WO2000030262A2 - Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network - Google Patents
Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network Download PDFInfo
- Publication number
- WO2000030262A2 WO2000030262A2 PCT/DK1999/000625 DK9900625W WO0030262A2 WO 2000030262 A2 WO2000030262 A2 WO 2000030262A2 DK 9900625 W DK9900625 W DK 9900625W WO 0030262 A2 WO0030262 A2 WO 0030262A2
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- transmission
- section
- unit
- controller
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H03—ELECTRONIC CIRCUITRY
- H03M—CODING; DECODING; CODE CONVERSION IN GENERAL
- H03M7/00—Conversion of a code where information is represented by a given sequence or number of digits to a code where the same, similar or subset of information is represented by a different sequence or number of digits
- H03M7/30—Compression; Expansion; Suppression of unnecessary data, e.g. redundancy reduction
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0464—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload using hop-by-hop encryption, i.e. wherein an intermediate entity decrypts the information and re-encrypts it before forwarding it
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Definitions
- Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network are provided.
- the present invention generally relates to a technique for performing compression, encryption and transmission, and reception, decryption and decompression, respectively, of data communication packages on an area network.
- the most commonly applied technique for performing transmissions on a network such as LAN (local area network) or WAN (wide area network) involves performing compression/decompression, encode/decode and transmission/reception of data communication packages to establish a fast communication between stations in the LAN.
- An object of the present invention is to provide a novel apparatus and method for securing data communication packages by encryption and simultaneously ensuring a fast communication between stations in a network such as LAN or WAN.
- a particular advantage of the present invention is the significant reduction or substantially elimination of delays in transmitting data communication packages through a network by continuously insuring data is presented to the LAN or WAN in an encrypted state.
- a particular feature of the present invention relates to the fact that the apparatus according to the present invention may be produced fully or partly in a process compatible with the production of integrated electronic circuits using any appropriate circuit technology involving VLSI, LSI, ASIC, FPGA, PLD production techniques or any combinations thereof.
- a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network such as a LAN (local area network) or WAN (wide area network), the data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and comprising a session key LUT unit and a transmission and encryption section comprising: (a) a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and communicating with said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
- a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package
- a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit (126),
- an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) intercommunicating through said integrity check value calculation unit (122) to said data encryption unit (126),
- a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said network in a transmission rate determined by said network transmission controller (134) and said network, and
- a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and enabling communication between said data read transmission control unit (102) and said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation enabling communication between said data read transmission control unit (102) through said first series configuration to said network transmission controller
- said communication controller further comprising a receiving and decrypting section comprising:
- a LAN receiving controller 140
- a data receiving control unit (148) receiving said received data communication package through communication with said network receiving controller (140), and communicating with said session key LUT (186), said session key LUT (186) providing a reception encryption key for said received data communication package,
- a data decryption unit (164) providing a decryption of said second section of said received data communication package according to a reception encryption key transferred from said session key LUT (186) to said data decryption unit
- an integrity check value verification unit (168) receiving said received data communication package from said data decryption unit (164), and constituting a second series configuration from said data decryption unit (164) intercommunicating through said integrity check value verification unit (166) to said data decompression unit (172), said integrity check value verification unit (166) transferring said second section of said received data communication package to said data decompression unit (172),
- a second switch means (154) enabling switching between two modes of operation, a third mode of operation providing bypassing or disabling of said second series configuration and enabling communication between said data receiving control unit (148) and said data write unit (180) for transferring said first section of said received data communication package directly hereto, and a fourth mode of operation enabling communication between said data receiving control unit (148) through said second series configuration to said data write unit (180).
- the time delay from one unit to the next is considerable reduced compared to time delays between discrete electronic components.
- unit is to be understood as a generic term including all equivalent elements, blocks and sections etc.
- the term unit may comprise a single entity or may comprise a multiple of entities into one self-contained and defined unit, element, block or section.
- the transmission and encryption section further comprises a transmission FIFO (first in first out storage means) constituting an input section of the network transmission controller.
- the receiving and decrypting section further comprises a write FIFO receiving the received data communication package from the data receiving control unit in the third mode of operation, receiving the received data communication package from the data decompression unit in said fourth mode of operation and transferring the received data communication package through a connection to the data write unit, and a receiving FIFO receiving the received data communication package from the network reception control and transferring the data communication package through a connection to the data receiving control unit.
- the communication controller comprises storage means for transmission as well as reception of data communication packages, full compatibility is achieved between a host system and the network. Especially differences in reading rates between stations and network transmission rates are compensated for.
- the host system may operate at one frequency, while the network may operate at another without overloading either the host system or the network. This relieves processing time available to the host system, since delivering a data communication package to the controller frees the host system's central processing unit to perform other tasks than waiting for completion of transmission and therefor optimises the transmission performed on the network.
- the communication controller for receiving and transmitting data communication packages on a network provides interrupt routines for units included in the communication controller hereby insuring a continuous data transmission on a network.
- the communication controller having the data compression unit and the data encryption unit adapted to be operated substantially simultaneously and controlled by the network transmission controller.
- the network transmission controller furthermore controls the transmission FIFO so as to guarantee the continuous supply of bytes from the transmission FIFO to the network transmission controller. This ensures that the transmission is extraordinarily fast.
- the communication controller preferably is implemented in accordance with a technique for producing integrated electronic circuits, a fast internal control of the operation may be achieved. By operating data compression and data encryption substantially simultaneously instead of operating consecutively considerably improves the transmission time and reduces the delay for transmitting a secure data communication package.
- the communication controller having the data read transmission control adapted to monitor the compression and encryption of the part of the input data for determining, whether or not, the part of the input data exceeds the amount of data containable within said second section of data communication package.
- the integrity check value calculation unit performs a subtraction, division, multiplication or preferably a summation of the data contained in the second section of the data communication package to be transmitted, and adds a first integrity check value to the second section of the data communication package.
- the communication controller wherein the integrity check value verification unit performs a subtraction, division, multiplication or preferably a summation of the data contained in the second section of a received data communication package.
- the integrity check value verification unit performs a subtraction, division, multiplication or preferably a summation of the data contained in the second section of a received data communication package.
- the communication controller according to the first aspect of the present invention, wherein the data read transmission control unit comprises control means for controlling the first switch means in the two modes of operations. Furthermore, wherein the data receiving control unit comprises control means for controlling the second switch means in the two modes of operations. These switching means ensures a fast recognition of the clear text and consequently bypassing or disabling of the first and second series configuration, respectively.
- the communication controller according to the first aspect of the present invention, wherein the data read transmission control unit further comprising a connection to the data encryption unit, for transferring the transmission encryption key provided by the session key LUT from the data read transmission control unit to the data encryption unit.
- the communication controller according to the first aspect of the present invention, wherein the session key LUT comprising encryption key information is updated according to a key management protocol by the host system. Encryption key administration is entirely managed by the host system thus delegating this cumbersome task to the host rather than a local processing unit on the communication controller.
- the encryption key or keys may be updated through the data read transmission control of the communication controller. Further alternatively the encryption key or keys may be generated locally by the communication controller rather than by updating from the host system.
- the communication controller according to the first aspect of the present invention, is implemented fully or partly as an integrated circuit applying VLSI, LSI, ASIC, FPGA, PLD techniques or any combinations thereof.
- VLSI Very Large Scalable Interconnect
- LSI Small Interconnect
- ASIC Application-Specific Integrated Circuit
- FPGA Field-programmable gate array
- PLD Physical Low-Nothing-Demand Device
- This provides considerable production cost reductions since by implementing the communication controller according to the first aspect of the present invention utilising these production techniques the production time and the product handling are greatly reduced, and furthermore, the amount of costly pin connections and component casings are subsequently minimised.
- the communication controller according to the first aspect of the present invention, wherein the data compression unit adds flag and fragment ID trailing the compressed part of the input data contained the second section of the data communication package, and wherein the data decompression unit extracts flag and fragment ID trailing the compressed part of the input data in the second section of the data communication package.
- the flag and fragment ID provides information as to how the data communication package is configured.
- the data compression unit comprising two modes of operation, a high compression mode of operation handling compression of the part of the input data substantially simultaneously to transmission of the data communication package, and a low compression mode of operation applying a reduced compression efficiency to the compression substantially simultaneously to transmission of the data communication package, the high compression mode of operation operating according to an amount of accumulated data in the transmission FIFO and the data compression unit being notified by the network transmission controller in case of the amount of accumulated data in transmission FIFO is less than a predetermined value hence activating the low compression mode of operation.
- the capability of switching between two modes of compression enables the communication controller to perform at a maximum rate continuously and supplying the network with transmission data bytes until the end of the data communication package is reached.
- the low compression mode may involve low compression, no compression or even expansion or decompression.
- a transmission and encryption section of a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), the data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key LUT unit, and comprising:
- a data read transmission control unit (102) connected to a system bus of a host system and receiving input data therefrom and connected to said session key LUT (186), said session key LUT (186) providing a transmission encryption key for said data communication package,
- a data compressing unit (118) providing compression of a part of said input data thereby producing a compressed part of said input data contained in said second section of said data communication package,
- a data encryption unit (126) providing an encryption of said second section of said data communication package according to said transmission encryption key transferred from said session key LUT (186) to said data encryption unit
- an integrity check value calculation unit (122) constituting a first series configuration from said data compression unit (118) interconnecting through said integrity check value calculation unit (122) to said data encryption unit (126),
- a network transmission controller (134) providing said data communication package through a connection to said network, supplying said input data to said LAN in a transmission rate determined by said network transmission controller (134) and said network, and (f) a first switch means (108) enabling switching between two modes of operation, a first mode of operation providing bypassing or disabling of said first series configuration and providing a connection from said data read transmission control unit (102) with said network transmission controller (134) for transferring said input data directly hereto and a second mode of operation providing a connection to said data read transmission control unit (102) through said first series configuration to said network transmission controller (134).
- the transmission and encryption section of a communication controller is new, and incorporates several of its functions in a single electronic circuit. Hereby considerably reducing the time delay from on section to the next compared to time delays between discrete electronic components.
- the communication controller wherein the transmission and encryption section further comprises a transmission FIFO (first in first out storage means) constituting an input section of the network transmission controller.
- the transmission and encryption section of a communication controller comprises storage means for transmission of data communication packages, full compatibility is achieved between a host system and the network. Especially differences in reading rates between stations and network transmission rates are compensated for.
- the host system may operate at one transmission frequency, while the network may operate at another without overloading the host system or the network. This relieves processing time available to the host system, since delivering a data communication package to the controller frees the host system's central processing unit to perform other tasks than waiting for completion of transmission and therefor optimises the transmission performed on the network.
- the transmission and encryption section of a communication controller for encrypting and transmitting data communication packages on a network provides interrupt routines for units included in the communication controller hereby insuring a continuous data transmission on a network.
- the transmission and encryption section having the data compression unit and the data encryption unit adapted to be operated substantially simultaneously and controlled by the network transmission controller.
- the network transmission controller controls the transmission FIFO so as to guarantee the continuous supply of bytes from the transmission FIFO to the network transmission controller. This ensures that the transmission is extraordinarily fast.
- the communication controller preferably is implemented in accordance with a technique for producing integrated electronic circuits, a fast internal control of the operation may be achieved.
- the transmission and encryption section of a communication controller having the data read transmission control adapted to monitor the compression and encryption of the part of the input data for determining, whether or not, the part of the input data exceeds the amount of data containable within the second section of data communication package.
- the transmission and encryption section of a communication controller wherein the integrity check value calculation unit performs a subtraction, division, multiplication or preferably a summation of the data contained in the second section of the data communication package to be transmitted, and adding a first integrity calculation value to the second section of the data communication package.
- the integrity check value calculation ensures that no excessive time is spent on corrupted data communication packages at the receiving end of a transmission, therefor, implementation of this calculation may reduce unnecessary data communication package processing.
