Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.

Abstract: A network interface system includes a memory system for managing data obtained via a system bus that supports split transactions. The memory system comprises a first memory for storing outgoing assembled data frames and associated control information prior to transfer of the outgoing data to the network, and an assembly memory that stores unassembled outgoing data from the bus. A memory control system stores the control information associated with pending bus read requests and also transfers outgoing data from the assembly memory to the first memory when all the outgoing data for a corresponding read request has been assembled.

Abstract: Network interface systems are disclosed comprising a bus interface system, a media access control system, a memory system, a security system for selectively encrypting outgoing data and decrypting incoming data, a checksum system for generating and verifying checksum values, and a segmentation system for selectively segmenting outgoing data, where the network interface system may be fabricated as a single integrated circuit chip. Methods are also provided for interfacing a host system with a network, in which checksum information is obtained from the host system, which is used to generate checksum values for outgoing data while the data is being stored in a network interface memory system.

Abstract: In one embodiment, a method comprises assigning a unique node number to each of a first plurality of nodes in a first partition of a system and a second plurality of nodes in a second partition of the system. A first memory address space spans first memory included in the first partition and a second memory address space spans second memory included in the second partition. The first memory address space and the second memory address space are generally logically distinct. The method further comprises programming a first address map in the first partition to map the first memory address space to node numbers, wherein the programming comprises mapping a first memory address range within the first memory address space to a first node number assigned to a first node of the second plurality of nodes in the second partition, whereby the first memory address range is mapped to the second partition.

Abstract: A network interface system is presented for interfacing a host system with a network, including a bus interface system, a media access control system, a memory system, a security system, and a descriptor management system, wherein the descriptor management system obtains initialization vector information from the host system and provides the initialization vector information to the security system. A method of encrypting outgoing data in a network interface system is provided, comprising providing initialization vector information from a descriptor to a security system in a network interface system, selectively encrypting or authenticating outgoing data using the security system, and selectively employing an initialization vector from the outgoing data to perform CBC encryption of the outgoing data according to the initialization vector information.

Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, a memory system, and a security system. The security system is coupled to the memory system and is adapted to selectively perform security processing on incoming and outgoing data. For at least one of receive or transmit processing, the security system comprises one or more encryption pipelines and at least two sets of one or more authentication pipelines. The encryption pipelines are adapted to perform one or more encryption or decryption algorithms. The authentication pipelines are adapted to perform one or more authentication algorithms. The security system is configured to selectively process frames through the encryption pipelines and then through the two sets of authentication pipelines. The system toggles whereby successive frames alternate between the two sets of authentication pipelines.

Abstract: Methods and systems are provided for reducing partial cache writes in transferring incoming data status entries from a peripheral device to a host. The methods comprise determining a lower limit on a number of available incoming data status entry positions in an incoming data status ring in the host system memory, and selectively transferring a current incoming data status entry to the host system memory using a full cache line write if the lower limit is greater than or equal to a first value. Peripheral systems are provided for providing an interface between a host computer and an external device or network, which comprise a descriptor management system adapted to determine a lower limit on a number of available incoming data status entry positions in an incoming data status ring in a host system memory, and to selectively transfer a current incoming data status entry to the host system memory using a full cache line write if the lower limit is greater than or equal to a first value.

Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.

Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.

Abstract: A security association architecture system of the present invention facilitates network data transfer by providing an internal portion of a security association database that can be quickly accessed to obtain security associations as well as an external component that stores the complete security association database. As a result, at least some security associations for incoming received frames and outgoing transmitted frames can be obtained from the internal portion located on a network interface device without accessing system memory, a host computer, and the like in order to obtain the security associations to perform security processing.

Abstract: Methods and network interface systems are provided for transferring data between a host and a network using a shared memory, in which separate data transfer queues are employed for transfer of data of different priorities. For receive data, the network interface scrutinizes the data and provides a corresponding entry in a receive data transfer queue of a particular priority according to the data. For transmit data, the network interface transmits data corresponding to entries in lower priority queues when all higher priority data has been transmitted or when a certain number of higher priority data frames have been transferred while a lower priority frame is waiting to be sent.

Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The security system is operative to selectively authenticate incoming and outgoing data. The security system includes a pipeline that masks mutable fields from incoming data prior to authentication.

Abstract: One aspect of the invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The security system selectively perform security processing on data incoming from the network based on security associations stored in a memory external to the network interface system, typically a host system memory. The security association for any given frame, when available, is fetched from the external memory after the frame begins to arrive in the network interface system based in part on information contained in the frame. Preferably, the fetch begins before the frame is fully received and the security association is queued whereby security processing can begin without having to wait for the security association to be fetched.

Abstract: In one embodiment, a method comprises assigning a unique node number to each of a first plurality of nodes in a first partition of a system and a second plurality of nodes in a second partition of the system. A first memory address space spans first memory included in the first partition and a second memory address space spans second memory included in the second partition. The first memory address space and the second memory address space are generally logically distinct. The method further comprises programming a first address map in the first partition to map the first memory address space to node numbers, wherein the programming comprises mapping a first memory address range within the first memory address space to a first node number assigned to a first node of the second plurality of nodes in the second partition, whereby the first memory address range is mapped to the second partition.

Abstract: A method and apparatus for autopolling physical layer (PHY) devices in a network is controlled by information contained in a plurality of poll registers. A user independently defines the PHY addresses and register numbers for a plurality of external PHY registers and provides these to the poll registers. In each poll register, an enable bit is provided for each of the selected PHY registers. When a host CPU sets one of the enable bits, the poll logic reads the corresponding PHY register and stores the result in a corresponding poll data register. One poll data register is provided for each poll register. Thereafter, at each polling interval, the poll logic compares the current contents of the selected PHY register with the contents of the corresponding poll data register. If a change is detected, an interrupt is set in an interrupt register, which causes an interrupt to the host CPU.

Abstract: An automatic flow control mechanism that supports two modes of automatic flow control is provided in a network interface. In the first flow control mode, the network interface periodically compares the number of available receive descriptors with low and high threshold values. When the number of available receive descriptors falls below the low threshold value, the network interface sends a PAUSE frame requesting the link partner to suspend its transmission (in a full-duplex mode), or enables the back pressure mechanism (in a half-duplex mode).

Abstract: One aspect of the invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The security system selectively perform security processing on data incoming from the network based on security associations stored in a memory external to the network interface system, typically a host system memory. The security association for any given frame, when available, is fetched from the external memory after the frame begins to arrive in the network interface system based in part on information contained in the frame. Preferably, the fetch begins before the frame is fully received and the security association is queued whereby security processing can begin without having to wait for the security association to be fetched.

Abstract: An improved descriptor system is provided in which read pointers indicate to a host and a peripheral the next location to read from a queue of descriptors, and write pointers indicate the next location to be written in a queue. The system also allows an incoming descriptor to point to a plurality of data frames for transfer to the host processor, wherein the peripheral need not read a new descriptor each time a frame is to be transferred to the host.

Abstract: A novel method of providing alternate access to a storage element for holding a data element in a network interface. The storage element is accessed via a first access path when the network interface operates with a first type of software, and via a second access path when a second type of software is used. The first access path is allocated in response to a first address signal identifying a first register required by the first type of software to hold the data element. The second access path is allocated in response to a second address signal identifying a second register required by the second type of software to hold the data element.

Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.