In recent years, network bandwidth has been increasing much faster than the speed of the processing systems, such as computer systems and other systems, that communicate over such networks. Increases in network bandwidth have resulted from new technologies and standards for both wide area networks (WANs) and local area networks (LANs). WAN technologies such as SONET (synchronous optical networks) using DWDM (dense wavelength division multiplexing) have increased available bandwidth by several orders of magnitude over the span of only a few years. Similarly, LAN technologies such as gigabit Ethernet and ten gigabit Ethernet on copper and optical fiber have increased available network bandwidth by two orders of magnitude relative to the standard 10- and 100-megabit Ethernet standards. During the same period, the computational power of computers and other systems has been doubling only about every 18 months. Because the processing speed of communication devices has not kept pace with the bandwidth of the networks to which they connect, many devices attached to networks cannot exploit the full bandwidth of the network.
FIG. 1 shows an example of a local area network. The devices on the local network can include general purpose computers, such as computers 101a, 101b, and 101c, as well as storage devices such as network storage devices 102a and 102b, as well as appliances for performing specialized functions, such as data caching and load balancing or other custom processing (see specialized appliances 103a and 103b). The actual communication path, whether by copper wire, optical fiber or wireless, can be implemented in a variety of topologies, such as switches, rings, or buses such as the bus 104 shown for the local area network 105. The local area network typically also includes a link 106 which may be a gateway system to other networks, such as the Internet.
The most common implementation of a local area network in use today is TCP/IP on Ethernet (IEEE 802.3). TCP is a reliable, connection-oriented stream protocol that runs on top of IP, which is a packet-based protocol. UDP is a datagram-oriented protocol that also runs on top of IP. Thus, processing systems, such as computer systems in a computer network, typically transmit information over the network in the form of packets. A number of different packet-based protocols have been defined to enable interconnected network computers to communicate with each other. Generally, the network protocol requires each processing system connected to the network to check, process and route the information contained in each packet.
An application program executing on a computer (an example of a host system), such as a general purpose computer coupled to the network, may need to send data to another device on the network. A common way is for the application program to call the socket interface of the network protocol stack, which in turn calls the TCP/IP and Ethernet drivers. The data is encapsulated first by a TCP (Transmission Control Protocol) header, then by an IP (Internet Protocol) header, and lastly by an Ethernet header and trailer, as shown in FIG. 2. The application data 201 may be text, graphics, a combination of text and graphics, video/motion pictures, or other types of data. As shown in FIG. 2, the TCP header 202 is prepended to the application data 201, and then the IP header 203 is prepended to the combination of the application data 201 and the TCP header 202. Finally, the Ethernet driver prepends an Ethernet header 204 and appends an Ethernet trailer 205. After the Ethernet driver has completed the encapsulation process, the entire frame (containing 201, 202, 203, 204, and 205) is transmitted over the communication medium of the network, which may be copper wire, optical fiber, wireless, or other communication media, to another device coupled to the network. The receiving device goes through the reverse sequence, stripping and checking each layer in turn.
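The encapsulation sequence of FIG. 2 and its reverse on the receiving side, as an added example in Python (this is illustrative code, not code from the patent or from any product it describes). The MAC addresses, IP addresses, ports and sequence numbers are constructed sample values; the Ethernet minimum-frame padding is omitted, and the frame check sequence is computed in software here even though a real NIC computes it in hardware.

```python
"""Ethernet/IP/TCP encapsulation and decapsulation, as in FIG. 2.

Added example; not code from the patent. Addresses, ports and sequence
numbers below are constructed sample values.
"""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_PSH_ACK = 0x18

# Constructed sample endpoints (assumptions, not from the original text).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns 0 when a
    buffer that already contains its checksum field verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(sport, dport, seq, ack, payload):
    """TCP header (202) placed in front of the application data (201)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                      TCP_PSH_ACK, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header of IP addresses and length.
    pseudo = struct.pack("!4s4sBBH", SRC_IP, DST_IP, 0, IPPROTO_TCP,
                         len(hdr) + len(payload))
    csum = inet_checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_packet(segment):
    """IP header (203) placed in front of the TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                      0x4000, 64, IPPROTO_TCP, 0, SRC_IP, DST_IP)
    csum = inet_checksum(hdr)  # covers the IP header only
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + segment


def ethernet_frame(packet):
    """Ethernet header (204) in front and CRC-32 FCS trailer (205) behind."""
    body = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return body + struct.pack("<I", zlib.crc32(body))


def encapsulate(app_data, sport=40000, dport=80, seq=1, ack=1):
    """Sender path: application data -> TCP -> IP -> Ethernet."""
    return ethernet_frame(ip_packet(tcp_segment(sport, dport, seq, ack, app_data)))


def decapsulate(frame):
    """Receiver path: strip the layers in reverse, verifying each check value."""
    body, fcs = frame[:-4], frame[-4:]
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("bad Ethernet FCS")
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = body[14:]
    ihl = (ip[0] & 0x0F) * 4
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    seg = ip[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, IPPROTO_TCP, len(seg))
    if inet_checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq = struct.unpack("!HHI", seg[:8])
    data_offset = (seg[12] >> 4) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "payload": seg[data_offset:]}


def is_verified(frame) -> bool:
    """True if every layer's check value is intact."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False
```

Note that the Ethernet FCS and the IP/TCP checksums only detect accidental corruption; an on-path attacker can modify the payload and recompute all three, which is why the SSL/TLS MAC described later is needed.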
Much of the information transmitted across the Internet according to the Transmission Control Protocol/Internet Protocol (TCP/IP) is vulnerable to eavesdropping and tampering. Any system on the path of an IP packet may intercept, replay or reproduce it. There has thus been a growing demand to protect Internet transmissions while using the existing infrastructure. Secure Sockets Layer (SSL) is a security protocol that was developed by Netscape Communications to compensate for the lack of data protection then in place on the Internet. SSL can be used for any type of Internet service, whether FTP, GOPHER, NNTP (USENET News) or the Web, but its most popular use is for World Wide Web traffic. Further detailed information concerning the SSL specification can be found on Netscape Communications' web site at http://home.netscape.com/eng/ssl3/. More recently, SSL has been enhanced and replaced by Transport Layer Security (TLS), developed by the Internet Engineering Task Force (IETF). Further detailed information concerning the development of TLS can be found on the IETF's web site at http://www.ietf.org.
SSL allows a user to send and receive information to and from other entities on the World Wide Web in an encrypted manner. This means that any information (pictures, text, forms, etc.) transmitted between a server and an SSL-capable Web browser is encrypted and protected by a message authentication code. Thus, while the data may travel across 20 or 30 networks, no intermediate system can read the data, and any tampering with it in transit is detected by the receiving endpoint and the record rejected. These guarantees hold between the two endpoints only, and only if the peer has been properly authenticated during the handshake; the endpoints themselves still handle the data in the clear.
SSL is an enhancement to the TCP/IP suite of network protocols for secure communication between two devices. As shown in FIG. 3, an SSL header 306 may be included in the header field 300. Various communication protocol headers, such as an Ethernet header 304, are also added. The TCP header 302 handles the flow of application data between two systems. The IP header 303 helps determine the path along which data is moved through the network.
Secure communication involves adding a Message Authentication Code (MAC) 307 to the application data 301 and then encrypting the application data and MAC together using a symmetric cipher. To establish a secure connection, the client device opens a normal TCP/IP connection to the server on a designated port. After this connection is established, the client and server exchange handshake messages that negotiate the cipher suite, the key exchange method and the parameters for data transfer between the two devices. Once the handshake has established the session keys, both devices send all data over that connection as encrypted and authenticated records. Keys can be exchanged through several mechanisms. In some situations no new key exchange takes place at all, for example when a previously negotiated session is resumed and its master secret is reused.
Each receiving system maintains a TCP table. The TCP table contains the source IP address, destination IP address, source port, destination port, and other per-connection information. This information is carried in the TCP/IP headers when a TCP/IP connection is established. After a TCP/IP connection is established, each receiving system and sending system stores the above information in its TCP table. A secure connection can be requested by a sending system by specifying a secure destination port (e.g., port 443 for HTTPS web server requests, whereas a normal HTTP connection uses port 80). Based on this information, the receiving system knows that the connection being established is a secure connection, and further determination of whether SSL processing is required can also be based on the secure destination port. Port numbers are only a convention, however: SSL can be run on any port, so a port-based classification must be treated as a hint rather than a guarantee.
When a device wishes to send SSL encrypted/authenticated data to the network, the application communicates with the SSL library. Using the session keys generated during the connection handshake, the SSL library partitions the data into SSL Records and authenticates and encrypts each SSL Record. It then passes each Record to the TCP layer and subsequently to the IP layer for IP encapsulation and final transmittal to the Ethernet interface. The receiving device goes through a similar sequence in reverse order, decrypting each Record, verifying its MAC and reassembling the application data.
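The record processing described in the two paragraphs above (MAC then encrypt on the sending side, decrypt then verify on the receiving side, with the data partitioned into records of at most 2^14 bytes and a per-direction sequence number folded into the MAC), as an added example in the TLS 1.0 record layout. This is illustrative code, not the patent's or any SSL library's implementation. RC4 is implemented inline only because the text names it and the Python standard library has no AES; RC4 and SHA-1 are deprecated and must not be used in new systems. The keys are constructed sample values standing in for the output of a real handshake.

```python
"""TLS 1.0-style record protection: fragment, MAC, then encrypt.

Added example; not from the patent. RC4 and HMAC-SHA1 are used only to
match the algorithms named in the text; both are obsolete.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # largest plaintext fragment per record
CONTENT_APPLICATION_DATA = 23
VERSION_TLS10 = b"\x03\x01"
MAC_LEN = 20                      # HMAC-SHA1 output size


def rc4_keystream(key: bytes):
    """RC4 key scheduling followed by the PRGA, as a byte generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def xor_stream(stream, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt; the cipher state carries across records."""
    return bytes(b ^ next(stream) for b in data)


def record_mac(mac_key, seq, ctype, version, fragment) -> bytes:
    """MAC over seq_num || type || version || length || fragment (TLS 1.0)."""
    header = struct.pack("!QB2sH", seq, ctype, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


class RecordWriter:
    """Sending direction: partitions data into records and protects each one."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key = mac_key
        self.stream = rc4_keystream(enc_key)
        self.seq = 0                       # 64-bit per-direction sequence number

    def protect(self, app_data: bytes, ctype=CONTENT_APPLICATION_DATA) -> bytes:
        records = []
        for off in range(0, len(app_data), MAX_FRAGMENT):
            fragment = app_data[off:off + MAX_FRAGMENT]
            mac = record_mac(self.mac_key, self.seq, ctype, VERSION_TLS10, fragment)
            body = xor_stream(self.stream, fragment + mac)      # MAC-then-encrypt
            records.append(struct.pack("!B2sH", ctype, VERSION_TLS10, len(body)) + body)
            self.seq += 1
        return b"".join(records)


class RecordReader:
    """Receiving direction: parses records off the TCP stream and verifies each."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key = mac_key
        self.stream = rc4_keystream(enc_key)
        self.seq = 0

    def unprotect(self, wire: bytes) -> bytes:
        out = bytearray()
        pos = 0
        while pos < len(wire):
            ctype, version, length = struct.unpack("!B2sH", wire[pos:pos + 5])
            body = wire[pos + 5:pos + 5 + length]
            if len(body) != length or length < MAC_LEN:
                raise ValueError("truncated or malformed record")
            plain = xor_stream(self.stream, body)
            fragment, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
            expected = record_mac(self.mac_key, self.seq, ctype, version, fragment)
            if not hmac.compare_digest(mac, expected):   # constant-time compare
                raise ValueError("bad_record_mac")
            out += fragment
            self.seq += 1
            pos += 5 + length
        return bytes(out)


def reader_rejects(reader: RecordReader, wire: bytes) -> bool:
    """True if the reader raises on the given bytes (tampering, replay, reorder)."""
    try:
        reader.unprotect(wire)
        return False
    except ValueError:
        return True
```

Because the sequence number is part of the MAC input but never sent on the wire, a replayed or reordered record fails verification even though its ciphertext and MAC are genuine; this is the check the receiving side in the paragraph above performs before handing data to the application.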
Referring to FIG. 4, to accomplish SSL encryption, decryption, or authentication, the acceleration device 402 uses various known algorithms (DES, RC4, MD5, SHA-1, etc.; several of these, RC4, DES and MD5 in particular, are no longer considered secure). These algorithms are computationally intensive. Custom circuits optimized to accelerate this computation have been developed to enhance the SSL process. Such circuits can achieve one to two orders of magnitude higher computational throughput than a typical microprocessor's arithmetic logic unit (ALU) performing the encryption or decryption in software. The acceleration device 402 shown in the system 400 of FIG. 4 is an example of such an acceleration device.
In conventional implementations, SSL and TCP/IP are distinct modules that operate on the application data sequentially. Due to its complexity, TCP/IP stack processing is usually confined to the host CPU. A problem with the scheme in FIG. 4 is the memory bandwidth and system interconnect bandwidth required to move data between its storage location 401 and the acceleration device 402. In devices such as the one shown in FIG. 4, the system CPU/chipset 404 (e.g., a Pentium microprocessor and its associated chipset) dispatches outgoing application data from system memory 401 to the acceleration device 402. The acceleration device 402 then encrypts/authenticates the data and sends it back to the system CPU/chipset 404 for processing and addition of the IP and TCP headers 303, 302 (as seen in FIG. 3) and delivery of the IP packets 311 to the network interface for final transmission. The outgoing data processing path discussed above is illustrated in FIG. 5a. Packet reception is analogous but in the reverse order, as shown in FIG. 5b. Each record therefore crosses the memory and interconnect buses several times, so system resources are heavily involved and fewer resources remain available for other tasks. Thus, a more efficient system is desired.