- the transmission and encryption section of a communication controller wherein the data read transmission control unit comprises control means for controlling the first switch means in the two modes of operations. These switching means ensures a fast recognition of the clear text and consequently bypassing or disabling of the first series configuration.
- the transmission and encryption section of a communication controller wherein the data read transmission control unit further comprises a connection to the data encryption unit for transferring the transmission encryption key provided by the session key LUT from the data read transmission control unit to the data encryption unit.
- the transmission and encryption section of a communication controller according to the second aspect of the present invention, wherein the session key LUT comprising encryption key information is updated according to a key management protocol by the host system. Encryption key administration is entirely managed by the host system thus delegating this cumbersome task to the host rather than a local processing unit on the communication controller.
- the encryption key or keys may be updated through the data read transmission control of the communication controller. Further alternatively the encryption key or keys may be generated locally by the communication controller rather than by updating from the host system.
- the transmission and encryption section of a communication controller is implemented fully or partly as an integrated circuit applying VLSI, LSI, ASIC, FPGA, PLD techniques or any combinations thereof.
- the transmission and encryption section of a communication controller wherein the data compression unit adds flag and fragment ID trailing the compressed part of the input data contained in the second section of the data communication package.
- the flag and fragment ID provides information as to how the data communication package is configured.
- the data compression unit comprising two modes of operation, a high compression mode of operation handling compression of the part of the input data substantially simultaneously to transmission of the data communication package, and a low compression mode of operation applying a reduced compression efficiency to the compression substantially simultaneously to transmission of the data communication package, the high compression mode of operation operating according to an amount of accumulated data in the transmission FIFO and the data compression unit being notified by the network transmission controller in case of the amount of accumulated data in transmission FIFO is less than a predetermined value hence activating the low compression mode of operation.
- the capability of switching between two modes of compression enables the communication controller to perform at a maximum rate continuously and supplying the network with transmission data bytes until the end of the data communication package is reached.
- a third aspect of the present invention obtained by a method for transmitting and encrypting in a communication controller for performing data encryption and data decryption of data communication packages to be transferred in a network (such as a LAN: Local Area Network, or a WAN: Wide Area Network), said data communication package containing a first section of non-encrypted data and a second section containing encrypted data, and said communication controller comprising a session key storage means, a transmission FIFO (first in first out storage facility) means, a data read transmission control means, a data encryption means, a data compression means and an integrity check value calculation means constituting a first series configuration from said data compression means interconnecting through said integrity check value calculation means to said data encryption means, said method for transmitting and encrypting, comprising:
- the method for transmitting and encrypting in a communication controller is new and ensures a secure and fast transmission. Furthermore by incorporating the means in a single method the time delays are considerably reduced.
- the method for transmitting and encrypting further comprising constituting an input section of said controller means for network transmission by means of a transmission FIFO means (first in first out storage means).
- a transmission FIFO means first in first out storage means. Since the method for transmission and encryption in a communication controller, according to the third aspect of the present invention, comprises storage means for transmission of data communication packages, full compatibility is achieved between a host system and the network. Especially differences in reading rates between stations and network transmission rates are compensated for.
- the host system may operate at one transmission frequency, while the network may operate at another without overloading the host system or the network. This relieves processing time available to the host system, since delivering a data communication package to the controller frees the host system's central processing unit to perform other tasks than waiting for completion of transmission and therefor optimises the transmission performed on the network.
- the method for transmitting and encrypting in a communication controller further comprising provision of interrupt routines for units included in the communication controller hereby insuring a continuous data transmission on the network by means of the controller means for network transmission.
- the method for transmitting and encrypting further comprising substantially simultaneously operations of the data compression means and the data encryption means, and controlling by the controller means for network transmission.
- the method for transmitting and encrypting further comprising controlling the transmission FIFO means by means of the controller means for network transmission so as to guarantee the continuous supply of bytes from the transmission FIFO means to the controller means for network transmission. This ensures that the transmission is performed extraordinarily fast.
- the means incorporate several operations in the method a fast internal control of the operations may be achieved. Performing data compression and data encryption substantially simultaneously instead of performing the operations consecutively considerably improves the transmission time and reduces the delay for transmitting a secure data communication package.
- the method for transmitting and encrypting in a communication controller further comprising monitoring the compression and encryption of the part of the input data by means of the data read transmission control means for determining, whether or not, the part of the input data exceeds the amount of data containable within the second section of data communication package.
- the method for transmitting and encrypting in a communication controller further comprising transferring the transmission encryption key provided by the session key storage means from the data read transmission control means to the data encryption means by means of a connection means.
- the method for transmitting and encrypting in a communication controller further comprising operating the data compression means in two modes of operation, a high compression mode of operation handling compression of the part of the input data substantially simultaneously to transmission of the data communication package, and a low compression mode of operation applying a reduced compression efficiency to the compression substantially simultaneously to transmission of the data communication package, the high compression mode of operation operating according to an amount of accumulated data in the transmission FIFO means and the data compression means being notified by the controller means for network transmission in case of the amount of accumulated data in the transmission FIFO means is less than a predetermined value hence activating the low compression mode of operation.
- the capability of switching between two modes of compression enables the continuous performance of a maximum rate and supply of transmission data bytes to the network until the end of the data communication package is reached.
- the communication controller further comprising receiving means, a data writing means, a data decompressing means, a data decryption means, a data receiving control means and an integrity check value verification means constituting a second series configuration from said data decryption means interconnecting through said integrity check value verification means to said data decompression means, comprising:
- the method for transmitting and encrypting further comprising receiving said received data communication package from said data receiving control means in said third mode of operation, receiving said received data communication package from said data decompression means in said fourth mode of operation and transferring said received data communication package through a connection to said data writing means by means of a write FIFO means, and receiving said received data communication package from said control means for network reception and transferring said data communication package through a connection to said data receiving control means by means of a receiving FIFO means.
- the method for transmitting and encrypting in a communication controller further comprising updating encryption key information in the session key storage means according to a key management protocol by the host system.
- Encryption key administration is entirely managed by the host system thus delegating this cumbersome task to the host rather than a local processing means on the communication controller.
- the encryption key or keys may be updated through the data read transmission control means.
- the method transmitting and encrypting in a communication controller further comprising performing a subtraction, division, multiplication or preferably a summation of the data contained in the second section of the data communication package to be transmitted, and adding a first integrity check value to the second section of the data communication package by means of the integrity check value calculation means.
- the method for transmitting and encrypting in a communication controller further comprising performing a subtraction, division, multiplication or preferably a summation of the data contained in the second section of a received data communication package.
- the integrity check value calculation and verification ensures that no excessive time is spent on corrupted data communication packages at the receiving end of a transmission, therefor, implementation of this calculation and verification may reduce unnecessary data communication package processing.
- the method for transmitting and encrypting in a communication controller further comprising controlling the first switching means in the two modes of operations by means of the data read transmission control means.
- the method transmitting and encrypting in a communication controller further comprising controlling the second switching means in the two modes of operations by means of the data receiving control means.
- the method for transmitting and encrypting in a communication controller further comprising providing interrupt routines for units included in the communication controller hereby insuring a continuous data transmission on the network by means of the receiving means for receiving the data communication packages on the network.
- the method for transmitting and encrypting in a communication controller further comprising adding flag and fragment ID trailing the compressed part of the input data contained in the second section of the data communication package by means of the data compression means, and further comprising extracting flag and fragment ID trailing the compressed part of the input data in the decrypted second section of the data communication package by means of the data decompression means.
- a network controller of a communication controller comprising means for producing a data communication package comprising a non encrypted first section including clear header, and a encrypted second section including a protected header, a data section, a fragment ID, flags, padding and a ICV.
- the network controller of a communication controller further comprising means for producing the data communication package wherein the data section comprises compressed data, end of data, padding and uncompressed data.
- the transmission data are compressed until the transmission data are smaller than the maximum payload of the data section. If the transmission data in compressed are larger than the maximum payload of the data section then the transmission data are transmitted uncompressed.
- the data section is configured as comprising compressed data as well as an uncompressed data.
- the compressed data part may contain 0 bytes of data.
- the network controller of a communication controller may further advantageously comprise any of the features of the communication controller according to the first and second aspects of the present invention and may further advantageously be adapted to perform the method according to the third aspect of the present invention.
- a data communication package comprising a data section including compressed data and uncompressed data.
- a communication controller chip for performing data encryption and data decryption of a multiplicity of data communication packages to be transferred in a network such as LAN (local area network) or WAN (wide area network) and including a plurality of processing units, each of said multiplicity of data communication packages containing a first section of non-encrypted data and a second section containing encrypted data and each said of multiplicity of data communication packages having an associated processing descriptor defining source, destination, process configuration of said plurality of processing units and processing of said data communication package, and said communication controller chip comprising:
- a bridge unit connecting said communication controller through a bus to a central processing unit (CPU) or a host,
- a random access memory RAM for keys, processing descriptors and for temporary storage of data
- an in-queue unit comprising a plurality of queues for pointers referencing processing descriptors for data communication packages in said RAM to be processed by said plurality of processing units
- an out-queue unit comprising a go-queue of pointers referencing processing descriptors for data communication packages in RAM to be processed by a plurality of processing units, which process is monitored and analysed by said CPU or host system so as to establish if further processing is required, and said out-queue unit comprising a complete-queue of pointers referencing processing descriptors for data communication packages in said RAM having completed processing in accordance with requirements of said CPU or host system, (f) a decompression processing unit included in said plurality of processing units providing decompression of compressed data of said second section of said data communication packages thereby producing decompressed data in said RAM or memory of said host in accordance with processing descriptors associated with said data communication packages, (g) a compression processing unit providing compression of said second section of said outgoing data communication packages thereby producing compressed data in said RAM or memory of said host in accordance with processing descriptors associated with said data communication packages, (h) a decryption processing unit providing a decryption of said
- the communication controller chip according to the sixth aspect of the present invention provides a superior implementation of the invention according to first, second, third and fifth aspect of the invention, since the communication controller chip allows for any combination of units and any combination of order in which the units operated thereby providing an extremely fast system.
- the communication controller chip according to the sixth aspect of the present invention further comprises:
- a first authentication processing unit providing calculation of an integrity check value (ICV) to be included in an outgoing data communication package, said calculation utilising an ICV key provided in a ICV key space of said RAM, said ICV key space being referenced by said processing descriptors
- a second authentication processing unit providing verification of an ICV to be extracted from an incoming data communication package, said calculation utilising a ICV key provided in said ICV key space of said RAM, said ICV key space being referenced by said processing descriptors
- a receiving media access control unit constituting an address filter for said communication controller and providing a receiving gate for said network, said receiving media access control unit filtering all data communication packages on said network and communicating incoming data communication packages to a incoming data communication package space in said RAM, said receiving media access control unit simultaneously generating a processing descriptor for every incoming data communication packages, said processing descriptor including a start address of associated incoming data communication package in a incoming data communication package space in said RAM, said receiving media
- the RAM of the communication controller chip according to the sixth aspect of the present invention is constituted by SRAM, DRAM, or SDRAM or any combinations thereof.
- the compressing processing unit of the communication controller chip according to the sixth aspect of the present invention may be configured to detect compression efficiency and in accordance to the compression efficiency continue compression of data or disengage further compression.
- the communication controller chip ensures that the management bus further providing signaling and configuration for the first authentication processing unit, the second authentication processing unit, the receiving media access control unit, and the transmitting media access control unit, and the first in first out (FIFO) bus further enabling communication between the bridge unit, the RAM, the data transmission control unit, the in-queue unit, the out-queue unit, the compressing processing unit, the decompression processing unit, the encryption processing unit, the decryption processing unit, the first authentication processing unit, the second authentication processing unit, the receiving media access control unit, and the transmitting media access control unit.
