As is known in the art, there is a trend to provide network processors that perform cryptographic processing of packet data. To facilitate cryptographic processing, network processors include cryptographic acceleration units (also referred to as “crypto units”). The crypto units accelerate the cryptographic processing of packet data to support cryptographic processing at line rate. One example of a network processor including such a crypto unit is the Intel IXP2850 network processor manufactured by Intel Corporation of Santa Clara, Calif.
Two types of cryptographic processing that are commonly performed on packet data are authentication processing (or more simply authentication) and ciphering processing (or more simply ciphering). Authentication is the process of creating a digest of the packet, which is sent along with the packet, to allow the receiver to verify that the packet was indeed sent by the sender (rather than by some third party) and was not modified in transit. Ciphering is the process of encrypting the packet, so that only the intended receiver, with the correct cryptographic key, can decrypt the packet and read its contents. Most commonly used security protocols perform both ciphering and authentication on each packet.
The crypto units in the Intel IXP2850 network processor, for example, implement the well-known 3DES/DES (Data Encryption Standard) and AES (Advanced Encryption Standard) cipher algorithms, as well as the SHA1 (Secure Hash Algorithm authentication algorithm). Each of the crypto units contains a pair of 3DES/DES and SHA1 cores, and a single AES core. By implementing a pair of cores, the crypto units meet the data rate requirements by allowing both cores to process data in parallel, thereby doubling the data rate of a single core.
Data from the crypto units is transferred to a transmit buffer element in a media switch fabric interface of the processor and then transmitted over an interface, such as an SPI4.2 or NPSI interface. SPI4.2 (Optical Internetworking Forum (OIF) standard System Packet Interface level 4, Phase 2, published January, 2001) is an industry standard interface commonly used to interconnect MAC (Media Access Controller)/framer devices to network processors. NPSI (Network Processing Forum (NPF) Streaming Interface, September, 2002) is a related interface that is used for transmitting data between network processors. Data is transmitted over the SPI4.2/NPSI interfaces in blocks, referred to as mpackets. Protocol packets, such as IP (Internet Protocol) packets or Ethernet frames, are split into multiple mpackets. The amount of data within an mpacket is a multiple of 16 bytes, unless the mpacket is the last mpacket in a packet.
When block cipher algorithms such as AES and 3DES/DES are used, data is processed by the crypto unit in fixed size blocks and upon processing is transferred in fixed sized blocks into buffer elements of predetermined size. Because data in an mpacket must be a multiple of 16 bytes, all of the data from the last block may not fit into a given buffer element because the resulting data in the buffer element would not be a multiple of 16 bytes. In this case, the data would need to be split among multiple buffer elements. Software control over this splitting process can increase the processing overhead.
It would, therefore, be desirable to overcome the aforesaid and other disadvantages.