In recent years, network bandwidth has been increasing much faster than the speed of the processing systems, such as computers and other devices, that communicate over those networks. The increases in network bandwidth have come from new technologies and standards for both wide area networks (WANs) and local area networks (LANs). WAN technologies such as SONET (synchronous optical networks) using DWDM (dense wavelength division multiplexing) have increased available bandwidth by several orders of magnitude over the span of only a few years. Similarly, LAN technologies such as gigabit Ethernet and ten gigabit Ethernet on copper and optical fiber have increased available network bandwidth by two orders of magnitude relative to the standard 10- and 100-megabit Ethernet standards. During the same period, the computational power of computers and other systems has been doubling only about every 18 months. Because of this disparity between the processing speed of communication chips and the bandwidth of the underlying network technologies to which they connect, many devices attached to networks cannot exploit the full bandwidth: they lack the processing power to keep up with it.
FIG. 6 shows an example of a local area network. The devices on the local area network can include general purpose computers, such as computers 601a, 601b, and 601c, as well as storage devices such as network storage devices 602a and 602b, as well as appliances for performing specialized functions, such as data caching and load balancing or other custom processing (see specialized appliances 603a and 603b). The actual communication path, whether by copper wire, optical fiber or wireless, can be implemented in a variety of topologies, such as switches, rings, or buses such as the bus 604 shown for the local area network 605. The local area network typically also includes a link 606 which may be a gateway system to other networks, such as the Internet.
The most common implementation of a local area network in use today is TCP/IP on Ethernet (or IEEE 802.3). TCP is a reliable, connection oriented stream protocol that runs on top of IP which is a packet based protocol. UDP is a datagram oriented protocol running on top of IP. Thus, processing systems, such as computer systems in a computer network typically transmit information over the network in the form of packets. A number of different packet based protocols have been defined to enable interconnected network computers to communicate with each other. Generally, the network protocol requires each processing system connected to the network to check, process and route control information contained in each information packet.
An application program executing on a computer, such as a general purpose computer coupled to the network, may need to send data to another device on the network. A common way is for the application program to call the socket interface of the network protocol stack, which in turn invokes the TCP/IP code and the Ethernet driver. The data is encapsulated first by a TCP (Transmission Control Protocol) header, then by an IP (Internet Protocol) header, and lastly by an Ethernet header, as shown in FIG. 1. The application data 101 may be text, graphics, a combination of text and graphics, video/motion pictures or other types of data. As shown in FIG. 1, the TCP header 102 is prepended to the application data 101, and then the IP header 103 is prepended to the combination of the application data 101 and the TCP header 102. Finally, the Ethernet driver prepends an Ethernet header 104 and appends an Ethernet trailer 113 (the frame check sequence). After the Ethernet driver has completed the encapsulation, the entire frame (containing 101, 102, 103, 104 and 113) is transmitted over the communication medium of the network, which may be copper wire, optical fiber, wireless or another medium, to another device coupled to the network. The receiving device goes through the reverse sequence: it checks the Ethernet trailer and strips the Ethernet header, then validates and removes the IP header, then the TCP header, and finally hands the application data 101 to the receiving application.
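The encapsulation of FIG. 1 and the receiver's reverse sequence, as an added example that is not part of the original page. It uses only the Python standard library; the IP addresses, MAC addresses, ports and HTTP payload are constructed sample values, and the frame is built in memory rather than sent. Each function corresponds to one header of FIG. 1 (102, 103, 104/113), and the receiver-side functions check the checksum or frame check sequence before stripping a layer, which is the step a real stack performs and that an attacker-modified frame fails.

```python
"""Encapsulation of application data as in FIG. 1 (TCP -> IP -> Ethernet) and
the reverse path on the receiver. Added example, not from the original page:
addresses, ports and payload are constructed sample values, and the frame is
built in memory only. The Ethernet trailer is the 32-bit CRC used by 802.3."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_checksum(data):
    """RFC 1071 checksum used by both the IP header and the TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def add_tcp_header(app_data, src_ip, dst_ip, sport, dport, seq, ack):
    """Header 102. The TCP checksum also covers a pseudo-header of IP addresses."""
    # data offset 5 (20-byte header), flags PSH|ACK, window 65535, checksum 0, urgent 0
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, IPPROTO_TCP, len(hdr) + len(app_data))
    csum = ones_complement_checksum(pseudo + hdr + app_data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + app_data


def add_ip_header(segment, src_ip, dst_ip, ident=1):
    """Header 103: IPv4 without options, DF set, TTL 64, protocol TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0x4000,
                      64, IPPROTO_TCP, 0, src_ip, dst_ip)
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def add_ethernet(packet, src_mac, dst_mac):
    """Header 104 (dst, src, EtherType) and trailer 113 (frame check sequence)."""
    frame = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet
    frame += b"\x00" * max(0, 60 - len(frame))  # pad short frames to the 802.3 minimum
    return frame + struct.pack("<I", zlib.crc32(frame))  # FCS goes least significant byte first


def strip_ethernet(frame):
    """Receiver step 1: verify the FCS, check the EtherType, drop header 104 and trailer 113."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != zlib.crc32(body):
        raise ValueError("frame check sequence mismatch")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    return body[14:]  # may still carry link-layer padding after the IP packet


def strip_ip(packet):
    """Receiver step 2: verify header 103, return (protocol, src, dst, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ones_complement_checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("IP header checksum mismatch")
    return packet[9], packet[12:16], packet[16:20], packet[ihl:total_len]


def strip_tcp(segment, src_ip, dst_ip):
    """Receiver step 3: verify header 102 (with pseudo-header), return application data 101."""
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, IPPROTO_TCP, len(segment))
    if ones_complement_checksum(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    return segment[(segment[12] >> 4) * 4:]


def round_trip(app_data=b"GET / HTTP/1.0\r\n\r\n"):
    """Build the FIG. 1 frame from constructed addresses, then unwrap it as a receiver would."""
    src_ip, dst_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    src_mac, dst_mac = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frame = add_ethernet(add_ip_header(add_tcp_header(app_data, src_ip, dst_ip, 40000, 80, 1, 1),
                                       src_ip, dst_ip), src_mac, dst_mac)
    proto, s, d, segment = strip_ip(strip_ethernet(frame))
    if proto != IPPROTO_TCP:
        raise ValueError("unexpected transport protocol %d" % proto)
    return frame, strip_tcp(segment, s, d)


if __name__ == "__main__":
    frame, data = round_trip()
    print(len(frame), "byte frame carrying", data)
```

The checksums and the FCS only detect accidental corruption; anyone on the path can recompute them after altering the payload, which is the gap the IPSec discussion below addresses.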
Much of the information transmitted across the Internet according to the Transmission Control Protocol/Internet Protocol (TCP/IP) is vulnerable to eavesdropping and tampering, because neither TCP nor IP encrypts or authenticates what it carries. IPSec is an extension of the TCP/IP suite of protocols that addresses this, as described in more detail below. An IPSec header 107 may be included in the header field 100. Various link layer headers, such as an Ethernet header 104, may also be added. The TCP header 102 controls the flow of application data between the two end systems (ports, sequence and acknowledgment numbers, window). The IP header 103 carries the source and destination addresses from which the path the data takes through the network is determined.
Any system on the path of an IP packet, or able to observe a network segment it crosses, may intercept, replay, modify or forge it. There has thus been a growing demand to protect Internet transmissions while using the existing infrastructure. Responding to that demand, IPSec (IP security protocol) has been standardized by the Internet Engineering Task Force (IETF). IPSec is an enhancement to the TCP/IP suite of network protocols for secure communication between two devices. As shown in FIG. 1, in tunnel mode the IPSec approach encrypts an entire IP packet and encapsulates it into a new IP packet 105 having an IPSec header 107 and a second (outer) IP header 106; the original header and addresses travel inside the protected payload. The new IP packet 105 may also be referred to as an IPSec packet or an IPSec datagram.
IPSec (Internet Protocol Security) protocols are designed to provide authentication, data integrity, anti-replay and confidentiality services to both the current (IPv4) and the next-generation (IPv6) Internet Protocols (as well as others that may be added in the future). Two IPSec headers, AH and ESP, are defined to provide these services. Referring to FIG. 1, the IPSec header 107 may be either AH or ESP. The AH (Authentication Header) provides authentication and data integrity, as well as an anti-replay mechanism based on a per-packet sequence number. The ESP (Encapsulating Security Payload) provides confidentiality, a partial form of traffic flow confidentiality (padding and, in tunnel mode, concealment of the inner addresses), and optionally the same authentication, integrity and anti-replay services as AH.
There are two modes of use for the AH and ESP protocols: “transport mode” and “tunnel mode.” According to William Stallings, Cryptography and Network Security: Principles and Practice, 2nd edition, pp. 407–408: “ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header. ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.”
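ESP in both modes, with the integrity check and the anti-replay window that the AH and ESP discussion above describes, as an added example that is not code from the original page. The ESP framing (SPI, sequence number, IV, padded payload with pad length and next-header trailer, ICV) follows RFC 4303; HMAC-SHA1-96 is a genuine IPSec integrity transform. The encryption step is an assumption made so the example runs with the standard library only: a counter-mode keystream derived with HMAC-SHA256 stands in for AES-CBC or AES-GCM, which a real security association would negotiate. Keys, SPI and addresses are constructed sample values.

```python
"""ESP transport and tunnel mode (RFC 4303 framing) with ICV and anti-replay window.
Added example, not from the original page. HMAC-SHA1-96 is a real IPSec integrity
transform; the HMAC-SHA256 keystream is a stand-in for AES so this runs offline with
the standard library only. Keys, SPI and addresses below are constructed samples."""
import hashlib
import hmac
import os
import struct

IPPROTO_IPIP = 4   # next-header value meaning "an IPv4 packet follows" (tunnel mode)
IPPROTO_ESP = 50

class SecurityAssociation:
    """Per-direction state shared by sender and receiver for one SPI."""
    def __init__(self, spi, enc_key, auth_key, window=64):
        self.spi, self.enc_key, self.auth_key, self.window = spi, enc_key, auth_key, window
        self.seq = 0        # sender: last sequence number transmitted
        self.highest = 0    # receiver: highest sequence number accepted so far
        self.bitmap = 0     # receiver: bit i set means sequence number highest - i was seen

def keystream_xor(key, nonce, data):
    """Stand-in cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks (assumption)."""
    stream = b"".join(hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96 truncation

def replay_check(sa, seq):
    """RFC 4303 sliding window: reject duplicates and anything older than the window."""
    if seq == 0:  # senders start at 1, so 0 is never legitimate
        raise ValueError("invalid sequence number 0")
    if seq <= sa.highest:
        diff = sa.highest - seq
        if diff >= sa.window:
            raise ValueError("sequence number %d older than window" % seq)
        if sa.bitmap >> diff & 1:
            raise ValueError("replayed sequence number %d" % seq)

def replay_update(sa, seq):
    """Called only after the ICV verified, so forged packets cannot move the window."""
    if seq > sa.highest:
        sa.bitmap = ((sa.bitmap << (seq - sa.highest)) | 1) & ((1 << sa.window) - 1)
        sa.highest = seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)

def esp_protect(sa, payload, next_header):
    """SPI | seq | IV | encrypted(payload | padding | pad len | next header) | ICV."""
    sa.seq += 1
    pad_len = (-(len(payload) + 2)) % 4               # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = os.urandom(8)
    body = struct.pack("!II", sa.spi, sa.seq) + iv
    body += keystream_xor(sa.enc_key, struct.pack("!I", sa.seq) + iv, payload + trailer)
    return body + icv(sa.auth_key, body)

def esp_unprotect(sa, esp):
    """Receiver order per RFC 4303: replay check, ICV verify, then window update."""
    body, tag = esp[:-12], esp[-12:]
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi:
        raise ValueError("unknown SPI")
    replay_check(sa, seq)
    if not hmac.compare_digest(icv(sa.auth_key, body), tag):
        raise ValueError("ICV mismatch: packet altered or wrong key")
    replay_update(sa, seq)
    plain = keystream_xor(sa.enc_key, struct.pack("!I", seq) + body[8:16], body[16:])
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]

def ipv4_header(src, dst, proto, total_len):
    """Minimal IPv4 header (no options, DF, TTL 64) with its ones-complement checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, src, dst))
    s = sum(struct.unpack("!10H", hdr))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    hdr[10:12] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(hdr)

def encapsulate(sa, ip_packet, mode, outer_src=None, outer_dst=None):
    """Transport: ESP sits between the original IP header and its payload.
    Tunnel: the whole inner packet is the ESP payload behind a new outer header (106 in FIG. 1)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    if mode == "transport":
        esp = esp_protect(sa, ip_packet[ihl:], ip_packet[9])   # next header = original protocol
        return ipv4_header(ip_packet[12:16], ip_packet[16:20], IPPROTO_ESP, 20 + len(esp)) + esp
    esp = esp_protect(sa, ip_packet, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, 20 + len(esp)) + esp

def decapsulate(sa, packet):
    """Undo encapsulate(); the next-header value tells the receiver which mode was used."""
    if packet[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    next_header, payload = esp_unprotect(sa, packet[(packet[0] & 0x0F) * 4:])
    if next_header == IPPROTO_IPIP:
        return payload                                    # tunnel mode: the inner IP packet itself
    # transport mode: reattach a header with the original protocol (real stacks keep the original
    # header's other fields; this rebuild assumes the ipv4_header defaults used in demo())
    return ipv4_header(packet[12:16], packet[16:20], next_header, 20 + len(payload)) + payload

def demo():
    """Constructed inner packet (10.0.0.1 -> 10.0.0.2, protocol TCP, 5-byte stub payload)."""
    keys = (0x1001, b"\x11" * 32, b"\x22" * 20)
    sender, receiver = SecurityAssociation(*keys), SecurityAssociation(*keys)
    inner = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6, 25) + b"hello"
    tunnel = encapsulate(sender, inner, "tunnel", bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    transport = encapsulate(sender, inner, "transport")
    return inner, tunnel, transport, receiver
```

Two details matter for the services listed above: the receiver consults the replay window before the expensive ICV computation but only advances it after the ICV verifies, so a forged sequence number cannot shift the window; and in tunnel mode the outer header carries the gateway addresses while the inner addresses sit inside the ciphertext, which is the traffic flow confidentiality ESP offers.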
Referring to FIG. 2, to perform the IPSec encryption, decryption or authentication, the acceleration device 202 uses various cryptographic algorithms (DES, RC4, MD5, SHA-1, etc.; these were the algorithms of the period, and DES, RC4 and MD5 have since been deprecated). These algorithms are computationally intensive. Custom circuits optimized for them may be developed to accelerate IPSec processing. Such circuits can achieve one to two orders of magnitude higher computational throughput than typical microprocessor arithmetic logic units (ALUs) performing the encryption or decryption in software. The acceleration device 202 shown in the receiving system 200 of FIG. 2 is an example of such an acceleration device.
A problem with the scheme of FIG. 2 is the memory bandwidth and system interconnect bandwidth required to move data between its storage location 201 and the acceleration device 202. In devices such as the one shown in FIG. 2, IPSec datagrams arrive at the network interface 203 and are written, still encrypted, to the system memory 201 (via the system CPU/chipset 204). The system CPU/chipset 204 then dispatches the datagram and associated control information to the acceleration device 202 for decryption. The acceleration device 202 decrypts the packet and sends it back to the system CPU/chipset 204 for processing and removal of the IP and TCP headers 103, 102 (see FIG. 1) and delivery of the application data 101 to the system. Each datagram therefore crosses the system interconnect and memory several times (into memory from the network interface, out to the accelerator, back from the accelerator, and out again for protocol processing) before any application data is delivered, so the bandwidth consumed by IPSec processing is a multiple of the network bandwidth being protected.
One way to improve IPSec processing therefore focuses on the architecture, method and circuits used to perform it, so as to minimize the bandwidth consumed in the various system resources (DRAM bandwidth, system bus bandwidth, etc.). Decreasing the system bandwidth used by IPSec acceleration leaves more bandwidth for the system to perform its other tasks.