- FIFO first in first out
- the communication controller chip includes the compressing processing unit having a maximum allowable space on the RAM for compressed data included in the second section of the outgoing data communication package and includes the decompressing processing unit having a maximum allowable space on the RAM for decompressed data included in the second section of the incoming data communication packages to be communicated to the CPU or the host.
- the communication controller chip according to sixth aspect of the present invention is implemented having features of the communication controller according to features of the first aspect of the present invention, having features of the transmission and encryption section of a communication controller according to second aspect of the present invention, being adapted to perform the method according third aspect of the present invention, having features of a network controller of a communication controller according to fourth aspect of the present invention, and having features allowing transmission of the data communication packages according fifth aspect of the present invention.
- figure 1 is a schematic presentation of an encrypted LAN communication package
- figure 2 is a schematic overview of a typical communication system having incorporated a communication controller according to present invention
- figure 3 is a schematic diagram of a presently preferred embodiment according to the invention for data-encryption/data-decryption
- figure 4 and figure 4B are a schematic presentations of data formats for a compressed payload
- figure 5 is a schematic presentation of an example on an advantageously and presently preferred embodiment of a LAN communication package format according to the invention.
- FIG. 6 is a schematic diagram of an ESP (Encapsulating Security Payload) processing of an IP data telegram
- Figure 7 is a schematic presentation of a compression in accordance to IP com
- Figure 8 is a log diagram of the processing units and connecting ram
- Figure 9 is a schematic presentation of a virtual private network interfacing to the intranet and to the internet
- Figure 10 is a block diagram of a network interface controller card consisting of a single Ethernet interface and a single set of processing units such as compressing or encryption units
- Figure 11 is a block diagram of a virtual private network showing logical connections and structures
- Figure 12 is a schematic presentation of a structure of a processing descriptor
- Figure 13 is a schematic presentation of an example of a buffer indication in the processing descriptor and shows a processing descriptor configuration for encryption followed by authentication.
- Figure 14 is a schematic presentation of a principle of signalling between processing units
- Figure 15 is a schematic presentation of a model for the synchronisation performed between the processing unit
- Figure 16 is a schematic presentation of the main state machine of the processing unit, which controls the processing and the overall operation
- Figure 17 is a schematic presentation of a calculation of a virtual FIFO count calculated as the difference between a source buffer end and source buffer start,
- Figure 18 is a schematic presentation of destination buffer control and signalling (destination buffer increment control signalling),
- FIG 19 is a schematic presentation of signalling status (SIGStatus).
- FIG. 20 is a schematic presentation of a management bus and the attached processing units and controller units
- Figure 21 is a schematic presentation of a state machine, which requests a processing unit
- Figure 22 is a schematic presentation of an encapsulated security payload specification including padding at the end of the payload
- Figure 23 is a schematic presentation of the activation of a processing descriptor which activation is controlled by the state machines
- FIG. 24 is a schematic presentation of an Ethernet frame format
- Table 1 summarises encryption algorithms currently suggested by the encryption security payload and the requirements for confidentiality
- Table 2 lists the algorithms which are required by the authentication of authentication header and encryption security payload
- Table 3 lists State and Activity of a processing unit main state machine
- Table 4 lists State and Activity of source buffer end and virtual FIFO count control
- Table 5 lists State and Activity of destination buffer control and signalling
- Table 6 lists State and Activity of signalling status
- Table 7 lists the implementation of the interrupt lines of the central processing unit (CPU),
- Table 8 lists allocation of chip select in memory areas which allocation is controlled by the system controller which provides large flexibility regarding location in the processor memory space
- Table 9 lists the address fields of the register space layout
- Table 10 lists common processing units registers
- Table 11 lists source buffer increment layouts
- Table 12 lists identifiers for all the processing units
- Table 13 lists definitions of the currently identified signals to be transferred on a management bus
- Table 14 lists the result/status of each command's last signal indicated by the target
- Table 15 lists State and Activity of the processing unit's request/arbitration
- Table 16 lists definitions of type
- Table 17 outlines the differences in handling of the header and source buffer
- Table 19 lists common fields, which are common to most of the processing descriptor sections.
- Table 20 lists the configuration of the base
- Table 21 lists Offset, Size, Type and Name of fixed fields
- Table 22 lists Offset, Size, Type, Name, Description of encryption processing descriptor section,
- Table 23 lists the configuration base of encryption processing descriptor section
- Table 24 lists Offset, Size, Type, Name and Description of decryption processing descriptor section,
- Table 25 lists configuration base of decryption processing descriptor section
- Table 26 lists value of the next header field in the encryption security payload trailer of description processing descriptive section
- Table 27 lists Offset, Size, Type, Name and Description of keys/initialisation vector section,
- Table 28 lists Offset, Size, Type, Name and Description of calculation processing descriptive section
- Table 29 lists configuration base of calculation processing descriptive section
- Table 30 lists Offset, Size, Type, Name and Description of verification processing descriptive section,
- Table 31 lists configuration base of verification base of verification processing descriptive section
- Table 32 lists Offset, Size, Type, Name and Description of authentication algorithm configuration
- Table 33 lists algorithms of the authentication algorithm configuration
- Table 34 lists Offset, Size, Type, Name and Description of compression processing descriptive section,
- Table 35 lists configuration base of compressing processing descriptive section
- Table 36 lists Offset, Size, Type, Name and Description of decompression processing descriptive section
- Table 37 lists configuration of decompression processing descriptive section
- Table 38 lists Offset, Size, Type, Name and Description of register interface
- Table 39 lists Offset, Size, Type, Name and Description of InQueue processing descriptive section,
- Table 40 lists configuration of InQueue processing descriptive section
- Table 41 lists State and Activity for a InQueue state machine used for monitoring the state of previous processing units
- Table 42 lists Offset, Size, Type, Name and Description of register's interface, WO-OO/30262 PCT/DK99/00625
- Table 43 lists OutQueue pointer format of register's interface
- Table 44 lists configuration of register's interface
- Table 45 lists Offset, Size, Type, Name and Description of OutQueue processing descriptive section,
- Table 46 lists Offset, Size, Type, Name and Description of Ethernet transmission and IP compensation of processing descriptive section,
- Table 47 lists configuration base of Ethernet transmission and IP compensation of processing descriptive section
- Table 48 lists Offset, Size, Type, Name and Description of Ethernet reception
- Table 49 lists configuration base of Ethernet reception
- Table 50 lists Offset, Size, Type, Name and Description of media access control address registers
- Table 51 lists Offset, Size, Type, Name and Description of receive media access control address filter configurations
- Table 52 lists media access control types
- Table 53 lists Offset, Size, Type and Description of source buffer register interface
- Table 54 lists the results of a read operation performed with an external memory access command
- Table 55 lists Offset, Size, Type, Name and Description of destination buffer registers.
- Table 56 lists the results of a write operation performed with an external memory access command.
- a transmission between different stations connected in a network such as a LAN (local area network) or a WAN (wide area network) involves sending data communication packages from one station to a connecting station or connecting stations and receiving data communication packages at one station from a connecting station or several connecting stations.
- Figure 1 illustrates a data communication package designated in its entirety by numeral 10 and comprising a section containing clear text 12 and a section containing encrypted data 14.
- the section containing clear text 12 holds a 48 bit address or addresses of the receiving station or stations, respectively, and a 48 bit address of the transmitting station.
- the receiving station may locate an encryption key in a local key centre and recall the encryption key associated with the transmitting station, similarly the transmitting station prior to encryption may locate an encryption key in a local key centre and recall the encryption key associated with the receiving station. According to the addresses of the receiving and transmitting stations contained in the clear text 12 the correct selection of an encryption key may be performed.
- FIG. 2 illustrates a schematic overview of a communication system, designated in its entirety by numeral 20, incorporating a communication controller 26 according to the present invention.
- the communication controller 26 is connected to a LAN 28 and to a local system bus 24 of a host system or station 22.
- the host system 22 for example a computer or a router directs a data communication package in a raw state, i.e. containing data which is not encrypted, to the system bus 24. This activates the communication controller 26, which subsequently encrypts the data and initiates a transmission of a data communication package through the LAN 28.
- the communication controller 26 receives a data communication package from the LAN 28, performs a decryption of the data communication packages and places the decrypted data communication packages on the system bus 24.
- the decrypted data communication packages are then collected from the system bus 24 by the host system 22.
- the communication controller 26 is an independent unit acting between the host 22 and the LAN 28 and performing the data communication encryption and decryption thereby significantly reducing processing time of the host needed for data transmissions. Additionally, the communication controller 26 may be applied to wide area network (WAN) modes connected through high speed transmission lines.
- WAN wide area network
- FIG. 3 illustrates the communication controller 26 according to the present invention in greater detail.
- the communication controller 26 is connected to the system bus of a host system through connections 100, 186 and 182.
- the connection designated by numeral 100 provides transmission data from the system bus of the host system as input to a Data Read TX control 102.
- the Data Read TX control comprises DMA (Direct Memory Access) means performing the collecting and reading of transmission data from the system bus.
- DMA Direct Memory Access
- the first part of data communication packages are transmitted without the application of an encryption procedure according to the IEEE standard, therefor a switching between an encryption mode and a non-encryption mode must be implemented.
- there are two acknowledge standards for encryption of data transmission IEEE 802.10 and IPSec. Either of these standards or potential future standards may be applied in the presently preferred embodiment of the invention.
- a switch designated in its entirety by numeral 108, is connected to the Data Read TX control 102 through connection 106 fulfils this requirement.
- the switch 108 may be implemented by any gate means utilising semiconductor techniques. Since the beginning of each data communication package contains non-encrypted data the switch has an initial position 110. When the switch 108 is switched in the position 110 encryption processing is bypassed through a connection 116 providing input data directly to a TX FIFO 130. However, when the switch 108 is switched in a position 112 a connection 114 is established to a Data Compressing unit 118. As described previously, the clear text 12 in the data communication package contains information regarding the transmitting and receiving addresses from which a correct encryption key may be deduced.
- the Session Key LUT 182 comprises an external CAM or a binary searching means built into an IC in conjunction with an ordinary RAM and stores a copy of the session keys.
- the Session Key LUT 182 comprising HASH means in conjunction with an ordinary external RAM.
- the session keys are updated according to a key management protocol by the host system.
- the security of a data transmission is typically improved by adding additional data, such as an additional header, padding and ICV (integrity check value), to data communication packages before encryption.
- additional data such as an additional header, padding and ICV (integrity check value)
- ICV integrated check value
- the length of these typical data communication packages exceeds the maximum allowable data package size, limited by LAN specifications, it becomes necessary to apply a fragmentation procedure upon the data contained in the package. This consequently slows the transmission rate considerably since more packages are introduced to the LAN each of which have copies of the first section added containing destination address and transmitting address.
- the introduction of these additional packages to the LAN is avoided by utilising data compressing means, such as the Data Compressing unit 1 18, for the reduction of raw data to package sizes that comply with the LAN specifications.
- the data is transferred substantially simultaneously from the Data Compressing unit 118 to an ICV calculation unit 122 through a connection 120.
- the ICV calculation unit 122 performs a calculation of the integrity check value by numerically summing the data part of the data communication package.
- the ICV calculation unit 122 further adds the value to the end of the data package.
- the compressed data are continuously transferred and finally the integrity check value is also transferred from the ICV calculation unit 122 to a Data Encryption unit 126 through a connection 124.
- the Data Encryption unit 126 performs the encryption of the compressed data and the integrity check value, and continuously transfers the result to the TX FIFO 130 through a connection 128.
- the TX FIFO 130 acts as a first in first out storage buffer ensuring that the LAN always has data to transmit.
- the TX FIFO 130 is partly filled before an actual transmission is initiated since the LAN only transmits with a predefined transmission rate and does not wait for data to be transmitted.
- a LAN controller TX 134 collects outgoing data from the TX FIFO 130 through a connection 132 and places them on the LAN through connection 136.
- the LAN controller TX 134 ensures that the data continuously are loaded onto the LAN within LAN specifications.
