Network safety processing equipment and method thereof

Abstract

The invention relates to network security processing installation and its method. It adopts data bus and internal storage bus to transmit data message and the SA data, this make the access of SA data do not influence the access of the other data from the system. Thus the efficiency of the system data bus is improved, and the waiting time of the network security processor is reduced. As well as, the invention adopts local-storage to save SA data, this make the capacity of the system be adjusted flexibly according to the demand in order to support more links. In addition, two Hash arithmetic units are used in the encrypt / decrypt Hash unit, moreover, the compress process module and decompress module are also installed so that the more security IPSec binding process and compressing process can be finished in one process. Thus, the entire process ability of the net security processing installation is improved.

Description

technical field [0001] The present invention relates to the technical field of network communication, in particular to a network security processing device and method thereof. Background technique [0002] With the development of network communication technology, more and more users access IP (Internet Protocol) network. Therefore, ensuring the security of network communication has become an important problem to be solved in communication network. At present, in IP network security, IPSec (Internet Network Security Protocol) is widely used to realize network security. IPSec security authentication technology includes two security protocols, namely Authentication Header (AH) protocol and Encapsulating Security Payload (ESP) protocol. These two protocols and the Internet Key Exchange Protocol (IKE) can be used together to ensure the security and reliability of network communication. [0003] The function provided by the AH protocol is the authentication of the entire IP messa...

AI Technical Summary

Problems solved by technology

That is, if the bound IPSec processing is to be supported, data packets must pass through the data bus to enter and exit the chip multiple times, which will inevitably lead to a decrease in system performance

[0016] From the above description of the prior art, it can be seen that since the messages are stored in the host memory, the DMA module needs to transport the data messages and SA data through a general data bus or other buses, resulting in the bus congestion and low encryption rate

At the same time, since the content of the SA data must be read before performing operations such as encryption and authentication, and then read the data message, this often causes the encryption engine inside the hardware accelerator to be in a waiting state, and the encryption processing performance of the system cannot be greatly improved. Increase in magnitude

Moreover, since the SA data is stored in the host memory, if the system needs to support more links, more SA data needs to be stored in the host memory, and the capacity of the host memory of general network devices is limited, which will lead to system failure. Link capacity is limited by the size of host memory

[0017] In addition, the existing technology adopts the mechanism of sharing memory with system data, that is, the data sending and receiving of other service cards of the host must also be realized by accessing the host memory. At this time, frequent access to the host memory caused by encryption operations will cause the entire System performance degradation

[0018] Moreover, the prior art does not support IPComp (IP packet compression protocol). If the system needs to compress data packets, a special compression processor needs to be added.

Images