5.2 4450 Host Messaging
4450-to-host communication may be accomplished using in-band Ethernet frames.
Command and status messages are encapsulated in a standard Ethernet frame using a
unique Ethertype identifier (0x814F). Both the 4450 and the host use this special Ethertype
identifier to discriminate messages from data. The messages within the Ethernet frames use
a Hifn-proprietary protocol designated PPCI (Packet Processing Command Interface).
As an alternative to in-band messaging, the host may also use the out-of-band RMII port
for configuration and control. In this case, it is expected that the RMII port connects
directly to a control processor, or through an Ethernet switch chip if multiple devices are
being managed.
Note
The RMII port is not intended to be used across a network connection. It is to be used as
a local management interface port only, similar to I2C or PCI.
With either hardware connection, 4450-to-host communication is supported by a software
hook placed in the low-level host 4450 device driver. Refer to the 44x0/84x0 User's Manual
for additional information.
5.3 Packet Fragmentation & Reassembly
Outbound IP packet fragmentation is handled inside the 4450. During outbound processing,
the 4450 checks a per-flow MTU size and determines if IP fragmentation is required after
crypto processing has completed. If required, the 4450 forms the IP headers for the
fragmented IPsec packet, and forwards the IP fragments to the network port.
Inbound reassembly of fragmented packets (a.k.a. packet de-fragmentation) may be
handled either by the eSC or by a combination of the 4450 and host-based software. If the
implementation uses Hifn's optional IKE software package, fragment reassembly can
occur in the eSC. Otherwise, when the 4450 detects an inbound IP packet fragment, it
encapsulates the fragment in a 4450-to-host message Ethernet frame and forwards it to the host.
When the host determines that all fragments have been received and reassembled, it
encapsulates the entire reassembled packet and returns it to the 4450 in an Ethernet
message frame for inbound packet processing.
Packet fragmentation and reassembly are expensive operations on the 4450, as on most
systems, and reliance on this functionality should be kept to a minimum through proper
configuration of MTU sizes and Path MTU discovery (PMTU) where possible.
5.4 Security Policy and SA Database Management
The 4450 has internal facilities to support up to 256 security policies. These are created
and managed via an API that communicates with the host-based user interface or with the
optional embedded IKE implementation. The 4450 allows two security policy databases:
one for inbound and one for outbound. Each database is an ordered list, and the
policy lookup hardware resource is shared between inbound and outbound. It is the responsibility
of the policy configuration software to allocate the entries so that the combined number
does not exceed 256 entries.
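The following is an added illustration, not Hifn code or the 4450 API, of the two constraints this section places on policy configuration software: the two databases are ordered lists evaluated first-match, and both draw on one pool of 256 entries. The action names, the default-discard fallthrough and the shadowed-entry check are assumptions made for the example; only the 256-entry shared capacity and the ordered-list behaviour come from the data sheet.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

POLICY_CAPACITY = 256  # entries shared by inbound and outbound (from the data sheet)


@dataclass(frozen=True)
class Policy:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "protect", "bypass" or "discard"; hypothetical action names


class PolicyDatabases:
    """Two ordered policy lists (inbound, outbound) drawing on one shared entry pool."""

    def __init__(self, capacity=POLICY_CAPACITY):
        self.capacity = capacity
        self.tables = {"inbound": [], "outbound": []}

    def used(self):
        return sum(len(t) for t in self.tables.values())

    def add(self, direction, policy, position=None):
        """Insert an entry; the combined count must not exceed the shared capacity."""
        if self.used() >= self.capacity:
            raise OverflowError(f"capacity {self.capacity} exhausted (inbound + outbound)")
        table = self.tables[direction]
        if position is None:
            table.append(policy)
        else:
            table.insert(position, policy)

    def lookup(self, direction, src, dst):
        """Ordered first-match lookup; no match falls through to discard (assumed default)."""
        s, d = ip_address(src), ip_address(dst)
        for p in self.tables[direction]:
            if s in p.src and d in p.dst:
                return p.action
        return "discard"

    def shadowed(self, direction):
        """Indices of entries that can never match because an earlier entry covers them."""
        table = self.tables[direction]
        return [j for j, later in enumerate(table)
                if any(e.src.supernet_of(later.src) and e.dst.supernet_of(later.dst)
                       for e in table[:j])]
```

Because lookup is first-match, a broad bypass entry placed ahead of a narrower protect entry silently disables the protection; the shadowed() check flags such entries before they are loaded.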
4450 – Data Sheet, DS-0131-06
Page 28
Hifn Confidential