- the LAN generally needs a continuous flow of data.
- the data read rate of the Data Read TX control 102 of the communication controller 26 compared to the LAN transmission rate determines how the data transmission is performed. If, the data read rate of the Data Read TX control 102 is larger than the LAN transmission rate then transmission data will temporarily need to be stored in the TX FIFO 130 while the LAN controller TX 134 transmits initial parts of the data.
- the LAN controller TX 134 may initiate the transmission as soon as the receiving address is extracted from data received from the host.
- the LAN controller TX 134 needs to temporarily store transmission data in the TX FIFO 130 before transmission of any of the data.
- the LAN controller TX 134 may initiate the transmission as soon as the TX FIFO contains sufficient transmission data to allow for a continuous flow of data in the LAN transmission.
- the communication controller 26 may perform the storing of transmission data in the TX FIFO 130 substantially simultaneously to operations such as extraction of the receiving address from the first section of the data package and collecting an encryption key accordingly.
- the LAN controller TX 134 may substantially simultaneously calculate the amount of transmission data from the data communication package that needs to be stored in the TX FIFO 130 before the transmission is initiated on the LAN.
- the calculation performed by the LAN controller TX 134 may start when the LAN controller TX 134 has received the information regarding the size of the complete data communication package. The calculation is based upon size of the data communication package, the efficiency of the Data Compression unit 118 and the LAN transmission rate. If this calculation shows, that transmission time may be reduced by transmitting without compression of the data the LAN Controller TX 134 may order the Data Compression 1 18 through a connection 119 to shift from a high compression mode to a low compression mode.
- the time consumption allowed for the LAN controller TX 134 to extract the encryption key depends on the LAN transmission rate, the LAN type, the location of the key information in the data communication package, and the encryption algorithm. The following equation must be complied
- Tpreamble + T W art > TGet Block + TEncrypt Block ( ) and Tcet Key Tpreamble + T w a ⁇ t + T ⁇ clear header'TRead Key ID-TGetBlock-TEncr pt Block (2)
- Tp r e amb i e is the time necessary for transmitting the preamble part of the data communication package on the LAN
- T TX ci ear ead e r is the time necessary for transmitting the non-encrypted header on the LAN
- TRead K ey ID is the time necessary for reading the data from which the encryption key may be deduced
- TGet K e is the time allowed for extraction of the encryption key
- TEncrypt Bloc k is the time necessary for encrypting a block of data
- T Ge t Bl oc k is the time necessary for reading a block of data that needs encryption
- T W a ⁇ t is the time the LAN controller TX 134 must wait before the transmission may begin (can be 0).
- the preamble part of the data communication package comprises 8 octets having a transmission rate of 10Mbit/sec.
- a Key ID comprises 6 octets for a destination address and a Clear header comprises 12 octets for destination address and source address.
- the encryption algorithm applying DES block mode using 8 octets and not transmitting fixed IV consumes 0.64 ⁇ sec for encrypting every block, equivalent to an encryption rate of 100Mbit/sec.
- the primary purpose of the Data Compression unit 118 is to compress the data to a state where any fragmentation may be avoided. Additionally, an improved efficiency of the LAN is obtained, if, the data read rate of the Data Read TX control 102 is faster than the LAN transmission rate then.
- the data compression may influence the allowable time consumption of the LAN controller TX 134 however, this influence may be reduced significantly by following certain data compression methods.
- a first method involves performing the data compression substantially simultaneously to performing the data transmission.
- the rate at which the data is output from the Data Encryption unit 126 is unpredictable. This is unacceptable since the TX FIFO 130 must never be emptied during the data transmission.
- the data compression function of the Data Compression unit 118 may be implemented as dependent on the amount of stored bytes in the TX FIFO 130. Thus, if the TX FIFO 130 is running low on stored bytes then the Data Compression unit 118 will lower data compression efficiency.
- the implementation of the lowering of data compression efficiency may be implemented by having the Data Compression unit 118 ignoring its history buffer.
- the Data Compression unit will lower its efficiency as long as the TX FIFO 130 contains an insufficient amount of stored bytes.
- the last two bytes in a (media access control) MAC header normally contains information relating to the length of the data communication package and this information is not known prior to the compression of the data communication package. Therefor a precisely defined and vacant Ethernet type may substitute this information relating to the length of the data communication package (byte count). The original value is moved into a protected header in the data communication package thus allowing the receiving station to re-establish the information.
- the first method might induce further difficulties when applying the IPSec standard since the length of the data communication package must be included in the IP header.
- the communications controller 26 engages in transmitting a IPSec data communication package having a payload of 4,000 octets of data on a LAN employing IEEE 802.3 standard having a maximum data communication package size of 1 ,500 octets , when a fragmentation is likely to be required since the data in the data communication package cannot be compressed to a size within the limits.
- the communications controller 26 therefore starts by transmitting a data communication package having maximum payload, and if the data compression unit 118 compresses too much the data compression unit 118 stops compressing so as to ensure that the resulting length of the data communication package is identical to the length of a data communication package included in the IP header.
- a second method involves compressing all the data before the transmission is initiated i.e. the amount of data contained in the data communication package and the necessity for data fragmentation is known. If the primary purpose is to avoid fragmentation of the data a following first scheme may be implemented. If the data communication packages are smaller than the maximum payload then they are transmitted non-compressed at once. If the data communication packages are larger than maximum payload then they are compressed and if the size of the compressed part and the clear text part is smaller than the maximum payload, then the data communication packages are transmitted. However, if the Data Compression unit 118 is unsuccessful in compressing the data communication package to comply with the maximum payload then the data communication package may be transmitted non- compressed.
- the Data Read TX control 102 may check the progress of the compression of the data in the Data Compression unit 118 and make a decision as to either continue or interrupt further data compressing of the data communication package.
- the LAN controller TX 134 may check the progress of the compression of the data in the Data Compression unit 118 through the connection 1 19 and order a high or low compression mode.
- a second scheme may be implemented.
- Data communication packages, smaller than a predetermined size are transmitted non-compressed at once.
- Data communication packages, larger than the predetermined size are compressed and in case the compression of the data communication package is progressing normally then the Data Compression unit 118 continues the compressing procedure otherwise the compression is interrupted and the data communication package continued as a non- compressed transmission.
- the receiving station or stations experience compatibility between the first and second scheme and may be implemented and used with most relevant standards for data transmission .
- Figure 4A illustrates a data format for a compressed payload, designated by numeral 40 in its entirety, comprising a first section 42 containing compressed data, a second section 44 containing a bit pattern indicating the end of the compressed data section 42, a third section 46 containing padding of 0-7 bits insuring the correct placement of the octets in the non-compressed data and a fourth section 48 containing the non-compressed data.
- the length and the bit pattern of the second section 44 describe which algorithm is used for compressing the data.
- Figure 4B shows an alternative format for a compressed pay load designated by numeral 41 in its entirety, comprising a first section 43 containing compressed data, a second section 45 containing uncompressed encrypted data including octets of uncompressed data encrypted according to a compression standard, a third section 47 containing a bits pattern indicating the end of the compressed data section 43 and finally a fourth section 49 containing padding of 0-7 bits ensuring the correct placement of the octets in the non-compressed data.
- the data communication package When the data communication packages exceed a size compatible with the LAN specifications or when the data communication package expand as a result of the compression then the data communication package may be fragmented into two or more data communication packages. Expansion resulting from compression may occur when the compression is applied to encrypted data. Normally, the maximum expansion of the data due to compression relates to the compression algorithm and consequently the maximum expansion is known. Typically, an expansion percentage is in the range of 5% to 20%, depending on which compression algorithm is utilised.
- the protocol trailer is the last byte before the padding information in a LAN data communication package and is used for indicating if the LAN communication package is a fragmented package.
- Figure 5 illustrates an example on a LAN communication package format according to the invention, designated by numeral 50 in its entirety, comprising a first section 52 containing a clear text, a second section 54 containing a protected header, a third section 56 containing data, a fourth section 58 containing fraction ID, a fifth section 60 containing flags, a sixth section 62 containing padding 62 and a seventh section 64 containing ICV.
- the protocol trailer comprises sections 58 and 60 containing fragment ID and flags and includes a byte having 6 reserved bits, 1 bit indicating more segments and 1 bit indicating fragmentation.
- a fragment identifier may be stored in the in six bytes situated from the seventh to last byte to the second to last byte in the data section 56 in the LAN communication package 50.
- the flags 60 and the padding 62 may according to normal practice be contained in the protected header 54. Choosing the fragmentation identifiers capacity this large ensures against reruns of the identical fragmentation identifier before the session key is changed.
- the first compression method places flags and fragment ID in the later sections of the LAN communication package 50.
- the value included in the ICV section 64 of the LAN communication package 50 is based on an ICV calculation including sections 54 to 62 illustrated by arrow 66. Sections in the LAN communication package trailing the clear text section 52 are all encrypted as illustrated by arrow 68.
- the receiving section of the communication controller 26 comprises several functions.
- a LAN controller RX 140 receives data from the LAN through a connection 138 and stores the data in an RX FIFO 144 through a connection 142 at rates determined by the LAN specifications.
- the RX FIFO 144 acts like a storage buffer ensuring compatibility between LAN transmission rates and processing speeds of the communication controller 26. If an error should occur during a reception of data in the LAN controller RX 140 the LAN controller RX 140 sends a message to the host system and to an RX control unit 148.
- the RX control unit 148 extracts the information in the first section of the data communication package regarding the encryption key needed for the decryption of the received data, collects the appropriate decryption key from the Session key LUT 186 through a connection 150 and provides the decryption key to a Data Decryption unit 164 through a connection 165.
- the RX control unit 148 is capable of translating a wide variety of formats of data communication packages and the translation algorithm may be adjusted to any new or different formats of data communication packages.
- a switch 154 has an initial position 158 directing non-encrypted data contained in the first section of a data communication package to a WR FIFO 176 through a connection 160.
- the switch 154 changes to a new position 156 directing encrypted data contained in the second section of the data communication package to the Data Decryption unit 164 through a connection 162 and a connection 152.
- the Data Decryption unit 164 decrypts the second section of the data communication package and transfers the decrypted data to an ICV check unit 168 through a connection 166.
- the ICV check unit 168 performs a verification of the integrity check value of the decrypted data by calculating the integrity check value of the decrypted data and comparing the calculated value with the value stored in the data communication package by the transmitting controller of a different station.
- the ICV check unit 168 finds an error in the value it sends a message to the host system and the data communication package is discarded. Depending on which standard is applied the ICV check calculation and the data decryption process may be interchanged so as to enable data decryption before ICV check calculation. If the ICV check unit 168 finds that the two values are identical then the data communication package is transferred through a connection 170 to a Data Decompression unit 172. The Data Decompression unit 172 provides a decompression of the verified data communication package and transfers the result through a connection 174 to the WR FIFO 176.
- the WR FIFO 176 acts like a storage buffer ensuring compatibility between LAN transmission rates and processing speeds of the communications control 26 e.g. the system bus 24 of the host system 22 and the LAN 28 are operating at a different speeds.
- the data communication package is subsequently extracted through a connection 178 and placed on the system bus of the host by a Data Write unit 180 through a connection 182. If any errors occur during a reception the host system is notified through the Data Write unit 180 enabling the discarding of any parts of data received from the package and which are already stored in the host system.
- the communication controller 26 co-operates with the host system 22 in providing the optimum performance and lowest costs regarding a data transmission system.
- the host system 22 must comprise a powerful central programmable unit (CPU) and include a large capacity of RAM for management of the encryption keys and for the updating of the Session Key LUT 186. Furthermore, the host system 22 collects fragmented data communication packages in its RAM because this provides the fastest solution.
- the communication controller 26 comprises relevant algorithms implemented in hardware, some CPU means and RAM.
- the host system 22 may perform a interpretation in part of the data communication package when the package format is complicated and transmit relevant information to the communication controller 26 enabling the Data Read TX control 102 to quickly find the associated session key.
