4.2 4450 Packet Processing Operation
Inbound packets arrive over the network-side GMAC interface, which is typically connected
to the PHY device. The packet's payload is buffered and the DPU classifies the header as
being IPsec and/or IPcomp and uses the SPI, protocol, destination address, Ethernet
interface, and VLAN ID to look up the SA. Upon successful look-up, the DPU forwards the SA
information along with the packet to the crypto algorithm processors. The DPU then
performs the anti-replay check and a post-crypto inbound policy check, and updates the SA
with adjusted sequence numbers and packet/byte counters. The decoded packet then egresses
through the host GMAC port, which is typically connected to the host subsystem.
[Figure: block diagram of the outbound and inbound processing paths.
Outbound (From Host, To Network): Policy & SA Lookup; SA Fetch; Crypto & Compression Processing.
Inbound (From Network, To Host): SA Lookup; SA Fetch; Crypto & Decompression Processing; Policy & Selector Check.
Lookup inputs: IPsec/IPcomp, source & dest IP address, protocol (TCP/UDP/ICMP …), source & dest port numbers, VLAN tag, Ethernet channel # (0 or 1).
Other blocks: SA Mask, on-chip SAL TCAM, SAD RAM.]
SAD = SA Database
SAL = SA Lookup table
TCAM = Ternary Content-Addressable Memory
Figure 4-2. 4450 Processing Steps
Any errors in this process are captured to the eSC processor (or optionally the host) for
statistics logging. Non-IPsec packets are checked against the SPD policy database and
either discarded or forwarded to the host MAC port, depending on policy. IPsec packet
fragments are forwarded to the host side MAC port for off-chip reassembly. The
reassembled packets are then returned via the outbound MAC port with appropriate
messaging, and re-inserted for inbound IPsec processing. Optionally, packet reassembly
may occur on-chip in the eSC processor.
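The inbound steps described above (SA look-up on the header fields, anti-replay check, SA update), modelled as an added example that is not taken from the data sheet or from Hifn code. The value/mask match, the one-word-per-field key, and the 64-packet window over 32-bit sequence numbers are assumptions; the data sheet does not specify them.

```c
#include <stdint.h>
#include <stdio.h>
/* Key fields named in the text; one 32-bit word per field is an assumption. */
enum { K_SPI, K_PROTO, K_DST, K_IFACE, K_VLAN, K_N };
enum { RX_OK, RX_NO_SA, RX_REPLAY };
typedef struct {
    uint32_t val[K_N], mask[K_N]; /* ternary entry: 0 mask bit = don't care */
    uint32_t top;                 /* highest sequence number accepted */
    uint64_t window;              /* bit i set: sequence (top - i) seen */
    uint64_t pkts, bytes;         /* per-SA counters */
} sa_entry;

/* First matching entry wins, modelling a priority-ordered ternary lookup. */
static sa_entry *sa_lookup(sa_entry *sal, int n, const uint32_t *key) {
    for (int i = 0; i < n; i++) {
        int f = 0;
        while (f < K_N && ((key[f] ^ sal[i].val[f]) & sal[i].mask[f]) == 0) f++;
        if (f == K_N) return &sal[i];
    }
    return NULL;
}

/* New, or unseen inside the 64-packet window; sequence 0 is never valid. */
static int replay_ok(const sa_entry *e, uint32_t seq) {
    uint32_t off = e->top - seq;  /* meaningful only when seq <= top */
    if (seq == 0 || seq > e->top) return seq != 0;
    return off < 64 && !((e->window >> off) & 1);
}

/* Slide the window and bump counters once the packet has been accepted. */
static void sa_update(sa_entry *e, uint32_t seq, uint32_t len) {
    if (seq > e->top) {
        uint32_t shift = seq - e->top;
        e->window = shift < 64 ? (e->window << shift) | 1 : 1; e->top = seq;
    } else e->window |= 1ULL << (e->top - seq);
    e->pkts++; e->bytes += len;
}
int inbound(sa_entry *sal, int n, const uint32_t *key, uint32_t seq, uint32_t len) {
    sa_entry *e = sa_lookup(sal, n, key);
    if (!e) return RX_NO_SA;                  /* crypto would run after this */
    if (!replay_ok(e, seq)) return RX_REPLAY; /* checked post-crypto, per the text */
    sa_update(e, seq, len);
    return RX_OK;
}

int main(void) { /* constructed sample: one SA, interface and VLAN wildcarded */
    sa_entry sal[1] = {{ .val = {0x1001, 50, 0xC0000201}, .mask = {~0u, 0xFF, ~0u} }};
    uint32_t key[K_N] = {0x1001, 50, 0xC0000201, 1, 7}, seqs[] = {1, 1, 5, 3, 100, 36};
    for (int i = 0; i < 6; i++)
        printf("seq %u -> %d\n", (unsigned)seqs[i], inbound(sal, 1, key, seqs[i], 100));
}
```

A replayed or too-old sequence number leaves the window and the packet/byte counters untouched, so rejected packets do not consume SA lifetime.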
Outbound packets arrive over the Ethernet GMAC interface connected to the host-side
media access (MAC) port. The packet's payload is buffered and the DPU performs an SPD
policy look-up (based on the selectors defined for the security protocol), then an SA
look-up (based on the selectors defined for the security protocol), and checks the SA
lifetime counters. The DPU also checks for exceptions and fragmentation. Upon successful
4450 – Data Sheet, DS-0131-06
Page24
Hifn Confidential