Title of invention Tagging mechanism for data path security processing
Abstract Methods and associated systems are disclosed for providing secured data transmission over a data network. Data to be encrypted and encryption information may be sent to a security processor via a packet network so that the security processor may extract the encryption information and use it to encrypt the data. The encryption information may include flow information, security association and/or other cryptographic information, and/or one or more addresses associated with such information. The encryption information may consist of a tag in a header that is appended to packets to be encrypted before the packets are sent to the security processor. The packet and tag header may be encapsulated into an Ethernet packet and routed via an Ethernet connection to the security processor.
Publication number US9015467(B2) Publication date 2015.04.21
Application number US200310728192 Filing date 2003.12.04
Applicant Broadcom Corporation Inventors Buer Mark L.;McDaniel Scott S.
Classification H04L29/06;H04L29/12 Main classification H04L29/06
Agency Sterne, Kessler, Goldstein & Fox P.L.L.C. Agent Sterne, Kessler, Goldstein & Fox P.L.L.C.
Principal claim 1. A method of generating encrypted packets comprising the steps of: receiving, in a security processor, a first Ethernet packet from an originating device, the first Ethernet packet comprising a second Ethernet packet and a memory address associated with a security association, wherein the second Ethernet packet includes a source address field specifying a source of the second Ethernet packet and a destination address field specifying a destination of the second Ethernet packet, and wherein the destination address field includes an address of the originating device; extracting the memory address and the second Ethernet packet from the first Ethernet packet; retrieving the security association from a memory using the received memory address; and encrypting a portion of the extracted second Ethernet packet according to the retrieved security association.
Address Irvine CA US