- the RX control unit 148 performs an interpretation of the data communication packages and extracts the relevant encryption keys without help from the host system 22. However, the host system 22 may perform adjustments to the data communication packages before they are handed to the applications.
- data communication package is a generic term for a datagram, data telegram, data package and is to be construed as a complete data package to be transmitted on LAN or WAN.
- the implementation may be accomplished by configuring a network card or a virtual private network card (VPN).
- VPN virtual private network card
- the IPSec standard as defined in RFC 2401 provides a method for achieving confidentiality and/or authenticity.
- encapsulated security payload (ESP) as defined in RFC 2406 is used as the general technology.
- the ESP processing is performed on the entire IP data communication package in transport- or tunnel mode and provides a new IP data communication package.
- the ESP processing in transport mode shown in figure 6 essentially consists of generation of a new IP data communication package comprising a copy of the original header including an adjustment of the next header value and further consists of the application of ESP on the payload. This results in the encryption of data and the calculation of an ICV.
- the encryption is performed before the ICV calculation.
- the field defined as SPI in figure 6 is used as reference for which encryption key and which algorithm should be employed.
- the IPComp standard (RFC 2393) provides the possibility for compression of data as shown in figure 7.
- a compression parameter index (CPI) designates which algorithm should be employed in accordance with RFC 2393. During transmission of data the compression must be completed before encryption since it is not possible to compress encrypted data.
- An alternative and presently preferred embodiment of the invention provides the possibility for utilising IPSec and IPComp standards as ESP so that delays in the system is minimised.
- This is achieved by combining a central processing unit (CPU) for administration and set up of the processing of the individual data communication packages as well as dedicated processing units (PU).
- the PUs are characterised by firstly having access to local RAM (common between PUs) into which RAM data is written and read at a position in the RAM, which is determined by a processing descriptor (PD), thereby obtaining enlarged flexibility since the CPU is enabled to define data before and subsequent to a PU process.
- PD processing descriptor
- the process of data may be accomplished synchronously between individual PUs thereby enabling virtual transfer of data from for example the data compression unit and the data encryption unit without significant delays in the system.
- the individual PUs are able to manage header and trailer in accordance with above mentioned standards, thereby allowing to define the entire processing of the data communication package from clear text to transmission.
- the processing descriptor PD for each data communication package defines which process the respective PUs should perform.
- a queuing system enables the communication controller to manage peak loads and further accomplishes an effective operation of the CPU.
- Figure 8 shows a block diagram of the PUs and connected RAM, in which block diagram the FIFO (first in first out) bus 80 provides access to a SRAM 82 (static random accessible memory) shared by all PUs 92a, 92b, 94a, 94b, 96a, and 96b.
- the management bus 84 shown in figure 8 is used for signalling between individual PUs 92a, 92b, 94a, 94b, 96a, and 96b for example for the synchronising described above.
- a bridge to CPU/host bus 86 provides access for the CPU to registers in the individual PUs 92a, 92b, 94a, 94b, 96a, and 96b, and the SRAM 82.
- An external bus 85 may typically be a local bus whereto the local CPU has access. If the presently preferred embodiment of the invention is used as a network card then the bridge to CPU/host 86 further provides the primary path for transferring to and from a host system.
- a control unit 88 provides access for the CPU to data relating to general configuration and surveillance of the system.
- An inqueue unit 90a and an out-queue unit 90b comprises a collection of PDs which need to be processed by the CPU (out-queue 90b) and a collection which need to be processed by the PUs (in-queue 90a).
- the in-queue 90a enables the CPU to insert PDs as soon as they are ready for processing without having to wait for the PUs to become ready. Additional queues ensure that a busy PU does not block or disable initiation of a PD on a different PU.
- the out-queue 90b utilises a go-queue and a complete-queue.
- the go-queue is for inserting PDs as soon as a PU has produced a certain amount of data, thereby enabling the CPU to inspect for example an IP header on a received Ethernet frame. Further processing may subsequently be initiated even though all the data still has not been received. An interrupt is generated to the CPU when the go-queue contains a PD.
- the complete-queue is for inserting PDs when the processing of the PDs is finalised. PDs included in the complete-queue are utilised by a transmitting media access control unit (TX-MAC) 98a or by the CPU.
- TX-MAC transmitting media access control unit
- a decompression unit PU 92a and a compression unit PU 92b perform a decompression and compression of data respectively.
- the CPU sets up the header thereby ensuring that the complete data block is ready by the completion of the compression process.
- Both the decompression unit PU 92a and the compression unit PU 92b have a maximum allowable length of the data. In case the length of the data exceeds the maximum allowable length an interrupt is generated and transmitted to the CPU. This ensures that no data is over written during the creation of a data communication package.
- the end of data indication may further be applied for the detection of whether the compression has resulted in an expansion of the data. By specifying a limit for the compression required the decision as to further compression is accelerated. If a satisfactory compression is achieved then the compression continues and if a non-satisfactory compression is achieved then the data will not be compressed and a second start address is applied. The decision regarding further compression may be taken without the involvement of the CPU.
- a decryption unit PU 94a and an encryption unit PU 94b perform respectively decryption and encryption of the payload as defined by ESP.
- a memory block includes information on keys used for decryption and encryption and is referenced by the PDs.
- the memory block has allocated an ICV (integrity check value) field for each SPI (figure 6).
- the decryption unit 94a and the encryption unit 94b provides the possibility for using an ICV for a first set of data on a second set of data using the same key block in the memory referenced by the PDs. Further, the decryption unit 94a and the encryption unit 94b provides an possibility for configuring the process so that decryption and encryption may be performed on fragmented data even though additional processing of other data communication packages are initiated.
- Two authentication units PU 96a and 96b perform calculation and validity control of ICV.
- a pointer included in the authentication units 96a and 96b points to a memory block including key. Typically a block will be allocated for each SPI.
- a transmitting media access control unit (TX-MAC) 98b and the RX-MAC 98a transmits and receives data communication package via the network.
- TX-MAC media access control unit
- RX-MAC radio access control unit
- At reception of a data communication package data is sequentially written to a large buffer and a PD is configured in accordance with firstly the start address and secondly the end address.
- the PD is moved to the Go-queue enabling the CPU to detect the reception of a new data communication package.
- the CPU reads the header of the data communication package and decides which form of process is needed. If the first PU is available for carrying out this process then the processing may be initiated immediately. Consequently processing of the data may be performed simultaneously to the reception of data from the LAN.
- the main buffer is configured with a defined limit for amount of data and in case the limit is exceeded an interrupt is generate for the CPU, which configures a new buffer hereafter.
- VPN virtual private network
- an address filter is implemented, which address filter determines from the MAC address whether the data communication packages should be received or not.
- the address filter may operate in a positive or negative mode designating which data communication packages should be received and designating which data communication packages should be ignored. Configuration of the address filter may be performed dynamically so as to enable compatibility with the network configuration used.
- the length of the data provided in a field in the IP header may be adjusted in accordance with the real length of the data communication package.
- a new ICV is calculated and inserted in the IP header.
- the adjustment of the length value in the IP header field may obviously be initiated only when the processing of the data is concluded that is that for example the compression of data is complete. If no compression is applied to the data the transmission may be initiated as soon as the first data arrive at the TX-MAC 98b.
- the Safe NIC product Compared to a standard PCI network interface controller card (NIC), the Safe NIC product will provided hardware assisted compression/decompression, encryption/decryption and authentication which makes it possible to provide full data confidentiality and authentication without significant reduction in performance - in some cases even with improved performance due to compression and the on-board IP processing.
- NIC network interface controller card
- the board In a VPN configuration, the board will provide one half of the VPN functionality.
- the interfaces of the board is therefore one to the intranet and one to the internet.
- This configuration is illustrated in figure 9.
- the interface is provided by means of an Ethernet interface but other physical interfaces are also possible by - optionally by means of the PCI interface although an integrated interface is preferred.
- the board is primarily intended for the VPN pro to provide hardware based cryptography, authentication and compression. If the two Ethernet interfaces are used, all processing between the intranet and internet is performed onboard whereby the PCI interface is not loaded by this traffic - only non-VPN related traffic is routed through the PCI-bus to the host system.
- a MAC-address filter is provided on the local Ethernet channel in order not to load the system with Ethernet frames that are not intended for the VPN processing.
- PCI-bus interface compliant with PCI spec. 2.1 32 bits/33MHz. 10/100Mbit Ethernet for local net. Includes MAC address filter. 10/100Mbit Ethernet for internet access. Support for IPSec (ESP primary, possibly also AH). RFC 2406. Support for IPComp. RFC 2393
- the architecture of the design is based on a number of processing units (PU) which performs the processing of the data based on a SRAM memory interface.
- PU processing units
- These PUs are Authentication, En/decryption compression/decompression and a transmit/receive MAC.
- SRAM which provides a virtual FIFO between the units - this memory is therefore also denote FIFO-RAM.
- the SRAM and the PUs are accessed by a bus which will be denoted Fifo Bus.
- Fifo Bus a bus which will be denoted Fifo Bus.
- This bus also provides access to the PC system memory by means of the CPU/PCI bridge provided by the system controller.
- Each PU will operate on buffers (identified by a start and end pointer) in memory.
- the accessible memory may be divided in three sections:
- System memory is accessible by means of the system controller. Accesses to system memory should be limited to transfer of data to be transmitted/received from/to the host system.
- SRAM is primarily intended for processing by the PUs. Use of the SRAM for this processing will make it possible to process data at wire-speed of the network connection (100Mbit). The amount of SRAM is limited since it only should be used as a temporary processing storage during processing of the datagrams.
- the data In the VPN configuration, the data should quickly be retransmitted (probably with a new security association) to a new receiver.
- the data will be transferred to/from an upper application layer.
- Processor memory is intended to be working memory for the local CPU.
- the CPU has access to all other memory areas by means of system controller.
- the PUs should work in the local SRAM.
- the configuration of the PUs is based on a processing descriptor (PD) which contains all configuration information and may be located on any location in the FIFO-memory.
- a part of the PD is indication of source and destination buffers used for the processing.
- Two queue units are included in order to provide an efficient interface to the CPU. PDs which are to processed are placed in a queue. The InQueue will then initiate processing as soon as the relevant PU is available. Similar, the Outqueue unit will collect the PDs (represented by a pointer to each) as they are processed by the PUs. Using these queues provides more efficient use of the CPU as well as the PUs since none of them have to wait for each other.
- a management bus which is used to perform communication between the PUs. An important part of the communication is synchronization between the PUs whereby a pipelined processing may be achieved.
- This processor Since the required processing cannot easily be deduced from the received datagrams a processor is provided to perform this analysis and configuration for the processing. This processor will also perform management related tasks such as negotiation and maintenance of the security association which shall be used for each individual connection.
- Figure 10 shows a block diagram of the NIC-card. This configuration only consist of a single Ethernet interface and a single set of PUs.
- Figure 11 shows a block diagram of the VPN. This configuration contains two Ethernet interfaces - one for the internet interface and one for the local network interface. Two sets of PUs is provided - one for inbound and one for outbound internet data processing (IOP) and one for inbound internet data processing (IIP).
- IOP internet data processing
- IIP inbound internet data processing
- Each section has its own memory and dedicated PUs. Configuration and processing of the two blocks are also independent.
- each set of PUs interfaces to the local network and the internet. This means that the physical interfaces are shared between the two PU sets.
- IPsec [1], IPComp [2], IPv4 [3] and IPv6 [4] shows that processing of the IP datagrams in hardware only will be very complex due to the header analysis.
- a local processor is provided to perform the above mentioned tasks.
- the use of a local processor puts less effort on the host processor and the network adapter will appear as 'black box' since the IPsec and IPcomp processing is performed by the board itself.
- the NEC VR4310 [18] and the Galileo GT64115 [19] is chosen as the local processor and system controller.
