This invention relates to wireless networks, and in particular to a MAC controller and a method of MAC cryptography in which the actual cryptographic functions are carried out outside the wireless station that contains the MAC processor, for example in an entity coupled to the wireless station by a packet network link.
FIG. 1 shows a traditional prior-art wireless network connection 100, e.g., for a wireless local area network (WLAN) that conforms to one of the IEEE 802.11 standards. The radio part 101 includes one or more antennas 103 that are coupled to a radio transceiver 105 including an analog RF part and a digital modem. The digital modem of radio 101 is coupled to a MAC processor 107 that implements the MAC protocol. The MAC processor 107 is connected via one or more busses, shown symbolically as a single bus subsystem 111, to a host processor. The host processor includes a memory, e.g., RAM connected to the host bus, shown here as part of the bus subsystem 111.
In implementing the MAC protocol, e.g., the IEEE 802.11 MAC protocol, the MAC processor 107 decides which MAC packets to transmit at what time. A typical prior art MAC processor 107 includes a fast but relatively small local memory, shown as MAC memory 109 in FIG. 1, that makes sure the MAC processor has fast access to the packets it needs to transmit. The host processor decides which MAC packets the MAC processor is likely to need, and sends such packets to be included in the local MAC memory 109. When there are one or more packets to transmit, the MAC processor then takes such packets from its MAC memory 109.
There recently has been a desire to move more and more of the MAC processing functions to the host processor. The host, for example, may implement a WLAN access point. By moving more and more of the functionality to software on the host, more flexibility is achieved.
In one such arrangement, the MAC processing functions are divided between a “Lower MAC” that implements in hardware such aspects as interfacing to the physical radio (the PHY) 101, encryption, and the actual receiving and sending of MAC packets. The Lower MAC may be implemented using a processor and includes a local memory. The “Higher MAC” functions, i.e., the remaining MAC functions, are implemented in software running on a host processor. The Lower MAC is coupled to the host processor via a bus subsystem.
When to-be-transmitted packets are ready, the host passes information to the Lower MAC on such packets. The information, for example, may include information on where the payload for the MAC packets resides in the host memory. This information is stored locally on the Lower MAC. When the Lower MAC is set up to transmit the to-be-transmitted MAC packets, the Lower MAC sets up DMA transfer of the required data. The data is then passed to the Lower MAC processor via DMA from the host.
This avoids the miss situation of the prior-art method, in which the host must predict which packets will be needed and pre-load the local MAC memory with to-be-transmitted packets.
There has recently been a desire to move more of the intelligence of a station used as an access point (AP) to the switch. For example, it may be that some of the MAC functionality will be carried out in a switch to which the access point is connected.
The Parent Patent Application describes a method and an apparatus that provide for data streaming of a to-be-transmitted packet from a switch to which the AP is directly connected, e.g., via a fast (e.g., Gigabit) Ethernet. The Parent Patent Application introduces a special Ethernet controller that, in addition to the standard Ethernet MAC and PHY functions, acts as a network DMA controller. The Parent Patent Application further introduces a special packet of a first new type that contains a pointer and a length, that is created by the special Ethernet controller, and that is sent to the switch or other device connected to the AP. The Parent Patent Application further introduces a special packet of a second new type for sending the data requested by the first-type special packet. The switch or other device connected to the AP has a matching special Ethernet controller that understands and creates such special packets. Thus, when the switch receives a packet of the first special type, it responds with the requisite data. The data for the packet is streamed directly from the switch to the MAC at transmit time.
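The request/response exchange just described, as an added simulation that is not code from the Parent Patent Application: the AP-side controller issues a first-type packet carrying a pointer and a length, and the switch-side controller answers with a second-type packet carrying the data. The framing (one type byte, a 32-bit pointer, a 16-bit length) and the idea of registered host-memory regions are assumptions made for illustration; the switch refuses requests that fall outside a registered region, and the AP accepts only a reply matching its outstanding request.

```python
import struct
from typing import List, Optional, Tuple

# Assumed wire layout (illustrative only): type (u8), pointer (u32), length (u16).
REQ_TYPE, DATA_TYPE = 1, 2
HDR = struct.Struct("!BIH")


def build_request(pointer: int, length: int) -> bytes:
    """AP-side controller: first-type packet asking for `length` bytes at `pointer`."""
    return HDR.pack(REQ_TYPE, pointer, length)


class SwitchController:
    """Switch-side controller. `regions` lists (base_pointer, payload) pairs the
    host has registered for streaming; anything else is not served."""

    def __init__(self, regions: List[Tuple[int, bytes]]):
        self.regions = regions

    def serve(self, request: bytes) -> Optional[bytes]:
        if len(request) < HDR.size:
            return None
        ptype, pointer, length = HDR.unpack_from(request)
        if ptype != REQ_TYPE:
            return None
        for base, payload in self.regions:
            # The requested range must lie entirely inside one registered region.
            if base <= pointer and pointer + length <= base + len(payload):
                off = pointer - base
                return HDR.pack(DATA_TYPE, pointer, length) + payload[off:off + length]
        return None  # unregistered pointer or over-long read: refused


def receive_data(reply: Optional[bytes], want_ptr: int, want_len: int) -> Optional[bytes]:
    """AP-side controller: accept a second-type packet only if it matches the request."""
    if reply is None or len(reply) < HDR.size:
        return None
    ptype, pointer, length = HDR.unpack_from(reply)
    data = reply[HDR.size:]
    if ptype != DATA_TYPE or (pointer, length) != (want_ptr, want_len) or len(data) != length:
        return None
    return data


def stream(switch: SwitchController, pointer: int, length: int) -> Optional[bytes]:
    """One complete exchange: request from the AP, reply from the switch, data at transmit time."""
    return receive_data(switch.serve(build_request(pointer, length)), pointer, length)


# Constructed sample: a single payload registered at pointer 0x1000.
SAMPLE_SWITCH = SwitchController([(0x1000, b"hello-wlan-payload")])
```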
The Lower MAC processor of a prior art AP typically includes a cryptography engine to encrypt packets for transmission, on the fly, or to decrypt received packets, again on the fly. One reason encryption is done on the fly, at the last minute, is that there may be a need to re-encrypt packets for transmission; in that case the packets must be locally available and the encryption must be performed at the last moment.
One disadvantage of encrypting the data using an encryption engine in the MAC processor is that unencrypted data is then present locally at the wireless station, adding to vulnerability. Furthermore, the local wireless station needs to locally store and maintain the required encryption keys, again adding to vulnerability.
Thus there is a need in the art for a method and apparatus that allows encryption to be carried out on a device remote from the AP, e.g., the edge switch.
As described in the Parent Application, it may be that some of the MAC functionality will be carried out in a switch to which the access point is connected. With the system described in the Parent Application, one may carry out the encryption in the switch prior to streaming the data for transmission. That is, one could effectively encrypt prior to enqueue on the AP. However, this is undesirable, because it decouples the encryption process on the switch from the process of selecting the next packet in the AP. In order to do this, the switch must make assumptions about what will happen and when. When those assumptions are incorrect, the AP must at best request a newly encrypted version of the packet, or at worst simply discard the packet and wait for the higher layers to sort out the situation. That is, the inventors believe that encrypting at the switch prior to the enqueue is too early. For example, depending on what happens with the packet, there may be a need to request that the to-be-transmitted packet be re-encrypted. If such encryption is carried out at the switch, this would require sending packets back to the switch from the MAC. This not only implies a need for the switch to maintain the unencrypted packets until they are transmitted, but also adds significant latency to the transmission time. Furthermore, such an arrangement may considerably complicate the architecture.
There is thus a need in the art for a mechanism that provides for more of the MAC functionality to reside in a device remote from the wireless station itself, including encryption, without the negative side effects that may require re-encryption of data. There therefore is a need for a method and apparatus that carries out the encryption process inline with the wireless transmission, e.g., by maintaining the coupling between the AP's transmitting information and the encryption.