WO2001005086A2 - Distributed processing in a cryptography acceleration chip - Google Patents
- Publication number: WO2001005086A2 (PCT/US2000/018537)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- cryptography
- packet
- packets
- chip
- processing
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/72—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/30—Arrangements for executing machine instructions, e.g. instruction decode
- G06F9/38—Concurrent instruction execution, e.g. pipeline, look ahead
- G06F9/3877—Concurrent instruction execution, e.g. pipeline, look ahead using a slave processor, e.g. coprocessor
- G06F9/3879—Concurrent instruction execution, e.g. pipeline, look ahead using a slave processor, e.g. coprocessor for non-native instruction execution, e.g. executing a command; for Java instruction set
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2207/00—Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
- G06F2207/72—Indexing scheme relating to groups G06F7/72 - G06F7/729
- G06F2207/7219—Countermeasures against side channel or fault attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
Definitions
- the present invention relates generally to the field of cryptography, and more particularly to an architecture and method for cryptography acceleration.
- VLSI VMS115 chip requires attached synchronous SRAM, which is the most expensive type of memory.
- the actual sustained performance of these chips is much less than peak throughput that the internal cryptography engines (or "crypto engines") can sustain.
- the chips have a long "context" change time.
- the prior art chips must swap out the current context and load a new context, which reduces the throughput.
- the new context must generally be externally loaded from software, and for many applications, such as routers and gateways that aggregate bandwidth from multiple connections, changing contexts is a very frequent task.
- the present invention provides an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs.
- the architecture enables parallel processing of packets through a plurality of cryptography engines and includes a classification engine configured to efficiently process encryption/decryption of data packets.
- Cryptography acceleration chips in accordance may be incorporated on network line cards or service modules and used in applications as diverse as connecting a single computer to a WAN, to large corporate networks, to networks servicing wide geographic areas (e.g., cities).
- the present invention provides improved performance over the prior art designs, with much reduced local memory requirements, in some cases requiring no additional external memory.
- the present invention enables sustained full duplex Gigabit rate security processing of IPSec protocol data packets.
- the present invention provides a cryptography acceleration chip.
- the invention provides a method for accelerating cryptography processing of data packets.
- the method involves receiving data packets on a cryptography acceleration chip, processing the data packets and matching classification information for the packets, and distributing the data packets to a plurality of cryptography processing engines for cryptographic processing.
- the data packets are cryptographically processed in parallel on the cryptography processing engines, and the cryptographically processed data packets are output from the chip in correct per flow packet order.
- the combination of the distribution and cryptographic processing further maintains packet ordering across a plurality of flows.
- Figs. 1A and 1B are high-level block diagrams of systems implementing a cryptography accelerator chip in accordance with one embodiment of the present invention.
- Fig. 2 is a high-level block diagram of a cryptography accelerator chip in accordance with one embodiment of the present invention.
- Fig. 3 is a block diagram of a cryptography accelerator chip architecture in accordance with one embodiment of the present invention.
- Fig. 4 is a block diagram illustrating a DRAM-based or SRAM-based packet classifier in accordance with one embodiment of the present invention.
- Figs. 6A and 6B are flowcharts illustrating aspects of inbound and outbound packet processing in accordance with one embodiment of the present invention.
- Fig. 7 shows a block diagram of a classification engine in accordance with one embodiment of the present invention, illustrating its structure and key elements.
- the present invention provides an architecture for a cryptography accelerator chip that allows significant performance improvements over previous prior art designs.
- the chip architecture enables "cell-based" processing of random-length IP packets, as described in copending U.S. Patent Application No. 09/510,486, entitled SECURITY CHIP ARCHITECTURE AND IMPLEMENTATIONS FOR CRYPTOGRAPHY ACCELERATION, incorporated by reference herein in its entirety for all purposes.
- cell-based packet processing involves the splitting of IP packets, which may be of variable and unknown size, into smaller fixed-size "cells." The fixed-sized cells are then processed and reassembled (recombined) into packets.
- the cell-based packet processing architecture of the present invention allows the implementation of a processing pipeline that has known processing throughput and timing characteristics, thus making it possible to fetch and process the cells in a predictable time frame.
- the cells may be fetched ahead of time (pre-fetched) and the pipeline may be staged in such a manner that the need for attached (local) memory to store packet data or control parameters is minimized or eliminated.
- Figs. 1A and 1B illustrate two examples of implementations of the invention as a cryptography acceleration chip incorporated into a network line card or a system module, respectively, in a standard processing system in accordance with embodiments of the present invention.
- the cryptography acceleration chip 102 on the card 103 also has associated with it a local processing unit 108 and local memory 110.
- the local memory 110 may be RAM or CAM and may be either on or off the chip 102.
- the system also generally includes a LAN interface (not shown) which attaches the processing system 100 to a local area network and receives packets for processing and writes out processed packets to the network.
- packets are received from the LAN or WAN and go directly through the cryptography acceleration chip and are processed as they are received from or are about to be sent out on the WAN, providing automatic security processing for IP packets.
- the chip features a streamlined IP packet-in/packet-out interface that matches line card requirements in ideal fashion.
- chips in accordance with the present invention may provide distributed processing intelligence that scales as more line cards are added, automatically matching up security processing power with overall system bandwidth.
- integrating the chip onto line cards preserves precious switching fabric bandwidth by pushing security processing to the edge of the system. In this way, since the chip is highly autonomous, shared system CPU resources are conserved for switching, routing and other core functions.
- the cryptography acceleration chip 152 may be part of a service module 153 for cryptography acceleration.
- the chip 152 in the service module 153 may be connected to a system bus 154 via a standard system interface 156.
- the system bus 154 may be, for example, a high speed system switching matrix, as are well known to those of skill in the art.
- the processing system 150 includes a processing unit 164, which may be one or more processing units, and a system memory unit 166.
- the cryptography acceleration chip 152 in the service module 153 also has associated with it a local processing unit 158 and local memory 160.
- the local memory 160 may be RAM or CAM and may be either on or off the chip 152.
- the system also generally includes a LAN interface which attaches the processing system 150 to a local area network and receives packets for processing and writes out processed packets to the network, and a WAN interface that connects the processing system 150 to a WAN, such as the Internet, and manages in-bound and out-bound packets.
- the LAN and WAN interfaces are generally provided via one or more line cards 168, 170. The number of line cards will vary depending on the size of the system. For very large systems, there may be thirty to forty or more line cards.
- Fig. 2 is a high-level block diagram of a cryptography chip architecture in accordance with one embodiment of the present invention.
- the chip 200 may be connected to external systems by a standard PCI interface (not shown), for example a 32-bit bus operating at up to 33 MHz.
- other interfaces and configurations may be used, as is well known in the art, without departing from the scope of the present invention.
- packet header information is sent to a packet classifier unit 204 where a classification engine rapidly determines security association information required for processing the packet, such as encryption keys, data, etc.
- the classification engine performs lookups from databases stored in associated memory.
- the memory may be random access memory (RAM), for example, DRAM or SSRAM, in which case the chip includes a memory controller 212 to control the associated RAM.
- the associated memory may also be content addressable memory (CAM), in which case the memory is connected directly with the cryptography engines 216 and packet classifier 204, and a memory controller is unnecessary.
- the associated memory may be on or off chip memory.
- the security association information determined by the packet classifier unit 204 is sent to a packet distributor unit 206.
- the distributor unit 206 determines if a packet is ready for IPSec processing, and if so, distributes the security association information (SA) received from the packet classifier unit 204 and the packet data among a plurality of cryptography processing engines 124, in this case four, on the chip 200, for security processing.
- the cryptography engines may include, for example, "3DES-CBC/DES X" encryption/decryption, "MD5/SHA1" authentication/digital signature processing and compression/decompression processing. It should be noted, however, that the present architecture is independent of the types of cryptography processing performed, and additional cryptography engines may be incorporated to support other current or future cryptography algorithms. Thus, a further discussion of the cryptography engines is beyond the scope of this disclosure.
- Once the distributor unit 206 has determined that a packet is ready for IPSec processing, it will update shared IPSec per-flow data for that packet, then pass the packet along to one of the four cryptography and authentication engines 214. The distributor 206 selects the next free engine in round-robin fashion within a given flow. Engine output is also read in the same round-robin order. Since packets are retired in a round-robin fashion that matches their order of issue, packet ordering is always maintained within a flow ("per-flow ordering"). For the per-flow ordering case, state is maintained to mark the oldest engine (first one issued) for each flow on the output side, and the newest (most recently issued) engine on the input side; this state is used to select an engine for packet issue and packet retiring.
- the chip has an engine scheduling module which allows new packets to be issued even as previous packets from the same flow are still being processed by one or more engines.
- the SA Buffers will indicate a hit (SA auxiliary structure already on-chip), shared state will be updated in the on-chip copy of the SA auxiliary structure, and the next free engine found in round-robin order will start packet processing.
- the distributor 206 performs sequential portions of IPSec processing that rely upon packet-to-packet ordering, and hands off a parallelizable portion of IPSec to the protocol and cryptography processing engines.
- the distributor also handles state cleanup functions needed to properly retire a packet (including ensuring that packet ordering is maintained) once IPSec processing has completed.
- Per-flow ordering offers a good trade-off between maximizing end-to-end system performance (specifically desktop PC TCP/IP stacks), high overall efficiency, and design simplicity.
- scenarios that involve a mix of different types of traffic such as voice-over-IP (VoIP), bulk ftp/e-mail, and interactive telnet or web browsing will run close to 100% efficiency.
- Splitting, if necessary, a single IPSec tunnel into multiple tunnels that carry unrelated data can further enhance processing efficiency.
- Per-flow IPSec data includes IPSec sequence numbers, anti-replay detection masks, statistics, as well as key lifetime statistics (time-based and byte-based counters). Note that some of this state cannot be updated until downstream cryptography and authentication engines have processed an entire packet. An example of this is the anti-replay mask, which can only be updated once a packet has been established as a valid, authenticated packet.
- the distributor 206 handles these situations by holding up to eight copies of per-flow IPSec information on-chip, one copy per packet that is in process in downstream authentication and crypto engines (each engine holds up to two packets due to internal pipelining). These copies are updated once corresponding packets complete processing.
- This scheme will always maintain ordering among IPSec packets that belong to a given flow, and will correctly process packets under all possible completion ordering scenarios.
- strong ordering may be maintained by combining the distributor unit with an order maintenance packet retirement unit.
- the distributor completes the sequential portions of IPSec processing, and assigns the packet to the next free engine.
- the processed packet is placed in a retirement buffer.
- the retirement unit extracts processed packets out of the retirement buffer in the same order that the chip originally received the packets, and outputs the processed packets.
- packets may be processed through the multiple cryptography engines in an out-of-order fashion; however, packets are always output from the chip in the same order that the chip received them. This is an "out-of-order execution, in-order retirement" scheme. The scheme maintains peak processing efficiency under a wide variety of workloads, including a mix of similar size or vastly different size packets.
- the distributor's protocol processor is programmed via on-chip microcode stored in a microcode storage unit 208.
- the protocol processor is microcode-based with specific instructions to accelerate IPSec header processing.
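To make the two ordering schemes above concrete, here is an added simulation (not code from the patent or from its applicant) of the "out-of-order execution, in-order retirement" behaviour: packets are issued to four engines, engines finish out of order because packet sizes differ, and a retirement buffer releases packets only in chip input order. The workload, the per-cell cycle cost, the one-issue-per-cycle timing and the engine-selection rule (next free engine scanning from the round-robin pointer) are constructed assumptions for the model, not values from the patent.

```python
"""Added example: distributor + retirement-unit ordering simulation (constructed model)."""
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int    # chip input order (global arrival sequence)
    flow: str   # flow identifier, e.g. one IPsec tunnel / SA
    size: int   # payload bytes


def cycles_for(pkt: Packet, cell_bytes: int = 64) -> int:
    """Assumed engine cost: one cycle per fixed-size cell (ceiling division)."""
    return -(-pkt.size // cell_bytes)


def simulate(packets, n_engines=4):
    """Issue packets to engines and retire them in input order.

    Returns (completion_order, retired_order, max_held):
      completion_order: seqs in the order the engines finished them (may be out of order)
      retired_order:    seqs in the order the retirement unit released them
      max_held:         peak number of finished packets parked in the retirement
                        buffer behind an older packet that is still being processed
    """
    engine_free_at = [0] * n_engines
    rr = 0                       # round-robin pointer
    finish = {}                  # seq -> cycle at which its engine is done
    for cycle, p in enumerate(packets):            # assumption: one issue per cycle
        order = [(rr + i) % n_engines for i in range(n_engines)]
        free = [e for e in order if engine_free_at[e] <= cycle]
        # next free engine in round-robin order; if all are busy, the one that frees first
        e = free[0] if free else min(order, key=lambda k: engine_free_at[k])
        rr = (e + 1) % n_engines
        start = max(cycle, engine_free_at[e])
        engine_free_at[e] = start + cycles_for(p)
        finish[p.seq] = engine_free_at[e]

    completion_order = [q.seq for q in sorted(packets, key=lambda q: (finish[q.seq], q.seq))]

    # Retirement unit: a finished packet leaves only when every older packet has left.
    retired, held, expect, max_held = [], set(), packets[0].seq, 0
    for seq in completion_order:
        held.add(seq)
        while expect in held:
            held.remove(expect)
            retired.append(expect)
            expect += 1
        max_held = max(max_held, len(held))
    return completion_order, retired, max_held


def per_flow_in_order(packets, order):
    """True if, within every flow, packets appear in ascending input sequence."""
    flow_of = {p.seq: p.flow for p in packets}
    last_seen = {}
    for seq in order:
        f = flow_of[seq]
        if f in last_seen and seq < last_seen[f]:
            return False
        last_seen[f] = seq
    return True


# Constructed workload: one large packet at the head of flow A followed by small
# packets from flows A and B, so the small ones finish long before the large one.
SAMPLE = [
    Packet(0, "A", 1500), Packet(1, "B", 64), Packet(2, "A", 64), Packet(3, "B", 64),
    Packet(4, "A", 128), Packet(5, "B", 64), Packet(6, "A", 64), Packet(7, "B", 64),
]

if __name__ == "__main__":
    done, out, peak = simulate(SAMPLE)
    print("engine completion order:", done)        # small packets finish before packet 0
    print("retired (chip output) order:", out)      # always the input order
    print("peak retirement-buffer occupancy:", peak)
    print("per-flow order preserved:", per_flow_in_order(SAMPLE, out))
```

The `max_held` figure is the practical cost of strong ordering: every small packet behind the 1500-byte packet waits in the retirement buffer until it completes, so the buffer must be sized for the worst-case packet mix. That head-of-line cost is exactly what the per-flow ordering variant avoids, which is why the text presents it as the trade-off between throughput and design simplicity.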
- the chip also includes various buffers 210 for storing packet data, security association information, status information, etc., as described further with reference to Fig. 3, below.
- fixed-sized packet cells may be stored in payload or packet buffers
- context or security association buffers may be used to store security association information for associated packets/cells.
- the output cells are then stored in an output FIFO 216, in order to write the packets back out to the system.
- the processed cells are reassembled into packets and sent off the chip by the output FIFO 216.
- Fig. 3 is a block diagram of a cryptography accelerator chip architecture in accordance with one embodiment of the present invention.
- the chip 300 includes an input FIFO 302 into which IP packets are read. From the input FIFO 302, packet header information is sent to a packet classifier unit 204 where a classification engine rapidly determines security association information required for processing the packet, such as encryption keys, data, etc. As described in further detail below, the classification engine performs lookups from databases stored in associated memory.
- the memory may be random access memory (RAM), for example, DRAM or SSRAM, in which case the chip includes a memory controller 308 to control the associated RAM.
- the associated memory may also be content addressable memory (CAM), in which case the memory is connected directly with the cryptography engines 316 and packet classifier 304, and a memory controller is unnecessary.
- the associated memory may be on or off chip memory.
- the security association information determined by the packet classifier unit 304 is sent to a packet distributor unit 306 via the chip's internal bus 305.
- the packet distributor unit 306 then distributes the security association information (SA) received from the packet classifier unit 304 and the packet data via the internal bus 305 among a plurality of cryptography processing engines 316, in this case four, on the chip 200, for security processing.
- the crypto engines may include "3DES-CBC/DES X" encryption/decryption, "MD5/SHA1" authentication/digital signature processing and compression/decompression processing.
- the present architecture is independent of the types of cryptography processing performed, and a further discussion of the cryptography engines is beyond the scope of this disclosure.
- the packet distributor unit 306 includes a processor which controls the sequencing and processing of the packets according to microcode stored on the chip.
- the chip also includes various buffers associated with each cryptography engine 316.
- a packet buffer 312 is used for storing packet data between distribution and crypto processing.
- each crypto engine 316 has a pair of security association information (SA) buffers 314a, 314b associated with it. Two buffers per crypto engine are used so that one 314b, may hold the SA for a current packet (packet currently being processed) while the other 314a is being preloaded with the security association information for the next packet.
- a status buffer 310 may be used to store processing status information, such as errors, etc.
- Processed packet cells are reassembled into packets and sent off the chip by an output FIFO 318.
- the packet distributor 306 controls the output FIFO 318 to ensure that packet ordering is maintained.
- the IPSec cryptography protocol specifies two levels of lookup: Policy (Security Policy Database (SPD) lookup) and Security Association (Security Association Database (SAD) lookup).
- the policy look-up is concerned with determining what needs to be done with various types of traffic, for example, determining what security algorithms need to be applied to a packet, without determining the details, e.g., the keys, etc.
- the Security Association lookup provides the details, e.g., the keys, etc., needed to process the packet according to the policy identified by the policy lookup.
- the present invention provides chip architectures and methods capable of accomplishing this IPSec function at sustained multiple full duplex gigabit rates.
- the classification engine provides support for general IPSec policy rule sets, including wild cards, overlapping rules, conflicting rules and conducts deterministic searches in a fixed number of clock cycles. In preferred embodiments, it may be implemented either as a fast DRAM/SSRAM lookup classification engine, or on-chip CAM memory for common situations, with extensibility via off-chip CAM, DRAM or SSRAM.
- Engines in accordance with some embodiments of the present invention are capable of operating at wirespeed rates under any network load.
- the classifier processes packets down to 64 bytes at OC12 full duplex rates (1.2Gb/s throughput); this works out to a raw throughput of 2.5M packets per second.
- the classifier includes four different modes that allow all IPSec selector matching operations to be supported, as well as general purpose packet matching for packet filtering purposes, for fragment re-assembly purposes, and for site blocking purposes.
- the classifier is not intended to serve as a general-purpose backbone router prefix-matching engine.
- the classifier supports general IPSec policies, including rules with wildcards, ranges, and overlapping selectors. Matching does not require a linear search of overlapping rules, but instead occurs in a deterministic number of clock cycles.
- Security and filtering policies are typically specified using flexible rule sets that allow generic matching to be performed on a set of broad packet selector fields.
- Rule overlap and ordered matching add a level of complexity to hardware-based high-speed rule matching implementations.
- the requirement to select among multiple rules that match based on the order in which these rules are listed precludes direct implementation via high-speed lookup techniques that immediately find a matching rule independent of other possible matches.
- Chips in accordance with the present invention provide a solution to the problem of matching in a multiple overlapping order-sensitive rule set environment involving a combination of rule pre-processing followed by direct high-speed hardware matching, and supports the full generality of security policy specification languages.
- a pre-processing de-correlation step handles overlapping and possibly conflicting rule sets.
- This de-correlation algorithm produces a slightly larger equivalent rule set that involves zero intersection.
- the new rule set is then implemented via high-speed hardware lookups.
- High performance algorithms that support incremental de-correlation are available in the art.
- where CAM is used, a binarization step is used to convert range-based policies into mask-based lookups suitable for CAM arrays.
- the function of the packet classifier is to perform IPSec-specified lookup as well as IP packet fragmentation lookup. These lookups are used by the distributor engine, as well as by the packet input engine (FIFO).
- classification occurs based on a flexible set of selectors as follows:
- the result of packet classification is a classification tag.
- This structure holds IPSec security association data and per-flow statistics.
- a classifier in accordance with the present invention can be implemented using several different memory arrays for rule storage; each method involves various cost/performance trade-offs.
- the main implementations are external CAM-based policy storage; on-chip CAM-based policy storage; and external RAM (DRAM, SGRAM, SSRAM) based storage. Note that RAM-based lookups can only match complete (i.e. exact) sets of selectors, and hence tend to require more memory and run slower than CAM-based approaches.
- On-chip CAM offers an attractive blend of good capacity, high performance and low cost.
- a preferred approach for cost-insensitive versions of a cryptography acceleration chip in accordance with the present invention is to implement an on-chip CAM and to provide a method to add more CAM storage externally.
- Rule sets tend to be relatively small (dozens of entries for a medium corporate site, a hundred entries for a large site, perhaps a thousand at most for a mega-site) since they need to be managed manually.
- the de-correlated rule sets will be somewhat larger, however even relatively small CAMs will suffice to hold the entire set.
- a preferred method for cost-sensitive versions of a cryptography acceleration chip in accordance with the present invention is to implement DRAM-based classification, with a dedicated narrow DRAM port to hold classification data (i.e. a 32-bit SGRAM device).
- a higher performance alternative is to use external SSRAM, in which case a shared memory system can readily sustain the required low latency.
- the RAM-based variant illustrated in Fig. 4 relies upon a classification entry structure in external memory.
- the RAM-based classifier operates via a hash-based lookup mechanism.
- RAM-based classification requires one table per type of match: one for IPSec quintuples, one for IPSec triples, and a small table for fragmentation lookups.
- An important property of DRAM-based matching is that only exact matches are kept in the DRAM-based tables, i.e., it is not possible to directly match with wildcards and bit masks the way a CAM can.
- Host CPU assistance is required to dynamically map IPSec policies into exact matches. This process occurs once every time a new connection is created. The first packet from such a connection will require the creation of an exact match based on the applicable IPSec policy entry. The host CPU load created by this process is small, and can be further reduced by providing microcode assistance.
- the input match fields are hashed to form a table index, which is then used to look up a Hash Map table.
- the output of this table contains indexes into a Classification Entry table that holds a copy of match fields plus additional match tag information.
- Hash Map and Classification Entry tables are typically stored in off-chip
- the hash table returns indexes to three entries that could match in one DRAM access.
- the first entry is fetched from the Classification Table; if this matches the classification process completes. If not, the second then the third entry are fetched and tested for a match against the original match field. If both fail to match, a rehash distance from the original hash map entry is applied to generate a new hash map entry, and the process repeated a second time. If this fails too, a host CPU interrupt indicating a match failure is generated. When this occurs, the host CPU will determine if there is indeed no match for the packet, or if there is a valid match that has not yet been loaded into the classifier DRAM tables.
- Each hash bucket holds up to three entries pointing
- Host software can set the rehash distance per hash entry to minimize
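The hash-map lookup just described, as an added Python model that is not code from the patent or its applicant: a Hash Map table whose buckets hold up to three indexes into a Classification Entry table plus a per-bucket rehash distance, a lookup that tries the three candidates, applies the rehash distance once, and otherwise reports a match failure for the host CPU, and a host-side insert that creates the exact-match entry for a new connection. The FNV-1a hash, the byte layout of the quintuple, the integer "tag" standing in for the SA auxiliary structure, and all flow values are assumptions of this model.

```python
"""Added example: Hash Map -> Classification Entry lookup with rehash (constructed model)."""
import struct


def fnv1a_32(data: bytes) -> int:
    """Deterministic hash of the match fields (assumed; the patent names no hash function)."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def pack_quintuple(src_ip: int, dst_ip: int, proto: int, sport: int, dport: int) -> bytes:
    """IPsec quintuple selector as a fixed-width byte string (assumed layout)."""
    return struct.pack("!IIBHH", src_ip, dst_ip, proto, sport, dport)


class RamClassifier:
    """Three candidate entries per hash bucket, one rehash attempt, then host escalation."""
    BUCKET_SLOTS = 3

    def __init__(self, n_buckets: int, rehash_distance: int = 1, hash_fn=fnv1a_32):
        self.n = n_buckets
        # Hash Map entry: up to three indexes into the entry table + a rehash distance
        # that host software may tune per bucket.
        self.hash_map = [{"slots": [], "rehash": rehash_distance} for _ in range(n_buckets)]
        self.entries = []          # Classification Entry table: (match_fields, tag)
        self.hash_fn = hash_fn

    def insert(self, key: bytes, tag: int) -> None:
        """Host-side step: add the exact match for a new connection."""
        idx = self.hash_fn(key) % self.n
        for _ in range(2):                          # primary bucket, then rehash bucket
            bucket = self.hash_map[idx]
            if len(bucket["slots"]) < self.BUCKET_SLOTS:
                self.entries.append((key, tag))
                bucket["slots"].append(len(self.entries) - 1)
                return
            idx = (idx + bucket["rehash"]) % self.n
        raise RuntimeError("no free slot in primary or rehash bucket; host must rebuild tables")

    def lookup(self, key: bytes):
        """Return (tag, entry_fetches); tag is None when the host CPU must resolve the packet."""
        idx = self.hash_fn(key) % self.n
        fetches = 0
        for _ in range(2):                          # original bucket, then one rehash
            bucket = self.hash_map[idx]
            for entry_idx in bucket["slots"]:       # candidates from one Hash Map read
                fetches += 1                        # one Classification Entry fetch each
                fields, tag = self.entries[entry_idx]
                if fields == key:                   # compare against the full match field
                    return tag, fetches
            idx = (idx + bucket["rehash"]) % self.n
        return None, fetches                        # -> "match failure" interrupt to host


if __name__ == "__main__":
    clf = RamClassifier(n_buckets=256, rehash_distance=7)
    # constructed flows: one TCP/443 connection and one IKE (UDP/500) exchange
    flow_a = pack_quintuple(0x0A000001, 0xC0A80001, 6, 40000, 443)
    flow_b = pack_quintuple(0x0A000002, 0xC0A80001, 17, 500, 500)
    clf.insert(flow_a, tag=0x1001)
    clf.insert(flow_b, tag=0x1002)
    print("flow_a:", clf.lookup(flow_a))
    print("unknown:", clf.lookup(pack_quintuple(0x0A000003, 0xC0A80001, 6, 1, 1)))
```

The `fetches` counter makes the cost model visible: a hit in the first candidate costs one entry read, a miss on both buckets costs up to six reads before the host is interrupted. The model also shows the failure mode the text assigns to host software: when both the primary and the rehash bucket are full, the table cannot take the new connection and the rehash distances or table size must be revisited.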
- a Hash Map structure entry is 128-bits long, and a Classification Entry is 192-bits long.
- This relatively compact representation enables huge numbers of simultaneous security associations to be supported in high-end systems, despite the fact that DRAM-based matching requires that only exact matches be stored in memory.
- the DRAM usage for 256K simultaneous sessions for IPSec quintuple matches is as follows: Classification Entry memory: 24 bytes × 256K ≈ 6.1 Mbytes of DRAM usage.
- Hash Map memory (sparse, 0.5 entries per hash bucket on average): 2 × 16 bytes × 256K ≈ 8 Mbytes.
- Total DRAM usage for 256K simultaneous sessions is under 16 Mbytes; 256K sessions would be sufficient to cover a major high-tech metropolitan area, and is appropriate for super high-end concentrator systems.
- a third table is needed for fragmentation lookups, but this table is of minimal size.
- the CAM based classifier is conceptually much simpler than the DRAM based version. In one embodiment, it is composed of a 104-bit match field that returns a 32-bit match tag, for a total data width of 136-bits. In contrast to DRAM-based classification, a common CAM array can readily be shared among different types of lookups. Thus a single CAM can implement all forms of lookup required by a cryptography acceleration chip in accordance with the present invention, including fragment lookups, IPSec quintuple matches, and IPSec triple matches. This is accomplished by storing along with each entry, the type of match that it corresponds to via a match type field.
- the set of IPSec rules are pre-processed via a de-correlation step and a binarization step prior to mapping to CAM entries, so it is not necessary for the CAM to support any form of ordered search. Rather, it is possible to implement a fully parallel search and return any match found.
- the preferred implementation involves an on-chip CAM that is capable of holding 128 entries. Each entry consists of a match field of 106-bits (including a 2-bit match type code) and a match tag of 32-bits.
- An efficient, compact CAM implementation is desired in order to control die area. The CAM need not be fast; one match every 25 clock cycles will prove amply sufficient to meet the performance objective of one lookup every 400ns. This allows a time-iterated search of CAM memory, and allows further partitioning of CAM contents into sub-blocks that can be iteratively searched. These techniques can be used to cut the die area required for the classifier CAM memory.
- CAM matching is done using a bit mask to reflect binarized range specifiers from the policy rule set.
- Bit masks are used to choose between IPSec quintuple, triple, fragment or non-IPSec basic matches.
- An extension mechanism is provided to access a much larger off-chip CAM that supports bit masks.
- An example of such a device is Lara Technologies' LTI1710 8Kx136/4Kx272 ternary CAM chip.
- Typical security policy rule sets range from a few entries to a hundred entries (medium corporate site) to a maximum of a thousand or so entries (giant corporate site with complex policies). These rule sets are manually managed and configured, which automatically limits their size.
- The built-in CAM size should be sufficient to cover typical sites with moderately complex rule sets; off-chip CAM can be added to cover mega-sites.
- CAM-based classification is extremely fast, and will easily provide the required level of performance. As such, the classifier unit does not need any pipelining, and can handle multiple classification requests sequentially.
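The CAM description above leaves three mechanisms implicit: how the 106-bit match field is laid out (104 bits of quintuple plus the 2-bit match type code), how a port range is "binarized" into prefix blocks that a bit mask can test, and why a fully parallel search can return any hit once the rules have been de-correlated. The following software model of the classifier CAM is an added example, not code from the patent or from any Broadcom product. It assumes a field order of src addr, dst addr, src port, dst port, protocol, and assumes the numeric values of the four match-type codes; neither is given on the page. Rules are assumed to be already de-correlated (pairwise disjoint), so the search returns a list that holds at most one tag.

```python
import ipaddress
from typing import List, Tuple

# Match-type codes carried in the 2-bit field prepended to the 104-bit key
# (src addr 32 | dst addr 32 | src port 16 | dst port 16 | protocol 8 = 104 bits,
# giving the 106-bit match field).  Field order and code values are assumptions.
MT_QUINTUPLE, MT_TRIPLE, MT_FRAGMENT, MT_BASIC = 0, 1, 2, 3
PORT_BITS = 16


def pack_fields(mtype: int, src: int, dst: int, sport: int, dport: int, proto: int) -> int:
    """Concatenate the classification fields into one 106-bit integer."""
    key = mtype & 0x3
    key = (key << 32) | (src & 0xFFFFFFFF)
    key = (key << 32) | (dst & 0xFFFFFFFF)
    key = (key << 16) | (sport & 0xFFFF)
    key = (key << 16) | (dport & 0xFFFF)
    key = (key << 8) | (proto & 0xFF)
    return key


def quintuple_key(mtype: int, src: str, dst: str, sport: int, dport: int, proto: int) -> int:
    """Key for a parsed packet header, as the classifier would present it to the CAM."""
    return pack_fields(mtype, int(ipaddress.IPv4Address(src)),
                       int(ipaddress.IPv4Address(dst)), sport, dport, proto)


def binarize_range(lo: int, hi: int, width: int = PORT_BITS) -> List[Tuple[int, int]]:
    """Binarization step: split the inclusive range [lo, hi] into aligned prefix blocks,
    each expressed as (value, mask) so that one ternary entry can test it."""
    full = (1 << width) - 1
    out = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned at lo and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, full & ~(size - 1)))
        lo += size
    return out


def prefix_fields(cidr: str) -> Tuple[int, int]:
    """(value, mask) for an IPv4 prefix; '0.0.0.0/0' is a full wildcard."""
    net = ipaddress.IPv4Network(cidr)
    return int(net.network_address), int(net.netmask)


class TernaryCam:
    """Software model of the on-chip classifier CAM: an entry hits when key & mask == value."""

    def __init__(self, capacity: int = 128):
        self.capacity = capacity
        self.entries: List[Tuple[int, int, int]] = []   # (value, mask, 32-bit match tag)

    def add_rule(self, mtype: int, src: str, dst: str, sports: Tuple[int, int],
                 dports: Tuple[int, int], proto, tag: int) -> int:
        """Expand one already de-correlated rule into CAM entries; returns how many were used.
        proto=None is a wildcard.  Port ranges are binarized, so a rule may need several entries."""
        src_v, src_m = prefix_fields(src)
        dst_v, dst_m = prefix_fields(dst)
        proto_v, proto_m = (0, 0) if proto is None else (proto, 0xFF)
        added = 0
        for sp_v, sp_m in binarize_range(*sports):
            for dp_v, dp_m in binarize_range(*dports):
                if len(self.entries) >= self.capacity:
                    raise OverflowError("on-chip CAM full: this rule set needs the off-chip CAM")
                value = pack_fields(mtype, src_v, dst_v, sp_v, dp_v, proto_v)
                mask = pack_fields(0x3, src_m, dst_m, sp_m, dp_m, proto_m)  # match type is always compared
                self.entries.append((value & mask, mask, tag & 0xFFFFFFFF))
                added += 1
        return added

    def lookup(self, key: int) -> List[int]:
        """Fully parallel search: every entry is compared.  Because the rules were de-correlated
        before loading, at most one entry can hit, so no ordering or priority encoder is needed."""
        return [tag for value, mask, tag in self.entries if key & mask == value]


def build_demo_cam() -> TernaryCam:
    """Constructed rule set: two disjoint IPSec quintuple rules."""
    cam = TernaryCam()
    cam.add_rule(MT_QUINTUPLE, "10.0.0.0/8", "192.168.1.0/24", (1024, 65535), (443, 443), 6, 0x1001)
    cam.add_rule(MT_QUINTUPLE, "0.0.0.0/0", "192.168.2.0/24", (0, 65535), (0, 65535), None, 0x1002)
    return cam


if __name__ == "__main__":
    cam = build_demo_cam()
    print(len(cam.entries), "CAM entries used")
    print(cam.lookup(quintuple_key(MT_QUINTUPLE, "10.1.2.3", "192.168.1.7", 40000, 443, 6)))
```

The first rule alone consumes six of the 128 entries, because the source-port range 1024-65535 binarizes into six prefix blocks; this is the practical reason the text sizes the on-chip CAM for "moderately complex" rule sets and provides the off-chip extension for larger ones. A key built with a different match type (here MT_BASIC) does not hit the quintuple entries even when the five fields are identical, which is what lets one CAM array serve all lookup kinds.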
- Figs. 6A and 6B provide process flow diagrams showing aspects of the inbound and outbound packet processing procedures (including lookups) associated with packet classification in accordance with one embodiment of the present invention.
- Fig. 6A depicts the flow in the inbound direction (600).
- When an inbound packet is received by the packet classifier on a cryptography acceleration chip in accordance with the present invention, its header is parsed (602) and a SAD lookup is performed (604).
- The packet may then be dropped (606), passed through (608), or directed into the cryptography processing system.
- If it enters the cryptography processing system, the packet is decrypted and authenticated (610), and decapsulated (612). Then, a SPD lookup is performed (614).
- Fig. 6B depicts the flow in the outbound direction (650).
- When an outbound packet is received by the packet classifier on a cryptography acceleration chip in accordance with the present invention, its header is parsed (652) and a SPD lookup is performed (654).
- The packet may then be dropped (656), passed through (658), or directed into the cryptography processing system.
- If it enters the cryptography processing system, a SAD lookup is conducted (660).
- The packet is encapsulated (666), then encrypted and authenticated (668).
- The encrypted packet is then sent out of the system (670) to the external network (WAN).
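The inbound flow of Fig. 6A is worth seeing end to end, in particular why the SPD lookup (614) comes after decapsulation (612): the SA that authenticated the outer packet may still not be the SA the inner traffic is allowed to use, and that check can only be made on the inner header. The following is an added example, not code from the patent or any product. It assumes a tunnel-mode SA using ESP with NULL encryption and HMAC-SHA-256 authentication (so "decryption" is the identity and the authentication step is a real ICV check), an SAD keyed by the (destination address, SPI, protocol) triple, and a selector set stored with the SA for the post-decapsulation policy check; none of those specifics is stated on the page. The sample packets are constructed inline.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Optional, Tuple

ESP_PROTO = 50
IPV4_IN_IP = 4                 # ESP next-header value for a tunnelled IPv4 packet
ICV_LEN = 16                   # HMAC-SHA-256-128: the ICV is the first 16 bytes of the tag
SaKey = Tuple[str, int, int]   # (destination address, SPI, protocol), the inbound "triple"

# Constructed sample SAD: one tunnel-mode SA using ESP-NULL with HMAC-SHA-256 authentication.
# "selectors" describe the traffic this SA was negotiated to carry (assumed layout).
SAD: Dict[SaKey, dict] = {
    ("192.168.1.1", 0x1001, ESP_PROTO): {
        "auth_key": b"\x11" * 32,
        "selectors": {"src": "10.0.0.0/8", "dst": "172.16.0.0/16", "proto": 6},
    },
}


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero since only classification matters here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, bytes]:
    """Header parse (602/652): return (src, dst, protocol, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])


def esp_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Outbound encapsulate/authenticate (666/668) for ESP-NULL: pad to 4 bytes, add trailer and ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4_IN_IP])
    body = struct.pack("!II", spi, seq) + inner + trailer
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def inbound(raw: bytes, sad: Dict[SaKey, dict] = SAD) -> Tuple[str, Optional[bytes]]:
    """Inbound flow of Fig. 6A: parse, SAD lookup, authenticate, decapsulate, then SPD check."""
    src, dst, proto, payload = parse_ipv4(raw)                         # 602
    if proto != ESP_PROTO:
        return "pass-through", raw                                     # 608: not IPsec traffic
    if len(payload) < 8 + 2 + ICV_LEN:
        return "drop:malformed", None
    spi, _seq = struct.unpack("!II", payload[:8])
    sa = sad.get((dst, spi, proto))                                    # 604: SAD triple lookup
    if sa is None:
        return "drop:no-sa", None                                      # 606
    body, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return "drop:auth-failed", None                                # 610: authentication
    # NULL encryption: "decryption" is the identity, so body[8:] is already plaintext.
    pad_len, next_header = body[-2], body[-1]
    inner = body[8:-(2 + pad_len)]                                     # 612: decapsulate
    if next_header != IPV4_IN_IP:
        return "drop:unsupported-inner", None
    isrc, idst, iproto, _ = parse_ipv4(inner)
    sel = sa["selectors"]                                              # 614: SPD check on the inner packet
    if not (ipaddress.ip_address(isrc) in ipaddress.ip_network(sel["src"])
            and ipaddress.ip_address(idst) in ipaddress.ip_network(sel["dst"])
            and iproto == sel["proto"]):
        return "drop:policy", None      # valid SA, but it carried traffic it was not negotiated for
    return "deliver", inner


def build_sample(inner_dst: str, spi: int = 0x1001, key: bytes = b"\x11" * 32) -> bytes:
    """Constructed outer IPv4/ESP packet carrying a tunnelled IPv4/TCP packet."""
    tcp_stub = b"\x00\x50\x01\xbb"                 # four bytes standing in for a TCP header
    inner = ipv4_header("10.1.1.1", inner_dst, 6, len(tcp_stub)) + tcp_stub
    esp = esp_encapsulate(inner, spi, 1, key)
    return ipv4_header("203.0.113.9", "192.168.1.1", ESP_PROTO, len(esp)) + esp
```

Running `inbound(build_sample("172.16.5.5"))` returns `("deliver", inner)`; the same packet with one ICV byte flipped fails at step 610, an unknown SPI fails at 604, and a correctly authenticated packet whose inner destination lies outside the SA's selectors is dropped at 614. The outbound path of Fig. 6B is the mirror image and uses `esp_encapsulate` for steps 666/668.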
- The purpose of the SA buffer prefetch unit is to hold up to eight Security Association Auxiliary structures, two per active processing engine. This corresponds to up to two packet processing requests per engine, required to support the double-buffered nature of each engine.
- The double-buffered engine design enables header prefetch, thus hiding DRAM latency from the processing units.
- The structures are accessed by SA index, as generated by the packet classifier.
- The SA Buffer unit prefetches the security auxiliary entry corresponding to a given SA index. Given an SA index, the SA buffer checks to see if the SA Aux entry is already present; if so, an immediate SA Hit indication is returned to the distributor micro-engine. If not, the entry is pre-fetched, and a hit status is then returned. If all SA entries are dirty (i.e. have been previously written but not yet flushed back to external memory) and none of the entries is marked as retired, the SA Buffer unit stalls. This condition corresponds to all processing engines being busy anyway, so the distributor is not the bottleneck in this case.
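The hit/prefetch/stall behaviour of the SA buffer is easiest to check against a small model. The code below is an added example, not the patent's or any product's logic; it assumes four processing engines (the page gives eight slots and two per engine, not the engine count), represents the SA Auxiliary structure as a plain dict, and stalls whenever no slot is retired, which is the situation the text describes as "all engines busy". Eviction prefers a retired clean entry over a retired dirty one, since the latter must be flushed to external memory first; that preference is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

NUM_ENGINES = 4          # engines fed by the distributor (assumed count)
SLOTS_PER_ENGINE = 2     # double-buffered: two outstanding packet requests per engine
CAPACITY = NUM_ENGINES * SLOTS_PER_ENGINE   # eight SA Auxiliary structures


@dataclass
class Slot:
    sa_index: int
    aux: dict                 # the SA Auxiliary structure as held on chip
    dirty: bool = False       # updated by an engine, not yet flushed to DRAM
    retired: bool = False     # owning packet has finished; the slot may be reused


class SaBuffer:
    """Model of the SA buffer prefetch unit: hit / prefetch / stall on a request by SA index."""

    def __init__(self, dram: Dict[int, dict]):
        self.dram = dram                     # external memory holding SA Aux entries (constructed)
        self.slots: List[Slot] = []
        self.hits = self.prefetches = self.stalls = 0

    def _find(self, sa_index: int) -> Optional[Slot]:
        return next((s for s in self.slots if s.sa_index == sa_index), None)

    def request(self, sa_index: int) -> str:
        """Distributor asks for an SA index: 'hit' if present, 'prefetch' once fetched, 'stall'
        if every slot still belongs to an in-flight packet (all engines busy)."""
        slot = self._find(sa_index)
        if slot is not None:
            slot.retired = False             # a new packet now owns this entry again
            self.hits += 1
            return "hit"
        if len(self.slots) >= CAPACITY:
            victim = self._pick_victim()
            if victim is None:
                self.stalls += 1
                return "stall"
            self._evict(victim)
        self.slots.append(Slot(sa_index, dict(self.dram[sa_index])))
        self.prefetches += 1
        return "prefetch"

    def _pick_victim(self) -> Optional[Slot]:
        retired = [s for s in self.slots if s.retired]
        if not retired:
            return None                      # nothing retired: every entry is still in use
        return min(retired, key=lambda s: s.dirty)   # prefer a clean retired entry: no write-back

    def _evict(self, slot: Slot) -> None:
        if slot.dirty:
            self.dram[slot.sa_index] = dict(slot.aux)    # flush the dirty entry back to DRAM
        self.slots.remove(slot)

    def update(self, sa_index: int, **fields) -> None:
        """An engine wrote to the SA Aux entry (e.g. counters); the slot becomes dirty."""
        slot = self._find(sa_index)
        slot.aux.update(fields)
        slot.dirty = True

    def retire(self, sa_index: int) -> None:
        """The packet using this entry has completed; the slot becomes replaceable."""
        self._find(sa_index).retired = True


def run_demo() -> List[str]:
    """Constructed scenario: fill all eight slots, stall, retire one entry, recover."""
    dram = {i: {"packets": 0} for i in range(16)}
    buf = SaBuffer(dram)
    log = [buf.request(i) for i in range(8)]        # eight distinct SAs: all prefetched
    log.append(buf.request(3))                       # already present: hit
    log.append(buf.request(8))                       # nothing retired: stall
    buf.update(3, packets=5)
    buf.retire(3)
    log.append(buf.request(8))                       # SA 3 flushed and replaced: prefetch
    return log
```

The stall is not a bug to engineer away: with eight slots and two requests per engine, a stall means every engine already holds two packets, so the distributor could not issue more work anyway. The write-back on eviction is what keeps per-SA state (counters, sequence numbers) consistent in external memory when an SA is re-fetched later.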
- The distributor unit's micro-engine has a large register file (128 entries by 32 bits), a generously sized microcode RAM (128 entries by 96 bits), and a simple three-stage pipeline design that is visible to the instruction set via register read delay slots and conditional branch delay slots.
- Microcode RAM is downloaded from the system port at power-up time, and is authenticated in order to achieve FIPS 140-1 compliance.
- The micro-engine is started by an event-driven mechanism.
- A hardware prioritization unit automatically vectors the micro-engine to the service routine for the next top-priority outstanding event; packet
- The key challenge is to ensure that any given stage keeps up with the overall throughput goal of one packet every 50 clock cycles. This challenge is especially important to the micro-engine, and limits the number of micro-instructions that can be expended to process a given packet.
- The following pseudo-code provides an overview of micro-code functionality both for packet issue and for packet retiring, and estimates the number of clock cycles spent in distributor micro-code.
- Example 3: Advanced Classification Engine (ACE)
- ACE: Advanced Classification Engine
- A classification engine referred to as the Advanced Classification Engine (ACE)
- The IETF IPSec protocol provides packet classification via wildcard rules, overlapping rules and conflict resolution via total rule ordering.
- The challenge solved by ACE is to implement this functionality in wire-speed hardware.
- The Advanced Classification Engine of a chip in accordance with the present invention handles per-packet lookup based on header contents. This information then determines the type of IPSec processing that will be implemented for each packet.
- ACE functions as a complete hardware IPSec Security Association Database lookup engine.
- ACE supports full IPSec Security Association lookup flexibility, including overlapping rules, wildcards and complete ordering.
- ACE provides extremely high hardware throughput.
- ACE provides value-added functions in the areas of statistics gathering and maintenance on a flexible per-link or per-Security-Association basis, and SA lifetime monitoring.
- A separate unit within ACE, the Automatic Header Generator, deals with wire-speed creation of IPSec-compliant headers.
- The input to ACE consists of packet classification fields: src/dst address, src/dst ports, and protocol.
- The output of ACE is an IPSec Security Association matching entry, if one exists, for this classification information within the IPSec Security Association Database.
- The matching entry then provides statistics data and control information used by automatic IPSec header generation.
- A global state flag controls the processing of packets for which no matching entry exists: silent discard, interrupt and queue up the packet for software processing, or pass through.
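The functional contract of ACE described above (wildcard and overlapping rules resolved by total ordering, per-SA statistics, SA lifetime monitoring, and the global no-match flag) can be stated precisely as a reference model. The code below is an added example written for this page, not the patent's engine or any product code; it assumes IPv4 prefixes for the address selectors, inclusive port ranges, a byte-count lifetime as the monitored limit, and the three no-match actions named in the text. Unlike the de-correlated CAM, this model keeps the rules in their original order and returns the first match, which is the semantics the IPSec rule set itself has.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class NoMatchPolicy(Enum):
    """The global state flag applied to packets that match no SA entry."""
    SILENT_DISCARD = "discard"
    SOFTWARE = "queue-for-software"     # interrupt and queue the packet for the host
    PASS_THROUGH = "pass-through"


@dataclass
class SaEntry:
    """SAD entry: classification selectors (None = wildcard) plus per-SA statistics and lifetime."""
    spi: int
    src: Optional[str] = None                   # IPv4 prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None
    sport: Optional[Tuple[int, int]] = None     # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    proto: Optional[int] = None
    byte_lifetime: int = 1 << 30                # rekey once this many bytes have been protected
    packets: int = 0
    bytes: int = 0

    def matches(self, src: str, dst: str, sport: int, dport: int, proto: int) -> bool:
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

        def in_range(value, rng):
            return rng is None or rng[0] <= value <= rng[1]

        return (in_net(src, self.src) and in_net(dst, self.dst)
                and in_range(sport, self.sport) and in_range(dport, self.dport)
                and (self.proto is None or proto == self.proto))


class Ace:
    """Ordered SAD lookup: entries may overlap and use wildcards; the first entry in the
    total order wins, and each hit updates that SA's statistics and lifetime check."""

    def __init__(self, entries: List[SaEntry], no_match: NoMatchPolicy):
        self.entries = entries          # list position is the rule's rank in the total order
        self.no_match = no_match

    def classify(self, src: str, dst: str, sport: int, dport: int, proto: int,
                 length: int) -> Tuple[str, Optional[SaEntry]]:
        for entry in self.entries:
            if entry.matches(src, dst, sport, dport, proto):
                entry.packets += 1
                entry.bytes += length
                if entry.bytes >= entry.byte_lifetime:
                    return "lifetime-exceeded", entry    # software must rekey this SA
                return "protect", entry
        return self.no_match.value, None


def build_demo() -> Ace:
    """Constructed SAD: a specific TCP/443 rule that overlaps a broader wildcard rule."""
    specific = SaEntry(spi=0x100, src="10.0.0.0/8", dst="192.168.1.0/24",
                       dport=(443, 443), proto=6, byte_lifetime=1000)
    broad = SaEntry(spi=0x200, dst="192.168.0.0/16")
    return Ace([specific, broad], NoMatchPolicy.SOFTWARE)
```

With the rules in this order a TCP/443 packet to 192.168.1.5 is protected under SPI 0x100, while a port-80 packet to the same host falls through to SPI 0x200; swapping the two entries makes the broad rule capture both, which is why the ordering must be preserved exactly when a rule set is loaded into hardware. The lifetime check fires on the packet that carries the SA across its byte limit, giving software the trigger to rekey.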
- SATC-AUX: Security Association Auxiliary Data table Cache
- Quad Refill Engine: handles the servicing of SATC-CL misses. Whenever a miss occurs, the corresponding entry in the SATC-AUX is simultaneously fetched in order to maintain cache inclusion of all SATC-AUX entries within SATC-CL entries. This design simplifies and speeds up the cache hit logic considerably.
- The refill engine accepts and processes up to 4 outstanding miss requests simultaneously.
- Quad Header Buffers: holds up to 4 complete IPv4 headers, and up to 256 bytes each of 4 IPv6 headers. Used to queue up headers that result in SATC-CL misses. Headers that result in a cache hit are immediately forwarded for IPSec header generation.
- Header/Trailer processing and buffer: for input datagrams, interprets and strips the IPSec ESP or AH header. For output datagrams, adjusts and calculates header and trailer fields. Holds a complete IPv4 fragment header, and up to 256 bytes of an IPv6 header. Requires input from the cryptography modules for certain fields, authentication codes for instance.
- SAT-CL: Complete Security Association Table, Classification Field
- SAT-AUX: Complete Security Association Auxiliary Data table
- ACE implements multiple techniques to accelerate processing.
- The design is fully pipelined, such that multiple headers are in different stages of ACE processing at any given time.
- ACE implements non-blocking out-of-order processing of up to four packets.
- Performance-enhancing DRAM access techniques such as read combining and page hit combining are used to full benefit by issuing multiple requests at once to refill the SATC-CL and SATC-AUX caches. Furthermore, this scheme avoids a problem similar to Head Of Line Blocking in older routers, and minimizes overall packet latency.
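Three properties of the ACE cache design interact here: misses are parked in one of four header buffers while hits keep flowing (non-blocking, out-of-order), outstanding misses are refilled together so repeated misses on one index become a single DRAM read (read combining), and the SATC-AUX entry is always fetched and evicted with its SATC-CL entry (inclusion). The model below is an added example, not the patent's refill engine or any product code; it assumes an LRU replacement policy and a batch refill that services all queued misses at once, neither of which the page specifies, and it represents the two tables as dicts.

```python
from collections import OrderedDict, deque
from typing import Deque, Dict, List, Tuple

MAX_OUTSTANDING = 4    # Quad Refill Engine / Quad Header Buffers: four misses in flight


class AceCache:
    """Model of the SATC-CL / SATC-AUX caches with a non-blocking quad refill engine.
    Hits are forwarded immediately; misses park their header and are refilled in a batch."""

    def __init__(self, sat_cl: Dict[int, tuple], sat_aux: Dict[int, dict], capacity: int = 8):
        self.sat_cl, self.sat_aux = sat_cl, sat_aux        # complete tables in DRAM (constructed)
        self.capacity = capacity
        self.cl: "OrderedDict[int, tuple]" = OrderedDict()   # classification cache, LRU order
        self.aux: Dict[int, dict] = {}                        # aux cache, kept inclusive in cl
        self.pending: Deque[Tuple[int, int]] = deque()        # (packet id, SA index) header buffers
        self.dram_reads = 0

    def lookup(self, pkt_id: int, sa_index: int) -> str:
        """SATC-CL probe: 'forward' on a hit, 'queued' on a miss, 'backpressure' if all
        four header buffers are already occupied by earlier misses."""
        if sa_index in self.cl:
            self.cl.move_to_end(sa_index)   # refresh LRU position (assumed policy)
            return "forward"
        if len(self.pending) >= MAX_OUTSTANDING:
            return "backpressure"
        self.pending.append((pkt_id, sa_index))
        return "queued"

    def refill(self) -> List[int]:
        """Service every outstanding miss in one batch (read combining): each distinct index is
        fetched once, CL and AUX together, so an AUX entry never exists without its CL entry.
        Returns the released packet ids, which may trail packets that hit in the meantime."""
        released = []
        while self.pending:
            pkt_id, idx = self.pending.popleft()
            if idx not in self.cl:
                if len(self.cl) >= self.capacity:
                    victim, _ = self.cl.popitem(last=False)     # evict least recently used
                    self.aux.pop(victim, None)                   # evict AUX with CL: inclusion
                self.cl[idx] = self.sat_cl[idx]
                self.aux[idx] = dict(self.sat_aux[idx])
                self.dram_reads += 1
            released.append(pkt_id)
        return released

    def inclusive(self) -> bool:
        """Invariant the hit logic relies on: every cached AUX index has a cached CL entry."""
        return set(self.aux) <= set(self.cl)


def run_demo() -> Tuple[List[str], List[int], int]:
    """Constructed sequence: four misses (two on the same index), one hit overtaking a queued miss."""
    cache = AceCache({i: ("rule", i) for i in range(32)}, {i: {"seq": 0} for i in range(32)}, capacity=3)
    log = [cache.lookup(p, i) for p, i in [(1, 7), (2, 7), (3, 9), (4, 11), (5, 13)]]
    released = cache.refill()
    log.append(cache.lookup(6, 20))    # miss: queued
    log.append(cache.lookup(7, 9))     # hit: forwarded ahead of packet 6
    released += cache.refill()
    return log, released, cache.dram_reads
```

In the demo, packets 1 and 2 both miss on SA index 7 but cost a single DRAM read, packet 5 is held back because the four header buffers are full, and packet 7 hits and is forwarded while packet 6 is still waiting on its refill, which is the out-of-order behaviour that avoids head-of-line blocking.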
- ACE die area is estimated as follows, based on major components and a rough allocation for control logic and additional data buffering:
- Total estimated gate count is 500Kg.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP00950299A EP1192781B1 (en) | 1999-07-08 | 2000-07-07 | Distributed processing in a cryptography acceleration chip |
AU63422/00A AU6342200A (en) | 1999-07-08 | 2000-07-07 | Distributed processing in a cryptography acceleration chip |
DE60034453T DE60034453T2 (en) | 1999-07-08 | 2000-07-07 | DISTRIBUTED PROCESSING IN A CRYPTOGRAPHY ACCELERATION SCHIP |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14287099P | 1999-07-08 | 1999-07-08 | |
US60/142,870 | 1999-07-08 | ||
US15901199P | 1999-10-12 | 1999-10-12 | |
US60/159,011 | 1999-10-12 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2001005086A2 true WO2001005086A2 (en) | 2001-01-18 |
WO2001005086A3 WO2001005086A3 (en) | 2001-12-06 |
Family
ID=26840503
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/018617 WO2001005087A2 (en) | 1999-07-08 | 2000-07-07 | Classification engine in a cryptography acceleration chip |
PCT/US2000/018537 WO2001005086A2 (en) | 1999-07-08 | 2000-07-07 | Distributed processing in a cryptography acceleration chip |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2000/018617 WO2001005087A2 (en) | 1999-07-08 | 2000-07-07 | Classification engine in a cryptography acceleration chip |
Country Status (6)
Country | Link |
---|---|
US (3) | US7996670B1 (en) |
EP (2) | EP1192782B1 (en) |
AT (2) | ATE360317T1 (en) |
AU (2) | AU6342500A (en) |
DE (2) | DE60036284T2 (en) |
WO (2) | WO2001005087A2 (en) |
Cited By (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001086430A2 (en) * | 2000-05-11 | 2001-11-15 | Netoctave, Inc. | Cryptographic data processing systems, computer programs, and methods of operating same |
WO2002051099A2 (en) * | 2000-12-19 | 2002-06-27 | Qualcomm Incorporated | Method and system to accelerate cryptographic functions for secure e-commerce applications using cpu and dsp to calculate the cryptographic functions |
EP1282025A2 (en) * | 2001-07-24 | 2003-02-05 | Cavium Networks Inc. | An interface for a security coprocessor |
EP1288783A2 (en) * | 2001-08-24 | 2003-03-05 | Broadcom Corporation | Methods and apparatus for collapsing interrupts |
EP1292082A2 (en) * | 2001-07-24 | 2003-03-12 | Cavium Networks Inc. | Method and apparatus for establishing secure session |
WO2002060150A3 (en) * | 2001-01-24 | 2003-03-13 | Broadcom Corp | Method for processing multiple security policies applied to a data packet structure |
WO2003024058A1 (en) * | 2001-09-06 | 2003-03-20 | Intel Corporation | Techniques for offloading cryptographic processing for multiple network traffic streams |
WO2003039093A2 (en) | 2001-10-30 | 2003-05-08 | Hi/Fn, Inc. | Method and system for packet ordering for parallel packet transform processing |
EP1324175A1 (en) | 2001-12-28 | 2003-07-02 | Bull S.A. | Module for securing data by encryption/decryption and/or signature/verification of signature |
EP1326400A2 (en) * | 2001-12-21 | 2003-07-09 | Agere Systems Inc. | Processor with packet processing order maintenance based on packet flow identifiers |
EP1328104A2 (en) | 2002-01-10 | 2003-07-16 | Broadcom Corporation | System on a chip for network storage devices |
WO2003075520A2 (en) * | 2002-03-05 | 2003-09-12 | International Business Machines Corporation | Method and system for ordered dynamic distribution of packet flows over network processors |
WO2003088072A1 (en) * | 2002-04-11 | 2003-10-23 | Hi/Fn, Inc. | Processing a packet using multiple pipelined processing modules |
WO2004016034A1 (en) * | 2002-08-13 | 2004-02-19 | Starent Networks Corporation | Communicating in voice and data communications systems |
EP1427133A2 (en) * | 2002-12-05 | 2004-06-09 | Broadcom Corporation | System, method and device for security processing of data packets |
EP1435716A2 (en) * | 2002-12-31 | 2004-07-07 | Broadcom Corporation | Security association updates in a packet load-balanced system |
WO2004080026A1 (en) * | 2003-03-04 | 2004-09-16 | Lukas Wunner | Method, system and storage medium for introducing data network accessibility information |
WO2005086461A1 (en) * | 2004-03-02 | 2005-09-15 | Advanced Micro Devices, Inc. | Two parallel engines for high speed transmit ipsec processing |
WO2005112395A1 (en) * | 2004-05-06 | 2005-11-24 | Advanced Micro Devices, Inc. | Network interface with security association data prefetch for high speed offloaded security processing |
WO2006001917A1 (en) * | 2004-06-14 | 2006-01-05 | Intel Corporation | Method and apparatus to manage heterogeneous cryptographic operations |
WO2006052017A2 (en) * | 2004-11-12 | 2006-05-18 | Sony Computer Entertainment Inc. | Methods and apparatus for secure data processing and transmission |
US7299350B2 (en) * | 2002-01-17 | 2007-11-20 | Intel Corporation | Internet protocol security decryption with secondary use speculative interrupts |
US7305567B1 (en) | 2002-03-01 | 2007-12-04 | Cavium Networks, In. | Decoupled architecture for data ciphering operations |
US7412726B1 (en) * | 2003-12-08 | 2008-08-12 | Advanced Micro Devices, Inc. | Method and apparatus for out of order writing of status fields for receive IPsec processing |
US7624263B1 (en) | 2004-09-21 | 2009-11-24 | Advanced Micro Devices, Inc. | Security association table lookup architecture and method of operation |
US8321687B2 (en) | 2003-11-28 | 2012-11-27 | Bull S.A.S. | High speed cryptographic system with modular architecture |
US9015467B2 (en) | 2002-12-05 | 2015-04-21 | Broadcom Corporation | Tagging mechanism for data path security processing |
US11436375B2 (en) | 2017-01-31 | 2022-09-06 | Huawei Technologies Co., Ltd. | Processing device for reducing a load on a system bus |
Families Citing this family (148)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7996670B1 (en) | 1999-07-08 | 2011-08-09 | Broadcom Corporation | Classification engine in a cryptography acceleration chip |
US7003118B1 (en) * | 2000-11-27 | 2006-02-21 | 3Com Corporation | High performance IPSEC hardware accelerator for packet classification |
US6959346B2 (en) * | 2000-12-22 | 2005-10-25 | Mosaid Technologies, Inc. | Method and system for packet encryption |
US20020120874A1 (en) * | 2000-12-22 | 2002-08-29 | Li Shu | Method and system for secure exchange of messages |
US6909713B2 (en) * | 2001-09-05 | 2005-06-21 | Intel Corporation | Hash-based data frame distribution for web switches |
US7403999B2 (en) * | 2001-12-28 | 2008-07-22 | International Business Machines Corporation | Classification support system and method for fragmented IP packets |
US7318160B2 (en) * | 2002-02-01 | 2008-01-08 | Hewlett-Packard Development Company, L.P. | Cryptographic key setup in queued cryptographic systems |
WO2003103233A1 (en) * | 2002-05-31 | 2003-12-11 | 富士通株式会社 | Packet repeating installation, network connection device, packet repeating method, recording medium, program |
US20040123120A1 (en) * | 2002-12-18 | 2004-06-24 | Broadcom Corporation | Cryptography accelerator input interface data handling |
US7434043B2 (en) | 2002-12-18 | 2008-10-07 | Broadcom Corporation | Cryptography accelerator data routing unit |
US20040123123A1 (en) * | 2002-12-18 | 2004-06-24 | Buer Mark L. | Methods and apparatus for accessing security association information in a cryptography accelerator |
US7568110B2 (en) | 2002-12-18 | 2009-07-28 | Broadcom Corporation | Cryptography accelerator interface decoupling from cryptography processing cores |
US7669234B2 (en) * | 2002-12-31 | 2010-02-23 | Broadcom Corporation | Data processing hash algorithm and policy management |
US7657933B2 (en) * | 2003-04-12 | 2010-02-02 | Cavium Networks, Inc. | Apparatus and method for allocating resources within a security processing architecture using multiple groups |
US7661130B2 (en) * | 2003-04-12 | 2010-02-09 | Cavium Networks, Inc. | Apparatus and method for allocating resources within a security processing architecture using multiple queuing mechanisms |
US7337314B2 (en) * | 2003-04-12 | 2008-02-26 | Cavium Networks, Inc. | Apparatus and method for allocating resources within a security processor |
TWI225999B (en) * | 2003-08-22 | 2005-01-01 | Ind Tech Res Inst | A method for searching Peer-based security policy database |
US8949380B2 (en) * | 2003-09-29 | 2015-02-03 | Eqapez Foundation, L.L.C. | Method and system for distributing images to client systems |
US20050083926A1 (en) * | 2003-10-15 | 2005-04-21 | Mathews Robin M. | Packet storage and retransmission over a secure connection |
US7826614B1 (en) | 2003-11-05 | 2010-11-02 | Globalfoundries Inc. | Methods and apparatus for passing initialization vector information from software to hardware to perform IPsec encryption operation |
US7310728B2 (en) | 2003-11-24 | 2007-12-18 | Itt Manufacturing Enterprises, Inc. | Method of implementing a high-speed header bypass function |
US20050177713A1 (en) * | 2004-02-05 | 2005-08-11 | Peter Sim | Multi-protocol network encryption system |
US20060004697A1 (en) * | 2004-06-09 | 2006-01-05 | Lipsky Scott E | Method and system for restricting the display of images |
US7730519B2 (en) | 2004-09-17 | 2010-06-01 | At&T Intellectual Property I, L.P. | Detection of encrypted packet streams using feedback probing |
US7451309B2 (en) | 2004-09-17 | 2008-11-11 | At&T Intellectual Property L.P. | Signature specification for encrypted packet streams |
US7761705B2 (en) * | 2004-09-17 | 2010-07-20 | At&T Intellectual Property I, L.P. | Detection of encrypted packet streams |
DE602004012291T2 (en) * | 2004-11-30 | 2009-03-19 | Alcatel Lucent | Ethernet Digital Subscriber Line Access Multiplexer DSLAM with flow control |
US20060136717A1 (en) | 2004-12-20 | 2006-06-22 | Mark Buer | System and method for authentication via a proximate device |
US8295484B2 (en) * | 2004-12-21 | 2012-10-23 | Broadcom Corporation | System and method for securing data from a remote input device |
US7613669B2 (en) * | 2005-08-19 | 2009-11-03 | Electronics And Telecommunications Research Institute | Method and apparatus for storing pattern matching data and pattern matching method using the same |
US7724754B2 (en) * | 2006-02-24 | 2010-05-25 | Texas Instruments Incorporated | Device, system and/or method for managing packet congestion in a packet switching network |
US20070214502A1 (en) * | 2006-03-08 | 2007-09-13 | Mcalister Donald K | Technique for processing data packets in a communication network |
US7895646B2 (en) * | 2006-05-25 | 2011-02-22 | International Business Machines Corporation | IKE daemon self-adjusting negotiation throttle |
JP4634349B2 (en) * | 2006-08-22 | 2011-02-16 | 株式会社日立製作所 | IPSec processing device, network system, and IPSec processing program |
US7925886B2 (en) | 2007-06-13 | 2011-04-12 | International Business Machines Corporation | Encryption output data generation method and system |
US8594322B2 (en) * | 2007-07-10 | 2013-11-26 | Stmicroelectronics S.R.L. | Encoding/decoding apparatus |
GB0713787D0 (en) * | 2007-07-16 | 2007-08-22 | Cellfire Security Technologies | Security protocol, secure communication system and method |
CN101197664B (en) * | 2008-01-03 | 2010-12-08 | 杭州华三通信技术有限公司 | Method, system and device for key management protocol negotiation |
US20090178104A1 (en) * | 2008-01-08 | 2009-07-09 | Hemal Shah | Method and system for a multi-level security association lookup scheme for internet protocol security |
US8114117B2 (en) * | 2008-09-30 | 2012-02-14 | Tyco Healthcare Group Lp | Compression device with wear area |
US8339959B1 (en) | 2008-05-20 | 2012-12-25 | Juniper Networks, Inc. | Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane |
JP5654983B2 (en) * | 2008-06-17 | 2015-01-14 | アティヴィオ,インコーポレイテッド | Sequence message processing |
US8955107B2 (en) * | 2008-09-12 | 2015-02-10 | Juniper Networks, Inc. | Hierarchical application of security services within a computer network |
US8191134B1 (en) * | 2008-09-29 | 2012-05-29 | Sonicwall, Inc. | Lockless distributed IPsec processing |
US7796541B1 (en) | 2008-09-30 | 2010-09-14 | Juniper Networks, Inc. | Methods and apparatus for range matching during packet classification based on a linked-node structure |
US7738454B1 (en) * | 2008-09-30 | 2010-06-15 | Juniper Networks, Inc. | Methods and apparatus related to packet classification based on range values |
US8804950B1 (en) | 2008-09-30 | 2014-08-12 | Juniper Networks, Inc. | Methods and apparatus for producing a hash value based on a hash function |
US7835357B2 (en) * | 2008-09-30 | 2010-11-16 | Juniper Networks, Inc. | Methods and apparatus for packet classification based on policy vectors |
US8675648B1 (en) | 2008-09-30 | 2014-03-18 | Juniper Networks, Inc. | Methods and apparatus for compression in packet classification |
US8798057B1 (en) | 2008-09-30 | 2014-08-05 | Juniper Networks, Inc. | Methods and apparatus to implement except condition during data packet classification |
US8763008B2 (en) | 2008-09-30 | 2014-06-24 | Ebay Inc. | System and method for processing messages using native data serialization/deserialization in a service-oriented pipeline architecture |
US7961734B2 (en) | 2008-09-30 | 2011-06-14 | Juniper Networks, Inc. | Methods and apparatus related to packet classification associated with a multi-stage switch |
US8135785B2 (en) * | 2008-09-30 | 2012-03-13 | Ebay Inc. | System and method for processing messages using pluggable protocol processors in a service-oriented pipeline architecture |
US8806506B2 (en) * | 2008-09-30 | 2014-08-12 | Ebay Inc. | System and method for processing messages using a common interface platform supporting multiple pluggable data formats in a service-oriented pipeline architecture |
US8040808B1 (en) | 2008-10-20 | 2011-10-18 | Juniper Networks, Inc. | Service aware path selection with a network acceleration device |
US8341280B2 (en) * | 2008-12-30 | 2012-12-25 | Ebay Inc. | Request and response decoupling via pluggable transports in a service oriented pipeline architecture for a request response message exchange pattern |
US7889741B1 (en) | 2008-12-31 | 2011-02-15 | Juniper Networks, Inc. | Methods and apparatus for packet classification based on multiple conditions |
US8488588B1 (en) | 2008-12-31 | 2013-07-16 | Juniper Networks, Inc. | Methods and apparatus for indexing set bit values in a long vector associated with a switch fabric |
US8111697B1 (en) | 2008-12-31 | 2012-02-07 | Juniper Networks, Inc. | Methods and apparatus for packet classification based on multiple conditions |
US8595479B2 (en) * | 2009-02-25 | 2013-11-26 | Cisco Technology, Inc. | Aggregation of cryptography engines |
US9037810B2 (en) * | 2010-03-02 | 2015-05-19 | Marvell Israel (M.I.S.L.) Ltd. | Pre-fetching of data packets |
US20110228674A1 (en) * | 2010-03-18 | 2011-09-22 | Alon Pais | Packet processing optimization |
US9069489B1 (en) | 2010-03-29 | 2015-06-30 | Marvell Israel (M.I.S.L) Ltd. | Dynamic random access memory front end |
US8327047B2 (en) | 2010-03-18 | 2012-12-04 | Marvell World Trade Ltd. | Buffer manager and methods for managing memory |
US9141831B2 (en) * | 2010-07-08 | 2015-09-22 | Texas Instruments Incorporated | Scheduler, security context cache, packet processor, and authentication, encryption modules |
US8495656B2 (en) | 2010-10-15 | 2013-07-23 | Attivio, Inc. | Ordered processing of groups of messages |
US9282060B2 (en) | 2010-12-15 | 2016-03-08 | Juniper Networks, Inc. | Methods and apparatus for dynamic resource management within a distributed control plane of a switch |
US20120210018A1 (en) * | 2011-02-11 | 2012-08-16 | Rikard Mendel | System And Method for Lock-Less Multi-Core IP Forwarding |
US9098203B1 (en) | 2011-03-01 | 2015-08-04 | Marvell Israel (M.I.S.L) Ltd. | Multi-input memory command prioritization |
JP5848570B2 (en) * | 2011-09-30 | 2016-01-27 | ラピスセミコンダクタ株式会社 | Communication apparatus, reception control method, and transmission control method |
US9251535B1 (en) | 2012-01-05 | 2016-02-02 | Juniper Networks, Inc. | Offload of data transfer statistics from a mobile access gateway |
US10044582B2 (en) | 2012-01-28 | 2018-08-07 | A10 Networks, Inc. | Generating secure name records |
US8964554B2 (en) * | 2012-06-07 | 2015-02-24 | Broadcom Corporation | Tunnel acceleration for wireless access points |
US9390240B1 (en) * | 2012-06-11 | 2016-07-12 | Dell Software Inc. | System and method for querying data |
US9578060B1 (en) | 2012-06-11 | 2017-02-21 | Dell Software Inc. | System and method for data loss prevention across heterogeneous communications platforms |
US9501744B1 (en) | 2012-06-11 | 2016-11-22 | Dell Software Inc. | System and method for classifying data |
US9779260B1 (en) | 2012-06-11 | 2017-10-03 | Dell Software Inc. | Aggregation and classification of secure data |
DE102012214794A1 (en) * | 2012-08-21 | 2014-02-27 | BSH Bosch und Siemens Hausgeräte GmbH | COMMUNICATION MODULE FOR A HOME DEVICE |
US9722918B2 (en) | 2013-03-15 | 2017-08-01 | A10 Networks, Inc. | System and method for customizing the identification of application or content type |
US9912555B2 (en) | 2013-03-15 | 2018-03-06 | A10 Networks, Inc. | System and method of updating modules for application or content identification |
US9374344B1 (en) | 2013-03-29 | 2016-06-21 | Secturion Systems, Inc. | Secure end-to-end communication system |
US9355279B1 (en) | 2013-03-29 | 2016-05-31 | Secturion Systems, Inc. | Multi-tenancy architecture |
US9798899B1 (en) * | 2013-03-29 | 2017-10-24 | Secturion Systems, Inc. | Replaceable or removable physical interface input/output module |
US9317718B1 (en) | 2013-03-29 | 2016-04-19 | Secturion Systems, Inc. | Security device with programmable systolic-matrix cryptographic module and programmable input/output interface |
US9524399B1 (en) * | 2013-04-01 | 2016-12-20 | Secturion Systems, Inc. | Multi-level independent security architecture |
WO2014176461A1 (en) | 2013-04-25 | 2014-10-30 | A10 Networks, Inc. | Systems and methods for network access control |
US9473298B2 (en) * | 2013-08-15 | 2016-10-18 | Blue Cedar Networks, Inc. | Simplifying IKE process in a gateway to enable datapath scaling using a two tier cache configuration |
US9294503B2 (en) | 2013-08-26 | 2016-03-22 | A10 Networks, Inc. | Health monitor based distributed denial of service attack mitigation |
US9906422B2 (en) | 2014-05-16 | 2018-02-27 | A10 Networks, Inc. | Distributed system to determine a server's health |
US9349016B1 (en) | 2014-06-06 | 2016-05-24 | Dell Software Inc. | System and method for user-context-based data loss prevention |
KR102263880B1 (en) * | 2014-06-19 | 2021-06-11 | 삼성전자주식회사 | Host controller and system-on-chip |
US9756071B1 (en) | 2014-09-16 | 2017-09-05 | A10 Networks, Inc. | DNS denial of service attack protection |
US9537886B1 (en) | 2014-10-23 | 2017-01-03 | A10 Networks, Inc. | Flagging security threats in web service requests |
US9621575B1 (en) | 2014-12-29 | 2017-04-11 | A10 Networks, Inc. | Context aware threat protection |
US9584318B1 (en) | 2014-12-30 | 2017-02-28 | A10 Networks, Inc. | Perfect forward secrecy distributed denial of service attack defense |
US9900343B1 (en) | 2015-01-05 | 2018-02-20 | A10 Networks, Inc. | Distributed denial of service cellular signaling |
WO2016118523A1 (en) | 2015-01-19 | 2016-07-28 | InAuth, Inc. | Systems and methods for trusted path secure communication |
US9848013B1 (en) | 2015-02-05 | 2017-12-19 | A10 Networks, Inc. | Perfect forward secrecy distributed denial of service attack detection |
US10063591B1 (en) | 2015-02-14 | 2018-08-28 | A10 Networks, Inc. | Implementing and optimizing secure socket layer intercept |
US10326748B1 (en) | 2015-02-25 | 2019-06-18 | Quest Software Inc. | Systems and methods for event-based authentication |
US10417613B1 (en) | 2015-03-17 | 2019-09-17 | Quest Software Inc. | Systems and methods of patternizing logged user-initiated events for scheduling functions |
US9992223B2 (en) | 2015-03-20 | 2018-06-05 | Nxp Usa, Inc. | Flow-based anti-replay checking |
US9990506B1 (en) | 2015-03-30 | 2018-06-05 | Quest Software Inc. | Systems and methods of securing network-accessible peripheral devices |
US9563782B1 (en) | 2015-04-10 | 2017-02-07 | Dell Software Inc. | Systems and methods of secure self-service access to content |
US9842220B1 (en) | 2015-04-10 | 2017-12-12 | Dell Software Inc. | Systems and methods of secure self-service access to content |
US9641555B1 (en) | 2015-04-10 | 2017-05-02 | Dell Software Inc. | Systems and methods of tracking content-exposure events |
US9842218B1 (en) | 2015-04-10 | 2017-12-12 | Dell Software Inc. | Systems and methods of secure self-service access to content |
US9569626B1 (en) | 2015-04-10 | 2017-02-14 | Dell Software Inc. | Systems and methods of reporting content-exposure events |
US10097345B2 (en) * | 2015-04-14 | 2018-10-09 | PeerNova, Inc. | Secure hash algorithm in digital hardware for cryptographic applications |
IL238690B (en) * | 2015-05-07 | 2019-07-31 | Mellanox Technologies Ltd | Network-based computational accelerator |
US10152441B2 (en) | 2015-05-18 | 2018-12-11 | Mellanox Technologies, Ltd. | Host bus access by add-on devices via a network interface controller |
JP2017011392A (en) * | 2015-06-18 | 2017-01-12 | 株式会社リコー | Decryption circuit, communication device using the same, and communication system |
US10212138B1 (en) * | 2015-06-19 | 2019-02-19 | Amazon Technologies, Inc. | Hardware security accelerator |
US10051000B2 (en) * | 2015-07-28 | 2018-08-14 | Citrix Systems, Inc. | Efficient use of IPsec tunnels in multi-path environment |
US10536352B1 (en) | 2015-08-05 | 2020-01-14 | Quest Software Inc. | Systems and methods for tuning cross-platform data collection |
US11283774B2 (en) | 2015-09-17 | 2022-03-22 | Secturion Systems, Inc. | Cloud storage using encryption gateway with certificate authority identification |
US9794064B2 (en) | 2015-09-17 | 2017-10-17 | Secturion Systems, Inc. | Client(s) to cloud or remote server secure data or file object encryption gateway |
US9787581B2 (en) | 2015-09-21 | 2017-10-10 | A10 Networks, Inc. | Secure data flow open information analytics |
US10218588B1 (en) | 2015-10-05 | 2019-02-26 | Quest Software Inc. | Systems and methods for multi-stream performance patternization and optimization of virtual meetings |
US10157358B1 (en) | 2015-10-05 | 2018-12-18 | Quest Software Inc. | Systems and methods for multi-stream performance patternization and interval-based prediction |
US10708236B2 (en) | 2015-10-26 | 2020-07-07 | Secturion Systems, Inc. | Multi-independent level secure (MILS) storage encryption |
US10469594B2 (en) | 2015-12-08 | 2019-11-05 | A10 Networks, Inc. | Implementation of secure socket layer intercept |
US10142391B1 (en) | 2016-03-25 | 2018-11-27 | Quest Software Inc. | Systems and methods of diagnosing down-layer performance problems via multi-stream performance patternization |
US10812348B2 (en) | 2016-07-15 | 2020-10-20 | A10 Networks, Inc. | Automatic capture of network data for a detected anomaly |
US10341118B2 (en) | 2016-08-01 | 2019-07-02 | A10 Networks, Inc. | SSL gateway with integrated hardware security module |
US10382562B2 (en) | 2016-11-04 | 2019-08-13 | A10 Networks, Inc. | Verification of server certificates using hash codes |
US10250475B2 (en) | 2016-12-08 | 2019-04-02 | A10 Networks, Inc. | Measurement of application response delay time |
US10397270B2 (en) | 2017-01-04 | 2019-08-27 | A10 Networks, Inc. | Dynamic session rate limiter |
US10187377B2 (en) | 2017-02-08 | 2019-01-22 | A10 Networks, Inc. | Caching network generated security certificates |
IL251683B (en) * | 2017-04-09 | 2019-08-29 | Yoseph Koren | System and method for dynamic management of private data |
CN107256363B (en) * | 2017-06-13 | 2020-03-06 | 杭州华澜微电子股份有限公司 | High-speed encryption and decryption device composed of encryption and decryption module array |
US10382350B2 (en) | 2017-09-12 | 2019-08-13 | Mellanox Technologies, Ltd. | Maintaining packet order in offload of packet processing functions |
US11502948B2 (en) | 2017-10-16 | 2022-11-15 | Mellanox Technologies, Ltd. | Computational accelerator for storage operations |
US11005771B2 (en) | 2017-10-16 | 2021-05-11 | Mellanox Technologies, Ltd. | Computational accelerator for packet payload operations |
US10841243B2 (en) | 2017-11-08 | 2020-11-17 | Mellanox Technologies, Ltd. | NIC with programmable pipeline |
US10708240B2 (en) | 2017-12-14 | 2020-07-07 | Mellanox Technologies, Ltd. | Offloading communication security operations to a network interface controller |
US11546370B2 (en) | 2018-01-31 | 2023-01-03 | Nxp Usa, Inc. | Anti-replay protection for network packet communications |
US10824469B2 (en) | 2018-11-28 | 2020-11-03 | Mellanox Technologies, Ltd. | Reordering avoidance for flows during transition between slow-path handling and fast-path handling |
US11184439B2 (en) | 2019-04-01 | 2021-11-23 | Mellanox Technologies, Ltd. | Communication with accelerator via RDMA-based network adapter |
CN109905412B (en) * | 2019-04-28 | 2021-06-01 | 山东渔翁信息技术股份有限公司 | Network data parallel encryption and decryption processing method, device and medium |
CN110309374A (en) * | 2019-05-22 | 2019-10-08 | 深圳市金泰克半导体有限公司 | A kind of analytic method, system, terminal device and computer readable storage medium |
US11196715B2 (en) * | 2019-07-16 | 2021-12-07 | Xilinx, Inc. | Slice-aggregated cryptographic system and method |
CN114095153A (en) | 2020-08-05 | 2022-02-25 | 迈络思科技有限公司 | Cipher data communication device |
IL276538B2 (en) | 2020-08-05 | 2023-08-01 | Mellanox Technologies Ltd | Cryptographic data communication apparatus |
EP4060936A1 (en) * | 2021-03-16 | 2022-09-21 | Nokia Solutions and Networks Oy | Enhanced processing for ipsec stream |
US11934333B2 (en) | 2021-03-25 | 2024-03-19 | Mellanox Technologies, Ltd. | Storage protocol emulation in a peripheral device |
US11934658B2 (en) | 2021-03-25 | 2024-03-19 | Mellanox Technologies, Ltd. | Enhanced storage protocol emulation in a peripheral device |
US20230015106A1 (en) * | 2021-07-09 | 2023-01-19 | Lexmark International, Inc. | Methods and Systems for Determining the Authenticity of a Component |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5796836A (en) * | 1995-04-17 | 1998-08-18 | Secure Computing Corporation | Scalable key agile cryptography |
Family Cites Families (98)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5870474A (en) | 1995-12-04 | 1999-02-09 | Scientific-Atlanta, Inc. | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers |
JPS57153359A (en) | 1981-03-18 | 1982-09-21 | Ibm | Data processing system with common memory |
USRE33189E (en) | 1981-11-19 | 1990-03-27 | Communications Satellite Corporation | Security system for SSTV encryption |
GB8526620D0 (en) * | 1985-10-29 | 1985-12-04 | British Telecomm | Communications network |
US5161193A (en) | 1990-06-29 | 1992-11-03 | Digital Equipment Corporation | Pipelined cryptography processor and method for its use in communication networks |
US5365589A (en) * | 1992-02-07 | 1994-11-15 | Gutowitz Howard A | Method and apparatus for encryption, decryption and authentication using dynamical systems |
US5297206A (en) | 1992-03-19 | 1994-03-22 | Orton Glenn A | Cryptographic method for communication and electronic signatures |
WO1993026109A1 (en) | 1992-06-17 | 1993-12-23 | The Trustees Of The University Of Pennsylvania | Apparatus for providing cryptographic support in a network |
NL9301841A (en) * | 1993-10-25 | 1995-05-16 | Nederland Ptt | Device for processing data packets. |
NL9400428A (en) | 1994-03-18 | 1995-11-01 | Nederland Ptt | Device for cryptographically processing data packets, as well as a method of generating cryptographic processing data. |
US5471482A (en) | 1994-04-05 | 1995-11-28 | Unisys Corporation | VLSI embedded RAM test |
US5936967A (en) | 1994-10-17 | 1999-08-10 | Lucent Technologies, Inc. | Multi-channel broadband adaptation processing |
US5631960A (en) | 1995-08-31 | 1997-05-20 | National Semiconductor Corporation | Autotest of encryption algorithms in embedded secure encryption devices |
WO1998034403A1 (en) | 1995-09-29 | 1998-08-06 | Intel Corporation | Apparatus and method for securing captured data transmitted between two sources |
US5734829A (en) * | 1995-10-20 | 1998-03-31 | International Business Machines Corporation | Method and program for processing a volume of data on a parallel computer system |
US5949881A (en) | 1995-12-04 | 1999-09-07 | Intel Corporation | Apparatus and method for cryptographic companion imprinting |
GB2309558A (en) * | 1996-01-26 | 1997-07-30 | Ibm | Load balancing across the processors of a server computer |
US6038551A (en) | 1996-03-11 | 2000-03-14 | Microsoft Corporation | System and method for configuring and managing resources on a multi-purpose integrated circuit card using a personal computer |
US5933503A (en) | 1996-03-15 | 1999-08-03 | Novell, Inc | Controlled modular cryptography apparatus and method |
US5943338A (en) | 1996-08-19 | 1999-08-24 | 3Com Corporation | Redundant ATM interconnect mechanism |
US5983350A (en) | 1996-09-18 | 1999-11-09 | Secure Computing Corporation | Secure firewall supporting different levels of authentication based on address or encryption status |
JPH10143439A (en) | 1996-11-12 | 1998-05-29 | Fujitsu Ltd | Data processor |
US6493347B2 (en) * | 1996-12-16 | 2002-12-10 | Juniper Networks, Inc. | Memory organization in a switching device |
US6791947B2 (en) | 1996-12-16 | 2004-09-14 | Juniper Networks | In-line packet processing |
US5818939A (en) | 1996-12-18 | 1998-10-06 | Intel Corporation | Optimized security functionality in an electronic system |
US6111858A (en) | 1997-02-18 | 2000-08-29 | Virata Limited | Proxy-controlled ATM subnetwork |
US6069957A (en) | 1997-03-07 | 2000-05-30 | Lucent Technologies Inc. | Method and apparatus for providing hierarchical key system in restricted-access television system |
US6101255A (en) | 1997-04-30 | 2000-08-08 | Motorola, Inc. | Programmable cryptographic processing system and method |
US6003135A (en) | 1997-06-04 | 1999-12-14 | Spyrus, Inc. | Modular security device |
US5796744A (en) | 1997-09-12 | 1998-08-18 | Lockheed Martin Corporation | Multi-node interconnect topology with nodes containing SCI link controllers and gigabit transceivers |
US6704871B1 (en) | 1997-09-16 | 2004-03-09 | Safenet, Inc. | Cryptographic co-processor |
US6708273B1 (en) | 1997-09-16 | 2004-03-16 | Safenet, Inc. | Apparatus and method for implementing IPSEC transforms within an integrated circuit |
JPH11109856A (en) | 1997-09-30 | 1999-04-23 | Matsushita Electric Ind Co Ltd | Decoding apparatus |
US6216167B1 (en) | 1997-10-31 | 2001-04-10 | Nortel Networks Limited | Efficient path based forwarding and multicast forwarding |
US6226710B1 (en) * | 1997-11-14 | 2001-05-01 | Utmc Microelectronic Systems Inc. | Content addressable memory (CAM) engine |
US6378072B1 (en) | 1998-02-03 | 2002-04-23 | Compaq Computer Corporation | Cryptographic system |
US6295604B1 (en) | 1998-05-26 | 2001-09-25 | Intel Corporation | Cryptographic packet processing unit |
US6157955A (en) | 1998-06-15 | 2000-12-05 | Intel Corporation | Packet processing system including a policy engine having a classification unit |
US6269163B1 (en) | 1998-06-15 | 2001-07-31 | Rsa Security Inc. | Enhanced block ciphers with data-dependent rotations |
US6862278B1 (en) | 1998-06-18 | 2005-03-01 | Microsoft Corporation | System and method using a packetized encoded bitstream for parallel compression and decompression |
US6189100B1 (en) * | 1998-06-30 | 2001-02-13 | Microsoft Corporation | Ensuring the integrity of remote boot client data |
WO2000003256A1 (en) | 1998-07-08 | 2000-01-20 | Broadcom Corporation | Network switch utilizing packet based per head-of-line blocking prevention |
US6320964B1 (en) | 1998-08-26 | 2001-11-20 | Intel Corporation | Cryptographic accelerator |
US6393026B1 (en) | 1998-09-17 | 2002-05-21 | Nortel Networks Limited | Data packet processing system and method for a router |
US6519636B2 (en) * | 1998-10-28 | 2003-02-11 | International Business Machines Corporation | Efficient classification, manipulation, and control of network transmissions by associating network flows with rule based functions |
US6347143B1 (en) | 1998-12-15 | 2002-02-12 | Philips Electronics No. America Corp. | Cryptographic device with encryption blocks connected parallel |
CA2257008C (en) | 1998-12-24 | 2007-12-11 | Certicom Corp. | A method for accelerating cryptographic operations on elliptic curves |
US20020057796A1 (en) | 1998-12-24 | 2002-05-16 | Lambert Robert J. | Method for accelerating cryptographic operations on elliptic curves |
US6295602B1 (en) | 1998-12-30 | 2001-09-25 | Spyrus, Inc. | Event-driven serialization of access to shared resources |
US6760444B1 (en) * | 1999-01-08 | 2004-07-06 | Cisco Technology, Inc. | Mobile IP authentication |
US6529508B1 (en) * | 1999-02-01 | 2003-03-04 | Redback Networks Inc. | Methods and apparatus for packet classification with multiple answer sets |
US6484257B1 (en) * | 1999-02-27 | 2002-11-19 | Alonzo Ellis | System and method for maintaining N number of simultaneous cryptographic sessions using a distributed computing environment |
US7086086B2 (en) | 1999-02-27 | 2006-08-01 | Alonzo Ellis | System and method for maintaining N number of simultaneous cryptographic sessions using a distributed computing environment |
US6701432B1 (en) | 1999-04-01 | 2004-03-02 | Netscreen Technologies, Inc. | Firewall including local bus |
US6349405B1 (en) | 1999-05-18 | 2002-02-19 | Solidum Systems Corp. | Packet classification state machine |
US6490556B2 (en) * | 1999-05-28 | 2002-12-03 | Intel Corporation | Audio classifier for half duplex communication |
US6751728B1 (en) * | 1999-06-16 | 2004-06-15 | Microsoft Corporation | System and method of transmitting encrypted packets through a network access point |
US6477646B1 (en) | 1999-07-08 | 2002-11-05 | Broadcom Corporation | Security chip architecture and implementations for cryptography acceleration |
US20030014627A1 (en) | 1999-07-08 | 2003-01-16 | Broadcom Corporation | Distributed processing in a cryptography acceleration chip |
US7996670B1 (en) | 1999-07-08 | 2011-08-09 | Broadcom Corporation | Classification engine in a cryptography acceleration chip |
GB2353676A (en) | 1999-08-17 | 2001-02-28 | Hewlett Packard Co | Robust encryption and decryption of packetised data transferred across communications networks |
US6751677B1 (en) | 1999-08-24 | 2004-06-15 | Hewlett-Packard Development Company, L.P. | Method and apparatus for allowing a secure and transparent communication between a user device and servers of a data access network system via a firewall and a gateway |
DE60007543D1 (en) | 1999-10-20 | 2004-02-05 | Aep Systems Ltd | CRYPTOGRAPHIC ACCELERATOR |
US6327625B1 (en) * | 1999-11-30 | 2001-12-04 | 3Com Corporation | FIFO-based network interface supporting out-of-order processing |
US7005733B2 (en) | 1999-12-30 | 2006-02-28 | Koemmerling Oliver | Anti tamper encapsulation for an integrated circuit |
ATE319249T1 (en) | 2000-01-27 | 2006-03-15 | Ibm | METHOD AND DEVICE FOR CLASSIFICATION OF DATA PACKETS |
US6983366B1 (en) | 2000-02-14 | 2006-01-03 | Safenet, Inc. | Packet Processor |
US6983374B2 (en) | 2000-02-14 | 2006-01-03 | Kabushiki Kaisha Toshiba | Tamper resistant microprocessor |
US7039641B2 (en) | 2000-02-24 | 2006-05-02 | Lucent Technologies Inc. | Modular packet classification |
US6971021B1 (en) | 2000-03-08 | 2005-11-29 | Rainbow Technologies, Inc. | Non-wire contact device application for cryptographic module interfaces |
US7177421B2 (en) | 2000-04-13 | 2007-02-13 | Broadcom Corporation | Authentication engine architecture and method |
US6807183B1 (en) | 2000-05-09 | 2004-10-19 | Advanced Micro Devices, Inc. | Arrangement for reading a prescribed location of a FIFO buffer in a network switch port |
US6820105B2 (en) | 2000-05-11 | 2004-11-16 | Cyberguard Corporation | Accelerated montgomery exponentiation using plural multipliers |
JP4955182B2 (en) | 2000-05-15 | 2012-06-20 | サンディスク アイエル リミテッド | Integer calculation field range extension |
US6778495B1 (en) | 2000-05-17 | 2004-08-17 | Cisco Technology, Inc. | Combining multilink and IP per-destination load balancing over a multilink bundle |
US7075926B2 (en) | 2000-05-24 | 2006-07-11 | Alcatel Internetworking, Inc. (Pe) | Programmable packet processor with flow resolution logic |
US7062657B2 (en) | 2000-09-25 | 2006-06-13 | Broadcom Corporation | Methods and apparatus for hardware normalization and denormalization |
US20020078342A1 (en) | 2000-09-25 | 2002-06-20 | Broadcom Corporation | E-commerce security processor alignment logic |
US20030058274A1 (en) | 2000-11-17 | 2003-03-27 | Jake Hill | Interface device |
US7003118B1 (en) | 2000-11-27 | 2006-02-21 | 3Com Corporation | High performance IPSEC hardware accelerator for packet classification |
US7502463B2 (en) | 2000-12-13 | 2009-03-10 | Broadcom Corporation | Methods and apparatus for implementing a cryptography engine |
US7280540B2 (en) | 2001-01-09 | 2007-10-09 | Stonesoft Oy | Processing of data packets within a network element cluster |
US6996842B2 (en) | 2001-01-30 | 2006-02-07 | Intel Corporation | Processing internet protocol security traffic |
US7266703B2 (en) | 2001-06-13 | 2007-09-04 | Itt Manufacturing Enterprises, Inc. | Single-pass cryptographic processor and method |
US7017042B1 (en) | 2001-06-14 | 2006-03-21 | Syrus Ziai | Method and circuit to accelerate IPSec processing |
US7861104B2 (en) | 2001-08-24 | 2010-12-28 | Broadcom Corporation | Methods and apparatus for collapsing interrupts |
US6909713B2 (en) | 2001-09-05 | 2005-06-21 | Intel Corporation | Hash-based data frame distribution for web switches |
CN100379194C (en) | 2001-10-03 | 2008-04-02 | Nxp股份有限公司 | Memory encryption |
US7248585B2 (en) | 2001-10-22 | 2007-07-24 | Sun Microsystems, Inc. | Method and apparatus for a packet classifier |
US6715085B2 (en) | 2002-04-18 | 2004-03-30 | International Business Machines Corporation | Initializing, maintaining, updating and recovering secure operation within an integrated system employing a data access control function |
US7650510B2 (en) | 2002-04-30 | 2010-01-19 | General Dynamics Advanced Information Systems, Inc. | Method and apparatus for in-line serial data encryption |
US20040039936A1 (en) | 2002-08-21 | 2004-02-26 | Yi-Sern Lai | Apparatus and method for high speed IPSec processing |
US7369657B2 (en) | 2002-11-14 | 2008-05-06 | Broadcom Corporation | Cryptography accelerator application program interface |
US20040123123A1 (en) | 2002-12-18 | 2004-06-24 | Buer Mark L. | Methods and apparatus for accessing security association information in a cryptography accelerator |
US7434043B2 (en) | 2002-12-18 | 2008-10-07 | Broadcom Corporation | Cryptography accelerator data routing unit |
US20040123120A1 (en) | 2002-12-18 | 2004-06-24 | Broadcom Corporation | Cryptography accelerator input interface data handling |
US7568110B2 (en) | 2002-12-18 | 2009-07-28 | Broadcom Corporation | Cryptography accelerator interface decoupling from cryptography processing cores |
US7191341B2 (en) | 2002-12-18 | 2007-03-13 | Broadcom Corporation | Methods and apparatus for ordering data in a cryptography accelerator |
2000
- 2000-07-06 US US09/610,722 patent/US7996670B1/en not_active Expired - Fee Related
- 2000-07-06 US US09/610,798 patent/US7600131B1/en not_active Expired - Fee Related
- 2000-07-07 AU AU63425/00A patent/AU6342500A/en not_active Abandoned
- 2000-07-07 EP EP00950302A patent/EP1192782B1/en not_active Expired - Lifetime
- 2000-07-07 AT AT00950299T patent/ATE360317T1/en not_active IP Right Cessation
- 2000-07-07 WO PCT/US2000/018617 patent/WO2001005087A2/en active IP Right Grant
- 2000-07-07 WO PCT/US2000/018537 patent/WO2001005086A2/en active IP Right Grant
- 2000-07-07 AU AU63422/00A patent/AU6342200A/en not_active Abandoned
- 2000-07-07 DE DE60036284T patent/DE60036284T2/en not_active Expired - Lifetime
- 2000-07-07 AT AT00950302T patent/ATE372636T1/en not_active IP Right Cessation
- 2000-07-07 DE DE60034453T patent/DE60034453T2/en not_active Expired - Lifetime
- 2000-07-07 EP EP00950299A patent/EP1192781B1/en not_active Expired - Lifetime
2002
- 2002-08-12 US US10/218,206 patent/US20030023846A1/en not_active Abandoned
Non-Patent Citations (8)
Title |
---|
3COM: "3Com Launches New Era of Network Connectivity" 3COM PRESS RELEASE, 14 June 1999 (1999-06-14), XP002163286 Santa Clara, CA * |
ANALOG DEVICES: "Analog Devices and IRE announce first DSP-based internet security system-on-a-chip (ADSP2141)" ANALOG DEVICES PRESS RELEASE, [Online] 19 January 1999 (1999-01-19), XP002163285 Nordwood, Ma Retrieved from the Internet: <URL:http://content.analog.com/pressrelease/prdisplay/0,1622,16,00.html> [retrieved on 2001-03-20] * |
E. SMIRNI, E. ROSTI, L.W. DOWDY, G. SERAZZI: "Evaluation of multiprocessor allocation policies" TECHNICAL REPORT, VANDERBILT UNIVERSITY, [Online] 1993, XP002163346 Retrieved from the Internet: <URL:http://citeseer.nj.nec.com/smirni93evaluation.html> [retrieved on 2001-03-20] * |
KEROMYTIS A D ET AL: "IMPLEMENTING IPSEC" GLOBAL TELECOMMUNICATIONS CONFERENCE (GLOBECOM),US,NEW YORK, IEEE, 3 November 1997 (1997-11-03), pages 1948-1952, XP000737854 ISBN: 0-7803-4199-6 * |
PIERSON L G ET AL: "CONTEXT-AGILE ENCRYPTION FOR HIGH SPEED COMMUNICATION NETWORKS" COMPUTER COMMUNICATIONS REVIEW,US,ASSOCIATION FOR COMPUTING MACHINERY. NEW YORK, vol. 29, no. 1, January 1999 (1999-01), pages 35-49, XP000823872 ISSN: 0146-4833 * |
SHOLANDER P ET AL: "THE EFFECT OF ALGORITHM-AGILE ENCRYPTION ON ATM QUALITY OF SERVICE" GLOBAL TELECOMMUNICATIONS CONFERENCE (GLOBECOM),US,NEW YORK, IEEE, 3 November 1997 (1997-11-03), pages 470-474, XP000737578 ISBN: 0-7803-4199-6 * |
TARMAN T D ET AL: "Algorithm-agile encryption in ATM networks" COMPUTER, SEPT. 1998, IEEE COMPUT. SOC, USA, vol. 31, no. 9, pages 57-64, XP002163283 ISSN: 0018-9162 * |
WASSAL A G ET AL: "A VLSI architecture for ATM algorithm-agile encryption" PROCEEDINGS NINTH GREAT LAKES SYMPOSIUM ON VLSI, PROCEEDINGS NINTH GREAT LAKES SYMPOSIUM ON VLSI, YPSILANTI, MI, USA, 4-6 MARCH 1999, pages 325-328, XP002163284 1999, Los Alamitos, CA, USA, IEEE Comput. Soc, USA ISBN: 0-7695-0104-4 * |
Cited By (73)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001086430A3 (en) * | 2000-05-11 | 2002-10-17 | Netoctave Inc | Cryptographic data processing systems, computer programs, and methods of operating same |
WO2001086430A2 (en) * | 2000-05-11 | 2001-11-15 | Netoctave, Inc. | Cryptographic data processing systems, computer programs, and methods of operating same |
WO2002051099A3 (en) * | 2000-12-19 | 2003-05-15 | Qualcomm Inc | Method and system to accelerate cryptographic functions for secure e-commerce applications using cpu and dsp to calculate the cryptographic functions |
US7305092B2 (en) | 2000-12-19 | 2007-12-04 | Qualcomm Incorporated | Method and system to accelerate cryptographic functions for secure e-commerce applications |
WO2002051099A2 (en) * | 2000-12-19 | 2002-06-27 | Qualcomm Incorporated | Method and system to accelerate cryptographic functions for secure e-commerce applications using cpu and dsp to calculate the cryptographic functions |
US7447902B2 (en) | 2001-01-24 | 2008-11-04 | Broadcom Corporation | Method for processing multiple wireless communications security policies |
US7457947B2 (en) | 2001-01-24 | 2008-11-25 | Broadcom Corporation | System for processing multiple wireless communications security policies |
US7174452B2 (en) | 2001-01-24 | 2007-02-06 | Broadcom Corporation | Method for processing multiple security policies applied to a data packet structure |
WO2002060150A3 (en) * | 2001-01-24 | 2003-03-13 | Broadcom Corp | Method for processing multiple security policies applied to a data packet structure |
US8010781B2 (en) | 2001-04-05 | 2011-08-30 | Qualcomm Incorporated | Method and system to accelerate cryptographic functions for secure E-commerce applications |
EP1292082A2 (en) * | 2001-07-24 | 2003-03-12 | Cavium Networks Inc. | Method and apparatus for establishing secure session |
US7240203B2 (en) | 2001-07-24 | 2007-07-03 | Cavium Networks, Inc. | Method and apparatus for establishing secure sessions |
EP1282025A2 (en) * | 2001-07-24 | 2003-02-05 | Cavium Networks Inc. | An interface for a security coprocessor |
EP1282025A3 (en) * | 2001-07-24 | 2005-07-20 | Cavium Networks Inc. | An interface for a security coprocessor |
EP1292082A3 (en) * | 2001-07-24 | 2005-07-20 | Cavium Networks Inc. | Method and apparatus for establishing secure session |
EP1288783A2 (en) * | 2001-08-24 | 2003-03-05 | Broadcom Corporation | Methods and apparatus for collapsing interrupts |
EP1288783A3 (en) * | 2001-08-24 | 2006-05-31 | Broadcom Corporation | Methods and apparatus for collapsing interrupts |
US7370352B2 (en) | 2001-09-06 | 2008-05-06 | Intel Corporation | Techniques for storing and retrieving security information corresponding to cryptographic operations to support cryptographic processing for multiple network traffic streams |
WO2003024058A1 (en) * | 2001-09-06 | 2003-03-20 | Intel Corporation | Techniques for offloading cryptographic processing for multiple network traffic streams |
US8189591B2 (en) | 2001-10-30 | 2012-05-29 | Exar Corporation | Methods, systems and computer program products for packet ordering for parallel packet transform processing |
WO2003039093A3 (en) * | 2001-10-30 | 2003-07-17 | Netoctave Inc | Method and system for packet ordering for parallel packet transform processing |
AU2002230808B2 (en) * | 2001-10-30 | 2008-10-30 | Hi/Fn, Inc. | Method and system for packet ordering for parallel packet transform processing |
WO2003039093A2 (en) | 2001-10-30 | 2003-05-08 | Hi/Fn, Inc. | Method and system for packet ordering for parallel packet transform processing |
JP2009081897A (en) * | 2001-12-21 | 2009-04-16 | Agere Systems Inc | Processor maintaining sequence of packet processing on the basis of packet flow identifiers |
KR100945103B1 (en) | 2001-12-21 | 2010-03-02 | 에이저 시스템즈 인크 | Processor with packet processing order maintenance based on packet flow identifiers |
EP1326400A2 (en) * | 2001-12-21 | 2003-07-09 | Agere Systems Inc. | Processor with packet processing order maintenance based on packet flow identifiers |
US7088719B2 (en) | 2001-12-21 | 2006-08-08 | Agere Systems Inc. | Processor with packet processing order maintenance based on packet flow identifiers |
EP1326400A3 (en) * | 2001-12-21 | 2004-03-24 | Agere Systems Inc. | Processor with packet processing order maintenance based on packet flow identifiers |
FR2834361A1 (en) * | 2001-12-28 | 2003-07-04 | Bull Sa | DATA SECURITY MODULE BY ENCRYPTION / DECRYPTION AND / OR SIGNATURE / VERIFICATION OF SIGNATURE |
US7437569B2 (en) | 2001-12-28 | 2008-10-14 | Bull, S.A. | Module for secure management of digital date by encryption/decryption and/or signature/verification of signature which can be used for dedicated servers |
EP1324175A1 (en) | 2001-12-28 | 2003-07-02 | Bull S.A. | Module for securing data by encryption/decryption and/or signature/verification of signature |
EP1328104A3 (en) * | 2002-01-10 | 2005-10-19 | Broadcom Corporation | System on a chip for network storage devices |
EP1328104A2 (en) | 2002-01-10 | 2003-07-16 | Broadcom Corporation | System on a chip for network storage devices |
US7246245B2 (en) | 2002-01-10 | 2007-07-17 | Broadcom Corporation | System on a chip for network storage devices |
US7299350B2 (en) * | 2002-01-17 | 2007-11-20 | Intel Corporation | Internet protocol security decryption with secondary use speculative interrupts |
US7305567B1 (en) | 2002-03-01 | 2007-12-04 | Cavium Networks, Inc. | Decoupled architecture for data ciphering operations |
WO2003075520A3 (en) * | 2002-03-05 | 2004-03-04 | Ibm | Method and system for ordered dynamic distribution of packet flows over network processors |
CN100440851C (en) * | 2002-03-05 | 2008-12-03 | 国际商业机器公司 | Method and systems for ordered dynamic distribution of packet flows over network processing means |
WO2003075520A2 (en) * | 2002-03-05 | 2003-09-12 | International Business Machines Corporation | Method and system for ordered dynamic distribution of packet flows over network processors |
US7359318B2 (en) | 2002-03-05 | 2008-04-15 | International Business Machines Corporation | Method and systems for ordered dynamic distribution of packet flows over network processing means |
WO2003088072A1 (en) * | 2002-04-11 | 2003-10-23 | Hi/Fn, Inc. | Processing a packet using multiple pipelined processing modules |
AU2003226286B2 (en) * | 2002-04-11 | 2010-03-04 | Exar Corporation | Processing a packet using multiple pipelined processing modules |
US8599846B2 (en) | 2002-08-13 | 2013-12-03 | Cisco Technology, Inc. | Communicating in voice and data communications systems |
US8023507B2 (en) | 2002-08-13 | 2011-09-20 | Starent Networks Llc | Card to card communications in voice and data communications systems |
WO2004016034A1 (en) * | 2002-08-13 | 2004-02-19 | Starent Networks Corporation | Communicating in voice and data communications systems |
US8055895B2 (en) | 2002-12-05 | 2011-11-08 | Broadcom Corporation | Data path security processing |
US9015467B2 (en) | 2002-12-05 | 2015-04-21 | Broadcom Corporation | Tagging mechanism for data path security processing |
EP1427133A3 (en) * | 2002-12-05 | 2006-05-17 | Broadcom Corporation | System, method and device for security processing of data packets |
US7587587B2 (en) | 2002-12-05 | 2009-09-08 | Broadcom Corporation | Data path security processing |
EP1427133A2 (en) * | 2002-12-05 | 2004-06-09 | Broadcom Corporation | System, method and device for security processing of data packets |
US7454610B2 (en) | 2002-12-31 | 2008-11-18 | Broadcom Corporation | Security association updates in a packet load-balanced system |
EP1435716A2 (en) * | 2002-12-31 | 2004-07-07 | Broadcom Corporation | Security association updates in a packet load-balanced system |
EP1435716A3 (en) * | 2002-12-31 | 2005-06-22 | Broadcom Corporation | Security association updates in a packet load-balanced system |
WO2004080026A1 (en) * | 2003-03-04 | 2004-09-16 | Lukas Wunner | Method, system and storage medium for introducing data network accessibility information |
US8321687B2 (en) | 2003-11-28 | 2012-11-27 | Bull S.A.S. | High speed cryptographic system with modular architecture |
US7412726B1 (en) * | 2003-12-08 | 2008-08-12 | Advanced Micro Devices, Inc. | Method and apparatus for out of order writing of status fields for receive IPsec processing |
US9106625B2 (en) | 2004-03-02 | 2015-08-11 | Advanced Micro Devices, Inc. | Two parallel engines for high speed transmit IPSEC processing |
GB2427806A (en) * | 2004-03-02 | 2007-01-03 | Advanced Micro Devices Inc | Two parallel engines for high speed transmit IPSEC processing |
JP2007526718A (en) * | 2004-03-02 | 2007-09-13 | アドバンスト・マイクロ・ディバイシズ・インコーポレイテッド | Two parallel engines for high-speed transmission IPsec processing |
WO2005086461A1 (en) * | 2004-03-02 | 2005-09-15 | Advanced Micro Devices, Inc. | Two parallel engines for high speed transmit ipsec processing |
US7685434B2 (en) | 2004-03-02 | 2010-03-23 | Advanced Micro Devices, Inc. | Two parallel engines for high speed transmit IPsec processing |
KR101110289B1 (en) * | 2004-03-02 | 2012-02-15 | 어드밴스드 마이크로 디바이시즈, 인코포레이티드 | Two parallel engines for high speed transmit ipsec processing |
GB2427806B (en) * | 2004-03-02 | 2007-11-21 | Advanced Micro Devices Inc | Two parallel engines for high speed transmit IPSEC processing |
WO2005112395A1 (en) * | 2004-05-06 | 2005-11-24 | Advanced Micro Devices, Inc. | Network interface with security association data prefetch for high speed offloaded security processing |
US7502474B2 (en) * | 2004-05-06 | 2009-03-10 | Advanced Micro Devices, Inc. | Network interface with security association data prefetch for high speed offloaded security processing |
WO2006001917A1 (en) * | 2004-06-14 | 2006-01-05 | Intel Corporation | Method and apparatus to manage heterogeneous cryptographic operations |
US7624263B1 (en) | 2004-09-21 | 2009-11-24 | Advanced Micro Devices, Inc. | Security association table lookup architecture and method of operation |
WO2006052017A2 (en) * | 2004-11-12 | 2006-05-18 | Sony Computer Entertainment Inc. | Methods and apparatus for secure data processing and transmission |
US8001377B2 (en) | 2004-11-12 | 2011-08-16 | Sony Computer Entertainment Inc. | Methods and apparatus for secure data processing and transmission |
WO2006052017A3 (en) * | 2004-11-12 | 2006-08-24 | Sony Computer Entertainment Inc | Methods and apparatus for secure data processing and transmission |
US7502928B2 (en) | 2004-11-12 | 2009-03-10 | Sony Computer Entertainment Inc. | Methods and apparatus for secure data processing and transmission |
EP3514723A1 (en) * | 2004-11-12 | 2019-07-24 | Sony Interactive Entertainment Inc. | Methods and apparatus for secure data processing and transmission |
US11436375B2 (en) | 2017-01-31 | 2022-09-06 | Huawei Technologies Co., Ltd. | Processing device for reducing a load on a system bus |
Also Published As
Publication number | Publication date |
---|---|
DE60036284D1 (en) | 2007-10-18 |
WO2001005086A3 (en) | 2001-12-06 |
AU6342500A (en) | 2001-01-30 |
US7600131B1 (en) | 2009-10-06 |
ATE372636T1 (en) | 2007-09-15 |
DE60036284T2 (en) | 2008-05-29 |
WO2001005087A3 (en) | 2001-10-18 |
EP1192781B1 (en) | 2007-04-18 |
EP1192781A2 (en) | 2002-04-03 |
ATE360317T1 (en) | 2007-05-15 |
DE60034453T2 (en) | 2007-11-08 |
WO2001005087A2 (en) | 2001-01-18 |
EP1192782B1 (en) | 2007-09-05 |
EP1192782A2 (en) | 2002-04-03 |
DE60034453D1 (en) | 2007-05-31 |
AU6342200A (en) | 2001-01-30 |
US20030023846A1 (en) | 2003-01-30 |
US7996670B1 (en) | 2011-08-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7600131B1 (en) | Distributed processing in a cryptography acceleration chip | |
US20030014627A1 (en) | Distributed processing in a cryptography acceleration chip | |
US7685436B2 (en) | System and method for a secure I/O interface | |
US7017042B1 (en) | Method and circuit to accelerate IPSec processing | |
Shah | Understanding network processors | |
US7577758B2 (en) | Hardware support for wire-speed, stateful matching and filtration of network traffic | |
EP1435716B1 (en) | Security association updates in a packet load-balanced system | |
EP1791060B1 (en) | Apparatus performing network processing functions | |
JP5074558B2 (en) | Network processing using IPSec | |
US7290134B2 (en) | Encapsulation mechanism for packet processing | |
US20090240874A1 (en) | Framework for user-level packet processing | |
US11489773B2 (en) | Network system including match processing unit for table-based actions | |
Miltchev et al. | A study of the relative costs of network security protocols | |
US8438641B2 (en) | Security protocol processing for anti-replay protection | |
US7188250B1 (en) | Method and apparatus for performing network processing functions | |
US7603549B1 (en) | Network security protocol processor and method thereof | |
WO2004059448A2 (en) | Packet inspection | |
Güvensan et al. | Protocol Independent Lightweight Secure Communication. | |
Tan et al. | A 10 Gbit/s IPSec Gateway Implementation | |
Brooker | An IPsec Gateway Based on the Intel IXP2400 Network Processor | |
Framework et al. | Network Processors | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AK | Designated states | Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | WWE | Wipo information: entry into national phase | Ref document number: 2000950299 Country of ref document: EP |
| | AK | Designated states | Kind code of ref document: A3 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A3 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | WWP | Wipo information: published in national office | Ref document number: 2000950299 Country of ref document: EP |
| | REG | Reference to national code | Ref country code: DE Ref legal event code: 8642 |
| | NENP | Non-entry into the national phase | Ref country code: JP |
| | WWG | Wipo information: grant in national office | Ref document number: 2000950299 Country of ref document: EP |