As is known in the art, a network processor is a programmable hardware device designed to process packets in a packet switching network at high speed. Network processors typically differ from other processors in that network processors include hardware that can rapidly perform protocol processing tasks.
As is also known, there is a trend to provide network processors which perform cryptographic processing of packet data. To facilitate the cryptographic processing, the network processors include cryptographic acceleration units (also referred to as “crypto units”). The crypto units accelerate the cryptographic processing of packet data to support cryptographic processing at line rate. One example of a network processor including a crypto unit is the Intel® IXP2850 network processor manufactured by Intel Corporation, 2200 Mission College Blvd. Santa Clara, Calif. 95052 USA.
Two types of cryptographic processing that are commonly performed on packet data are authentication processing (or more simply authentication) and ciphering processing (or more simply ciphering). Authentication is the process of creating a digest of the packet, which is sent along with the packet, and allows the receiver to verify that the packet was indeed sent by the sender (rather than by some third party) and was not modified in transit. Ciphering is the process of encrypting the packet, so that only the intended receiver, with the correct cryptographic key, can decrypt the packet and read its contents. The most commonly used security protocols perform both ciphering and authentication on each packet.
In order to support the ciphering of relatively small packets, the crypto units in the Intel® IXP2850 each have six processing contexts, which are each used to process one packet at a time. Each processing context contains storage for the cipher keys and algorithm context associated with the processing of one packet. Multiple processing contexts allow the latency of loading cryptographic key material and packet data to be hidden by pipelining the loading of data and key material into some of the contexts with the processing of data in other contexts. This allows the crypto unit to achieve close to full utilization of the cipher and authentication cores.
The crypto units in the Intel® IXP2850 implement the 3DES and AES cipher algorithms as well as the SHA1 authentication algorithm. Each of the crypto units contains a single AES core and a pair of 3DES and SHA1 cores because the structure of those algorithms make it difficult for a single core to operate at the required data rates. By implementing a pair of cores and allowing both cores to process data in parallel, the crypto units meet desired data rate requirements. This approach, however, presents a problem of how to schedule the operation of the individual cores within a pair.
There are several ways to solve this problem. For example, the contexts within a crypto unit can be divided into two groups and the each of the cores in a pair can be assigned to process requests from a group of contexts. Since the programmer controls which packets are processed by which processing context, this approach pushes the problem of load balancing work between the individual cores in a pair to the programmer.
For example, in a 3DES crypto unit the programmer must ensure that half of the packets requiring processing by the 3DES algorithm are assigned to one of the contexts serviced by one 3DES core, and the other half of the packets requiring processing by the 3DES algorithm are assigned to one of the contexts serviced by the other 3DES core.