- SDRam which is intended for the program execution on the MIPS processor.
- the code from the Flash should be copied to this area in order to provide faster access and thereby improved performance compared to the Flash.
- 16MB SDRam will be provided on the initial version. This amount might be adjusted.
- Flash which will provide boot-code for the local processor. This device must be programmed as a part of the initial test of the board. Later maintenance may then be performed by means of the PCI-bus and/or the local processor itself. Several MB may be provided.
- SRAM is provided for each direction as shown on the block diagram. At least 128KB will be provided for each block in the diagram.
- the CPU/Local bridge provides an interface between the device-bus and possibly the processor-bus and the FIFO-bus. This unit is additionally arbiter on the local bus.
- the main access types which are translated by this block is:
- a PU When a PU accesses memory, it may either be directly to the local SRAM which may be accessed at random or it may be to the processor memory/external RAM by means of a source and destination buffer functionality.
- the source/destination buffer functionality may be seen as two independent PUs which are configured only by means of a register interface and which must be requested similarly to the other PUs. Two buffer PUs are provided - one for read (source buffer) and one for write (destination buffer).
- the Buffer PUs can only be used for the source and destination data of the processing and thereby not for any configuration. All configuration data must therefore be present in the FIFO-RAM. Note: In earlier versions, it was the intention that memory access should be fully transparent by means of the bridge. This is now only the case for source and destination data. Full transparency may be provided then the system is integrated further.
- An address filter is integrated as a part of the RX-MAC PU. This filter will be utilised in the VPN configuration in order only to process packets which shall be routed to the internet. The processor will thereby not have to analyze packets which are intended for the LAN and thereby not tunneling through the internet.
- the Address Filter can operate in either positive mode or in negative mode. In negative mode the Address Filter will discard the frame if the Destination Address Field in the received frame matches with one of the Destination Addresses stored in the Address Filter. In positive mode the Address Filter will discard the frame if the Destination Address Field in the received frame do not match with one of the Destination Addresses stored in the Address Filter. In short positive mode allows reception of frames with an address match and negative mode allows reception of frames with no match.
- the addresses of the filter is maintained by the following commands:
- the address filter operates on the data received from the MAC.
- the addresses are stored in separate memory not shown in the block diagram of figure 11.
- the InQueue is used to implement a queue of PDs which shall be processed. This makes batch-processing more efficient and it simplifies the entry of a PD for processing since this is done in a single point accessed by the CPU only.
- the InQueue PU will process the PDs on a strict queue basis. Alternatively, it may be considered to improve the performance by selecting a PD further down the queue if the PU of that PD should be free.
- the OutQueue is used to collect PDs in a queue during and after processing. Two queues will be provided:
- An interrrupt may be generated when one or more PDs are available in the queues.
- Section 4.4.4 in [6] lists the encryption algorithms which currently are suggested by the ESP. Table 1 summarizes these algorithms and the requirements for confidentiality.
- the supported column in tabel 1 indicates whether the algorithm is supported by the hardware. Additional algorithms may be supported later.
- Table 2 lists the algorithms which are required by the authentication of authentication header (AH) and ESP as defined in [6] section 4.4.3 and 4.4.4:
- the authentication PU will calculate the ICV and either write the data or compare to an existing value.
- the Ethernet interface is provided by a MAC-controller with a Mil interface.
- Embedding the MAC instead of using a standard external PCI Ethernet controller allows a tight integration and thereby an improved pata-path to the PUs.
- the processing descriptor (PD) is used to configure the PUs.
- the PD is located at an arbitrary location in FIFO memory and has the overall structure shown in figure 12.
- the PD is logically divided in sections corresponding to a section for each PU in the pipeline Each section is denoted PDS (Processing Descriptor Section).
- the NextPUID field will be present in (almost) all PDS and indicates which PU follows the current in the processing order.
- Figure 13 provides an example of buffer indication in the PD.
- the desired processing is that the payload is encrypted (and trailer is implicitly added).
- the authentication value shall then be calculated for the header followed by the encrypted payload, and the result of the authentication shall be added immediately after the encrypted payload (special option for authentication).
- the example contents of the PDS is illustrated in figures 12 and 13.
- the result of the encryption is written to an 'unused' location in memory, but it could also be written directly in the original payload (providing that the cleartext payload is not required - even in case of error). Note, that the configuration above results in a continuos datagram which could be transmitted if a IP header was added in front of the ESP header.
- One of the optional functions of the encryption PU is to add the ESP trailer. To indicate the final length of the source buffer to the next PU, the pointer to the end of the ESP trailer is written to the SrcBufEndPtr field of the authentication section.
- the part above the buffer shows the terminology used for the destination buffer (i.e. the data production part of the current PU) and the part below the buffer shows the terminology for the source buffer (i.e. the part of the next PU which consumes data).
- the signaling takes place based on the values set for the SBI (Source Buffer Increment) and DBI (Destination Buffer Increment), and consist of three major phases: 1.
- the current PU produces data until DBH words are available.
- a Go (first go) will then be signaled to the next PU. This will initiate the next PU which then knows that SBI1 words of data are available.
- Step 1 and 2 may be bypassed if less than DBH data is produced.
- SBE source buffer-end pointer
- FIG. 15 provides a model for an understanding of the synchronization which is performed between the PUs.
- the function of the modules in the drawing is as follows: SBE Source Buffer End. This unit keeps track on the end of the source buffer. When the unit is started with the first go, it is initialized to SBS+SBI1. On the following
- the actual buffer length is read from the PD.
- SBR Source Buffer Read Pointer to the next data to read in the source buffer. On start, this is initialized to SBS and then incremented as data is read by the PU core.
- VFC Virtual Fifo Count This is calculated as SBE-SBR and does thereby provide a count on how many octets remains to be processed in the source buffer. The operation of the PU core is controlled by this figure.
- DBE Destination Buffer End Keeps track on where the next data shall be written.
- the counter is initially loaded with DBH .
- a Go is signaled and the counter is loaded with DB12.
- This unit may also be implemented by means of an incrementing counter and a compare operation against DBH and DBI2 if this is found to be more efficient.
- the DBH value depends on the typical load on the PUs.
- a high value of DBH allows the current PU to perform a significant amount of processing before the next PU is started. If the next PU is busy, this allows the current PU to produce a larger amount of data. If however the next PU typically is idle, the DBI should be set low in order to start the next PU as early as possible and thereby reduce latency.
- the values of the SBI1 and SBI2 for each PU is stored in registers of each PU. A part of the configuration of the PUs is to read this register from the next PU in order to determine the DBH and DBI2 values which will be used for this PD.
- PU operation and state machines provides further details about the behavior of the PUs by means of state machines (SM).
- the description is based on PUs which consumes data from a header and a source buffer and produces data to a destination buffer. This does not apply for all PUs, and their state machines will therefore be simplified accordingly.
- the initial state of all state machines is the Idle state. This state shall also unconditionally be entered if a Reset is signaled to the PU.
- a PU main state machine (MainPU) is the main state machine of the PU which controls the processing and overall operation.
- Figure 16 shows a block diagram of the MainPU and table 3 provides states and activities of the MainPU.
- a Source Buffer End and VFC control keeps track on the current end of the Source buffer (SBE).
- the SBE is dynamically increased as Go signals are received from the previous PU.
- the VFC may be calculated as the difference between the SBE and SBR as shown in figure 17. Further table 4 lists state and activity of the SBE.
- a Destination buffer control and signaling (DBICtrl) shown in figure 18 controls the Go and Complete signaling to the next PU.
- This SM does also implement the request/grant protocol since the next PU must be granted before Go or Complete can be signaled.
- Table 5 lists state and activity of DBICtrl.
- This SM additionally handles the Sync signal which is issued if this PU will be the producer of data to a next PU. This allows additional processing to be initiated 'on the fly'.
- the ReqPU sub-state machine (SSM) will request/arbitrate the next PU.
- SSM The ReqPU sub-state machine
- the arbitration protocol and ReqPU state machine is further described below.
- a Signaling status (SigStat) shown in figure 19 is a simple state machine which monitors the progress/signaling state of the previous PU. States and activities of SigStat is listed in table 6.
- the FIFO-bus interface of the PUs is intented for the actual data-transfer.
- the source/destination for these data-transfers is typically the FIFO-memory, but may also be access to registers or access to external memory.
- the type of access as well as the signaling is communicated by means of a management bus.
- the ownership of the management bus always follows the ownership of the local bus.
- the default transaction on the FIFO-bus is access to FIFO-memory which will take place unless register-access or external access explicitly is indicated on the management bus.
- the control unit also operates as a device on the management bus and allows the CPU to perform signaling on the bus.
- FIG. 20 An overview of the management bus and the attached PUs and the CU is shown figure 20.
- the management bus is synchronous and consist of three signal groups (and clock): MSource This is the source of the bus-transfer which is controlled by the CU only. Each PU (and the CU) has a unique identifier (PUID) which is used for selection.
- MSource has the mastership of the bus for the active clock period and must drive the MTarget and MData. All other units must tri- state their drivers on these signals. It may be considered only to drive the bus in the 2 nd half of the clock period in order to avoid multiple drivers during the Source decode phase.
- MTarget The owner of the bus indicates the target for the management data/command.
- the Target shall respond on the MResult line with an indication of the result of the transaction.
- the PUNone may be used.
- MData The owner places the data on these lines. These indicate the actual signal/command.
- MResult The result of the bus-cycle management command is indicated on this bus which is driven by the PU identified by MTarget.
- the MSource is exclusively driven by the CU. Ownership of the bus is determined by an arbiter in the CU. Each PU has a request signal indicating that it wants ownership of the bus.
- the arbitration is essentially based on a timeslot for each PU. If a PU is not requesting the bus, it is bypassed and the 'next' PU in the sequence will grant the bus. A more intelligent arbitration may be considered in order to reduce signaling latency, but the benefits will probably be limited.
- the FIFO-bus is very similar to a typical asynchronous SRAM-bus consisting of the following signals.
- Address Indication of the address for the access This may be interpretated as a register address of a FIFO-memory address.
- the current inplementation uses a 32 bit databus and does only support 32 bit data-access.
- a register allows the software to quickly identify which interrupts are pending and take the appropriate action
- the SM In case of an error, the SM must examine each of the PUs and resolve the error Typically it will be necessary and probably easiest to 'clean up' the entire pipeline in order to start processing from a well-defined state
- Each PU will have registers defining its internal state These registers will be inspected by the CPU to determine the cause of the interrupt and appropriate actions
- the CPLD provides glue-logic for the board and provides some debugging facilities
- the UART allows attachment of a terminal which may be used during the test phase of the design
- the memory area of the FPGAs will consist of two major blocks:
- Address bit 21 will be used to determine which area to access. This provides 2MBytes for each area with the FIFO-ram at the lowest addresses. This will also mean that the areas will be mirrored if more than a 4MB window is allocated for this purpose.
- the PUs shall primarily work in the local SRAM, it is however possible to have the source or destination buffer outside this scope. Use of external memory is indicated with dedicated bits in the PD.
- Source buffer/header where start and end pointer is defined - i.e. the source data may not be provided dynamically by a previous PU since the length is not known until processing is complete. • Destination buffer.
- the access to external memory is provided by the source and destination buffer of the bridge is it only possible for one PU to have read access and one PU to have write access at a time.
- bridge-blocks which may utilize DMA or busmastering on the processor bus in order to perform the transfer.
- the PCI-interface is based on the Pajero system controller which provides a bridge between the PCI interface and the processor- and device-bus.
- the BridgeRead and BridgeWrite will be arbited by a PU when it has a buffer located in external memory. After configuration of the entities, they will initiate a DMA-transfer and provide/consume the data from the PU.
- the DMA-transfer may be to the local memory - such as SDRam or it may be to the PCI-bus whereby memory in the host system can be accessed.
