公开(公告)号：US11722525B2

公开(公告)日：2023-08-08

申请号：US17230675

申请日：2021-04-14

Applicant: Cisco Technology, Inc.

Inventor： Shuxian Lou ,  Jie Chu ,  Jonathan Rosen ,  Douglas Michael Toney ,  Harikrishnan Pillai ,  Feng Cao

IPC: H04L29/06 ,  H04L9/40 ,  G06F16/2455

CPC classification number: H04L63/20 ,  G06F16/2455

Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with IP 5-tuple plus SPI as a lookup key at hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA dram addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.

公开(公告)号：US20220337627A1

公开(公告)日：2022-10-20

申请号：US17230675

申请日：2021-04-14

Applicant: Cisco Technology, Inc.

Inventor： Shuxian Lou ,  Jie Chu ,  Jonathan Rosen ,  Douglas Michael Toney ,  Harikrishnan Pillai ,  Feng Cao

IPC: H04L29/06 ,  G06F16/2455

Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with IP 5-tuple plus SPI as a lookup key at hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA dram addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.