TW589846B - Method and system for high-speed processing IPSec security protocol packets - Google Patents

Abstract

A packet processing system is embodied on an ASIC is optimized for processing IPSec security protocol packets in a hardware configuration. Embedded RISC processors operate with hardware support modules providing for IPSec packet processing at OC24 data rates and greater. IPSec packets are received through a streaming interface and buffered in an external memory. When the entire packet is in external memory, portions are buffered in a local memory for crypto-processing. As portions of the packets complete processing, the portions are buffered to an output portion of the external memory associated with the channel. When an entire packet competes processing, portions are buffered to a local memory for streaming. The hardware accordingly reduces the involvement of the RISC processors and significantly increases channel throughput providing for high-speed IPSec packet processing.

Description

589846 A7 _____ B7 _ V. Description of the invention (丨) j: Field of invention (please read the notes on the back before filling out this page) The present invention relates to the field of data communication, especially the Internet that implements confidentiality agreements Protocol (IP) communications, and especially the processing of IPSec confidentiality agreement packets to achieve high-speed privacy in IP networks. BACKGROUND OF THE INVENTION Confidentiality agreements are widely used in modern communications to provide confidentiality between different physical, logical, or virtual media. One of the purposes of the confidentiality agreement is with regard to information hiding. One such non-disclosure agreement is the confidentiality of the standard iPSec network protocols described in "Required Notes" (RFC) 2401, 2402, and 2406. The IPSec protocol may be implemented in a tunnel mode or a transmission mode. In a typical tunnel mode, unilaterally-arranged addresses are used to arrange a "tunnel" between two nodes passing through the network. Tunneling enables the network to transmit data over another network link, compressing the packet protocols carried by the second network. For example, the links between relay stations on the Internet are independently managed and are often transparent to the end stations. For example, IPSec confidential agreement communications can be established between separate locations in an organization to help protect data communications between the locations. The use of IPSec confidentiality enables a group of people to establish a confidential virtual private network (VPN). One of the difficulties in handling confidentiality agreement packets such as IPSec, which is difficult to meet the processing requirements of high-speed packet communication. Basically, outbound packets must be compressed according to the requirements of IPSec, and inbound IPSec packets must be uncompressed. For example, the IPSec packet processing implemented in a typical software processing system, such as ____3_ which is satisfactory for many networks. This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 --_____ B7____ 5 2. Description of the invention (>) For OC24 level communication, it is not easy to achieve. In the coming future, for example, in broadband communication networks, for example, IPSec communication is expected to achieve the OC192 data transmission rate. What is needed is a system and method that can provide improved IPSec packet processing. There is also a need for a system and method that can provide IPSec packet processing at least OC24 data transmission rate. Also needed is a system and method for IPSec packet processing, which can achieve higher data transmission rates. Also needed is a special application integrated circuit (ASIC) capable of performing high-speed processing of IPSec packets. Summary of the Invention According to a preferred embodiment, a special application integrated circuit (ASIC) is provided to process IPSec confidentiality agreement packets. According to one of the preferred embodiments, the ASIC includes a first stream interface that communicates with the network processor through a stream interface, such as a SONET packet-third physical layer interface to receive the stream packet. The ASIC also includes an input buffer to store the streaming packet portion along with the packet control information, an encryption core engine to perform IPSec encryption operations on the packet, and a processed portion of the streaming packet. An output buffer, and a second stream interface for receiving a processed portion of the stream packet from the output buffer, and providing the IPSec packet processed by the network processor through the stream interface. According to a preferred embodiment, a channel is selected from a plurality of channels for processing streaming packets. The input buffer has a portion connected to each channel. According to this embodiment, the ASIC includes a plurality of RISC processing cores. Each processing core is connected to one of the channels and is connected through 4 ___-This paper size applies Chinese National Standard (CNS) A4 (210 x 297 public love) _____________, #i — (Please read the precautions on the back first (Fill in this page again) · i-line · 589846 A7 ____B7_ V. Description of the invention ()) The closed channel controls the processing of IPSec confidential agreement packets. According to a preferred embodiment, the transmitting direct memory access (DMA) interface receives the streamed confidential data packets, selects a channel for processing the streamed confidential data packets, and transmits the streamed confidential data packets to an external Memory. After all the parts of the streamed confidential data packet have been transferred to the external memory, an input DMA engine retrieves the parts of the streamed confidential data packet from the external memory. A first-in-first-out (FIFO) queue receives a stream of confidential data packets in a predetermined size block from the input DMA engine. These sections are reserved as part of the input FIFO allocated to the selected channel. An associative random access memory (RAM) receives a secret association database (SAD) entry associated with the selected channel. The SAD entry is retrieved from the external memory by the input DMA engine. When a packet can be processed, an input encryption DMA engine provides a block of confidential data packets to a processing engine for processing. As can be seen, any potential factors associated with accessing external memory are significantly reduced. According to this embodiment, the output part of the system includes: an output coded FIFO that receives the processed blocks of the sealed packet from the processing engine; an output DMA engine that sends the processed blocks of the sealed packet to the external output memory; And a receive (Rx) DMA interface, which retrieves the processed block of the sealed packet from the external output memory after all parts of the processed confidential data packet have been transferred to the external memory (158). The receive (Rx) DMA interface sends the processed blocks of the confidential data packet to the streaming interface for streaming. The receive (Rx) DMA interface preferably includes a plurality of registers for storing the length information of each of the processed confidential data packets. Receiving — ___5_ This paper size applies to China National Standard (CNS) A4 (210 X 297 mm) ---------------- (Please read the precautions on the back before filling this page ) · -Line · 589846 A7 __B7 _ V. Description of the invention (bucket) (Please read the precautions on the back before filling this page) (Rx) The DMA interface corresponds to the storage of the processed confidential data packet length information. Perform a retrieval operation. The associated RAM preferably includes a section that stores program status information about the selected channel. The transmit (Tx) DMA interface preferably selects the least busy channel based on the amount of buffer space available to the channel in external memory. When the sealed packet is an outbound IPSec sealed packet, when a part of the packet is buffered in the input FIFO, an external header and the IPSec header are added to the outbound IPSec sealed packet. When the sealed packet is an incoming IPSec sealed packet, an external header and the IPSec header are removed from the outgoing IPSec sealed packet before a part of the packet is buffered to the input FIFO. BRIEF DESCRIPTION OF THE DRAWINGS The invention is specifically defined by the scope of patent application. However, a more complete understanding of the present invention can be obtained by referring to the related drawings, referring to the detailed description and the scope of patent applications, where the same component reference symbols correspond to similar items throughout the drawings, and the drawings are suitable for illustration. A simplified functional block diagram of a system architecture for implementing a preferred embodiment of the present invention; FIG. 2 is a high-level simplified functional block diagram illustrating a packet processing system according to a preferred embodiment of the present invention; FIG. A detailed functional block diagram of a packet processing system; Figure 4 is a simplified flowchart illustrating processing of a packet according to a preferred embodiment of the present invention; Figure 5 is a diagram illustrating outgoing IPSec according to a preferred embodiment of the present invention — ____6_ This paper size applies China National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 ______B7 _ V. Simplified diagram of the description of the (S) data packet; Figure 6 illustrates the inbound IPSec data according to the preferred embodiment of the present invention A simplified diagram of a packet; FIG. 7 illustrates the security of an outbound IPSec data packet according to a preferred embodiment of the present invention A simplified example of the database entry; Figure 8 is a simplified flowchart illustrating the procedure for processing outgoing packets according to a preferred embodiment of the present invention; Figure 9 is a flowchart illustrating processing for inward packets according to a preferred embodiment of the present invention Simplified flowchart of the procedure; FIG. 10 illustrates a simplified example of a security association database entry for inwardly sending an IPSec data packet according to a preferred embodiment of the present invention. The example listed here illustrates one form of the preferred embodiment of the present invention, and this example is not intended to be limiting. Description of Symbols 50: IP data packets sent out 51: IP header 52: Upper Layer Protocol (ULP) field 5 3: User data column Upper layer field 54: Confidentiality Association Database (SAD) tag 55: IPSEC header 56 : Micro external title

