1. Field of the Invention
The present invention relates to a device for handling a network security protocol. In particular, the present invention relates to a device that encrypts and decrypts data packets at network speed according to a network security protocol.
2. Discussion of the Related Art
In popular network protocol architectures, such as a transmission control protocol/internet protocol (TCP/IP) network, a network security protocol typically requires encrypting the payload of a data packet and appending integrity check data bits.
For example, FIG. 1 illustrates encryption of a packet under the “tunnel mode” of the IPsec network security protocol. As shown in FIG. 1, under the tunnel mode, data packet 101, including both its header portion 101a and its payload portion 101b, is encrypted using a cryptographic algorithm (e.g., DES or Triple DES) specified under one or more agreed security policies and/or “Security Associations” between the sender and the recipient. The resulting new packet 102 includes the encrypted data packet 101 as its new payload 102b, a new header 102a, and a trailer 102c. Typically, trailer 102c includes “integrity check” data bits that are used by a recipient of data packet 102 to determine whether data packet 102 has been corrupted or tampered with in transit.
Network security protocols, such as IPsec, require extensive computation. In the prior art, IPsec is often provided as software executed in a general-purpose computer system, such as computer system 200 shown in FIG. 2. As shown in FIG. 2, computer system 200 includes central processing unit (CPU) 201, communicating over bus 208 with memory system 203, peripherals 204, storage system 205, direct memory access (DMA) controller 202, and input and output (I/O) devices 206 and 207. CPU 201 may be implemented, for example, by a general purpose microprocessor. DMA controller 202 provides access by peripheral and I/O devices 206 and 207 to memory system 203. I/O devices 206 and 207 may include, for example, network interfaces for interfacing computer system 200 with an external data network in which packetized secured communication under IPsec occurs.
The increase in processing power of a general purpose microprocessor (such as CPU 201 of computer system 200) has not kept pace with the increase in network data rates achieved in recent years. As a result, CPU 201 often becomes the performance bottleneck for network traffic. One method for providing a higher throughput off-loads the cryptographic processing of data packets to a co-processor. In some implementations, to provide an even higher throughput and to avoid congestion on the system data bus, communication between the CPU and the co-processor is carried out on a separate data bus that typically operates at a higher data rate than bus 208 of computer system 200. FIG. 3 shows complex multi-bus computer system 300 for processing network traffic, which includes cryptographic co-processor (CCP) 301 and network processor (NPU) 303. In multi-bus computer system 300, dedicated data buses 304 and 305 provide high bandwidth data communication between CCP 301 and NPU 303. NPU 303 can be used to provide data traffic processing, such as switching and routing. NPU 303 can be provided with high speed memory 302 to achieve a high data rate. High speed memory 302 can be implemented, for example, by a content addressable memory (CAM). Often, additional hardware, such as a load-balancer, distributes the network traffic among a number of NPUs to provide parallelism for operation at higher data rates.
Multiple data buses, CCPs, NPUs and CAMs add substantial cost and complexity to the system. Moreover, even such complex systems cannot keep up with the rate at which network data rates increase.