FI109436B - Data processing in an access node - Google Patents

Description

109436

Data Processing in the Contact Node Databehandling i en accessnod

Field of the Invention

The invention relates to a method for encrypting / decrypting messages at a node in a communication system. The invention further relates to an arrangement for performing encryption / decryption functions and also to a communication system access server.

Background of the Invention

A communication system may comprise many different types of networks. System networks may be circuit switched networks, such as a public switched telephone network (PSTN).

Public Switched Telephone Network) or Public Land Mobile Network (PLMN), e.g. GSM, NMT, AMPS, D-AMPS, CDMA, WCDMA, PDC, UMTS or similar cellular network (VV), or packet switched networks , such as X.25 or the Internet or intranet web applications. Today, circuit-switched:: telephone networks carry the majority of two-to-one subscribers • · ·:: ordinary calls. However, even though PSTN is the oldest and V 'the widest existing telecommunication network to date, the number of mobile users using different PLMNs has steadily increased. Other bearer networks for call transfer are * · arrangements such as integrated services digital network (ISDN), asynchronous transfer (ATM), frame; relay and internet.

. ·· *. In addition to traditional voice traffic, today's communication networks are capable of transferring data. Most often this is achieved by packet switched data networks which transmit data in the form of data packets. Examples of packet switched data networks include X.25 protocol data networks (e.g., PSPDN, packet switched public data network) or the Internet or Intranet.

Of these, the Internet can be defined as a global network using a packet-switched, offline connection, formed by interconnecting thousands of subnetworks (e.g., various local or regional networks; LANs, MANs, etc.) using the TCP / IP protocol control protocol. -col / Internet protocol protocol suite) and a common address structure. In contrast to transmission technologies such as X.25, frame relay and most ATM applications, the Internet is an end-to-end application that reaches all the way to the user's terminal.

. In addition to data, packet switched networks may also be used to transfer voice, such as speech, between two communicating parties. When audio is transmitted over a data network, the audio is ... ... · digitized and transmitted in digital form as data packets. DiV: The gitated sound is then converted back to analog format ·. · · And presented to the listener at the receiving end.

The communication system may also comprise one or more interface or gateway devices between different networks, i.e. access node (AN), e.g.

·: ·: Access servers (AS). Connect-. . ·. the capture node can usually be described as a device that functions ···. mi as an interface between the packet network and other networks, and allows access to the packet network, i.e., a system that converts some connection media (e.g., a modem call via PSTN) to IP network traffic.

There are clear indications that the access nodes are beginning to need some security protection functions in order to authenticate and / or encrypt the control traffic of the access node. This also applies to the utility traffic that the call node is configured to forward. For example, it may be necessary for the access node to be the end point of an Internet Protocol Security session (IPSec), whereby the access node uses, for example, so-called 3DES encryption algorithms for many thousands of calls when call terminals PC terminals encrypt IPSec / 3DES-Fi.

Said 3DES is a substantially heavy algorithm and requires considerable processing power even from a device that serves only one communication link. In practice, however, there would be thousands of links, which raises the processing power requirements to overwhelming.

'· / · · According to another scenario, the access node «φ ·' ·" 'can be used to encrypt an unprotected call so that the call can be V * sent to the tunnel via an unprotected, open Internet.

· ... · Access nodes generally use Central Processing Units (CPUs) or some specialized hardware to perform encryption processes. It is also possible to use: ·: ** around the access node. ·. available Digital Signal Processor resources (DSPs) when a large number of DSPs are available. However, DSPs are 4,109,936 difficult to program and are not believed to be the right tools for some of the more complex processes that occur, for example, during the secure connection negotiation steps.

Summary of the Invention

There has been no proper solution for efficient use of DSPs or other subprocessors in an architecture that utilizes a plurality of processing resources (e.g., control processors, DSPrites, interface S / T cards) connected to the control processor or the CPU via an appropriate high-speed bus. interface I / O cards)). Due to the nature of the protocol stack used in such an arrangement (i.e., over IP IPSec, over point-to-point (PPP), over modem), a possible implementation mechanism could be to execute an IPSec layer on a control processor also adapted to perform IP -transmission. This is believed to be a meaningful solution because the required address tables and the decryption of the PPP are typically also located in the controller. *. ·. To be able to use the processing power of the DSPride · ... 'encryption process, the control processor would need to »V' send the unencapsulated PPP / IP packet for processing on a separate DSP over a high-speed bus and then back to the same path for further processing, such as - '···' you. However, this will lead to two additional round trips along the • · · ·; · * bus across the entire bandwidth passing through the • • »· .., · sampling node. This can be described by the following formula: call -> · DSP -> CPU - »DSP -> CPU -> interface 5 109436 This kind of traffic loads the bus between the CPU and the DSP or similar subprocessing device and consumes system capacity. Commuting can also cause some delays and / or increase the risk of error during processing.

