethernet, most input/output (“I/O”) controller devices offer interrupt coalescing features that delay interrupt assertions to allow several interrupt events to be processed in one occurrence of the interrupt handler. When Secondary Use is utilized extensively, sending packets across the PCI bus three times reduces the bus bandwidth available. This utilization, in turn, reduces the packet rate that can be processed, further reducing or eliminating the utility of the interrupt coalescing algorithms.
Accordingly, there is a need for a system and method of improving the performance of an encrypted network by asserting interrupts to reduce latency that packets suffer during Secondary Use.