57: MAC 58: Dark information 59: Control information _________7__ This paper size is applicable to China National Standard (CNS) A4 (21〇 X 297 mm) (Please read the precautions on the back before filling this page)

589846 A7 _B7_ V. & Explanation of invention 61: External title field

62: ULP (Please read the precautions on the back before filling out this page) 63: User Information 65 ·· IPSEC Title Field 66: IP Title Field Outward

67: MAC 68: Dark data field 69: Control information 100: Architecture 110: Main control bus 120: Main processor 130: Connected to network processor 140: Processing system 141: Interface 142: Pre-programmed sealed packet processing Subsystem 144: sealed packet processing subsystem 146: post-sealed packet processing system 148: controller subsystem 150: streaming interface 152: streaming interface 154: streaming interface 156: input external random access memory 158: Output external random access memory 306: Input DMA engine This paper size is applicable to Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 _B7_ V. Description of the invention (1) 308: Input FIFO 丨 Ning Lie 310: input encryption direct memory access engine (please read the precautions on the back before filling out this page) 312: input streaming interface 314: transmission (Tx) direct memory access interface 320: output encryption first in first out 丨Ning Lie 322: Output Direct Memory Access Engine 324: Receive (Rx) Direct Memory Access Interface 326: Streaming Interface 340: Encrypted Core Engine 342: Output Random Access Memory 352: Processing Core 354: Core Random Access Memory 350: Streaming controller 360: main interface 370: hardware accelerator 400: packet processing program 402: pre-programmed sealed packet processing operation 404: coded sealed packet processing operation 406: post-coded sealed packet processing operation 700: table 701: confidential association sequential number 702 : Secret-associated current byte counter 703: Keyword 705: Jumping flag specimen paper size applicable to Chinese National Standard (CNS) A4 (210 X 297 mm) 589846 A7 _____B7___ V. Description of the invention (<?) 708: SPI number 710: IV flag field 711: flag 712: index 713: tunnel source end address 714: destination end address 715: field 800: procedure 1000: SAD entry 1002: privacy policy serial number field 1004: IV Size field 1006: Flag field 1008: Hardware byte period field 1010: Hardware time period 1012: Keyword information indicator field 1014: RFU field 1016: Current byte period field 1018: SA Sequential Number Field Schematic Detailed Description The present invention particularly provides a system and method for improving IPSec packet processing. According to a preferred embodiment, a special application integrated circuit (ASIC) provides hardware acceleration of IPSec packet processing through the use of a new type of hardware architecture, a hardware acceleration engine, and a RISC processor core. IPSec processing is provided for both inbound and outbound packets. The IPSec of this invention _ίο _ This paper size is applicable to China National Standard (CNS) A4 specification (210 X 297 mm) (Please read the precautions on the back before filling this page)

589846 A7 ___ Β7 ___ V. Description of the Invention (Yah) (Please read the precautions on the back before filling this page) The packet processing system and method, which provide encryption, decryption, sending and inspection of OC24 full duplex and larger data packets . The IPSec packet processing system and method of the present invention also provide encryption and decryption operations using, for example, Data Encryption Standard (DES), Triple DES, or Advanced Encryption Standard (AES) algorithms. The IPSec packet processing system and method of the present invention also provide message authentication algorithms such as HMAC-MD5 and HMAC-SHA1. According to a preferred embodiment, the IPSec packet processing system and method of the present invention can be used to implement IPSec in a "tunnel" mode and a "transport" mode, and to implement a compression privacy agreement (ESP) and an authentication header (AH) agreement. Generally speaking, when the compression field of the IPSec AH packet is verified, the compression field of the IPSec ESP packet is encrypted and can be verified. The elements that implement the various embodiments of the present invention are illustrated in certain scenarios at the architectural level. Many elements can be constructed using well-known structures. The functionality and processing described herein are described in a way that enables the general functionality of the architecture's functionality and processing. Figure 1 is a simplified functional block diagram illustrating a system architecture suitable for implementing a preferred embodiment of the present invention. The architecture 100 includes a main processor 120 connected to a network processor 130 by a main control bus 110 also connected to the processing system 140. Although other bus forms are also suitable, the main control bus 110 is preferably a PCI bus. The processing system 140 is preferably a processing system optimal for performing IPSec processing. The processing system 140 is connected to the network processor 130 by a streaming interface 150. Although UTOPIA, LX SPI-4, and other interface formats are suitable, interface 150 is preferably a streaming interface in the form of a SONET packet / third physical layer (POS / PHY3). The IP data packet is ____ η ____ This paper size is applicable to the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 __ B7_ V. Description of the invention (P) Received and transmitted to the external network via the network processor 130. The network processor 130 provides data packets with outbound and inbound data that may require IPSec processing. In other words, the inbound incoming packets formatted for IPSec security are received by the network processor 130 and routed to the IPSEC processing system 140 via the streaming interface 150. The IPSEC processing system 140 performs IPSEC processing on the received incoming packet, and returns the processed packet to the network processor 130. Outbound packets formatted for IPSEC confidentiality and formatting are provided by the network processor 130, processed in the IPSEC processing system 14o, and sent back to the network processor 130 through the streaming interface 150. The streaming interface 150 includes a first streaming interface 152 (eg, a transmission (Tx) interface) through which a streaming packet is received by the processing system 140 and a second streaming interface through which the streaming packet is provided to the processing system 140 154 (eg, receive (Rx) interface). The main processor 120 is a processing system that communicates with the network processor 130 and the IPSEC processing system 140 through the bus 110. The bus 110 includes an interface 141 to the IPSec processing system 140. In addition, the main control bus 110 provides a communication path for packet processing with less time and urgency and a slower path function. These functions may include, for example, confidential association database (SAD) maintenance, packet removal, and other management functions related to IPSec processing performed in the processing system 140. The interface 150 is preferably a stream follower interface operating at a clock rate of about 133 MHz, and supports a bit rate throughput of at least 2.5 Gbps with full-duplex operation. The PCI interface 141 is preferably a 32-bit 66MHz PCI interface, which is used for maintenance operations including SAD entry, packet removal, and maximum _ _12_ This paper size applies to the Chinese National Standard (CNS) A4 specification (210 X 297 mm) (Please read the precautions on the back before filling out this page) Order · · Line-589846 A7 ___B7___ V. Description of the Invention (Η) The operation of the transmission unit violates the title operation of external memory management. (Please read the precautions on the back before filling out this page.) Figure 2 is a high-level simplified functional block diagram illustrating a packet processing system according to a preferred embodiment of the present invention. The processing system 140 includes a controller subsystem 148, a pre-programmed sealed packet processing subsystem 142, an edited sealed packet processing subsystem 144, and a post-programmed sealed packet processing system 146. When the shunt interface 154 provides processed packets from the system 140, the streaming interface 152 provides packets to be processed in the system 140. Controller subsystem 148 communicates with subsystems 142, 144, and 146 via internal buses. According to a preferred embodiment of the present invention, the pre-encapsulated packet processing system 142 receives packets from the network processor 130 through the streaming interface 152, and executes the packets required to prepare the packets for processing by the encapsulation packet processing system 144. Pre-processing. -• line- Generally used for outgoing IPSec packets, the pre-programmed sealed packet processing system 142 reads the SAD tag after reading the SAD entry corresponding to the channel of the area memory. A one-byte counter and sequential number are used to update the entry. It performs