IPsec processing of packets in SoCs

US11722525B2 · US · B2

Patent metadata
Field                 Value
Publication number    US-11722525-B2
Application number    US-202117230675-A
Country               US
Kind code             B2
Filing date           Apr 14, 2021
Priority date         Apr 14, 2021
Publication date      Aug 8, 2023
Grant date            Aug 8, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with IP 5-tuple plus SPI as a lookup key at hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA DRAM addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: receiving, at a receiving module of a system on a chip (SoC), a packet; determining a key identifying an inbound security association (SA) for the packet; searching a hardware look-up table for the inbound SA of the packet based at least in part on the key; determining the inbound SA of the packet based at least in part on the searching the hardware look-up table; determining a corresponding SA memory address for the inbound SA; providing the corresponding SA memory address for the inbound SA to an internet protocol (IP) security (IPsec) engine for processing of the packet with respect to an IPsec protocol; decrypting, by the IPsec engine, IPsec features of the packet; storing, by the IPsec engine, decrypted IPsec features in a buffer; forwarding, by the IPsec engine, the packet and the buffer to a central processing unit (CPU) core; and further processing, by the CPU core, additional features of the packet, wherein during the further processing, the decrypted IPsec features are retrieved by the CPU core from the buffer, wherein forwarding, by the IPsec engine, the packet and the buffer to the CPU core is based at least in part on a decrypted inner IP address of the packet and a classification related to the decrypted inner IP address of the packet in the hardware look-up table.

2. The method of claim 1, wherein determining the inbound SA of the packet comprises: searching a software look-up table for the inbound SA of the packet based at least in part on (i) the key and (ii) failure to locate the inbound SA in the hardware look-up table; and locating the inbound SA in the software look-up table.

3. The method of claim 2, further comprising: programming all inbound SAs into the software look-up table; and programming at least some inbound SAs into the hardware look-up table based at least in part on available capacity in the hardware look-up table.

4. The method of claim 3, further comprises: dynamically exchanging entries between the software look-up table and the hardware look-up table.

5. The method of claim 1, further comprising: locating the inbound SA in the hardware look-up table, wherein locating the inbound SA in the hardware look-up table includes locating information comprising one or more of the IPsec protocol or a special application, wherein determining the corresponding SA memory address for the inbound SA comprises determining the corresponding SA memory address for the inbound SA based at least in part on the information.

6. The method of claim 1, wherein the hardware look-up table comprises a hierarchical hardware look-up table.

7. The method of claim 1, further comprising: performing, by the CPU core, first outbound IPsec operations on the packet; forwarding, by the CPU core, the packet to the IPsec engine; performing, by the IPsec engine, second outbound IPsec operations on the packet, wherein the second outbound IPsec operations are provided to the IPsec engine in metadata of the packet; and forwarding the packet to traffic management of the SoC.

8. The method of claim 1, further comprising: collecting, by the IPsec engine, information related to the packet and the SA, wherein the information comprises one or more packet offsets, IPsec protocol, IPsec next protocol, or feature specific flags; storing the information in an inbound buffer as metadata; forwarding the packet and the metadata to a central processing unit (CPU) core; processing, by the CPU core, the packet; forwarding the packet and the metadata to the IPsec engine; storing the metadata in an outbound buffer; and encrypting, by the IPsec engine, the packet, the packet including the metadata from the outbound buffer.

9. A system on a chip (SoC) comprising: an internet protocol (IP) security (IPsec) engine; one or more central processing unit (CPU) cores; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by one of the IPsec engine or one of the one or more CPU cores, cause the IPsec engine or the one of one or more CPU cores to perform actions comprising: receiving a packet; determining a key identifying an inbound security association (SA) for the packet; searching a hardware look-up table for the inbound SA of the packet based at least in part on the key; determining the inbound SA of the packet based at least in part on the searching the hardware look-up table; determining a corresponding SA memory address for the inbound SA; providing the corresponding SA memory address for the inbound SA to the IPsec engine for processing of the packet with respect to an IPsec protocol; decrypting, by the IPsec engine, IPsec features of the packet; storing, by the IPsec engine, decrypted IPsec features in a buffer; forwarding, by the IPsec engine, the packet and the buffer to the one of the one or more CPU cores; and further processing, by the one of the one or more CPU cores, additional features of the packet, wherein during the further processing the decrypted IPsec features are retrieved by the one of the one or more CPU cores from the buffer, wherein forwarding, by the IPsec engine, the packet and the buffer to the one of the one or more CPU cores is based at least in part on a decrypted inner IP address of the packet and a classification related to the decrypted inner IP address of the packet in the hardware look-up table.

10. The system on a chip of claim 9, wherein determining the inbound SA of the packet comprises: searching a software look-up table for the inbound SA of the packet based at least in part on (i) the key and (ii) failure to locate the inbound SA in the hardware look-up table; and locating the inbound SA in the software look-up table.

11. The system on a chip of claim 10, wherein the actions further comprise: programming all inbound SAs into the software look-up table; and programming at least some inbound SAs into the hardware look-up table based at least in part on available capacity in the hardware look-up table.

12. The system on a chip of claim 9, wherein the actions further comprise: locating the inbound SA in the hardware look-up table, wherein locating the inbound SA in the hardware look-up table includes locating information comprising one or more of the IPsec protocol or a special application, wherein determining the corresponding SA memory address for the inbound SA comprises determining the corresponding SA memory address for the inbound SA based at least in part on the information.

13. The system on a chip of claim 9, wherein the actions further comprise: performing, by the one of the one or more CPU cores, first outbound IPsec operations on the packet; forwarding, by the one of the one or more CPU cores, the packet to the IPsec engine; performing, by the IPsec engine, second outbound IPsec operations on the packet, wherein the second outbound IPsec operations are provided to the IPsec engine in metadata of the packet; and forwarding the packet to traffic management of the SoC.

14. The system on a chip of claim 9, wherein the actions further comprise: collecting, by the IPsec engine, information related to the packet and the SA, wherein the information comprises one or more packet offsets, IPsec protocol, IPsec next protocol, or feature specific flags; storing the information in an inbound buffer as metadata; forwarding the packet and the metadata to one of the one or more CPU cores; processing, by the one of the one or more CPU cores, the packet; forwarding the packet and the metadata to the IPsec engine; storing the m
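The abstract and claims 1 to 3 describe a two-tier inbound SA lookup: the key is the IP 5-tuple plus SPI, every SA is programmed into a software table, the hardware table holds as many of them as its capacity allows, and a hit yields the memory address of the SA record that is handed to the IPsec engine. The following C model is an added example written for this page; it is not Cisco's code or the patent's own implementation. The key field layout, the table capacities, the SA addresses and the linear scan that stands in for the hardware match-action lookup are all assumptions made for illustration. It also makes explicit what a defender cares about at the miss path: a packet whose key matches no SA in either table gets no SA address and must be dropped rather than decrypted with a guessed association.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Lookup key: IP 5-tuple plus SPI, as the abstract names it. The field
 * layout is an assumption for this example, not the patent's entry format. */
typedef struct {
    uint32_t src_ip;
    uint32_t dst_ip;
    uint8_t  proto;      /* 50 = ESP, 51 = AH, 17 = UDP-encapsulated ESP */
    uint16_t src_port;   /* 0 for plain ESP/AH; UDP ports when encapsulated */
    uint16_t dst_port;
    uint32_t spi;
} sa_key_t;

/* Match-action entry: on a key match the action is "give this SA address to
 * the IPsec engine". Addresses here are constructed placeholders. */
typedef struct {
    sa_key_t key;
    uint32_t sa_addr;
    bool     valid;
} sa_entry_t;

#define HW_TABLE_CAPACITY 2    /* tiny on purpose so the overflow path is exercised */
#define SW_TABLE_CAPACITY 64

static sa_entry_t hw_table[HW_TABLE_CAPACITY];
static sa_entry_t sw_table[SW_TABLE_CAPACITY];

typedef enum { SA_HIT_HW = 0, SA_HIT_SW = 1, SA_MISS = 2 } sa_result_t;

static bool key_eq(const sa_key_t *a, const sa_key_t *b)
{
    /* Field-wise compare: memcmp would also compare struct padding. */
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->proto == b->proto && a->src_port == b->src_port &&
           a->dst_port == b->dst_port && a->spi == b->spi;
}

void sa_tables_reset(void)
{
    for (int i = 0; i < HW_TABLE_CAPACITY; i++) hw_table[i].valid = false;
    for (int i = 0; i < SW_TABLE_CAPACITY; i++) sw_table[i].valid = false;
}

sa_key_t make_key(uint32_t src, uint32_t dst, uint8_t proto,
                  uint16_t sport, uint16_t dport, uint32_t spi)
{
    sa_key_t k = { src, dst, proto, sport, dport, spi };
    return k;
}

static bool table_insert(sa_entry_t *tbl, int cap, const sa_key_t *k, uint32_t addr)
{
    for (int i = 0; i < cap; i++) {
        if (!tbl[i].valid) {
            tbl[i].key = *k;
            tbl[i].sa_addr = addr;
            tbl[i].valid = true;
            return true;
        }
    }
    return false;   /* table full */
}

static bool table_find(const sa_entry_t *tbl, int cap, const sa_key_t *k, uint32_t *addr)
{
    for (int i = 0; i < cap; i++) {
        if (tbl[i].valid && key_eq(&tbl[i].key, k)) {
            *addr = tbl[i].sa_addr;
            return true;
        }
    }
    return false;
}

/* Program an inbound SA as claim 3 describes: every SA goes into the software
 * table; the hardware table takes it only while it has a free slot.
 * Returns 1 if the SA is in both tables, 0 if software only, -1 if no room. */
int program_inbound_sa(const sa_key_t *k, uint32_t sa_addr)
{
    if (!table_insert(sw_table, SW_TABLE_CAPACITY, k, sa_addr)) return -1;
    return table_insert(hw_table, HW_TABLE_CAPACITY, k, sa_addr) ? 1 : 0;
}

/* Lookup order from claim 2: hardware table first, software table on a miss.
 * On a total miss no address is produced and the packet must be dropped. */
sa_result_t lookup_inbound_sa(const sa_key_t *k, uint32_t *sa_addr)
{
    if (table_find(hw_table, HW_TABLE_CAPACITY, k, sa_addr)) return SA_HIT_HW;
    if (table_find(sw_table, SW_TABLE_CAPACITY, k, sa_addr)) return SA_HIT_SW;
    *sa_addr = 0;
    return SA_MISS;
}

int main(void)
{
    sa_tables_reset();
    /* Constructed sample SAs: two plain ESP peers and one UDP-encapsulated peer. */
    sa_key_t a = make_key(0x0A000001u, 0x0A000002u, 50, 0, 0, 0x1001u);
    sa_key_t b = make_key(0x0A000001u, 0x0A000002u, 50, 0, 0, 0x1002u);
    sa_key_t c = make_key(0x0A000003u, 0x0A000002u, 17, 4500, 4500, 0x2001u);
    printf("a -> %d, b -> %d, c -> %d (1 = HW+SW, 0 = SW only)\n",
           program_inbound_sa(&a, 0x1000u), program_inbound_sa(&b, 0x1100u),
           program_inbound_sa(&c, 0x1200u));
    uint32_t addr;
    sa_result_t r = lookup_inbound_sa(&c, &addr);
    printf("lookup c -> result %d, sa_addr 0x%x\n", (int)r, addr);
    return 0;
}
```

The third SA lands only in the software table because the two hardware slots are already taken, so a packet for it is still resolved, just via the slower path; that is the scaling behaviour the abstract describes. A key with an unknown SPI returns SA_MISS with a zero address, which is the condition under which the engine should never be invoked.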

Assignees

Inventors

Classifications

  • H04L63/20 (Primary)

    for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Query execution · CPC title

  • H04L63/164 (Primary)

    at the network layer · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11722525B2 cover?
Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Aug 8, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).