- Configuration of PCI space provides good flexibility regarding which memory-spaces should be present/configurable in the PCI configuration space.
- the register regions in the register space consist of blocks of 256 words (8 word address bits) - one block for each PU or other functional block.
- the order of the blocks for the PUs is determined by their PUID.
- address bit 21 is used to indicate access to the local FIFO-ram or register access. This results in the fields of the address fields listed in table 9.
- Common registers listed in table 10 are registers which are common to most PUs.
- the table 12 lists identifiers - PUID - of all the PUs. These are used to identify the PUs and other units on the management bus and for identification in the PDs.
- the (*) marked rows in table 12 are not implemented in the FPGA, but might be included in ASIC - probably by means of a dedicated processor. These units will perform analysis of the header/decrypted data and setup processing. This task is currently performed by the local processor.
- the table 13 gives a signal overview, which defines the currently identified signals to be transferred on the management bus. For all commands except ExtMemAcc and RegAccess, an access to the FIFO-memory will also take place. NOP transactions on the bus may be generated by deasserting Rd_L and Wr_L. Each command has a source which always is the active master of the local bus and a target. Each is identified by their PUID. The command is identified by 4 bits.
- the identifiers of the source and target for the PUs follows the PUID
- the Control-unit provides a bridge between the Device-bus and the FIFO/Management bus The following access may be performed by the CPU
- the request/arbitration of a PU is required before the actual processing of a PD can start Since (almost) all PUs can request another PU, it must be ensured that only one grants the ownership and writes the PD pointer to the PDPtr register of the next PU This request/arbitration is achieved by means of the PUReq signal and the following result based on the following rules
- Any PU may send a PUReq (providing it actually wants the PU)
- the target PU of the request will reply with an OK status if it can accept the request otherwise it will reply with Busy
- the requesting PU uses this status to determine whatever the request was acknowledged or not
- a state machine (PUReq) which requests a PU according to the above rules is shown in figure 21 and the actions in the states are listed in table 15
- the target PU must obviously always respond to the PUReq signal A OK will be the response if the PU is ready to process a new PD - otherwise the response shall be Busy
- the processing descriptor consist of a number of sections (PDS) where each section contains configuration data for a PU.
- PDS processing descriptor
- the tables 16, 19 to 40, 42 to 53 and 55 defining the contents contains a 'type' column which indicate who are intended to write to the field
- Most of the PUs have some kind of source data and destination data.
- the source data may be represented as a header section and a source buffer. Splitting the source data in a header and a source buffer allows a fixed image to be used without the need for it to be continuous with the remaining data to be processed.
- the matrix in table 17 outlines the differences in the handling of the header and source buffer.
- a source buffer end pointer is written to the PDS section of the next PU when the current PU has completed processing. Passing the end of the buffer in this way makes it possible to setup a pipelined processing although it may not be possible to predict the resulting length of the output data when the processing is initiated.
- the buffers is represented by a pointer to the first word and - in some cases - a pointer to the last word/octet.
- a buffer is empty if the start address is greater than the end address.
- IP-header adjustment in connection with transmission is one exception since fields smaller than 32 bits needs to be adjusted in the header.
- a read-mod ify-write operation is used for this purpose.
- fields which are common to most of the PDS are described in table 19 and 20.
- NextPUID3..0 Indication of the next PU in the processing order.
- HdrExt The header is located in external memory. Does only apply if a header is used by the PU.
- the source buffer is located in external memory.
- DestExt The destination buffer is located in external memory.
- ESPTrail 1 ESP trailer (Padding and Next header field) will be added as input to the encryption processing. The trailer will not be written to the source buffer.
- IVCopy 1 The initialization vector is copied to the destination buffer as the very first data.
- the initialization vector is not copied to any location.
- IVWB 1 The last block of data (typically 64bits) is written back to the IV-field of the key-section. This provides an easy way to implement a reuse of the last encrypted data as the initialization vector for the next datagram.
- PadLen7..0 Minimum padding length. 0 will add as little padding as possible.
- BlockLen where BlockLen is the block length of the encryption algorithm.
- IVWB 1 The last data being read will be copied to the IV-field in the key section This allows continuation on a fragmented datagram
- IVSource 1 The first block of the data is used as initialization vector (typically 64
- the PU Since the actual payload length is unknown until the padlength field is decrypted, the PU will not report the last MaxPadLength+2 octets ready to the next PU until the pad-length is determined
- BlockLength-1 A optimistic setting assuming that no unnecessary padding is present is BlockLength-1 , where BlockLength is the block length of the encryption algorithm
- the KeyPtr field of the PDS is used to reference a block containing keys and initialization vectors This is an efficient way to indicate the keys which typically will be reused for many datagrams (depending on the parameters of the security association) It also provides an efficient passing of initialization vectors
- the block contains the fields listed in table 27
- the software Since the length of the cleartext not necessarily can be predicted (for example if it is the result of compression), the software is not able to generate the padding and place the Next Header field correctly before the compression is complete It is therefore desirable to have the padding and Next Header fields generated automatically since the processing otherwise would need to be stalled and resumed when the padding is added by software
- the decryption algorithm only reports the actual amount of payload data to the next PU
- the Next Header field is passed as a part of the status information in the PD, but may also be read from the destination buffer
- This hardware support does thereby provide a trailer handling without any intervention from the software
- the above functionality is specific for the ESP and will probably not be usable for any other protocols
- the padding is an incrementing sequence of bytes starting at 1 as defined in [8]
- KeyPtr Pointer to block with specific information for the authentication.
- AuthApp 1 Append authentication value to the end of the source buffer (i.e.
- the SrcBufStartPtr of the next PU will be updated with the address of the octet immediately after the authentication value.
- the Authentication calculation unit does not have an explicit destination buffer, it shall behave as it had regarding signaling to the next PU. This includes:
- Furhter fields which involve verication PDS are described in table 30 and 31.
- AuthAppend 1 Authentication value is located at end of source buffer, (i.e.
- Authentication value is located at AuthStartPtr. Although the Authentication calculation unit does not have an explicit destination buffer, it shall behave as it had regarding signaling to the next PU. This includes:
- interrupt shall be generated if the authentication verification fails.
- the processing will stop to allow the CPU read the PD and take further action. It may be considered to indicate the failure in the PDS. This will reduce the overhead of the CPU in case of excessive authentication failures. This policy would however require that the software inspects the result of the result of authentication.
- the authentication algorithm configuration involves a detailed configuration of the encryption and decryption algorithm, which is performed in a separate block indicated by the ConfPtr ' m the two authentication PDS.
- Table 32 and 33 list possible configurations.
- Init 1 Perform full initialization of compression algorithm/history window for LZS (i.e. 'empty history window).
- This PU does also provide support for an end indication of the destination buffer. If the destination data should exceed the destination buffer, an interrupt will be generated. This end indication may be used to detect if the compression of the data results in an expansion.
- CompDet is used to enable a compression detection and determine if data should be compressed or not. If sufficient compression is achieved, all data will be compressed and written to the destination buffer starting at DestBufStartPtr. If the compression is insufficient, all data will be copied to the destination buffer now starting at AltDestBufPtr. In addition the AltTxConfig will be copied to the ConfigBase field of the Ethernet transmit PDS. Copying this field allows a pipelined transmission of the frame since the length can be predicted when compression is not being used. Use of the alternate destination buffer start allows fx. the compression header to be overwritten. The remaining processing can thereby take place without further configuration from the CPU.
- the end-pointer for the destination buffer is primarily intended to avoid that the allocated memory is being overwritten. If the output data should exceed the destination buffer, it is possible to resume the decompression with a new buffer configuration.
- the InQueue and OutQueue are PUs which provides administration of PDs which are to be processed, are partially processed or which have been completed.
- the Outqueue is also an important part of the PD allocation since it collects completed PDs which will be used by the Ethernet receive PU on reception of Ethernet frames.
- the PD, register interface and operation of the InQueue is defined below.
- new PDs to be inserted in the queue are added by writing the pointer to the PD to the queue register defined in table 38.
- the HW will perform the maintenance of the queue.
- the Link field in the beginning of the PD is used to link the PDs. InQueue PDS
- the PrevPU field is used to indicate which PU - if any is providing the data. This field is used only if synchronization with the previous PU is required. In this case, it must be ensured that the previous PU is either processing the data or that it has completed the processing of the PD (in which case the PrevPU field is redundant, and may be set to NoPU).
- the processing of the PDs in the queue may be divided in two cases: • All Source data are ready for processing. This is typically the case if some data is to be transmitted from some upper application layer. • A previous processing unit is generating data. In this case the startup of the next PU requires special care since the PUs has not been synchronized from the start. It must be ensured that at least SBI1 data is available for the Next PU before the PD is entered in the queue. This case typically applies to processing of Ethernet frames where the processing cannot be determined until the header is available. This may also apply to decryption and decompression where further processing may start as soon as the header is revealed. Each of the cases are detected by the hardware and handled as defined below.
- the lnQueue2 state machine is used to monitor the state of the previous PU in order to detect whatever it has initiated processing of a new PD since InQueuel was in the LoadPUID state.
- the PD, register interface and operation of the OutQueue is defined below.
- Outqueue actually consist of two queues: a Go and a Complete queue.
- a PD is placed in the Go queue on the first Go (for each PD) and a PD is placed in the Complete queue on complete signaling.
- a PD is collected in the queue simply by indicating OutQueue as the next PU. It is possible to configure whatever an interrupt shall be asserted when one of the queues contain PDs.
- the Go queue is intended for the CPU to examine the first part of output data in order to determine the following processing of the data.
- the SBI1 value should be set accordingly for this purpose.
- Registers interface The OutQueue is used to collect PDs. New PDs are always appended to the end of the queue. Two registers are used for maintenance of the queue and these are listed in table 42. The format of the Address/pointer field is listed in table 43 and 44.
- GoEnb and ComplEnb are used to enable the Go and Complete queue. When the queue is disabled, no PDs will be added.
- Golntr and Compllntr are used to enable interrupt for the Go and Complete queue. If interrupt is enabled, it will be asserted as long as there are PDs in the Queue.
- GoRdy and ComplRdy indicates whatever the next element of the queues may be read. This bit must be cleared before a valid read of the queue can take place.
- the outqueue only contains a field for the SrcBufEnd and a link field for the Go queue.
- the link field of the general section of the PD is used for the Complete queue. Offset, size, type, name and description is listed in table 45.
- Ethernet transmission and IP compensation PDS This processing unit provides two functions: • IP header compensation. A length field may be written and a checksum according to IPv4 may be calculated. • Transmission of Ethernet frame. Some of the fields may be generated automatically or the raw frame may be transmitted.
- the PDS is listed in table 46 and 47.
- IPChk 1 Checksum will be calculated on the header section and written according to the IPv4 specification.
- IPLenCalc 1 The length field is calculated based on the transmitted data: HdrEndPtr-HdrStartPtr+SrcBufEndPtr-SrcBufStartPtr + 2 0: The length is set to the value specified by Length.
- IPLen 1 Datagram length will be written starting at location HdrStartPtr+IPOfs. 0: No datagram length will be written.
- the length field is 16 bits and is written by means of a read-modify- write cycle, other PUs may therefore not have access to the header while this PU is active.
- LenT 1 The length field of the MAC frame is written based on the MAC- payload length.
- DestAddr Destination MAC address of frame DestAddr Destination MAC address of frame.
- Pipelined transmission may take place if all data of the IP header is available - otherwise transmission will not start until the final length is known. In case of transmission errors, an interrupt will be generated and further transmission will be suspended. The CPU must resolve the situation.
- the Ethernet frame generation is described further in figure 24.
- the frame may either be passed as raw data including all the fields, or the hardware may build the frame as defined by the PDS.
- the interpretation and generation of the fields is as follows: Preamble Bit sequence used to synchronize reciver. SFD Start Frame Delimiter. Indicates start of frame. Dest addr Destination MAC address of frame. This field is read from the
- DestAddr field of the PDs DestAddr field of the PDs.
