Title:
DATA PROCESSING IN AN ACCESS NODE
Document Type and Number:
WIPO Patent Application WO/2000/064117
Kind Code:
A1
Abstract:
The invention relates to a method of decrypting/encrypting a message in a communications system comprising a packet switched data network and an access node between a user terminal and the data network. Said access node is provided with a control processor and at least one subprocessor, wherein the control processor controls said subprocessor. The method comprises the steps of receiving the message in the access node, routing the message to a subprocessor of the access node prior to the control processor of the access node, recognising a need for decryption/encryption operations, decrypting/encrypting the message in the subprocessor, and forwarding the decrypted/encrypted message to the central processor through a bus between the subprocessor and the central processor.

Inventors:
ARKKO JARI (FI)
Application Number:
PCT/FI2000/000325
Publication Date:
October 26, 2000
Filing Date:
April 14, 2000
Assignee:
ERICSSON TELEFON AB L M (SE)
ARKKO JARI (FI)
International Classes:
H04L29/06; (IPC1-7): H04L29/00
Domestic Patent References:
WO1995012264A1 (1995-05-04)
WO1990012465A1 (1990-10-18)
Foreign References:
US4085449A (1978-04-18)
EP0406187A1 (1991-01-02)
Attorney, Agent or Firm:
BORENIUS & CO OY AB (Kansakoulukuja 3 Helsinki, FI)
Claims:
1. Method of decrypting/encrypting a message in a communications system comprising a packet switched data network and an access node between a user terminal and the data network, said access node being provided with a control processor and at least one subprocessor, said control processor controlling the operation of said at least one subprocessor, comprising: receiving the message in the access node; routing the message to a subprocessor of the access node prior to the control processor of the access node; recognising a need for decryption/encryption operations; decrypting/encrypting the message in the subprocessor; and forwarding the decrypted/encrypted message to the central processor through a bus between the subprocessor and the central processor.
2. Method in accordance with claim 1, wherein the subprocessor terminates modem calls and is used for both the modem decoding/encoding functions and the decryption/encryption functions of the access node.
3. Method in accordance with claim 1 or 2, wherein the subprocessor is a digital signalling processor (DSP).
4. Method in accordance with claim 1 or 2, wherein the subprocessor is an interface card.
5. Method in accordance with any of the preceding claims, wherein the controlling stage occurs adaptively after the connection set-up stage and after the control processor recognises that there will be a substantial amount of encrypting/decrypting operations of a certain type.
6. An arrangement in a communications system comprising a packet switched data network; an access node interfacing the data network; a control processor of the access node; a subprocessor of the access node comprising means for recognising a need for decryption/encryption processing of a message received to the subprocessor, wherein the control processor is arranged to provide control of the subprocessor; means for decrypting/encrypting the message in the subprocessor subsequent to the recognition; and a bus for transmitting the message from the subprocessor to the control processor subsequent to the processing.
7. An arrangement in accordance with claim 6, wherein the subprocessor is arranged to terminate modem calls, and comprises means for implementing both the modem decoding/encoding functions and the decryption/encryption functions.
8. An arrangement in accordance with claim 5 or 6, wherein the subprocessor is a digital signalling processor (DSP) or an interface card.
9. An access server for a communications system comprising: a control processor; a subprocessor comprising means for recognising a need for decryption/encryption processing of a message received to the subprocessor, wherein the control processor is arranged to provide control of the subprocessor; means for decrypting/encrypting the message in the subprocessor subsequent to the recognition; and a bus for transmitting the message from the subprocessor to the control processor subsequent to the processing.
10. An access server in accordance with claim 9, wherein the subprocessor is arranged to terminate modem calls, and comprises means for implementing both the modem decoding/encoding functions and the decryption/encryption functions.
Description:
DATA PROCESSING IN AN ACCESS NODE

FIELD OF THE INVENTION

The present invention relates to a method of encrypting/decrypting messages in a node of a communications system. The invention relates further to an arrangement for performing encryption/decryption operations, and also to an access server for communication systems.

BACKGROUND OF THE INVENTION

A communications system may comprise various networks of different kinds. The networks of the system can be circuit switched networks, such as a Public Switched Telephone Network (PSTN) or a Public Land Mobile Network (PLMN; e.g. a GSM, NMT, AMPS, D-AMPS, CDMA, WCDMA, PDC, UMTS etc. cellular network), or packet switched networks, such as X.25 or the Internet or intranet network applications. At present the circuit switched telephone networks carry most of the ordinary telephone calls between two subscribers. However, even though the oldest and hitherto largest telecommunications network in existence is the PSTN, the number of mobile telephone users using some of the various PLMNs has increased steadily. Other bearer networks for call transmission include arrangements such as the integrated services digital network (ISDN), asynchronous transfer mode (ATM), frame relay and the Internet.

In addition to the conventional voice traffic the present communication networks are also capable of transmitting data.

In most cases this is accomplished by means of packet switched data networks which convey the data in the form of data packets. Data networks based on the X.25 protocol (e.g. PSPDN; packet switched public data network) or the Internet or an Intranet are mentioned herein as examples of packet switched data networks.

Of these, the Internet can be defined as a global network using a packet switched connectionless transfer mode and formed by the interconnection of thousands of subnetworks (e.g. various local or area networks; LANs, MANs etc.) that make use of the TCP/IP (transmission control protocol/Internet protocol) protocol suite and a common address structure.

Unlike transfer techniques such as X.25, frame relay and the majority of ATM applications, the Internet is an end-to-end application extending all the way to the user terminal.

In addition to data, the packet switched networks can also be used for transmitting sound, such as speech, between two communicating parties. When transmitting sound in a data network, the sound is digitised and transmitted in the digitised form as data packets. The digitised sound is then converted back into analogue form and presented to the listener at the receiving end.

A communications system may also comprise one or several interfacing or gateway apparatus, i.e. access nodes (AN), between different networks, such as access servers (AS). In general, an access node can be described as a device interfacing the packet switched network to other networks and allowing access to the packet switched network, i.e. as a system converting some access media (e.g. modem calls over a PSTN) to IP network traffic.

There are clear indications that the access nodes are beginning to need some security protection functions in order to be capable of authenticating and/or hiding the management traffic to the access server. This also concerns the payload traffic the access nodes are arranged to forward. For instance, an access node may need to terminate an IPSec (Internet Protocol Security) session, wherein the access node uses, for instance, the so-called 3DES decryption algorithm for several thousands of calls in cases where the PC terminals at the originating ends of the calls are encrypting with IPSec/3DES.

Said 3DES is a computationally heavy algorithm, and requires considerable processing power, even from a device serving only one communication link. In practice, however, there would be several thousands of links, which makes the demands on processing power excessively high.

According to another scenario an access node can be used for encrypting an unprotected call in order to send it into a tunnel over the unprotected, open Internet.

Usually the access nodes use general purpose CPUs (Central Processing Units) or some special hardware devices to perform the encryption processes. In addition, it is possible to use free DSP (Digital Signal Processor) resources in the access node environment in instances where a large number of DSPs is available. However, DSPs are hard to program, and are not believed to form proper means for some of the more complex processes occurring e.g. during the negotiation phases of a secure connection set-up.

SUMMARY OF THE INVENTION

There has not been a proper solution for how to use the DSPs or other subprocessors efficiently in an architecture employing a set of computing resources (e.g. control processors, DSPs, interface I/O cards) connected to the control processor or CPU by an appropriate high-speed bus. Due to the nature of the protocol stack in this kind of arrangement (i.e. IP over IPSec over PPP (point-to-point) over modem), a possible implementation mechanism could be an execution of the IPSec layer somewhere on the control processor arranged to perform the IP forwarding as well. This is believed to be an appropriate solution due to the fact that the needed address tables and the PPP decapsulation typically reside in the control processor as well. In order to be able to use the processing power of the DSPs for the encryption process the control processor would then need to send the decapsulated PPP/IP packet for processing on a separate DSP via a high-speed bus and then back the same way for further processing, such as for forwarding, in the control processor. This, however, leads to two additional bus roundtrips for the whole bandwidth running through the access node. This can be illustrated by the following scheme:

call -> DSP -> CPU -> DSP -> CPU -> Interface

This kind of traffic loads the bus between the CPU and the DSP or similar subprocessing facility, and consumes the capacity of the system. The back and forth traffic may also cause some delays and/or an increased risk of errors during the processing.

There are also proposals in which each of the subprocessors controls itself, i.e. the implementation is such that the subprocessors do not require any control instructions from any central processor. However, this considerably raises the requirements, complexity and cost of a single subprocessor, and may decrease the controllability of the node as an entity.

This kind of implementation may even be impossible for such processes and operations which require more complicated (and in many cases centralised) control processing.

It is an object of the present invention to overcome the above referred problems and to provide a new type of solution for processing messages in an access node. A further object of the present invention is to provide a method and an arrangement by means of which the use of processing capacity of an access node is made more effective and the amount of unnecessary traffic between various components of the node is decreased.

The objects are obtained by a method of decrypting/encrypting a message in a communications system comprising a packet switched data network and an access node between a user terminal and the data network, said access node being provided with a control processor and at least one subprocessor, said control processor controlling said at least one subprocessor, comprising the steps of receiving the message in the access node, routing the message to a subprocessor of the access node prior to the control processor of the access node, recognising a need for decryption/encryption operations, decrypting/encrypting the message in the subprocessor, and forwarding the decrypted/encrypted message to the central processor through a bus between the subprocessor and the central processor.

According to a further aspect an arrangement in a communications system is provided, the arrangement comprising a packet switched data network, an access node interfacing the data network, a control processor of the access node, a subprocessor of the access node comprising means for recognising a need for decryption/encryption processing of a message received to the subprocessor, wherein the control processor is arranged to provide control of the subprocessor, means for decrypting/encrypting the message in the subprocessor subsequent to the recognition, and a bus for transmitting the message from the subprocessor to the control processor subsequent to the processing.

A still further aspect provides an access server for a communications system comprising a control processor, a subprocessor comprising means for recognising a need for decryption/encryption processing of a message received to the subprocessor, wherein the control processor is arranged to provide control of the subprocessor, means for decrypting/encrypting the message in the subprocessor subsequent to the recognition, and a bus for transmitting the message from the subprocessor to the control processor subsequent to the processing.

According to a more specific aspect, the subprocessor can terminate modem calls and is used for both the modem decoding/encoding functions and the decryption/encryption functions of the access node. The subprocessor can be a digital signalling processor (DSP) or according to one alternative the subprocessor is an interface card.

Several advantages are obtained by means of the present invention, since the solution provides a simple, reliable and controllable manner of improving the processing power of an access node. The solution decreases the amount of traffic between the control processor and the subprocessors of an access node, whereby the capacity is increased and the risk of transfer errors and overload is decreased.

In the following the present invention and the other objects and advantages thereof will be described in an exemplifying manner with reference to the annexed drawings, in which similar reference characters throughout the various figures refer to similar features.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a general schematic presentation of a network system including an access server;
Figure 2 is a schematic presentation of an access server platform;
Figure 3 is a schematic presentation of one possible signalling flow in accordance with the basic embodiment of the present invention;
Figure 4 is a schematic presentation of one possible signalling flow in accordance with a further embodiment; and
Figure 5 is a flow chart for one embodiment.

DETAILED DESCRIPTION OF EMBODIMENTS

Reference will now be made to Figure 1, which illustrates some Internet access arrangements and in which the Internet is identified by the reference numeral 1. Point-to-point connections (i.e. logical connections) made via the Internet 1 are identified by dashed lines whilst physical connections are identified by solid lines. A terminal (e.g. personal computer, workstation or similar data processing device) 2 is a subscriber of a public switched telephone network (PSTN) 3 and is connected thereto by a modem (not shown) and a subscriber line 4. This PSTN 3 is often referred to as the "home" network of the subscriber terminal 2.

By calling a predefined access number (B-number) the subscriber terminal 2 is able to gain access to the Internet 1 through an access node 5, such as an access server (AS) or an Internet access system (IAS). The access node is usually operated by the operator of the PSTN 3. The above examples of access nodes, i.e. AS or IAS, can be defined as nodes integrated in an exchange and intended for establishing dial-up access to the data network, such as to the Internet or an Intranet. The access node provides the appropriate protocol conversions (i.e. between circuit-switched and packet-switched data transmission) for data transfer between the data network 1 and the subscriber terminal 2.

It is noted that the invention is not intended to be limited to use only in such instances where the user interfaces or terminals are connected to a PSTN; other types of telecommunications networks capable of providing the communications between the terminal and the packet switched data networks could also be used, such as various types of public land mobile networks (PLMNs). To illustrate an alternative manner of accessing the Internet other than by means of the PSTN 3, figure 1 also shows a terminal 8 having a connection through a local area network. The terminal may be connected to a LAN (Local Area Network) which in turn is connected through an xDSL modem pair to the global Internet 1.

An access node platform 24 (e.g. an access server platform) is shown in more detail in figure 2. The platform contains a control processor 20 (i.e. a Central Processing Unit, CPU in figure 2), and a plurality of subprocessors (i.e. Digital Signal Processors (DSPs) 22 and interface cards 23 in figure 2) arranged hierarchically below the control processor so as to be controlled by it and connected to each other by a bus 21. The subprocessors, such as the DSPs or interface cards, are used to terminate modem calls from the subscribers. One example of the DSPs is the 200 MHz C6201 by Texas Instruments, but various other types of subprocessors can be used as well. The subprocessors 22, 23 are arranged to accomplish lower intelligence tasks, such as running modem algorithms. The connections between the CPU 20 and the DSPs 22 and interface card 23 are arranged by means of the high-speed bus 21.

The controlling central processor is, for instance, capable of determining whether a certain subprocessor of the node is capable of performing the required encryption/decryption operations, and also capable of loading the required software to the subprocessor. In other words, the central control processor is arranged to determine the possibilities and needs for encryption/decryption on particular subprocessor(s) and to communicate that information and possible additional software from the central processor to the subprocessor(s).

A possible way of using DSP resources, or corresponding resources of any other additional assisting subprocessor, more efficiently will now be explained in more detail with reference to figure 3. In view of the basic principles of the invention it is essential to note that all data for every call passes a DSP, interface card or similar subprocessor at least once in any case. In other words, for outgoing data the DSP performs modem decoding and data packaging, and for the incoming data the DSP performs modem encoding and data unpacking. What has been found here is that it is possible to avoid the bi-directional bus transfer of the data between the CPU and the DSP by equipping the DSP (or any other possible subprocessor used for data processing) with software which is arranged to recognise the need for encryption/decryption processing of the data. Such instances, or data transfers, where the need for encryption/decryption is recognised, can be referred to as "fastpath" cases. Prior art arrangements have been such that the data goes through the subprocessor, and it is only the control processor which recognises a need for some possible IP level operations, such as decryption/encryption. This traffic can now be avoided by means of the disclosed arrangement.

The recognition is established on the basis of the characteristics of the data packet. More precisely, it is possible to recognise the incoming data packets on the basis of the IP header (source and destination addresses, protocol) and the secure connection number (Security Parameter Index, SPI) prior to decryption. The outgoing packets, which are to be encrypted, can be recognised using all information concerning the packet (port numbers, source and destination addresses, protocol, but not, however, the SPI, which does not yet exist before encryption).

In order to enable the subprocessor to accomplish the above recognition, the controlling central processor and the subprocessor must negotiate during the set-up of the connection so that the central processor may give the necessary control information or instructions to the subprocessors. In one variation the negotiation does not occur during the connection set-up stage, but adaptively after the controlling central processor recognises that there will be a substantial amount of encrypting/decrypting operations of a certain type.

In the fastpath case it is required that the subprocessors are capable of handling the simple portions of the PPP packet formatting and the IPSec headers, and that the subprocessors are also preferably capable of recognising such cases where the control processor itself must be invoked to perform some higher-intelligence tasks such as key negotiations. This possibility is illustrated by the schematic signalling chart of figure 4.

Figure 5 discloses a flow chart for one possible embodiment, starting from the above mentioned negotiation stage. After it has been determined whether the controlling central processor has provided any information to the subprocessor or not, the next step is to determine whether the data packet entering the subprocessor is an incoming data packet or an outgoing data packet. After having verified whether the data packet corresponds to a certain predefined pattern or not, the subprocessor will decrypt/encrypt the packet depending on the transmission direction of the packet. After having accomplished the decryption/encryption operations the procedure returns to the stage where the subprocessor awaits any possible instructions from the central processor and/or new data packets arriving at the subprocessor.
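The recognition rules above (incoming packets by addresses, protocol and SPI; outgoing packets by addresses, protocol and ports; key negotiation handed back to the control processor) and the decision sequence of Figure 5 can be modelled as a small classifier running in the subprocessor. The following is an added example written for this page, not code from the patent or from its assignee: the layout of the control information the CPU installs, the IPv4/ESP packet format used for matching, the IKE port rule and all sample packets are assumptions made for the illustration.

```python
# Added illustration of the subprocessor-side "fastpath" recognition; not code
# from the patent. Control-table layout, packet layout and samples are assumed.
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple

TCP, UDP, ESP = 6, 17, 50   # IP protocol numbers
IKE_PORT = 500              # ISAKMP/IKE key negotiation: a control-processor task


class Action(Enum):
    PASS_TO_CPU = "no fastpath match: forward unchanged to control processor"
    DECRYPT_FASTPATH = "decrypt in subprocessor, then forward to control processor"
    ENCRYPT_FASTPATH = "encrypt in subprocessor, then forward"
    INVOKE_CPU = "higher-intelligence task: hand to control processor"


@dataclass
class ControlInfo:
    """Control information negotiated with the control processor at connection
    set-up (or adaptively later). Incoming packets are keyed by addresses,
    protocol and SPI; outgoing ones by addresses, protocol and ports, since
    no SPI exists before encryption."""
    inbound: Dict[Tuple[str, str, int, int], str] = field(default_factory=dict)
    outbound: Dict[Tuple[str, str, int, int, int], str] = field(default_factory=dict)


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, int]:
    """Return (src, dst, protocol, header length) of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[9], ihl


def classify(pkt: bytes, incoming: bool, info: Optional[ControlInfo]):
    """Subprocessor decision for one packet (the steps of Figure 5).
    Returns (Action, id of the matched security association or None)."""
    if info is None:
        # Nothing negotiated yet: behave like the prior art, everything goes to the CPU.
        return Action.PASS_TO_CPU, None
    src, dst, proto, ihl = parse_ipv4(pkt)
    ports = (0, 0)
    if proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto == UDP and IKE_PORT in ports:
        # Key negotiation is beyond the subprocessor: invoke the control processor.
        return Action.INVOKE_CPU, None
    if incoming:
        if proto == ESP and len(pkt) >= ihl + 4:
            (spi,) = struct.unpack("!I", pkt[ihl:ihl + 4])   # SPI is the first ESP field
            sa = info.inbound.get((src, dst, proto, spi))
            if sa is not None:
                return Action.DECRYPT_FASTPATH, sa
        return Action.PASS_TO_CPU, None
    sa = info.outbound.get((src, dst, proto, ports[0], ports[1]))
    if sa is not None:
        return Action.ENCRYPT_FASTPATH, sa
    return Action.PASS_TO_CPU, None


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options, checksum left zero) for constructed samples."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload


# Constructed sample control information and packets (all values invented).
INFO = ControlInfo(
    inbound={("10.0.0.2", "192.0.2.1", ESP, 0x1000ABCD): "sa-in-1"},
    outbound={("192.0.2.1", "10.0.0.2", UDP, 4000, 5000): "sa-out-1"},
)
ESP_IN = build_ipv4("10.0.0.2", "192.0.2.1", ESP,
                    struct.pack("!II", 0x1000ABCD, 1) + b"\x00" * 16)
IKE_IN = build_ipv4("10.0.0.2", "192.0.2.1", UDP,
                    struct.pack("!HHHH", 500, 500, 12, 0) + b"\x00" * 4)
PLAIN_OUT = build_ipv4("192.0.2.1", "10.0.0.2", UDP,
                       struct.pack("!HHHH", 4000, 5000, 12, 0) + b"\x00" * 4)
UNKNOWN_OUT = build_ipv4("192.0.2.1", "10.0.0.9", UDP,
                         struct.pack("!HHHH", 4000, 5000, 12, 0) + b"\x00" * 4)

if __name__ == "__main__":
    for name, pkt, inc in (("ESP in", ESP_IN, True), ("IKE in", IKE_IN, True),
                           ("plain out", PLAIN_OUT, False),
                           ("unknown out", UNKNOWN_OUT, False)):
        print(name, classify(pkt, inc, INFO))
    print("no control info", classify(ESP_IN, True, None))
```

Only packets that match a pattern the control processor installed are handled in the subprocessor; anything else, including a packet that arrives before any control information has been negotiated, takes the conventional route to the control processor, so a lookup miss degrades to the prior-art behaviour rather than to a wrong decryption.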

In addition to the above, it is possible to use a flow control mechanism implemented in the modem protocol to signal any excessive load conditions of the encryption/decryption processes that might occur in cases where the same subprocessor is used both for the modem purposes and for the encryption/decryption purposes.

On a system which employs only virtual devices (i.e. no actual modems are used, but the traffic consists of so-called tunnel terminated traffic), the traffic would normally not go through DSPs or other subprocessors. In case the subprocessor resources are desired to be used as encryption/decryption resources, it is then necessary to arrange the messages to be transmitted through them. Even though this is an additional point in the message path, there is still no need to send the message back and forth over a bus between the central control processor and the subprocessor, since the data packets can also be arranged to go directly out from the interface card after the encryption/decryption processes. In this case the control processor has to provide the subprocessor with knowledge about the header so that the subprocessor becomes capable of adding a correct header in front of the data packet (to tunnel) or of knowing where to forward the plain data packet (from tunnel).
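For the tunnel-terminated case just described, the knowledge the control processor hands down is an outer header template (to tunnel) and a forwarding table for the decapsulated plain packet (from tunnel). The following added example, written for this page and not taken from the patent, shows a subprocessor using that knowledge to build a checksummed outer IPv4 header or to verify and strip one, so that the packet can leave via the interface card without a bus round trip. The header layout, the route table, the sample packet and the two `stand_in_*` functions are assumptions; the stand-ins only add and remove an 8-byte SPI/sequence prefix and perform no encryption, standing in for the subprocessor's real ESP crypto step, which is outside this example.

```python
# Added illustration of the tunnel header handling in the virtual-device case;
# not code from the patent. Layouts, routes and samples are constructed.
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

ESP = 50  # IP protocol number of IPSec ESP


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; 0 when verifying a correct one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def _addr_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class TunnelControlInfo:
    """Knowledge the control processor gives the subprocessor once per tunnel."""
    outer_src: str      # our tunnel endpoint address
    outer_dst: str      # remote tunnel endpoint address
    routes: Dict[str, str] = field(default_factory=dict)  # inner dst -> interface port


def to_tunnel(inner: bytes, info: TunnelControlInfo,
              encrypt_esp: Callable[[bytes], bytes], ident: int = 0) -> bytes:
    """Run the caller-supplied ESP step on the plain inner packet and add the
    outer IPv4 header in front, checksum included, so the packet can leave
    directly via the interface card."""
    esp = encrypt_esp(inner)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), ident, 0x4000, 64,
                      ESP, 0, _addr(info.outer_src), _addr(info.outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp


def from_tunnel(pkt: bytes, info: TunnelControlInfo,
                decrypt_esp: Callable[[bytes], bytes]) -> Tuple[bytes, str]:
    """Verify and strip the outer header of a packet arriving from the tunnel,
    run the ESP step, and pick the outgoing interface for the plain packet from
    the CPU-supplied routes. An unknown destination is handed to the control
    processor instead of being forwarded blindly."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    if pkt[9] != ESP:
        raise ValueError("not an ESP tunnel packet")
    if (_addr_str(pkt[12:16]), _addr_str(pkt[16:20])) != (info.outer_dst, info.outer_src):
        raise ValueError("outer addresses do not belong to this tunnel")
    inner = decrypt_esp(pkt[ihl:])
    return inner, info.routes.get(_addr_str(inner[16:20]), "control-processor")


# Constructed stand-ins for the ESP crypto step: NO encryption, only the
# 8-byte SPI/sequence prefix is added and removed.
SPI = 0x2000BEEF


def stand_in_encrypt(inner: bytes) -> bytes:
    return struct.pack("!II", SPI, 1) + inner


def stand_in_decrypt(esp: bytes) -> bytes:
    return esp[8:]


def make_inner(src: str, dst: str) -> bytes:
    """Constructed plain inner IPv4/UDP packet with an 8-byte payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 7, 0, 64, 17, 0,
                       _addr(src), _addr(dst)) + b"\x00" * 8


INFO = TunnelControlInfo("192.0.2.1", "198.51.100.7",
                         routes={"10.0.0.2": "if-card-0/port-3"})
REMOTE = TunnelControlInfo(INFO.outer_dst, INFO.outer_src)   # the far endpoint's view
INNER = make_inner("172.16.0.5", "10.0.0.2")
ARRIVING = to_tunnel(INNER, REMOTE, stand_in_encrypt)        # as sent by the far end

if __name__ == "__main__":
    print("outer header ok:", ipv4_checksum(ARRIVING[:20]) == 0)
    print(from_tunnel(ARRIVING, INFO, stand_in_decrypt))
```

The subprocessor never consults the control processor on the data path: the only things it needs are the two endpoint addresses and the route table it was given, and a packet whose outer header fails verification or whose inner destination is unknown is refused or escalated rather than forwarded.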

Thus, the invention provides an apparatus and a method by which a significant improvement can be achieved in the area of encrypting/decrypting messages and/or data. The disclosed solution provides a possibility to integrate the encryption/decryption and the modem processing in a more efficient manner. The arrangement according to the present invention is easy and economical to realise by per se known components and reliable in use. It is also noted that the foregoing examples of the embodiments of the invention are not intended to restrict the scope of the invention to the specific forms presented above but the present invention is meant rather to cover all modifications, similarities and alternatives which are included in the spirit and scope of the present invention, as defined by the appended claims.