It has also been suggested that each subprocessor controls itself, i.e., the implementation is such that the subprocessors do not need any control commands from any central processor.

However, this significantly increases the requirements, complexity, and cost of a single subprocessor and may reduce the overall controllability of the node. Such an implementation may even be impossible for processes and uses that require more complex (and in many cases centralized) control processing.

The object of the invention is to solve the above-mentioned problems and to provide a new type of solution for processing messages on-line. :: in the denotation node. It is a further object of the invention to provide:: a method and an arrangement for enhancing the utilization of the processing capacity of the call node and reducing the amount of unnecessary traffic between the different components of the node.

v 'The objects are achieved by a method for decrypting / encrypting a message in a communication system comprising a packet switched data network and a communication node between a user * ♦ terminal and a data network; the access node being provided with a control processor and at least one subprocessor, the control processor controller. . ·. including at least one subprocessor, the method comprising. steps to receive the message on the access node, route the message to the access node subprocessor before the access control node 6109436, identify the need for decryption / encryption functions, decrypt the message / encrypt the message on the subprocessor, and pass the encrypted message .

According to another aspect, an arrangement is provided in a communication system, the arrangement comprising a packet-switched data network, a data network interface access node, a access node control processor, a request node subprocessor, decryption / encryption in the subprocessor after recognition, and transmission of a bus message from the subprocessor to the control processor after processing.

j Yet another feature provides a communication server for the communication system, comprising an instruction processor, a subprocessor, ... means, comprising means for processing a message received in the subprocessor for processing decryption / encryption * · · v: means for decrypting the message, wherein the control processor is arranged to take care of the subprocessor, means for decrypting / encrypting the message after recognition in the subprocessor, and transmitting a bus message from the subprocessor to the processor after processing.

. . ·. More specifically, the subprocessor may be the end point of a modem call and is used for both the modem decoding / modem encoding functions and the decryption / encryption functions of the access node. The subprocessor may be a digital signal processor (DSP) or, in one embodiment, the subprocessor is an interface card.

The invention provides numerous advantages because the solution provides a simple, reliable and manageable way of improving the processing power of the access node. The solution reduces the amount of traffic between the access node control processor and the sub processors, increasing performance and reducing the risk of transmission errors and congestion.

The invention and other objects and advantages of the invention will now be described by way of example with reference to the accompanying drawings, in which like features are denoted by like reference numerals throughout the various figures.

Brief Description of the Drawings

Figure 1 is a general schematic representation of a network system including a access server;

Fig. 2 is a schematic representation of a contact server platform; Fig. 3 is a schematic representation of a single potential V * signaling stream according to a basic embodiment of the invention; 'I ·' ··. Fig. 4 is a schematic representation of one possible · · ··· 'signaling flow according to another embodiment; and

• t I

Figure 5 is a flowchart of one embodiment.

. · '. DETAILED DESCRIPTION OF THE EMBODIMENTS Reference is made to Fig. 1, which illustrates some Internet access arrangements and is designated by the reference numeral 1. The point-to-point (i.e. logical) connections made through Internet 1 are indicated by dashed lines, while physical connections are indicated by whole lines. .

The terminal (e.g., personal computer, workstation, or similar data processing device) 2 is a subscriber to a public switched telephone network (PSTN) 3 and is connected to it by a modem (not shown) and a subscriber line 4. This PSTN 3 is often referred to as "home network". "home" network).

By calling a predetermined access number (B-number), the subscriber terminal 2 is able to connect to the Internet 1 via a access node 5, such as a access server (AS) or an Internet access system (IAS). The access node is generally controlled by the PSTN 3 operator. The above examples of access nodes, i.e. AS or IAS, can be defined as nodes that are integrated into the exchange and are intended to establish dial-up connections to a data network such as the .V Internet or Intranet. The access node provides appropriate:.:: Appropriate protocol conversions (i.e., between circuit switched and packet switched communication) for communication between the data network 1 and the subscriber terminal 2.