a packet existence time check and establishes an external IP header for outgoing IPSec packets. According to a preferred embodiment of the present invention, the processing system 140 generates an IPSEC confidentiality agreement packet sent out, and establishes an external IPSEC header before performing the encryption operation on the packet. The procedure for processing outgoing IPSec packets is described in detail in Figure 8 below. For incoming IPSec packets, that is, IPSec packets that include IPSec headers (among other things), the IPSEC processing system 140 parses the headers of the packets to locate the IPSEC headers, and performs a time-of-life check on the packets. In some cases, Changed fields in the title of "Zero to Zero" external IP, and submitting __ 13_____ This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 ___B7_ V. Description of the invention (A) (please first (Please read the note on the back and fill in this page) Before adding the packet to the encryption processing subsystem 144, add the encryption control information. The procedure for processing incoming IPSec packets is described in detail in Figure 9 below. The encrypted packet processing subsystem 144 performs an encryption operation on the IPSec packet on the IPSec packet sent out or in. For example, for packets sent out, encryption operations and / or signaling operations can be performed. For incoming packets, a decryption operation and / or a verification operation may be performed. Post-encapsulation packet processing subsystem operation 146. According to a preferred embodiment of the present invention, after the encapsulation packet processing subsystem 144 has processed the packet, , Perform IPSEC processing. For example, for outgoing packets, the number in the variable field (AH packet) of the external IP header is replaced, and the message verification code can be added before the packet is sent to the network processor 130 through the streaming interface 154. For example, for incoming packets, a SAD entry is read into the area memory, the message authentication code (MAC) is checked, and a privacy check is performed to check that for a particular tunnel, the internal IP source address is correct. In addition, for incoming packets, before the packets are sent to the network processor 130 through the streaming interface 154, a repetitive check is also performed. Firmware used to perform packet processing is preferably present in the controller subsystem 148. The procedures for processing inbound and outbound IPSec packets are described in detail in Figures 8 and 9 below. FIG. 3 is a detailed functional block diagram illustrating a packet processing system according to a preferred embodiment of the present invention. The input streaming interface 312 provides for receiving streaming packets from the network processor 130. Transmission (Tx) direct memory access (DMA) interface ____14 _ This paper size is applicable to the Chinese National Standard (CNS) A4 specification (210 x 297 mm) 589846 A7 ___B7___ 5. Description of the invention (〇) 314 Transmission stream packets to In external buffers, as shown by input external rAM 156. According to a preferred embodiment of the present invention, the Tx DMA interface 314 selects one of several channels for processing input data packets. The least busy channel is preferably selected based on the amount of buffer space available in the external memory (156). The input DMA 314 is a DMA engine that provides data packets from the input stream interface 312 to the input external ram 156 through several control registers accessed by the processing core 352. The input RAM arbiter 304 requires access to the external ram 156 from multiple sources including the main processor 120, the processing core 352, the input DMA, and allows access to the highest priority claimant. The input controller RAM 302 provides a memory bus protocol to read and write the input RAM 156. In operation, the Tx DMA interface 314 receives the stream confidential data packet, selects a channel for processing the stream confidential data packet, and transmits the stream confidential data packet to the external memory 156. When all the stream-preserving packets have been transferred to the external memory, the input DMA engine 306 retrieves a portion of the stream confidential data packets from the external memory. In other words, the engine packets stored in external memory will be retrieved before the DMA engine is input. The input first-in, first-out queue 308 receives a portion of the stream confidential data packet from the input DMA engine 306 in a predetermined byte size block. The packet block is left in the input first-in-first-out queue 308 assigned to the selected channel. The predetermined size of the data block is preferably 64 bytes, but other sizes are also suitable. Associative random access memory 308 receives the secret association database SAD entry for the selected channel. The SAD entry is retrieved from the external memory by the input DMA engine 306. Associated Random Access Memory 308 also stores its ____15_____ This paper size applies to Chinese National Standard (CNS) A4 (210 X 297 mm) (Please read the precautions on the back before filling this page). -Line · 589846 A7 _____ Β7_ V. Status information of the channel in the description of the invention (αγ) (Please read the precautions on the back before filling this page). The input encryption direct memory access engine 310 provides the confidential data packet block to the processing engine for processing. Associative random access memory 308, although shown as part of FIFO 308, is logically separable 'and can be implemented as a separate functional element. When the packet block is retrieved by the input encryption direct memory access engine 310, the input direct memory access engine 306 keeps the FIFO queue 308 full. The input direct memory access engine 306 provides data transmission from the random access memory 156 for each channel through a control register accessed by one of the processing cores 352. According to a preferred embodiment of the present invention, the pre-programmed sealed packet processing system 142 includes a plurality of input FIFO / associated random access memories 308, preferably each channel. The input engine 310 transmits data from the input first in, first out / associated random access memory 308 to the associated buffer of the encryption core engine 340. The data transmission of a specific channel is performed through the control register which is accessed by the processing core. Multiple independent channels are best used to process independent packets at the same time. According to the preferred embodiment, eight independent channels process forty packets, of which each channel processes five 64-bit packets simultaneously. It should be noted that the main advantage of the architecture illustrated in Figure 3 is that it is scalable, making it easy to architect to implement many channels. In the embodiment of the present invention, half of the channels are configured to send inward packets for processing, while the other half of the channels are configured to send out packets for processing, although any channel configuration may be appropriate. The input external random access memory 156 and the output external random access memory 158 are preferably 64-bit DDR-SDRAM components. The size of the paper is ___16______ and the Chinese National Standard (CNS) A4 specification (210 X 297 mm) (Centi) 589846 A7 _B7___ —__ 5. Description of the Invention (A) 133MHz or higher clock cycle is implemented to buffer the packets and store the confidentiality related to the packets. (Please read the precautions on the back before filling out this page) Each processing core 352 is preferably a 32-bit RISC processor core operating at least 20mHz. When a packet passes through the processing system, the firmware executed on the processing core coordinates the operations of various hardware components, including the IPSec packet processing operations described below. The encryption core engine 340 provides encryption, decryption, hashing, verification, and other functions performed on the IPSEC data packet. According to a preferred embodiment of the present invention, multiple parallel processing lines (e.g., channels) are used to receive a relatively high amount of communication. The encryption core engine 340 is connected to the input encryption direct memory access engine 31 and the output encryption first-in-first-out queue 320 by providing a streaming interface for each channel to buffer sufficient output I / O queues. According to the preferred embodiment of the present invention, the post-coded packet processing system 146 includes a plurality of output coded first-in-first-out queues 320, preferably for each channel. The post-sealed packet processing system 146 operates as described below. The output encryption first-in-first-out queue 320 receives the processed sealed packet block from the processing engine, and the output direct memory access engine 322 sends the processed sealed packet block to the external memory 158. The Rx direct memory access interface 324 After the processed confidential data packet has been transferred to the external output memory 158, the processed security packet block is retrieved from the external output memory 158. The Rx direct memory access interface 324 sends the processed confidential data packets to the streaming interface for streaming. The Rx direct memory access interface 324 preferably includes a plurality of registers each for storing length information of a plurality of processed confidential data packets. The Rx direct memory access interface 324 is from external memory 158, corresponding to a __17___ This paper size applies to China National Standard (CNS) A4 specifications (210 X 297 mm) 589846 A7 ___B7 ______ 5. Description of the invention (J) (Please (Please read the notes on the back before filling in this page.) The length information of the related processed confidential data packets can be stored. 'Perform the operation of retrieved processed packets. The output random access memory 342 provides a memory bank protocol ′ to read and write to the output external random access memory 158 ° random access memory 158 provides storage and buffering of the output data of each channel. The random access memory 158 also provides access to the data structure, which includes keywords and other data used by the encryption core engine 340 to perform encryption processing operations. Output The coded first-in-first-out queue 320 contains a memory component that retrieves processed data from the coded core engine. The output direct memory access engine 322 provides data transmission from the output first-in-first-out queue 320 to the external random access memory 158. Each channel is best handled by a separate control register accessed by the processing core. The output random access memory 328 provides the sharing of the output random access memory bandwidth between the encryption core engine 340 and the Rx direct memory access interface 324. line-

