Bi-directional encryption/decryption device for underlay and overlay operations

What is claimed is: 1. A network device comprising: a plurality of ports; a network processing element, wherein the network processing element is to encapsulate a packet to obtain an encapsulated packet; a programmable path-selection circuit coupled to the plurality of ports and the network processing element; and a security integrated circuit coupled to the programmable path-selection circuit, wherein the programmable path-selection circuit is to operate in a first mode and a second mode, wherein: i) in the first mode, first outgoing packets are routed to the security integrated circuit to be encrypted before sending on one of the plurality of ports, and first incoming packets, received on one of the plurality of ports, are routed to the security integrated circuit to be decrypted; and ii) in the second mode, second incoming packets are routed to the security integrated circuit to be encrypted before processing by the network processing element. 2. The network device of claim 1 , wherein, in the second mode, the programmable path-selection circuit is to route second outgoing packets to the security integrated circuit to be decrypted after processing by the network processing element. 3. The network device of claim 1 , wherein, in the first mode, the programmable path-selection circuit is to: route a first outgoing packet to the security integrated circuit to obtain an encrypted packet; send the encrypted packet on a first port of the plurality of ports, wherein the first port is a protected port; receive a first incoming packet on a second port of the plurality of ports, wherein the second port is a protected port; route the first incoming packet to the security integrated circuit to obtain a decrypted packet; and route the decrypted packet to the network processing element. 4. The network device of claim 1 , wherein, in the second mode, the programmable path-selection circuit is to: receive a first incoming packet on a first port of the plurality of ports; route the first incoming packet to the security integrated circuit to obtain an encrypted packet; and route the encrypted packet to the network processing element to obtain an encapsulated packet, wherein the encapsulated packet is sent on a second port of the plurality of ports, wherein the second port is a protected port. 5. The network device of claim 4 , wherein, in the second mode, the programmable path-selection circuit is to: route a first outgoing packet to the security integrated circuit to obtain a decrypted packet; and send the decrypted packet to a second port of the plurality of ports. 6. The network device of claim 5 , wherein the second port is a non-protected port. 7. The network device of claim 1 , wherein the security integrated circuit is a media access control security (MACsec) device. 8. The network device of claim 1 , wherein the security integrated circuit is an Internet Protocol security (IPsec) device. 9. An apparatus comprising: a first port; a second port; a third port; a fourth port; a path-selection circuit coupled to the first port, the second port, the third port, and the fourth port; a decryption circuit coupled to the path-selection circuit; an encryption circuit coupled to the path-selection circuit; and a network processing element coupled to the path-selection circuit, wherein the network processing element is to encapsulate a packet to obtain an encapsulated packet, and wherein the path-selection circuit is to: in a first mode, route first incoming packets, received on the first port, to the decryption circuit to decrypt the first incoming packets before routing to the network processing element to obtain first outgoing packets; in the first mode, route the first outgoing packets to the encryption circuit to encrypt the first outgoing packets before sending on the second port; and in a second mode, route second incoming packets, received on the third port, to the encryption circuit to encrypt the second incoming packets before routing to the network processing element. 10. The apparatus of claim 9 , wherein the network processing element is to receive the second incoming packets and generate second outgoing packets, wherein the path-selection circuit is to route the second outgoing packets to the decryption circuit to decrypt the second outgoing packets before sending to the fourth port, wherein the second outgoing packets received at the decryption circuit are encapsulated packets. 11. The apparatus of claim 10 , further comprising a media access control security (MACsec) device comprising the encryption circuit and the decryption circuit. 12. The apparatus of claim 10 , further comprising an Internet Protocol security (IPsec) device comprising the encryption circuit and the decryption circuit. 13. The apparatus of claim 10 , wherein the path-selection circuit is to: route the first outgoing packets to the encryption circuit in the first mode; and route the second outgoing packets to the decryption circuit in the second mode. 14. The apparatus of claim 10 , wherein the encapsulated packets comprises overlay information. 15. A method comprising: receiving, at a first port of a network device, a first incoming packet; in a first mode, routing, using a path-selection circuit, the first incoming packet to a decryption circuit of the network device to be decrypted before routing to a network processing element to obtain a first outgoing packet, wherein the network processing element is to encapsulate a packet to obtain an encapsulated packet; in the first mode, routing, using the path-selection circuit, the first outgoing packet to an encryption circuit of the network device to encrypt the first outgoing packet before sending to a second port of the network device; receiving, at a third port of the network device, a second incoming packet; and in a second mode, routing, using the path-selection circuit, the second incoming packet to the encryption circuit to encrypt the second incoming packet to obtain an encrypted packet before routing to the network processing element. 16. The method of claim 15 , further comprising: receiving an outgoing packet from the network processing element, the outgoing packet corresponding to the encrypted packet; routing the outgoing packet to the decryption circuit to be decrypted as a decrypted packet; and routing the decrypted packet to a fourth port of the network device. 17. The method of claim 15 , further comprising: receiving an outgoing packet from the network processing element, the outgoing packet corresponding to the encrypted packet; and routing the outgoing packet to a fourth port of the network device. 18. The method of claim 15 , further comprising: receiving a second outgoing packet from the network processing element, the second outgoing packet corresponding to the second incoming packet; routing the second outgoing packet to the encryption circuit to be encrypted as a second encrypted packet; and routing the second encrypted packet to a fourth port of the network device. 19. The method of claim 15 , wherein the first port is a protected port, and wherein the second port is a protected port.