- LenT determines whatever a specified value shall be written or the value shall be the length of the payload.
- Payload Payload which consist of the header data followed by the source buffer.
- FCS Frame Check Sequence 32 bit CRC calculated on the MAC-frame.
- the interface to the MAC-controller is provided by transparent registers.
- the Ethernet Receiver PU must always be able to receive data.
- a special buffer arrangement is therefore provided.
- a register interface allows the CPU to define a memory space (in FIFO-memory) where received data shall be written.
- a PD On reception of a PD, a PD will be fetched from the complete queue and the start, of the buffer will be written.
- DBH of Outqueue words When been received, it will be placed in the Go-queue for analysis by the CPU. When the entire Ethernet frame has been received, Complete will be signaled.
- the reception of the next Ethernet frame will continue from the next word in the receive buffer.
- Two limits are defined for the buffer: An early warning limit which generates an interrupt to the CPU. This allows the CPU to configure a new buffer before the 'end limit' is reached. Writing will not take place beyond the end limit.
- the PDS of the Ethernet receiver is defined by tables 48 and 49.
- NextPUID3..0 This field is initially ignored since the destination on the first go always will be Outqueue.
- the software may configure this field according to the required processing. This field will then be written when the PD is placed in InQueue.
- the MAC address of the transmit and receive section of the two processing blocks are defined by the registers listed in table 50.
- Ethernet frames with the configured address will always be received independently of the Address filter configuration.
- the transmit MAC address is added to frames which are transmitted.
- Configuration of Receive MAC Address filter is performed by controlling the address filter by means of 2 registers to represent the MAC address and to provide status/control information.
- Tables 51 and 52 list the registeres and controls.
- the bridge provides access to external memory by means of a source and destination buffer functionality. This is the only way the PUs can access external memory.
- the source and destination buffer are similar to the other PUs, they just lack a PDS and does not perform any processing themselves.
- the registers listed in table 53 are provided for the source buffer.
- the read operations are performed with the ExtMemAcc command.
- the result may be one of the listed results in table 54.
- the buffer will automatically be released (ready to be requested by another PU) when the end of the buffer has been reached.
- Destination buffer registers The registers listed in table 55 are provided for the destination buffer.
- the destination buffer must be granted and the start and end address must be defined before processing can start.
- the write operations are performed with the ExtMemAcc command.
- the result may be one of the results listed in table 56.
- the destination buffer In opposite to the Source buffer, the destination buffer is not released (ready to be requested by another PU) when the end of the buffer is reached. This allows an easy resumption where the BufEnd register is rewritten and writing to the buffer may proceed.
- IPComp and IPSec IP Authentication Header
- ESP IP Encapsulation Security Payload
- RFC 2406 IP Payload compression using Deflate
- RFC 2394 IP Payload compression using LZS
- RFC 2395 IP Payload compression using LZS
- NIC Network Interface controller/card Also used to denote the NIC option of the board.
- VPN Virtual Private Network Also used to denote the NIC option of the board.
- IIP Internet Inbound Processing Usually refers to hardware dedicated to the processing of data received from the internet.
- IOP Internet Outbound Processing Usually refers to hardware dedicated to the processing data to be transmitted on the internet.
- PDS Processing Descriptor section A section of the PD which configures a given PU.
- PU Processing Unit (such as compression, encryption etc.).
- PUID Processing Unit Identifier for example used in the PD.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU12632/00A AU1263200A (en) | 1998-11-12 | 1999-11-12 | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network |
EP99955839A EP1171957A2 (en) | 1998-11-12 | 1999-11-12 | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network |
CA002350424A CA2350424A1 (en) | 1998-11-12 | 1999-11-12 | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network |
US09/531,532 US6275588B1 (en) | 1998-11-12 | 2000-03-21 | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DKPA199801481 | 1998-11-12 | ||
DKPA199801481 | 1998-11-12 | ||
US10974398P | 1998-11-24 | 1998-11-24 | |
USUS60/109,743 | 1998-11-24 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US09/531,532 Continuation US6275588B1 (en) | 1998-11-12 | 2000-03-21 | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2000030262A2 true WO2000030262A2 (en) | 2000-05-25 |
WO2000030262A3 WO2000030262A3 (en) | 2000-08-17 |
Family
ID=26065813
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/DK1999/000625 WO2000030262A2 (en) | 1998-11-12 | 1999-11-12 | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP1171957A2 (en) |
AU (1) | AU1263200A (en) |
CA (1) | CA2350424A1 (en) |
WO (1) | WO2000030262A2 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002003655A2 (en) * | 2000-06-30 | 2002-01-10 | Intel Corporation | Method and apparatus for flexible high speed communication |
WO2002052707A1 (en) * | 2000-12-26 | 2002-07-04 | Sony Corporation | Multiple output dc-dc converter |
WO2002052765A2 (en) * | 2000-12-25 | 2002-07-04 | Matsushita Electric Industrial Co., Ltd. | Security communication packet processing apparatus and the method thereof |
CN118573473A (en) * | 2024-07-31 | 2024-08-30 | 飞驰云联(南京)科技有限公司 | Network data safety transmission method based on trusted platform |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP0582395A2 (en) * | 1992-07-21 | 1994-02-09 | Digital Equipment Corporation | Computer network with modified host-to-host encryption keys |
US5297147A (en) * | 1991-02-08 | 1994-03-22 | Mitsubishi Denki Kabushiki Kaisha | Data compression and decompression controlling method |
US5434976A (en) * | 1992-09-28 | 1995-07-18 | Standard Microsystems Corporation | Communications controller utilizing an external buffer memory with plural channels between a host and network interface operating independently for transferring packets between protocol layers |
EP0677939A2 (en) * | 1994-04-12 | 1995-10-18 | Advanced Micro Devices, Inc. | Wireless communications privacy method and system |
US5640158A (en) * | 1994-09-14 | 1997-06-17 | Seiko Epson Corporation | Reversible method of encoding data |
EP0797158A2 (en) * | 1996-03-19 | 1997-09-24 | Fujitsu Limited | Document managing apparatus, data compressing method, and data decompressing method |
EP0810532A2 (en) * | 1996-05-31 | 1997-12-03 | Siemens Medical Systems, Inc. | A lossless data compression technique that also facilitates signal analysis |
-
1999
- 1999-11-12 WO PCT/DK1999/000625 patent/WO2000030262A2/en not_active Application Discontinuation
- 1999-11-12 EP EP99955839A patent/EP1171957A2/en not_active Withdrawn
- 1999-11-12 CA CA002350424A patent/CA2350424A1/en not_active Abandoned
- 1999-11-12 AU AU12632/00A patent/AU1263200A/en not_active Abandoned
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5297147A (en) * | 1991-02-08 | 1994-03-22 | Mitsubishi Denki Kabushiki Kaisha | Data compression and decompression controlling method |
EP0582395A2 (en) * | 1992-07-21 | 1994-02-09 | Digital Equipment Corporation | Computer network with modified host-to-host encryption keys |
US5434976A (en) * | 1992-09-28 | 1995-07-18 | Standard Microsystems Corporation | Communications controller utilizing an external buffer memory with plural channels between a host and network interface operating independently for transferring packets between protocol layers |
EP0677939A2 (en) * | 1994-04-12 | 1995-10-18 | Advanced Micro Devices, Inc. | Wireless communications privacy method and system |
US5640158A (en) * | 1994-09-14 | 1997-06-17 | Seiko Epson Corporation | Reversible method of encoding data |
EP0797158A2 (en) * | 1996-03-19 | 1997-09-24 | Fujitsu Limited | Document managing apparatus, data compressing method, and data decompressing method |
EP0810532A2 (en) * | 1996-05-31 | 1997-12-03 | Siemens Medical Systems, Inc. | A lossless data compression technique that also facilitates signal analysis |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2002003655A2 (en) * | 2000-06-30 | 2002-01-10 | Intel Corporation | Method and apparatus for flexible high speed communication |
WO2002003655A3 (en) * | 2000-06-30 | 2002-05-10 | Intel Corp | Method and apparatus for flexible high speed communication |
US7082468B1 (en) | 2000-06-30 | 2006-07-25 | Intel Corporation | Method and apparatus for flexible high speed communication |
WO2002052765A2 (en) * | 2000-12-25 | 2002-07-04 | Matsushita Electric Industrial Co., Ltd. | Security communication packet processing apparatus and the method thereof |
WO2002052765A3 (en) * | 2000-12-25 | 2003-09-25 | Matsushita Electric Ind Co Ltd | Security communication packet processing apparatus and the method thereof |
US7158637B2 (en) | 2000-12-25 | 2007-01-02 | Matsushita Electric Industrila Co., Ltd. | Security communication packet processing apparatus and the method thereof |
WO2002052707A1 (en) * | 2000-12-26 | 2002-07-04 | Sony Corporation | Multiple output dc-dc converter |
CN118573473A (en) * | 2024-07-31 | 2024-08-30 | 飞驰云联(南京)科技有限公司 | Network data safety transmission method based on trusted platform |
Also Published As
Publication number | Publication date |
---|---|
AU1263200A (en) | 2000-06-05 |
WO2000030262A3 (en) | 2000-08-17 |
EP1171957A2 (en) | 2002-01-16 |
CA2350424A1 (en) | 2000-05-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6275588B1 (en) | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network | |
US5961626A (en) | Method and processing interface for transferring data between host systems and a packetized processing system | |
US7548997B2 (en) | Functional DMA performing operation on DMA data and writing result of operation | |
US8566485B2 (en) | Data transformation during direct memory access | |
EP0876026B1 (en) | Programmable crypto processing system and method | |
EP1570361B1 (en) | Method and apparatus for performing network processing functions | |
US7676814B2 (en) | Four layer architecture for network device drivers | |
JP5074558B2 (en) | Network processing using IPSec | |
US8266338B2 (en) | Data flow control within and between DMA channels | |
US8504728B1 (en) | Network interface with secondary data and packet information storage and memory control systems to accommodate out-of-order data processing and split transactions on a host system bus | |
US7526085B1 (en) | Throughput and latency of inbound and outbound IPsec processing | |
US7707477B2 (en) | Checksum calculation | |
KR20090085685A (en) | Data-mover controller with plural registers for supporting ciphering operations | |
WO2000030262A2 (en) | Apparatus and method for performing and controlling encryption/decryption for data to be transmitted on local area network | |
US7787481B1 (en) | Prefetch scheme to minimize interpacket gap | |
JP2003069555A (en) | Encryption device and encryption/decryption processing method | |
EP1049292A2 (en) | System and method for network monitoring | |
JPH01256840A (en) | Communication equipment coupling terminal equipment and network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
ENP | Entry into the national phase in: |
Ref country code: AU Ref document number: 2000 12632 Kind code of ref document: A Format of ref document f/p: F |
|
WWE | Wipo information: entry into national phase |
Ref document number: 09531532 Country of ref document: US |
|
AK | Designated states |
Kind code of ref document: A2 Designated state(s): AE AL AM AT AT AU AZ BA BB BG BR BY CA CH CN CU CZ CZ DE DE DK DK EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A2 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
AK | Designated states |
Kind code of ref document: A3 Designated state(s): AE AL AM AT AT AU AZ BA BB BG BR BY CA CH CN CU CZ CZ DE DE DK DK EE EE ES FI FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SK SL TJ TM TR TT UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A3 Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 1999955839 Country of ref document: EP |
|
ENP | Entry into the national phase in: |
Ref country code: CA Ref document number: 2350424 Kind code of ref document: A Format of ref document f/p: F Ref document number: 2350424 Country of ref document: CA |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |
|
WWP | Wipo information: published in national office |
Ref document number: 1999955839 Country of ref document: EP |
|
WWW | Wipo information: withdrawn in national office |
Ref document number: 1999955839 Country of ref document: EP |