AMD Alchemy Au1550 Security Network Processor Data Book
161
Security Engine
30283D
7.1.1.2 Packet Engine Controller
The packet engine contains a dedicated controller which allows it to autonomously process packets from either a descriptor ring or a direct command register set. The security engine can be configured for one of two command modes:

Descriptor Ring Mode. The security engine polls a descriptor ring in host memory space. Various polling parameters may be configured at initialization, and an option allows the host to issue an interrupt to the security engine in order to trigger a descriptor fetch.

Target Command Mode. A packet descriptor register set within the security engine is written by the host processor in order to initiate a packet operation. This eliminates much of the I/O bus overhead of polling for descriptors but requires the host processor to synchronously initiate packet processing.

When a packet descriptor operation is complete, the security engine provides a result descriptor which indicates the status and provides information, such as the new length, pad result, and the IPsec next header field. The security engine can write this result out into a ring in host memory, or else the host can read the result structure from internal security engine registers. An optional interrupt may be generated by the security engine at completion of packet processing.
7.1.1.3 Packet Engine Header and Trailer Processors
The header and trailer processors implement all of the header and trailer packet processing for the IPsec protocol. For bulk operations, this includes padding and optional insertion of an IV at the beginning of a packet. For IPsec operations, this block performs all IPsec header and trailer insertion and removal for both ESP and AH, as shown in Tables 7-2 and 7-3.

Table 7-2. IPsec ESP (Encapsulating Security Payload)

Element                          Outbound                         Inbound
-------------------------------  -------------------------------  -------------------------------------------------
SPI (Security Parameters Index)  Insert                           Extract, verify against SA record
Replay Counter                   Increment and insert             Extract, verify against expected count and 64-bit
                                                                  window mask; update count and mask after
                                                                  authentication passes
IV (Initialization Vector)       Insert random or specified IV    Extract and load into cryptographic engine
Padding                          Insert padding up to 255 bytes   Strip padding (selectable)
Next Header                      Insert into pad trailer field    Extract and report in result descriptor
ICV (Integrity Check Value)      Calculate and Insert             Extract and verify. Optionally discard
Table 7-3. IPsec AH (Authentication Header)

Element                          Outbound                         Inbound
-------------------------------  -------------------------------  -------------------------------------------------
Outer IP Header                  Update length, next header, and  Parse the outer IP header and options (IPv4) or
                                 header checksum in IP header.    extension headers (IPv6) to locate AH header.
                                 Clear the "mutable bit" fields   Clear the "mutable bit" fields as HMAC is
                                 as HMAC is calculated.           calculated.
SPI (Security Parameters Index)  Insert                           Extract, verify against SA record
Replay Counter                   Increment and insert             Extract, verify against expected count and 64-bit
                                                                  window mask
Next Header                      Insert into AH header field      Extract and report in result descriptor
ICV (Integrity Check Value)      Calculate and Insert             Extract and verify. Optionally discard
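The inbound Replay Counter rows of Tables 7-2 and 7-3 describe a check against an expected count plus a 64-bit window mask, with the state updated only after authentication passes. The following C is an added software model of that behaviour, not code from the AMD data book or its drivers; the type and function names are hypothetical, and the window width is the 64-bit mask the tables cite.

```c
/* Added example, not from the AMD data book: a software model of the
 * inbound replay-counter check in Tables 7-2 and 7-3. Type and function
 * names are hypothetical; the window is the 64-bit mask the tables cite. */
#include <stdbool.h>
#include <stdint.h>

#define REPLAY_WINDOW_BITS 64u
/* Per-SA replay state: highest sequence number authenticated so far and a
 * mask of the last 64 numbers (bit 0 = last_seq, bit 63 = last_seq - 63). */
typedef struct {
    uint32_t last_seq;
    uint64_t mask;
} replay_state;

/* Check only, no state change: true if seq is inside the window and has not
 * been seen. The tables update count and mask only after the ICV passes. */
bool replay_check(const replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return false;                  /* RFC 4303: first valid seq is 1 */
    if (seq > st->last_seq)
        return true;                   /* ahead of the window: new high mark */
    uint32_t diff = st->last_seq - seq;
    if (diff >= REPLAY_WINDOW_BITS)
        return false;                  /* too old: left of the window */
    return (st->mask & (1ULL << diff)) == 0;
}

/* Advance the window for a packet whose ICV verified. */
void replay_update(replay_state *st, uint32_t seq)
{
    if (seq > st->last_seq) {
        uint32_t shift = seq - st->last_seq;
        st->mask = (shift >= REPLAY_WINDOW_BITS) ? 0 : (st->mask << shift);
        st->last_seq = seq;
        st->mask |= 1ULL;
    } else {
        st->mask |= 1ULL << (st->last_seq - seq);
    }
}

/* Inbound flow for one packet: replay check, ICV result, then update. A
 * packet failing the ICV leaves the window untouched, so a forged packet
 * cannot advance the counter past legitimate traffic. */
bool replay_process(replay_state *st, uint32_t seq, bool auth_ok)
{
    if (!replay_check(st, seq) || !auth_ok)
        return false;
    replay_update(st, seq);
    return true;
}
```

The split between replay_check and replay_update is the point: an implementation that updates the mask before the ICV is verified lets an unauthenticated packet with a high sequence number push genuine in-flight packets out of the window.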