The Rx direct memory access interface 324 is based on the direct memory access engine, which provides data transmission from the output random access memory 158 to the output stream interface 156. Each stream channel is controlled by the access by the processing core. Register. When processing has been completed by the packet processing system 140, the streaming interface 326 provides a network processor to receive streaming data. Bus Protocol Provides confirmation of the channel number of the streaming data. The controller subsystem 148 includes a plurality of processing cores 352, which provide hardware control and memory data processing. According to a preferred embodiment of the present invention, the controller subsystem 148 also includes a plurality of code random access memories 354, each of which is associated with a particular processor core. Random access memory for each code ______18__ This paper size applies to China National Standard (CNS) A4 specification (210 X 297 public love) --- 589846 A7 ___B7 _ V. Description of the invention (1) Body 354 provided by processor core 352 Microcode execution. According to a preferred embodiment, each processor core 352 has an instruction bus controller 350 for accessing instructions, hardware control registers, and memory data. The hardware accelerator 370 provides hardware acceleration, such as checking and summing operations, preventing repeated operations, and the like. Hardware acceleration 370 provides hardware acceleration, which improves performance typically achievable in microcode. The main interface 360 provides read / write access to the structure register and the area random access memory by the external main processor 120. FIG. 4 is a simplified flowchart illustrating processing of a packet according to a preferred embodiment of the present invention. The packet processing program 400 includes a pre-edited sealed packet processing operation that performs step 402, a post-edited sealed packet processing operation that performs step 406, and a compiled-seal packet processing operation that performs step 404. According to a preferred embodiment of the present invention, the program 400 is executed by the packet processing system 140 (FIG. 1). Job 402 is preferably performed by pre-programmed sealed packet processing subsystem 142 (Figure 2), step 404 is preferably performed by edited sealed packet processing subsystem 144 (Figure 2), and step 406 is preferably performed by post-programmed sealing The packet processing subsystem 146 (Figure 2) is executed. In step 402, the packet is received from the network processor. Different operations are performed based on whether the packet is an outbound or inbound packet. For outgoing packets, the packet processing program 400 compresses the packets according to the implementation of the IPSEC encryption protocol. For incoming packets, the compression is removed. Figure 8 details the processing of outgoing packets, and Figure 9 details the processing of incoming packets. FIG. 5 is a simplified diagram illustrating outgoing IPSec data packets according to a preferred embodiment of the present invention. Initially, an IP data packet 50 sent out typically includes an IP header 51, an upper-layer agreement (ULP) column 52, and use_ 19___ This paper size applies the Chinese National Standard CCNS) A4 specification (210 X 297 mm) '' ( Please read the notes on the back before filling this page.) Order ·-; line · 589846 A7 ___B7_ V. Inventor's Note (β) Information Box 53. The upper layer protocol column 52 indicates, for example, a UDP or TCP / IP upper layer protocol. According to a preferred embodiment of the present invention, the security association database (SAD) tag 54 is pre-attached with an IP data packet before processing as shown in item 50A. During pre-sealed packet processing, compressed headers 55 and 56 are added to the packet, which are referred to as external headers 56 and IPSEC headers 55. The outgoing IP header 56 is collectively called the tunnel header. In processing step 404 (Figure 4), the user information 53, the IP title and the ULP 52 may be encrypted and / or verified, as shown in the dark information 58 in item 50C. The control information 59 is pre-attached with a complete IPSEC packet as shown in item 50c used by the system. A marker field (not shown) may also be included between the control information field 59 and the external title field 56. A verification code as shown in MAC 57 is also included as part of the complete IPSec packet. The procedure for processing outgoing IPSec packets is described in detail in Figure 8 below. FIG. 6 is a simplified diagram illustrating an inbound IPSec data packet according to a preferred embodiment of the present invention. The inbound IPSEC packet includes an IP header field 66, an IPSEC header field 65, and a dark data field 68 that are sent out. The external IP header 66 is collectively called a tunnel header. A verification code as shown in MAC 67 is also included as part of the complete IPSec packet. The control information 69 attaches a packet before the encryption processing. A marker field (not shown) may also be included before the external title field 66 in 60A and before the external title field 61 in 60C. After encrypting and processing the IPSEC data packets sent in, the dark data resulted in the erasure of the textual information of the IP header 61, ULP 62, and user data 63. As shown in packet 60C. As used here, the dark data is called compiled and verified data. _20 __ This paper size applies to China National Standard (CNS) A4 (210 X 297 mm). (Please read the note on the back first Please fill in this page again for matters) aj. --Line_ 589846 A7 ___B7___ 5. Description of invention (j), or only verified information. The procedure for processing incoming IPSec packets is described in detail in Figure 9 below. FIG. 7 illustrates a simplified example of a security association database entry for sending out IPSec data packets according to a preferred embodiment of the present invention. Although table 700 illustrates the specified locations of specific data elements, it should be understood that the specific data structure of table 700 is not a requirement of the present invention. In other words, the elements of table 700 can be distributed and stored in many different ways. According to the preferred embodiment of the present invention, the privacy policy established by the customer is expected to be able to communicate. This confidentiality policy is based on acceptable items such as source and destination addresses, ULPs, and allowable communication ports. The information is best stored in the privacy policy database (SPD), which is the secret related database (SAD) entry (Figure 10) that is expected and used to send packets into the past, and the confidential related database (packed in the past) SAD) entrance (Figure 7). The table 700 includes a security association sequential number 701 and a security association status byte counter 702. The keyword 703 is an 8-bit field for checking. The SAD entry specified by the network processor is a valid SAD entry. The jump flag 705 is set to confirm whether to copy the jump field from the SAD entry or the internal header of the packet. The flag 711 includes a repetition prevention flag, which confirms whether the SAD entry ends when a sequential number overflows, an agreement flag, which confirms whether the IPSEC protocol is an ESP or AH agreement, a network protocol version flag, which confirms Whether the tunnel IP address is an IPv4 or IPv6 address, and a hash flag indicating whether the hash operation is performed on the ESP packet. For example, in the case of an ESP packet, a MAC field will be added at the end of the packet. The flag 711 also includes a secret flag, which states that the ESP packet __ 21___ P-scale is applicable to the Chinese National Standard (CNS) A4 specification (210 X 297 mm) (Please read the precautions on the back before filling this page ) > aj · • .line-589846 A7 ___B7_ V. Description of the invention (/) (Please read the notes on the back before filling this page) Will it be compiled? Other flags may also be included in the flag field 711. The IV flag field 710 is preferably a two-bit field, which indicates the IV size and is valid when the secret flag is set. The SAD entry table 700 sent out also includes the SPI number 708, the index 712 of the key structure of the security association key, the tunnel source end address 713, the tunnel destination end address 714, and the field 715. Through the understanding of the following procedure 800 (Figure 8), the use of elements as shown in Table 700 will become apparent. -Line- FIG. 8 is a simplified flowchart illustrating a procedure for processing an outbound packet according to a preferred embodiment of the present invention. The program 800 is preferably executed by the processing system 140 in conjunction with the network processor 130 (Figure 1), although other hardware and firmware systems may be suitable. Generally speaking, the IP-encapsulated packet sent out from the network processor 130 first passes through the