US 11,722,525 B2
IPsec processing of packets in SoCs
Shuxian Lou, San Jose, CA (US); Jie Chu, Los Altos, CA (US); Jonathan Rosen, Cary, NC (US); Douglas Michael Toney, Raleigh, NC (US); Harikrishnan Pillai, San Jose, CA (US); and Feng Cao, Fremont, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Apr. 14, 2021, as Appl. No. 17/230,675.
Prior Publication US 2022/0337627 A1, Oct. 20, 2022
Int. Cl. H04L 29/06 (2006.01); H04L 9/40 (2022.01); G06F 16/2455 (2019.01)
CPC H04L 63/20 (2013.01) [G06F 16/2455 (2019.01)]
20 Claims
1. A method comprising:
receiving, at a receiving module of a system on a chip (SoC), a packet;
determining a key identifying an inbound security association (SA) for the packet;
searching a hardware look-up table for the inbound SA of the packet based at least in part on the key;
determining the inbound SA of the packet based at least in part on the searching the hardware look-up table;
determining a corresponding SA memory address for the inbound SA;
providing the corresponding SA memory address for the inbound SA to an internet protocol (IP) security (IPsec) engine for processing of the packet with respect to an IPsec protocol;
decrypting, by the IPsec engine, IPsec features of the packet;
storing, by the IPsec engine, decrypted IPsec features in a buffer;
forwarding, by the IPsec engine, the packet and the buffer to a central processing unit (CPU) core; and
further processing, by the CPU core, additional features of the packet, wherein during the further processing, the decrypted IPsec features are retrieved by the CPU core from the buffer,
wherein forwarding, by the IPsec engine, the packet and the buffer to the CPU core is based at least in part on a decrypted inner IP address of the packet and a classification related to the decrypted inner IP address of the packet in the hardware look-up table.
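The first steps of claim 1 (deriving a key, searching the look-up table, returning the SA memory address) are sketched below as an added example; it is not code from the patent or from Cisco. It assumes a key made of the outer IPv4 destination address and the ESP SPI, a software hash table standing in for the hardware look-up table, and an SA address of 0 meaning "no SA, drop"; all function names and values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Assumed key layout (not from the claim): outer IPv4 destination + ESP SPI. */
typedef struct { uint32_t dst, spi; } sa_key;
typedef struct { sa_key key; uint32_t sa_addr; int used; } lut_entry;
#define LUT_SLOTS 64u                     /* power of two */
static lut_entry lut[LUT_SLOTS];          /* software stand-in for the hardware table */
/* Constructed sample: IPv4 header (protocol 50 = ESP, dst 192.0.2.1; checksum not
   filled in and not verified here), then ESP SPI 0x1001 and sequence number 1. */
const uint8_t sample_pkt[28] = {
    0x45,0,0,28, 0,0,0,0, 64,50,0,0, 198,51,100,7, 192,0,2,1,
    0,0,0x10,0x01, 0,0,0,1 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static unsigned slot_of(sa_key k) { return (k.dst * 2654435761u ^ k.spi) & (LUT_SLOTS - 1); }

/* Install an inbound SA (open addressing, linear probing). Returns 0, or -1 if full. */
int lut_insert(uint32_t dst, uint32_t spi, uint32_t sa_addr) {
    sa_key k = { dst, spi };
    unsigned s = slot_of(k);
    for (unsigned i = 0; i < LUT_SLOTS; i++, s = (s + 1) & (LUT_SLOTS - 1))
        if (!lut[s].used) { lut[s] = (lut_entry){ k, sa_addr, 1 }; return 0; }
    return -1;
}

/* Derive the key from an IPv4/ESP packet; -1 if it is truncated or not ESP. */
int key_from_packet(const uint8_t *pkt, size_t len, sa_key *out) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 50) return -1;  /* need SPI + sequence */
    out->dst = be32(pkt + 16);
    out->spi = be32(pkt + ihl);
    return 0;
}

/* Returns the SA memory address to hand to the IPsec engine, or 0 on a miss (drop). */
uint32_t lookup_sa_addr(const uint8_t *pkt, size_t len) {
    sa_key k;
    if (key_from_packet(pkt, len, &k) != 0) return 0;
    unsigned s = slot_of(k);
    for (unsigned i = 0; i < LUT_SLOTS && lut[s].used; i++, s = (s + 1) & (LUT_SLOTS - 1))
        if (lut[s].key.dst == k.dst && lut[s].key.spi == k.spi) return lut[s].sa_addr;
    return 0;
}
int main(void) {  /* 0x80004000 is a constructed SA address */
    lut_insert(0xC0000201u, 0x1001u, 0x80004000u);
    return lookup_sa_addr(sample_pkt, sizeof sample_pkt) != 0x80004000u;
}
```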