The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Modern communication networks use devices known as “routers” to direct network traffic between sources and destinations at Layer 3 of the Open Systems Interconnection (OSI) model. Typically, the router forwards electronic messages in the form of data packets according to a network-layer protocol, such as the Internet Protocol (IP). Based on its routing tables, which are populated statically or by routing protocols, the router reads the destination address information in each packet, decides the next routing point (the “next hop”) to which to send the packet, and re-addresses the link-layer frame that carries the packet to that next hop; the network-layer destination address in the packet's header is left unchanged so that each subsequent router can make the same decision. The process of selecting the next hop, re-addressing the packet for it, and forwarding the packet is referred to as “packet switching.” The next routing point may be the final destination for the packet or an intermediate destination on a path to the final destination.
Routers may be used within local area networks (LANs) to perform a variety of functions other than packet switching, including but not limited to, load-balancing network traffic, performing policy management, and filtering traffic for security purposes. Routers may also be used to send packets between networks, such as between a LAN and a wide area network (WAN), or between an enterprise's intranet and the world-wide packet-based network known as the Internet. Routers are also used in the backbone of the Internet to perform packet switching.
A router may apply one or more “features” to a packet. As used herein, the term “feature” denotes functions or processes that are used to alter one or more characteristics of the packet based on one or more operations. For example, compression is a feature that is used to reduce the size of the payload portion of a packet according to a compression technique. The original payload is input to the compression technique to generate a smaller payload as output. Upon receipt of a compressed packet, a decompression feature can be used to restore the original payload. Another example of a feature is encryption, which may be required for packets exchanged between two routers, such as in a virtual private network (VPN). The sending router uses an encryption feature to encrypt some or all of the packet and the receiving router uses a decryption feature to decrypt the encrypted packet, thereby restoring the packet to the original form prior to encryption. Other examples of features include, but are not limited to, load balancing, applying quality of service (QoS) policies, and filtering for security.
An example of an encryption approach used by some networks to secure traffic is the Internet Protocol security architecture (IPsec or IPSec), as defined in RFCs 2401, 2402, and 2406 (since obsoleted by RFCs 4301, 4302, and 4303, respectively, which retain the same packet formats), which is often used with VPNs. IPsec uses security associations (SAs) that specify the parameters to be used to secure the IPsec traffic. IPsec operates in one of two modes, transport mode or tunnel mode, using one of two protocols, Encapsulating Security Payload (ESP) or Authentication Header (AH). ESP provides confidentiality, and optionally integrity, for the data that follows the ESP header; AH provides integrity only, but covers both the data that follows the AH header and the immutable fields of the IP header that precedes the AH header. A transport mode security association is an SA between two hosts. A transport mode security protocol header (either ESP or AH) appears immediately after the IP header and before any higher layer protocols (e.g., transmission control protocol (TCP) or user datagram protocol (UDP)). A tunnel mode security association is an SA that is applied to an IP tunnel: the entire original IP packet becomes the protected payload and a new outer IP header is prepended. Whenever either end of a security association is a security gateway, the SA is a tunnel mode SA.
IPsec uses Security Parameter Index (SPI) values to identify the SA used for the secured traffic between two nodes, such as between two routers over a VPN. An inbound SA is selected by the combination of the destination address, the security protocol (ESP or AH), and the SPI carried in the packet. The SA defines the cryptographic algorithms, keys, lifetimes, anti-replay state, and other parameters relating to the IPsec secured traffic. The SPI for each node is determined during the second phase of the Internet Key Exchange (IKE) negotiation (Quick Mode in IKEv1) as the pair of SAs is negotiated between the two IPsec nodes: each node selects the SPI that will identify its own inbound SA and sends it to its peer, which then places that SPI in the ESP or AH header of every packet it sends to that node.
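The receive-side handling that the SPI and SA make possible, shown as an added illustration rather than code from this application: the block below parses the ESP header and trailer, selects the inbound SA by (destination address, SPI), and applies the sliding anti-replay window of RFC 2401 Appendix C. The SA table, the gateway address 192.0.2.1, the SPI values and the packet contents are all constructed for the example. ESP-NULL (RFC 2410) is assumed so that the payload and trailer are readable without keys and no integrity check value (ICV) is appended; a real deployment would verify an ICV and decrypt before reading the trailer, at the point marked in the comments.

```python
"""Inbound IPsec ESP processing: parse the ESP header and trailer, select the
security association (SA) by (destination, SPI), enforce the anti-replay window.
Added illustration, not code from the application. Packets are constructed
inline with ESP-NULL (RFC 2410): payload visible without keys, no ICV."""
import struct

NEXT_HEADER_IPV4 = 4   # tunnel mode: the ESP payload is a whole IPv4 packet
NEXT_HEADER_IPV6 = 41  # tunnel mode: the ESP payload is a whole IPv6 packet
NEXT_HEADER_TCP = 6    # transport mode: the ESP payload is a TCP segment


class SecurityAssociation:
    """One inbound SA: the SPI names it; mode and window size come from policy."""

    def __init__(self, spi, mode, window=64):
        self.spi = spi
        self.mode = mode            # "tunnel" or "transport"
        self.window = window        # anti-replay window size in packets
        self.highest_seq = 0        # right edge of the window
        self.bitmap = 0             # bit i set -> (highest_seq - i) already seen

    def accept_sequence(self, seq):
        """Sliding-window anti-replay check (RFC 2401 Appendix C).
        Returns True and records seq if it is new; False if replayed or too old."""
        if seq == 0:                      # the first valid sequence number is 1
            return False
        if seq > self.highest_seq:        # slide the window to the right
            shift = seq - self.highest_seq
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.window else 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window:         # left of the window: too old
            return False
        if self.bitmap & (1 << offset):   # inside the window and already seen
            return False
        self.bitmap |= 1 << offset
        return True


def build_esp(spi, seq, payload, next_header):
    """Encode an ESP-NULL packet: SPI | seq | payload | padding | pad_len | next_header.
    Padding uses the default 1,2,3,... pattern so the receiver can verify it."""
    pad_len = (-(len(payload) + 2)) % 4   # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])


def parse_esp(packet, icv_len=0):
    """Split an ESP packet into (spi, seq, next_header, payload).
    With a real integrity algorithm: verify the trailing icv_len bytes first,
    then decrypt packet[8:-icv_len] before reading the trailer."""
    if len(packet) < 8 + 2 + icv_len:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:len(packet) - icv_len]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds payload")
    payload_end = len(body) - 2 - pad_len
    if body[payload_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the default pattern")
    return spi, seq, next_header, body[:payload_end]


def process_inbound(sad, dst, packet):
    """Inbound SA lookup and checks. sad maps (dst, spi) -> SecurityAssociation:
    an inbound SA is identified by destination address, SPI and protocol (ESP here).
    Returns (verdict, details)."""
    try:
        spi, seq, next_header, payload = parse_esp(packet)
    except ValueError as exc:
        return "drop: malformed ESP", {"reason": str(exc)}
    sa = sad.get((dst, spi))
    if sa is None:
        return "drop: no SA for SPI", {"spi": spi}
    if not sa.accept_sequence(seq):
        return "drop: replayed or stale sequence number", {"spi": spi, "seq": seq}
    inner_is_ip = next_header in (NEXT_HEADER_IPV4, NEXT_HEADER_IPV6)
    return "accept", {"spi": spi, "seq": seq, "mode": sa.mode, "next_header": next_header,
                      "mode_consistent": inner_is_ip == (sa.mode == "tunnel"),
                      "payload": payload}


if __name__ == "__main__":
    # Constructed sample: transport- and tunnel-mode SAs terminating at gateway 192.0.2.1.
    sad = {("192.0.2.1", 0x1000): SecurityAssociation(0x1000, "transport"),
           ("192.0.2.1", 0x2000): SecurityAssociation(0x2000, "tunnel")}
    p1 = build_esp(0x1000, 1, b"tcp-segment", NEXT_HEADER_TCP)
    print(process_inbound(sad, "192.0.2.1", p1)[0])                              # accept
    print(process_inbound(sad, "192.0.2.1", p1)[0])                              # replay of seq 1
    print(process_inbound(sad, "192.0.2.1", build_esp(0x3000, 1, b"x", 6))[0])  # unknown SPI
```

The SA lookup is keyed on the destination address and SPI rather than on the source, which is why each endpoint picks its own inbound SPI during IKE: the receiver, not the sender, has to be able to resolve it in a single table probe. The replay window is per SA, so on a router that splits encryption and decryption across two processors (as discussed below), the inbound window state lives with whichever processor performs decryption.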
Conventionally, a router employs a single processor that applies a set of features to the packets and performs packet switching. However, a recent development in router design is the use of multiple processors for a router, in which the multiple processors share the workload that is conventionally performed by a single-processor router. For example, a dual-processor router implementation may attempt to evenly divide the routing workload between the two processors by designating some routing functions and features to be handled by one processor, with the remaining functions and features handled by the other processor. Each processor may be configured to efficiently handle the particular tasks and features that are handled by that processor.
Another recent development in router design is the concept of distributed features, in which the tasks for a particular feature are divided between multiple processors. For example, in a dual-processor router, the encryption feature may be distributed such that one processor is responsible for decryption while the second processor is responsible for encryption. Either or both processors may use additional hardware devices, such as compression accelerators and encryption accelerators, to apply compression and encryption features, respectively. However, in some dual-processor router implementations, only one processor controls or accesses the additional hardware devices. For example, in a dual-processor router that employs distributed encryption in which one processor is responsible for decryption and the other processor is responsible for encryption, only one of the two processors is allowed to control and access the encryption accelerator.
The use of distributed feature processing with hardware accelerators that are controlled by one processor in a multiple processor system can lead to performance problems. For example, the processor performing encryption may not be able to directly access the encryption accelerator because the processor that performs decryption is the only processor that is allowed to control and access the encryption accelerator. Therefore, all traffic between the encryption processor and the hardware accelerator must be routed through the other processor that handles decryption. In addition, the processor that cannot directly access the accelerator must suspend processing of the features for the packet until the encryption accelerator has completed the encryption task and passed the results back through the other processor.
FIG. 1 is a block diagram that depicts a dual-processor router 100 that uses hardware acceleration. Dual-processor router 100 includes a routing processor 120, an input/output processor 130, an input interface 140, an output interface 150, and a hardware accelerator 160. Note that while dual-processor router 100 is depicted as including all the elements discussed herein, one or more elements may be provided by other devices that are separate from dual-processor router 100, such as a separate hardware accelerator device. Furthermore, additional elements may be included in dual-processor router 100 and single elements depicted in FIG. 1 may be distributed over multiple elements.
Assume for this example that the workload of the single processor of a conventional router has been divided between routing processor 120 and input/output processor 130 of dual-processor router 100 as follows: routing processor 120 handles the switching of packets and applies some features to the packets, and input/output processor 130 handles input and output functions of dual-processor router 100 and applies other features to the packets.
Packets are received by dual-processor router 100 via input interface 140 that is communicatively coupled to input/output processor 130. After packets are passed from input interface 140 to input/output processor 130, some inbound features are applied to the packet by input/output processor 130 and then the packet is passed to routing processor 120 for applying additional features and switching the packet. After routing processor 120 is finished, the packet is passed back to input/output processor 130 to apply outbound features before passing the packet to output interface 150 that passes the packet out of dual-processor router 100. Note that while input/output processor 130 is communicatively coupled to input interface 140, output interface 150, and hardware accelerator 160, routing processor 120 is only communicatively coupled to input/output processor 130.
In this example, dual-processor router 100 employs encryption in a distributed fashion, such that input/output processor 130 performs decryption on incoming packets that are received by dual-processor router 100 and routing processor 120 performs encryption and encryption parameter negotiation. While each processor of dual-processor router 100 performs these respective tasks of the encryption feature, both processors use hardware accelerator 160 for decryption and encryption of packet payloads.
When routing processor 120 needs to use hardware accelerator 160 for encryption, the performance problems arise because routing processor 120 cannot directly access hardware accelerator 160. Instead, any communication and data that is sent between routing processor 120 and hardware accelerator 160 passes through input/output processor 130. In addition, processing of the packet by routing processor 120 is stalled while the necessary information is passed via input/output processor 130 and is processed by hardware accelerator 160, and the reply takes the same two-hop path back.
One approach to solve this performance problem is to have input/output processor 130 perform both encryption and decryption. However, this defeats the distributed feature processing approach because the encryption feature is no longer distributed. Furthermore, even if the features are not distributed between routing processor 120 and input/output processor 130, there may be some features assigned to routing processor 120 that use hardware accelerator 160 or additional accelerators not shown in FIG. 1. In such instances, either routing processor 120 must again work through input/output processor 130, or routing processor 120 must interface directly with the accelerators, which may not be as efficient as having a single processor perform all interface operations.
Based on the foregoing, it is desirable to provide improved techniques for applying features in a router. It is also desirable to have improved techniques for employing distributed feature processing in multiple processor computing systems that include a hardware accelerator, techniques that do not suffer from the disadvantages discussed above.