processing system 140 for IPSec processing. Although the program 800 is used to describe the implementation of the IPSec tunneling protocol to send outbound packets according to the preferred embodiment of the present invention, it should be understood that the present invention can be equally applicable to the realization of other tunneling technologies. In step 802, a security policy lookup is performed, and a security association database (SAD) entry address (e.g., a tag) is pre-attached to send out a packet. In addition, several tags can be pre-packed. Preferably, steps 802 and 804 of the program 800 are executed by the network processor 130, and step 804 after 832 (as described below) is executed by the processing system 140. In step 804, the network processor 130 sends the outbound IP-secured packet to the input stream interface, and in step 806, a channel is selected to process the packet. The best and least busy channel is chosen. The selected channel is used to process the entire packet and the packet is sent back to the network processor. --22__ This paper size applies Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 __; _B7_____ V. Description of the invention (correction) (Please read the precautions on the back before filling this page) The packet is first buffered and stored in external memory (for example, memory 156 in FIG. 3), and a part of the packet is allocated to each channel. Preferably, the memory is configured to hold at least two packets per channel. According to a preferred embodiment of the present invention, the packet size is determined by the maximum transmission unit (PMTU) size of the packet for a particular channel. According to a preferred embodiment, when all channels are too busy processing packets, the input streaming interface can regulate the network processor's traffic. In step 814, the SAD entry is checked by comparing the SAD entry address with a valid SAD address in advance and appending the data packet in advance. If the SAD entry is invalid, the packet is discarded (step 810), and the error is recorded (step 812). In step 816, a hardware deadline check on the SAD portal is preferably performed in conjunction with a software deadline check. Hardware expiration indicates that the keywords used for the encryption operation have been exceeded, while software expiration indicates that new keywords should be re-approved immediately. For software expiration, a message is sent to the network processor to re-verify the keywords. In the case of hardware expiration, the packet is discarded (step 810) and an error is recorded (step 812). Step 816 also performs hardware term byte counting. When the hardware deadline byte count exceeds, the packet is discarded (step 810) and an error is recorded (step 812). When the software byte count has been exceeded, a log entry can be created. Step 816 also includes calculating the total number of bytes sent out of the packet, which is used to increment the current byte count of the SAD entry. The total number of bytes preferably includes the additional bytes required for the compressed header constructed in steps 818 and 820 below. In the case of ESP packets, the current byte count is best marked by the ESP ___23____ This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 _ B7__ V. Description of the invention (〆) Additional length of questions to increase. After updating the SAD entry in step 816, the 'signal controller retrieves "maintenance" on the SAD entry. In step 818, the external IP header (such as the external header 56 in FIG. 5), which is called a tunnel header, is constructed using the information from the SAD entry. According to a preferred embodiment of the present invention, the external IP header (such as the tunnel header) includes the identification of the IP version, the address of the tunnel source end and the tunnel destination end, an IPSec protocol type, the length of the header, and the length of the charge. For IPv4 packets, the one-to-one checksum is calculated and written to the external header. For AH packets, the external header includes a change field, which is removed and stored in associative memory 308 (Figure 1). In step 820, an IPSec header (such as the external header 55 in FIG. 5) is constructed using information from the SAD entry. The IPSec header preferably includes at least a privacy policy sequence (SPI) number and an SA sequence number. Step 820 also includes pre-adding an IPSec header and an external IP header on the outgoing data packet. In addition, in step 802, a tag of an internal IP header is attached in advance, and an external IP title is attached together with a status field. The status field, for example, can be a 32-bit field used to indicate the success of an operation, and is updated later when an error occurs during processing. In step 822, a preliminary packet maximum transmission unit (PMTU) check is performed to determine whether the length of the packet exceeds the PMTU for the tunnel, including the external IP header and the IPSec header. If PMTU 値 is exceeded, the packet is best discarded. It is better that when the PMTU is exceeded, the sender of the packet will be notified, such as changing the PMTU length of the tunnel in a message. After step 822, the control information is pre-packed (for example, ____24_ in Figure 5) This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) (Please read the precautions on the back before filling this page) Order · Line _ 589846 A7 ______JB7_ V. Description of the invention (/ η) Control information). The control information includes the total packet length, byte offsets used to perform encryption and / or verification operations (e.g., encryption and / or hashing functions), flow direction, and indicators of confidentiality association (SA) keyword structure . The confidential association keyword structure includes keywords used for encryption and / or verification with confirmation of the encryption algorithm and verification algorithm information. The encryption algorithm can include, but is not limited to, DES, 3DES, and AES. The verification algorithm may include, but is not limited to, MD-5 and SHA-1. In step 824, the packet is processed in the packet processing subsystem, such as the sealed packet processing subsystem 144 (Figure 2). The encryption core engine 340 (Figure 3) notifies the input encryption direct memory access engine 340 (Figure 1) that it is ready to process packets on multiple channels. The input encryption direct memory access engine 340 (Figure 1) provides a packet encryption core engine 340 (Figure 3) packet block, which is buffered in the input FIFO queue 308, and the input direct memory access engine 306 operates to maintain The first-in-first-out queue 308 was full. Preferably, the packet is processed in one of the plurality of outgoing channels selected in step 806, and the packet is moved into a byte-sealed packet processing subsystem 144 in byte blocks (64-bit blocks). The pre-attached control information is used by the coding packet processing subsystem 144 to process packets. In the case of ESP packets, encryption operations are typically performed, and verification operations can be performed. In the case of AH packets, only one verification operation is typically performed. When the encoded packet processing subsystem 144 finishes processing each packet block, the processed block is sent to the output buffer. For example, the output encryption first-in-first-out queue 320 buffers each processed block, and the output direct memory access engine sends each processed block to the external random access memory 158. Best, advanced output coding _25____ This paper size is applicable to China National Standard (CNS) A4 (210 X 297 mm) (Please read the precautions on the back before filling this page) Order:; line _ 589846 A7 __ B7 V. Description of the invention (4) The queue 320 is first notified to the encryption core engine 34, and it is ready to receive the processed packet. In addition, the output encryption first-in-first-out queue 320 retrieves status information (including the variable field of the AH packet) from the associated random access memory and stores it in the area register. In step 826, the external IP header of the packet is updated. In the case of the AH packet, the variable field removed in step 818 is stored again. The total packet length is also retrieved from the internal IP packet. The processed packet blocks continue to be buffered and copied to the external buffer allocated to the channel. Preferably, an external memory such as external random access memory 158 (Figure 3) is used as an external buffer. The coded packet processing subsystem provides a status field, which is appended to the end of the complete packet and indicates when an error has been detected during processing. In step 828, the status field of the processed packet is checked, and when the status field indicates an error, the packet is discarded (step 810). When errors are pointed out, an error record is also preferably created (step 812). When an error is indicated, step 830 is performed. In step 830, the status field added after the first tag in step 802 is updated. The tags and information are sent to the network processor, indicating that, for example, the packet has been successfully processed completely. When no error is indicated, for ESP packets, a message authentication code (HMAC) is appended to the processed packet, and for AH packets, the HMAC is inserted into the header. When the entire processed packet is complete and transferred to the RAM 158, the processed packet block may then be transferred by the Rx DMA controller 324 to the streaming interface 326. In step 832, the packet is streamed to the network processor. 