It should be noted that the invention is not intended to be limited to use only when user interfaces or terminals are connected to the PSTN, but that other types of telecommunication networks capable of providing communications between the terminal and packet data networks may also be used. such as various types of public mobile networks (PLMNs).

; In order to illustrate an alternative way to obtain an Internet connection in addition to PSTN 3, Figure 1 also shows a terminal 8 having a connection through a LAN. The terminal can be on a LAN.

9 109436

Local Area Network), which in turn is connected via the xDSL modem pair to the World Wide Web 1.

Fig. 2 shows the contact node platform (e.g.) 24 in more detail. The platform includes a control processor 20 (i.e., a Central Processing Unit (CPU) in Figure 2) and a plurality of sub processors (i.e., digital signal processors (DSPs) 22 and interface cards 23 in Figure 2) arranged hierarchically under the control processor to control them. , and interconnected by bus 21. Subprocessors, such as DSPs or interface cards, are used as endpoints for modem calls from subscribers. One example of DSPs is the Texas Instruments 200 MHz C62Q1, but various other types of subprocessors can also be used. The subprocessors 22, 23 are adapted to perform tasks that require less intelligence, such as performing modem algorithms. The connections between the CPU 20 and the DSPride 22 and the interface cards 23 are arranged via high-speed bus 21.

The controlling CPU can, for example, determine whether a particular node subprocessor can perform the required * «* * ... · encryption / decryption operations, and it can also * * ·» * · * load the necessary software into the subprocessor.

i »· v 'In other words, the central control processor is adapted to determine the capabilities and needs of encryption for a specific subprocessor; ·' (certain subprocessors) and to communicate this information and possibly additional software from the central processing unit to the subprocessor (subprocessor).

I t i »I»

Referring now to Figure 3,

A $ 1 million way to more efficiently use DSP resources or equivalent resources from other 109436 10 auxiliary processors. In the light of the basic principles of the invention, it is essential to state that, for each call, all information passes at least once through a DSP, an interface card, or the like. In other words, for outgoing data, DSP performs modem decoding and data compression, and for incoming data, DSP performs modem encoding and data packet decompression. What has been found herein is that it is possible to avoid bidirectional bus transfer of data between the CPU and DSP by providing DSP (or any other processing sub-processor possible) with software adapted to recognize the need for data encryption / decryption processes.

Situations or data transmissions that recognize the need for encryption / decryption can be referred to as "fastpath" cases.

Prior art arrangements have been such that data passes through a subprocessor and only the control processor recognizes the need for any IP-level functions · / *. · ', Such as decryption / decryption. This traffic can now be avoided by the:, V arrangement shown.

I · «» · «V * Authentication is performed based on data packet properties

I I I

V * tea. Specifically, it is possible to identify incoming data packets based on the IP header (src and dst address protocol) * · · and the security connection number (Security Parameter Index) before decryption. . Encrypted outbound packets can be identified by using information about each packet. (port number, src and dst address protocols, • i i but not SPI).

»I» 11 109436

In order to enable the subprocessor to perform the above identification, the controlling CPU and the subprocessor must be negotiated during the connection establishment so that the CPU can provide the necessary control information or instructions to the subprocessors. According to one of these variations, the negotiation does not take place during the connection establishment phase, but adaptively after the controlling central processing unit recognizes that there will be a substantial amount of certain types of encryption / decryption operations. i

The quick routing case requires that the subprocessors be able to handle simpler portions of PPP packet formatting, IPSec headers, and that the subprocessors preferably also be able to identify instances where the control processor itself needs to be involved in some higher intelligence tasks, such as key consulting. This possibility is illustrated in the schematic signal diagram of Figure 4.

.V: Figure 5 illustrates a flow of one possible embodiment, starting with the aforementioned negotiation step. The only thing left to determine when the controlling CPU has provided any information to the subprocessor is the following ίί: step to determine whether the incoming data packet to the subprocessor is receiving a * * # '/> falling data packet or an outgoing data packet. After checking whether the data packet fits into a particular predefined formula or

f I I

no, the subprocessor decrypts the packet / encrypts the packet depending on the transmission direction of the packet.

