1. Field of the Invention
The present invention relates to the field of network routers. More specifically, the present invention relates to the use of a reflected interrupt to execute encryption-related processing of packets by a router.
2. The Background
An Internetwork Operating System (IOS) is a system that provides common functionality, scalability, and security for all products contained in a computer network. It generally allows centralized, integrated, and automated installation and management of internetworks, while ensuring support for a wide variety of protocols, media, services, and platforms.
Traditionally, IOS has been implemented in software. However, it can be much more efficient to implement certain aspects of IOS in hardware. This allows not only the obvious advantage of hardware execution of commands (which is usually much faster than software execution), but also the advantage of permitting some commands to be run in parallel with commands being executed in software, creating efficiency through pipelining.
One area in which this offloading of IOS functionality to hardware is especially effective is in encryption. In order to provide security, most IOS implementations include an encryption library, a series of commands for implementing security-relation encryption. Generally such commands are executed on packets received or sent by a router. Since most routers receive a large amount of traffic, the speed and efficiency of the execution of such commands are of utmost concern to manufacturers.
When such commands were implemented solely in software, it was common for the software to be divided into two separate parts: public and restricted. The public portion would contain public keys and subroutines, while the restricted portion would contain protected source code and cryptographic libraries. Execution of commands would involve calls between these two parts.
With the movement towards hardware implementation, the commands may now be implemented in a hardware-based encryption accelerator. A hardware application program interface (API) is created which replaces the calls between the public and restricted parts by interfacing with the hardware-based encryption accelerator.
There are generally three types of encryption/decryption commands. The first is registration. These are simply the commands used to indicate to the API that hardware encryption is going to be performed. Commands of this type may be executed fairly rarely, such as only when the IOS is initialized.
A second group of encryption/decryption commands includes protocol commands. These are commands which indicate the proper protocol that commands to the driver should be in, as well as the protocol the driver will use for responding. These commands are also executed fairly rarely, such as perhaps once every day or so.
The third group of encryption/decryption commands includes bulk encryption and decryption. Commands of this type do the actual work of encrypting and decrypting packets, as well as error-correcting. Commands of this type are executed very often and are therefore the most important to consider when speed and efficiency is an issue.
Typically, when a bulk encryption or decryption command is executed, the hardware is placed in what is known as a critical section. During the critical section, network interrupts are generally masked so that no packets may be handled until after the encryption or decryption process has finished. Parallel execution of commands is limited to other encryption or decryption commands. This is necessary to ensure proper security. Unfortunately, there are several problems that arise with such an implementation.
If the encryption or decryption commands are being executed on fairly large packets, there is a possibility of non-encryption-related commands on other packets not being executed for long periods of time since the IOS is stuck in the critical section. This is known as starvation, and also may occur if a large number of packets requiring encryption or decryption are received within a relatively short period of time. If these starved packets are time-sensitive, such as Voice-over-IP packets, then starvation becomes an even bigger problem.
Additionally, given the speed at which the hardware implementation is able to execute, it is generally a good idea to keep all the queues full to ensure proper efficiency of system resources.
What is needed is a solution which prevents the starvation of time-critical packets as well as ensures proper efficiency of system resources.