26 This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) (Please read the precautions on the back before filling out this page}-· 589846 A7 __B7___ 5. Description of the Invention (A) (Please read the notes on the back before filling out this page) For example, use the streaming interface 326 (Figure 1) to provide a portion of the processed packets to the streaming interface 326 When step 832 is completed, the packet is compressed according to a confidentiality agreement such as the IPSec confidentiality agreement. Figure 9 is a simplified flowchart illustrating a procedure for processing an incoming packet according to a preferred embodiment of the present invention. The procedure 900 is preferably processed. System 140 (Figure 1) is implemented in conjunction with network processor 130 (Figure 1), although other hardware and firmware systems may be suitable. Generally speaking, network processor 130 (Figure 1) is routed through the network The IP security sealed packet received and compressed according to a specific protocol such as the IPSec confidentiality agreement is routed through the processing system 140. Although the procedure 900 is based on the preferred embodiment, the IPSec security is implemented by sending packets in the past. Agreement to explain, it should be understood that the present invention is equally applicable to the implementation of other confidentiality agreements and technologies. In step 902, the IPSec confidentiality agreement packet is confirmed. Preferably, if the destination address is related to the network processor (for example, Figure 1) When the destination address of the network processor 130), the network processor analyzes the packet header to determine whether the packet is an IPSec sealed packet. The packet header also confirms whether the packet is an AH or ESP IPSec sealed packet. When When the packet is confirmed as an IPSec sealed packet, step 904 is performed. In step 904, a label is attached to the packet and used in the packet processing. In step 906, the packet is streamed to the input stream interface, and Rx The DMA controller buffers each packet block to external memory. In step 908, a channel is selected for processing packets. According to a preferred embodiment of the present invention, once a channel is selected for processing packets, the selected channel is used for Receive and process each packet block. Part of the external memory is allocated to each _27__ This paper size applies to China National Standard (CNS) A4 specifications (2 10 X 297 mm) 589846 A7 ___B7____ 5. Description of the invention (4) The channel, and each part should be able to maintain at least two 64-byte packets. (Please read the precautions on the back before filling this page) After the entire packet is buffered in external memory, the packet block is transferred to regional memory. For example, the input direct memory access engine 306 (Figure 1) transfers the 64-byte packet block into the input FIFO 308. At work In 910, the label attached to the packet in step 904 is removed and stored, and the external IP header (for example, the external IP header 66 in FIG. 6) is called a tunnel header, and the IPSec packet sent inward is removed. In job 912, the IPSec header is analyzed to determine, for example, the IP version number (e.g., IPv4 or IPv6), the IPSec protocol form, the header and carrying length, and the source and / or destination address. The IPSec packets with invalid or missing header information are preferably discarded (step 917) and recorded separately in step 919. Step 912 also includes analyzing the IPSec header to determine the privacy policy sequence number (SPI), which is used to look up the corresponding SAD entry. According to a preferred embodiment, the SPI (R) includes pointers to SAD entries corresponding to the channel privacy policy database. Preferably, part of the SPI is the actual SAD entry address. The SPI frame also includes the number portion of each new SAD address that is incremented by reusing an SAD address. Therefore, old packets corresponding to the reused or repeatedly transmitted SAD address can be detected. In step 914, at least a part of the SAD table entry (Figure 10) is read into the area buffer. Part of the SAD table entry is preferably read into part of the area buffer, which is allocated to the selected channel for processing incoming IPSec packets. The input direct memory access engine 306 is best to retrieve the SAD entry from the external memory and move the part of the associated random access memory ____28____ This paper size applies to the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 _ B7 _ V. Invention description (price) 308, which is allocated to the selected channel. (Please read the notes on the back before filling this page) In step 916, the external header and SAD entry of the packet are validated. The tunnel source address range or the mask from the SAD entrance is best compared with the tunnel source address of the external title. The SAD entry is checked by confirming that the SPI number in the SAD entry is correct (for example, the same as the SPI number in the IPSec header of the packet). The deadline check is also performed based on the hardware deadline in the SAD entry to determine whether the SAD entry has been exceeded. When the SAD entry is determined to have been exceeded, the packet is preferably discarded (step 917) and an error record is created. Step 916 also includes storing the total length of the external header in the case of the AH packet, and eliminating the variable fields in the external header. This variable field is included in the external header, which can be changed during packet transmission and therefore cannot be used for verification. In step 918, control information is appended to the beginning of the first packet block. The control information is preferably three double words and contains the starting point for hashing and decryption, the flow direction (for example, indicating inward or outward), and the length of the packet corresponding to the SA keyword structure index of the SAD entry, Byte offset. In step 920, the packet is processed. According to a preferred embodiment of the present invention, step 920 is performed by the compiled sealed packet processing subsystem 144 (Figure 2), and step 908 after 918 is performed by the pre-programmed sealed packet processing subsystem 142 (Figure 2), and Step 9 through step 938 2 is executed by the post-encryption processing subsystem 146 (Figure 2). During processing, the input encryption direct memory access engine 310 transmits the envelope ______29_____ This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 ____B7_ V. Description of the invention (J) (Please read first Note on the back, please fill in this page again) to wrap the box to buffer in the encryption core engine 340 and wait for processing. As part of step 920, the external header and the IPSec header are removed along with any endings (such as ESP endings) and additional segments. For example, an ESP packet may specify an additional additional segment, which is appended to the encrypted IP packet. In this case, for example, the charge length of the internal IP header is compared with the expected length to detect additional segments. In the case of ESP packets, this additional segment is removed before decryption. Step 920 preferably performs an encryption operation on the block to process the IP packet in a byte block (64-byte block). Depending on whether the packet is confirmed as an AH packet or an ESP packet, the encryption operation may include a verification operation or a decryption and / or verification operation. The keywords and algorithms used for the encryption operation are confirmed by the SAD entry. Step 920 writes the processed packet block to the output encryption first-in-first-out queue 320, and outputs the direct memory access engine 322 to transmit the processed block to the external random access memory 158. The completion of step 920 causes an IP-secured sealed packet to be buffered to the external random access memory 158 in the form of a packet 60C (Figure 6). ESP packets are encrypted (for example, internal headers and data fields are encrypted), and authentication is preferably added to the encrypted part. AH packets have authentication added to the external header and compression. Because the external header part is changed during the packet transmission, this field may have been changed. It is called a changeable field, and it is executed before the AH packet is reset to zero. In step 922, the tag is stored to the beginning of the packet and the status word is inserted, preferably after the first tag. When the packet is processed, the status word is used by the encryption processing subsystem to indicate whether a processing error has occurred. ___30______ This paper size applies the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A7 ___ B7_ 5 2. Description of the invention (1) In step 924, the TTL / jump count 値 in the IP header is updated, and after the TTL is decremented, the header sum check is calculated. This sum calculation is best performed by a hardware accumulator. After the entire packet processing, step 926 is performed. In step 926, the status word is checked to determine whether the error was detected in step 920. This status word can also indicate when an HMAC comparison error is detected. If an error has been detected, step 930 is performed and the packet is preferably discarded (step 917), and an error record entry is preferably established (step 919). In step 930, the first label attached to the packet with the status word in step 922 is updated and sent to the network processor. In step 932, a privacy policy check is performed. The source address is best identified in the internal IP header, it is no longer compressed and compared to the range of source addresses in the corresponding SAD entry. When the packet does not comply with the privacy policy check, the packet is preferably discarded (step 917), an error record is created (step 919), and it is preferably sent to the network processor. In step 934, a duplicate check is performed to check that duplicate packets will not be received. When the packet does not comply with the privacy policy check, the packet is preferably discarded (step 917), an error record is created (step 919), and preferably sent to the network processor. In step 936, the current byte count field in the SAD entry is updated together with the prevent