Data communication networks may include various computers, servers, hubs, switches, nodes, routers, proxies, and other devices coupled to and configured to pass data to one another. These devices will be referred to herein as “network elements”. Data is communicated through the data communication network by passing protocol data units, such as frames, packets, cells, or segments, between the network elements by utilizing one or more communication links. A particular protocol data unit may be handled by multiple network elements and cross multiple communication links as it travels between its source and its destination over the network.
FIG. 1 illustrates an example communication network 10. As shown in FIG. 1, end users 12 will connect to the network 10 by connecting to an access network element 14. The access network elements connect to a core network implemented using core network elements 16. Links 18 interconnect all the various network elements so that data may be transmitted across the network. Many network architectures exist and the network shown in FIG. 1 is merely intended to be a reference network, and is not therefore intended to be limiting of the claims or the invention set forth below.
It is often desirable to encrypt the data before it is transmitted onto the communication network, either by the end user 12 or at the ingress network element 14, so that the data is protected from being viewed and/or modified as it crosses the network 10. Thus, in the reference network of FIG. 1, either the end user equipment 12 or the access network element 14 may implement a cryptographic system to encrypt data before it is transmitted across network 10 and to decrypt data as it is received from the network 10. The cryptographic system may also perform other tasks, such as compressing the data and signing the data.
FIG. 2 is a simplified functional block diagram of a network element 20 that may be used to implement end user equipment 12, access network elements 14, or core network elements 16. Many different ways of implementing network elements have been developed over time. For example, one common way is for the network element 20 to include a data plane and a control plane. The data plane handles data traffic on the network and the control plane interacts with other network elements, i.e. by engaging in protocol exchanges with other network elements, to determine how the network element should behave on the network. The control plane will then interact with the data plane to specify how the data plane should operate in connection with handling particular types of data or particular flows of data. Since the various techniques described herein reside primarily in the data plane, with minimal interaction with the control plane, only the data plane of the network element of FIG. 2 has been shown.
As shown in FIG. 2, the network element 20 includes a plurality of input/output cards 22. The I/O cards 22 have physical interfaces to links 18 and receive signals from the links according to whatever physical protocol is in operation on that link; the same physical protocol specifies how signals should be formatted for transmission on the particular link. The I/O cards thus allow the network element 20 to receive signals from the physical media implementing the links 18 and convert the signals into bits/bytes of data. When transmitting data, the I/O cards will conversely take the bits/bytes and format the physical signals that will be output onto the links 18. The I/O cards may perform other functions as well, such as framing the data to create PDUs from the received signals, depending on the implementation of the network element.
Once data has been received by the network element 20, it will be processed by a network processor 24 and optionally may be encrypted/decrypted by a cryptographic system 26. The data may be passed through a switch fabric 28 before or after being encrypted/decrypted and optionally may be processed by a different network processor 24, or by the same network processor a second time, before being output by the same I/O card or a different I/O card. Many network element architectures have been developed over time and, thus, the network element shown in FIG. 2 is merely intended as a reference network element.
When data is to be encrypted or decrypted, the data will be passed to the cryptographic system 26 for processing. The amount of data that a cryptographic system can handle in a given period of time is not constant, but rather is a function of the size of the packets that are being input to the cryptographic system, the transform algorithm being used by the cryptographic system, and whether the cryptographic system is encrypting the data or decrypting the data. Packet size is of particular importance when determining the throughput of a cryptographic system, as a cryptographic system may be able to handle a significantly higher volume of data formed as large sized packets than it can when the data is formed as smaller sized packets.
Cryptographic processing may be a relatively slow process and, hence, the cryptographic system may form a bottleneck on the amount of data a network element is able to handle. Accordingly, optimizing the use of the cryptographic system so that it outputs as much data as possible is important to the overall performance of the network element. Previously, attempts have been made to optimize the output of the cryptographic system by queuing the data before sending it to the cryptographic system, and then inputting the data at a steady rate from the input queue to the cryptographic system. This ensures that data is always available to the cryptographic system, so that the cryptographic system has a steady stream of data to encrypt/decrypt and thus is more likely to operate efficiently. Unfortunately, as discussed above, the amount of data a cryptographic system is able to process may vary dramatically depending on the format/size of the input data and the process to be implemented on the data. Thus, inputting the data at a steady rate results in either under-utilization of the cryptographic system, if the steady-rate value is selected based on the lowest sustained throughput, or oversubscription of the cryptographic system, if the steady-rate value is selected based on the highest sustained throughput. In either case performance is not optimal, because the cryptographic system is either underutilized or occasionally overutilized, and overutilization can cause the input queue to overflow and packets to be dropped.
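The two preceding paragraphs argue that a cryptographic system's throughput depends on packet size, algorithm and direction, and that feeding it at any single fixed rate therefore either starves it or overflows its input queue. The following Python model is an added illustration of that argument and is not part of the application or of any product it describes. It assumes a hypothetical engine whose per-packet cost is a fixed overhead plus a per-byte transform cost; the numbers in `COSTS`, the packet sizes and the queue capacity are constructed for illustration only and are not measurements of any real device. The simulation feeds a bounded FIFO at a constant rate and reports what is delivered, what is dropped, and how long the engine sits idle.

```python
"""Throughput model for a packet-at-a-time cryptographic engine (illustrative only)."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class EngineCost:
    """Cycle costs for one (algorithm, direction) pair.

    per_packet: work that does not shrink with packet size (SA/key lookup, IV and tag
                handling, descriptor setup, write-back).
    per_byte:   the transform itself.
    Both values are hypothetical; they are chosen to make the size effect visible.
    """
    per_packet: float
    per_byte: float


# Constructed cost table. Decrypt is costed slightly higher than encrypt to model the
# tag verification an authenticated-decrypt path performs before releasing plaintext.
COSTS: Dict[Tuple[str, str], EngineCost] = {
    ("aes-gcm", "encrypt"): EngineCost(per_packet=400.0, per_byte=1.0),
    ("aes-gcm", "decrypt"): EngineCost(per_packet=450.0, per_byte=1.0),
    ("aes-cbc-hmac-sha256", "encrypt"): EngineCost(per_packet=600.0, per_byte=2.5),
    ("aes-cbc-hmac-sha256", "decrypt"): EngineCost(per_packet=650.0, per_byte=2.5),
}


def cycles_for_packet(cost: EngineCost, size: int) -> float:
    """Engine cycles consumed by one packet of `size` bytes."""
    return cost.per_packet + cost.per_byte * size


def throughput(cost: EngineCost, size: int) -> float:
    """Sustained bytes per cycle when the engine is fed only packets of `size` bytes."""
    return size / cycles_for_packet(cost, size)


def simulate_fixed_rate(cost: EngineCost, sizes: Iterable[int], rate: float,
                        capacity: int) -> Tuple[int, int, float]:
    """Feed packets to a single engine at a constant `rate` (bytes/cycle) through a
    bounded FIFO that holds at most `capacity` packets, including the one in service.

    Returns (delivered, dropped, idle_fraction). A packet that arrives when the FIFO
    is full is dropped, which is the oversubscription failure mode described above.
    """
    in_system = deque()      # completion times of accepted packets not yet finished
    engine_free_at = 0.0     # time at which the engine finishes its current backlog
    busy = 0.0               # total cycles the engine spent transforming data
    released_bytes = 0       # bytes the steady-rate feeder has handed over so far
    delivered = dropped = 0
    for size in sizes:
        # The feeder releases a packet once its bytes have "accrued" at the fixed rate.
        released_bytes += size
        arrival = released_bytes / rate
        # Packets finished before this arrival have left the FIFO (completion times
        # are monotonic for a single FIFO server, so popping from the left is safe).
        while in_system and in_system[0] <= arrival:
            in_system.popleft()
        if len(in_system) >= capacity:
            dropped += 1
            continue
        service = cycles_for_packet(cost, size)
        start = max(arrival, engine_free_at)
        engine_free_at = start + service
        busy += service
        in_system.append(engine_free_at)
        delivered += 1
    idle_fraction = 0.0 if engine_free_at == 0.0 else 1.0 - busy / engine_free_at
    return delivered, dropped, idle_fraction


def steady_rate_outcomes(cost: EngineCost, small: int = 64, large: int = 1500,
                         n: int = 1000, capacity: int = 16) -> Dict[str, Tuple[int, int, float]]:
    """Compare the two ways of picking one fixed input rate.

    'low' is the throughput at the smallest packet size (worst case); 'high' is the
    throughput at the largest (best case). Each rate is then applied to the traffic
    it was NOT sized for, which is where the fixed-rate scheme breaks down.
    """
    low = throughput(cost, small)
    high = throughput(cost, large)
    return {
        "low_rate_large_packets": simulate_fixed_rate(cost, [large] * n, low, capacity),
        "high_rate_small_packets": simulate_fixed_rate(cost, [small] * n, high, capacity),
    }


if __name__ == "__main__":
    for key, cost in COSTS.items():
        print(f"{key[0]:<20} {key[1]:<8} 64B: {throughput(cost, 64):.3f} B/cycle   "
              f"1500B: {throughput(cost, 1500):.3f} B/cycle")
    for name, (delivered, dropped, idle) in steady_rate_outcomes(COSTS[("aes-gcm", "encrypt")]).items():
        print(f"{name}: delivered={delivered} dropped={dropped} idle={idle:.1%}")
```

With the constructed costs, the engine moves roughly five to six times more bytes per cycle on 1500-byte packets than on 64-byte packets, so a rate sized for 64-byte traffic leaves it idle over 80% of the time on large packets, while a rate sized for 1500-byte traffic overflows a 16-packet FIFO and drops most small packets. Swapping in a different `EngineCost` or a mixed size stream shows how sensitive the fixed-rate choice is to the traffic actually offered.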