· Decrypt / Decrypt functions; · · ·! after this, the procedure returns to the step where the sub-X processor waits for possible instructions from the central processor * * ·, · * ·, and / or the arrival of new data packets into the sub-processor.

I I t 12 109436

In addition to the above, it is possible to use a flow control mechanism implemented in a modem connection protocol to signal any overload situations that may occur during encryption / decryption processes when the same subprocessor is used for both modem and encryption / decryption purposes.

In a system that uses only virtual devices (that is, no actual modems are used, and traffic consists of so-called tunnel-end traffic), traffic would not normally pass through DSPs or other subprocessors. If you want to use the subprocessor resources as encryption / decryption resources, you must arrange for the messages to be passed through them. Although this is an additional point in the message path, there is still no need to send the message back and forth along the bus between the central control processor and the subprocessor, since the data packets can also be arranged to flow directly out of the interface card after encryption / decryption processes. In this case, the processor must provide the header information to the subprocessor to allow the subprocessor to insert the correct header.

1 I

• *, V in front of a data packet (going into a tunnel) or knowing where to send the data packet (coming from a tunnel).

The invention thus provides an apparatus and method for achieving a significant improvement in the encryption / decryption of data and / or messages.

I ft · * »> ·· 'The solution provided allows you to integrate encryption * / *: <t> / decryption and modem processing in a more efficient way! The arrangement according to the invention is. easily and economically feasible with known components and is reliable in use. It should also be noted that the foregoing examples are not intended to limit the scope of the invention to the specific forms set forth above, but rather to cover all modifications, similarities, and variations contained within the spirit and scope of the invention as defined in the appended claims.

ψ · * 4 i «·» ·> · <· · t * * I I · · t ·! t · ^ · · I * I I »i · t * I I · t I» 6 * »*» · i »* * · 4 * ·« »> e» * * * * »i f Φ t · • k ·

I (I

»» · $ I »il · I I * I I I t>! · Ill

Claims (10)

A method for decrypting / encrypting a message in a communication system comprising a packet switched data network and a access node between a user terminal and a data network, said access node being provided with a control filter and at least one subprocessor, said control processor, ; routing the message to the access node subprocessor before the access node control processor; recognizing the need for decryption / encryption functions; decrypting / decrypting the message in the subprocessor; and transmitting the decrypted / encrypted message to the CPU via the bus between the subprocessor and the CPU. The method of claim 1, wherein the subprocessor is the end point of the modem calls and is used by the access node for both modem decoding V '/ modem encoding functions and decryption / decryption functions. The method of claim 1 or 2, wherein: - the subprocessor is a digital signaling processor (DSP). The method of claim 1 or 2, wherein the subprocessor is an interface card. 109436 The method of any one of the preceding claims, wherein the control step is performed after the adaptive connection set-up step and after the control processor recognizes that there will be a significant amount of encryption / decryption operations of a certain type. An arrangement in a communication system comprising a packet switched data network; an access node as an interface to the data network; a access node control processor; a node subprocessor for the access node, comprising means for detecting the need for decrypting / decrypting the message received in the subprocessor, wherein the control processor is adapted to provide control of the subprocessor; means for decrypting / encrypting the message in the subprocessor after recognition. Keen; and I ·:: to send a bus message from the subprocessor to the controller: :: after processing. The arrangement according to claim 6, wherein the sub-processor is configured to be the end point for modem calls, and includes means for implementing both modem decoding · ... · / modem encoding functions and decryption ... '/ encryption functions. An arrangement according to claim 6 or 7, wherein; . ·. I created a subprocessor is a digital signal processor (DSP) or • «·. ·“. interface card. 109436 A communication server for a communication system comprising: a processor; a subprocessor comprising means for recognizing the need for decryption / decryption processing of a message received in the subprocessor, wherein the control processor is adapted to take care of the subprocessor; means for decrypting / encrypting the message in the subprocessor after identification; and transmitting a bus message from the subprocessor to the control processor after processing. The access server of claim 9, wherein the subprocessor is adapted to be the end point of modem calls, and. comprising means for implementing both modem decoding / modem encoding functions and decryption / decryption functions. • · • «· * t ·» · · »* · I 17 109436