duplicate field. In step 938, the processed packet block is transferred from the external memory to the buffer allocated to the selected channel (such as the Rx DMA controller 324), and the output stream interface is notified that the packet has been _ 31_________ This paper standard applies China National Standard (CNS) A4 Specification (210 X 297 mm) < Please read the notes on the back before filling this page) Order-· Line-589846 A7 ______B7______ V. Description of Invention (V.) Ready to be streamed To the network processor. When the entire processed packet is completed and transmitted to the external random access memory 158, the processed block is then preferably transmitted to the streaming interface 326 by the Rx DMA controller 324. At step 938, the packet is streamed to a network processor, such as using a streaming interface 326 (Figure 3). The Rx DMA controller 324 (Figure 1) provides a portion of the processed packets to the streaming interface 326 in a predetermined size. When the procedure 900 is completed, the input IP security package is no longer compressed according to the confidentiality agreement. The programs 800 and 900 implemented in the hardware structure of FIG. 3 are preferably implemented by combining language codes. It should be noted that a major advantage of the present invention is that its processing core does not affect the performance of many of the steps in procedures 800 and 900. FIG. 10 illustrates a simplified example of a security association database (SAD) entry for inwardly entering an IPSec data packet according to a preferred embodiment of the present invention. The incoming SAD entry 1000 is used to process incoming IPSec confidential agreement packets according to the procedure 900 (Figure 9). Although Figure 10 only illustrates one SAD entry, it should be understood that for each security policy implemented by the system, its confidential association database contains the SAD entry that is sent inward. The SAD entry 1000 includes a privacy policy serial number field 1002, which is used to store the SPI number and IV size block 1004 and a flag field 1006. The flag field includes several flags, such as the duplicate prevention flag indicating when duplicate prevention is enabled, the agreement flag indicating whether the ESP or AH agreement is selected, and the hash flag used in the ESP agreement to indicate whether verification includes The packet and encryption flags are used in ESP packets to indicate when encryption is performed on the packets, and the range flag indicates when the source range is a range or subnet mask. Version 32 ) A4 specification (210 X 297 mm)-(Please read the notes on the back before filling this page) One SJ. 589846 A7 ___B7_ V. Description of the invention (呶) The flag indicates whether the source address is IPv4 or IPv6, And pre-encryption error flags are used to indicate errors detected during the encryption process. The SAD entry 1000 also includes a hardware byte term field 1008, a hardware time term 1010, a keyword information indicator field 1012, an RFU field 1014, a current byte term field 1016, and an SA sequential number field Bit 1018. The SAD entry 1000 also includes a duplicate prevention mask 1020, a source range / mask field 1022, an RFU field 1024, and an IPv4 address and IPv6 address field 1026. Therefore, an improved packet processing system and method for processing packets have been described. The IPSec security packet is essentially processed in hardware provided by at least the OC4 data rate. The packet processing system of the present invention can be resized so that many channels can be processed simultaneously. The foregoing description of specific embodiments will fully reveal the general characteristics of the present invention, so that by applying current knowledge, these specific embodiments can be easily modified and / or adjusted for various applications without departing from the general These adjustments and modifications should be understandable within the meaning and scope of the equivalents of the disclosed embodiments. It should be understood that the terminology and terminology used herein are for the purpose of illustration and are not limited thereto. Therefore, the present invention includes all changes, modifications, equivalents, and altered forms within the spirit and scope of the scope of the patent application. _; _ 33 This paper size applies to China National Standard (CNS) A4 (210 X 297 mm) (Please read the precautions on the back before filling this page); # i 线 ·

Claims (1)

589846 SI VI. Patent Application Fanyuan 1. A confidential data packet processing system, including: (Please read the precautions on the back before filling out this page)-Transmit (Tx) direct memory access (DMA) interface (314), receive A streamed secret data packet, selecting a channel for processing the streamed secret data packet, and transmitting the streamed secret data packet to an external memory; an input to the DMA engine (306), where After all the parts of the streamed confidential data packet have been transmitted to the external memory, the parts of the streamed confidential data packet are retrieved from the external memory; the first-in-first-out queue (308) is input from the DMA engine (306), receiving a portion of the streamed confidential data packet in a block of a predetermined byte size, and the portion is reserved in a portion of the input FIFO queue allocated to the selected channel; The line is an associative random access memory (308) that receives a secure connected database (SAD) entry associated with the selected channel, the SAD entry being retrieved from the external memory by the input DMA engine; and an input The encryption DMA engine (310) provides the blocks of the confidential data packet to a processing engine for processing. 2. The system of claim 1 further includes: an output encryption FIFO (320) that receives the processed block of the sealed packet from the processing engine; an output DMA engine (322) that transmits the Protect the processed block of the packet to an external output memory (158); and a receive (Rx) DMA interface (324), where all parts of the processed confidential data packet have been transferred to the external output memory (158 ), Apply the Chinese National Standard (CNS) A4 specification (210 X 297 mm) 589846 A8B8C8D8 from this paper size 6. The scope of patent application The external output memory retrieves the processed block of the sealed package and transmits the confidential information The processed blocks of the packet are streamed to a streaming interface for streaming. 3. If the system of item 2 of the patent application scope, wherein the receiving (Rx) DMA interface (324) includes a plurality of temporary registers, storing the length information of each of the processed confidential data packets, the receiving (Rx) DMA The interface (324) performs the retrieval operation corresponding to the storage of the processed processed confidential data packet length information. 4. The system according to item 1 of the patent application scope, wherein the associated RAM (308) includes a part storing program status information about the selected channel. 5. The system according to item 1 of the patent application scope, wherein the transfer (Tx) DMA interface (314) selects the least busy channel based on the amount of buffer space available in the external memory (156). 6. The system of item 1 in the scope of patent application, wherein when the sealed packet is an IPSec sealed packet sent out, and the part of the packet is buffered in the input FIFO (308), an external header (56 ) And the IPSec header (55) are added to the outbound IPSec sealed packet. 7. The system according to item 1 of the scope of patent application, wherein when the sealed packet is an IPSec sealed packet sent inward, and before part of the packet is buffered to the input FIFO (308), an external header ( 66) and IPSec header (65) are removed from the outbound IPSec sealed packet. 8 · — A method for processing a confidential data packet, including: receiving a streamed confidential data packet; ____2__ ^ The paper size applies the Chinese National Standard (CNS) A4 specification (210 x 297 mm)-'' ( (Please read the precautions on the back before writing this page). Word 589846 A8B8C8D8. 6. Apply for a patent. Select a channel for processing the diversified confidential data packet. Send the streamed confidential data packet to an external memory. After all parts of the streamed confidential data packet have been transferred to the external memory, retrieve the parts of the streamed confidential data packet from the external memory; from an input DMA engine (306), Sends a portion of the streamed confidential data packet in the input first-in-first-out queue (308) in a predetermined byte-size block, and the portion is reserved in the input FIFO allocated to the selected channel In a part of an associative random access memory (308), a security related database (SAD) entry related to the selected channel is received, and the SAD entry is recorded by the input DMA engine from the outside. The memory is retrieved; and the block of the confidential data packet is provided to a processing engine at an input encryption DMA engine (310) for processing. 9. The method of claim 8 in the patent application scope further includes: An output encryption FIFO (320) receives the processed block of the sealed packet from the processing engine; an output DMA engine (322) transmits the processed block of the sealed packet to an external output memory (158); After all parts of the processed confidential data packet have been transferred to the external memory (158), a receive (Rx) DMA interface (324) retrieves the processed block of the sealed packet from the external output memory ; And send the processed block of the confidential data packet to a streaming interface for streaming. _____3____ This paper size applies to China National Standard (CNS) A4 (210 X 297 mm) (Please read the note on the back first Matters are rewritten on this page), 1T- · line 丨 through 589846 C8 D8 VI. Patent application scope 10. If the method of patent application scope item 9 is further included in the receiving (Rx) DMA interface (324) plural In one of the registers, the length information of each processed confidential data packet is stored, and the receiving (Rx) DMA interface (324) executes fetching corresponding to the storage of the processed processed confidential data packet length information. 11. The method according to item 8 of the patent application scope further includes storing program status information related to the selected channel in a related RAM (308) section for the selected channel. 12. For example, the method of claiming a patent scope item 8 further includes selecting the least busy channel according to the amount of buffer space available for the channel in the external memory (156). The selection is made by the transfer (Tx) DMA interface (314). ) To execute. 13. The method according to item 8 of the patent application, wherein when the security packet is an IPSec security packet sent out, the method further includes, when a part of the packet is buffered into the input FIFO (308), an external A header (56) and an IPSec header (55) are added to the outgoing IPSec security packet. 14. The method according to item 8 of the patent application, wherein when the sealed packet is an inbound IPSec sealed packet, the method further includes, before a part of the packet is buffered to the input FIFO (308), an external Header (66) and IPSec header (65) are removed from the outbound IPSec sealed packet. 15. —A method for processing an IPSec confidential agreement packet 'The IPSec confidential agreement packet includes an IPSec header, and the method includes: — — — — — — — — — — — — — — — 1111 (Please read the precautions on the back before filling in this page.) 1. The size of the paper is applicable to the Chinese National Standard (CNS) A4 (210 X 297 mm) A8B8C8D8 589846 6. The scope of patent application is buffered in an external memory One of the IPSec confidentiality agreement packets; -------------------------- · _! (Please read the notes on the back before writing this page) Read part of the buffered IPSec confidential agreement packet into a first area buffer, the part has a predetermined number of bytes; confirm the header information of the IPSec confidential agreement packet; read the secret association database (SAD) entry to In the first area buffer, the IPSec confidential agreement packet is processed according to the information in the SAD entry: and the processed IPSec confidential agreement packet is stored in the external memory CjU 016. If the method of the scope of patent application No. 15, further Including analyzing the IPSec header to get an index back to the SAD entry. Π. If the method of the scope of patent application No. 15, wherein at the processing step, the method includes pre-adding control information to the SAD entry information in advance. The IPSec confidentiality agreement packet can use the control information in the processing step. 18. For example, the method in the scope of patent application No. 15 wherein the processing step includes performing an encryption operation on the IPSec confidentiality agreement packet. When the packet is an incoming packet, the encryption operation includes a decryption function or an authentication function 'and when the IPSec confidentiality agreement packet is an outgoing packet, the encryption operation is performed. The 15-item method further includes selecting the least busy channel of the plurality of channels to process the IPSec confidentiality agreement packet, and wherein the external memory has a paper standard related to the least busy standard applicable to the Chinese National Standard (CNS) ) A4 size (210 X 297 mm) 589846 A8? S8 D8 6. Part of the channel for patent application. (Please read the note on the back first (Notes are reproduced on this page.) 20. If the method of claim 15 is applied, after the processing step, the method includes buffering the processed IPSec confidentiality agreement packet in a buffer, which is allocated to The selected channel is used for the packet. 21. If the method in the scope of patent application No. 15 further includes performing a security policy check on the processed IPSec confidentiality agreement packet, the security policy check includes confirming that the IP source address is in Within the address range identified by the SAD entry. 22. The method according to item 15 of the scope of patent application, further comprising performing a duplicate prevention check on the processed IPSec confidentiality agreement packet, and updating the current byte count and the duplicate prevention field of the SAD entry. 23. —A special application integrated circuit for processing IPSec confidential agreement packets, including: a line-first stream interface, communicating with a network processor through a stream interface, and receiving a stream packet; an input buffer The device stores the stream packet part together with the control information of the packet. An encryption core engine executes the IPSec encryption operation on the packet according to the control information. An output buffer stores the processed part of the stream packet. And a second streaming interface, receiving the processed portion of the streaming packet from the output buffer, and providing the IPSec packet processed by the network processor through the streaming interface. This paper size applies to Chinese National Standard (CNS) A4 (210 X 297 mm) 589846 C8 D8 Κ, patent application scope (please read the precautions on the back before writing this page) 24. If the patent application scope is 23 The special application integrated circuit of the item, wherein the stream interface selects a channel from a plurality of channels used for processing the stream packet, and wherein the input buffer and the output buffer have a part related to each channel. 25. If the special application integrated circuit of item 24 of the patent application scope further includes a plurality of processing cores, each processing core is associated with one of the channels, and the processing of the IPSec confidentiality agreement packet is controlled through the associated channel. 26. A method for processing a data packet for implementing a confidentiality agreement, the method comprising: receiving an IP data packet from a network processor on a first stream interface, the IP data packet including a data packet pre-attached thereto A security association database (SAD) tag; moving at least a portion of the IP data packet to the first part of the first buffer y corresponding to the SAD tag reading an SAD entry to the second part of the first buffer; Attach control information of the IP data packet in advance; process the IP data packet by performing an encryption operation on the IP data packet to generate a confidentiality agreement data packet; and stream the confidentiality agreement from a second streaming interface Data packets are sent to the network processor for transmission over the network. 27. The method of claim 26 in the scope of patent application, wherein the confidential title and external title are based on the information imported from the corresponding SAD. _ ”____7__ This paper size applies to the Chinese National Standard (CNS) A4 (210 X 297 mm) 589846 A8 B8 C8 __ D8 VI. Application for Patent Scope 28 · If the method of applying for the scope of patent No. 27, the confidentiality agreement ( Please read the notes on the back before filling out this page) It is an IPSec agreement, and the confidentiality title is an IPSec title, and the confidentiality agreement data packet is formatted according to the IPSec confidentiality agreement. The method of 26, wherein the encryption operation comprises a encryption operation or a verification encryption operation, and wherein the method further comprises storing at least a part of the confidentiality agreement data packet in a second buffer. 30. If the method of the scope of patent application 26, further includes the input stream interface to select the least busy channel from a plurality of channels to process the IP data packet "31. If the method of the scope of patent application 26, It further includes, before reading, obtaining the SAD entry information to avoid modification of the data in the SAD entry by other channels. Line 32. The method according to item 31 of the scope of patent application, further comprising, after the praise, update the byte count and sequential number in the SAD entry. 33. The method of claim 26, wherein the storage includes a buffer of a confidentiality agreement data packet that includes a predetermined number of bytes. 34. The method of claim 26, wherein the control information confirms the algorithm and keywords used for the encryption operation so as to be applied to the IP data packet. 3 5 · If you apply for the method of item No. 26 of Chao Wei, further include checking the path of the IP data packet Maximum Transmission Unit (pMTU) 値, which includes a confidential header and an external pre-attachment to the IP data packet. ip title to determine _________8___ This paper Λ degree applies to China National Standard (CNS) A4 specifications (210 x 589846 A8 B8 C8 D8 ------- VI. When to apply for a patent Fanyuan PMTU 値 exceeds PMTU 値 used in a tunnel, The confidentiality agreement data packet is designated through the tunnel. 36. The method of the scope of application for patent No. 26, wherein the processing is performed by the encryption engine, and after processing, the method proceeds to ~ @ The status information is attached to the confidentiality agreement data packet, and when the encryption engine detects an error, the status information is generated by the processing and confirmation. 37_ The method of the 26th scope of the patent application, where, when confidential This stream is executed when all parts of the protocol data packet are stored in the second buffer. (Please read the precautions on the back before writing this page) Line-"This paper size applies to Chinese national standards (CNS) A4 size (210 X 297 mm)