IPC classification information
Country / type | United States (US) Patent, registered
International Patent Classification (IPC 7th ed.) |
Application number | UP-0116018 (2005-04-27)
Registration number | US-7634584 (2009-12-24)
Inventors / address |
- Pope, Steve
- Riddoch, David
- Yu, Ching
- Roberts, Derek
Applicant / address |
- Solarflare Communications, Inc.
Agent / address |
Citation information | cited by: 9 patents; cites: 15 patents
Abstract
Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.
Representative claims
The invention claimed is:
1. A method for interfacing a computing device with a network interface device, for use with a network, comprising the steps of: a first sending process of the computing device initiating establishment of a first transmit queue; a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process, the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic; the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network; the network interface device including a database that: identifies a set of one or more of the transmit queues in the computing device, identifies one or more data packet characteristics, indicates a correspondence between the transmit queues in the set of transmit queues and the data packet characteristics, and indicates whether data packets from each given one of the transmit queues in the set of transmit queues is permitted to be transmitted onto the network if such data packets have the data packet characteristics indicated in the correspondence; the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue is indicated in the database as having such authority; and the network interface device transmitting the first data packet onto the network only if the first determination is positive.
2. A method according to claim 1, wherein the first characteristic comprises a particular network transport protocol, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets using the particular network transport protocol.
3. A method according to claim 1, wherein the first characteristic comprises a particular source IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first transmit queue is indicated in the database as having authority to transmit data packets having the particular source IP port number.
4. A method according to claim 1, wherein the first characteristic comprises a particular destination IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first transmit queue is indicated in the database as having authority to transmit data packets having the particular source IP port number.
5. A method according to claim 1, wherein the first characteristic comprises a particular source IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first transmit queue is indicated in the database as having authority to transmit data packets having the particular source IP address.
6. A method according to claim 1, wherein the first characteristic comprises a particular destination IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first transmit queue is indicated in the database as having authority to transmit data packets having the particular destination IP address.
7. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue.
8. A method according to claim 1, further comprising the step of the first sending process notifying the network interface device, without invoking any privileged mode routines, of the availability of the first data packet in the first transmit queue.
9. A method according to claim 1, wherein the first sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, programming authorization rights for the first transmit queue into the database.
10. A method according to claim 1, further comprising the steps of: a second sending process initiating establishment of a second transmit queue; a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, establishing the second transmit queue in a virtual address space of the second sending process; the second sending process enqueueing a second data packet onto the second transmit queue for transmission onto the network, the second data packet having a second characteristic; the network interface device receiving at least part of the second data packet from the second transmit queue; the network interface device making a second determination of whether the second sending process has authority to transmit data packets having the second characteristic onto the network; and the network interface device transmitting the second data packet onto the network only if the second determination is positive.
11. A method according to claim 10, wherein the second sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, programming authorization rights for the second transmit queue into the network interface device, and wherein the step of the network interface device making a second determination comprises the step of the network interface device examining the authorization rights for the second transmit queue.
12. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue, further comprising the step of aborting retrieval of the first data packet if the first determination is negative.
13. Network interface apparatus, for use with a plurality of transmit queues allocated among a plurality of different processes in a computer system, comprising a database: identifying a set of one or more of the transmit queues in the computer system, and further identifying one or more data packet characteristics, the database further indicating a correspondence between the transmit queues in the set of transmit queues and the data packet characteristics, and further indicating whether data packets from each given one of the transmit queues in the set of transmit queues is permitted to be transmitted onto the network if such data packets have the data packet characteristics indicated in the correspondence; and wherein the network interface apparatus is configured to transmit a data packet onto the network received from a transmit queue identified in the set, only if the network interface apparatus determines that the database indicates that the data packet is permitted to be transmitted onto the network.
14. Apparatus according to claim 13, wherein a correspondence indicated in the database for a particular one of the transmit queues indicates a plurality of the data packet characteristics, the database indicating that data packets from the particular transmit queue are permitted to be transmitted onto the network if such data packets have the plurality of data packet characteristics indicated in the correspondence.
15. Apparatus according to claim 13, wherein one of the data packet characteristics is a network transport protocol.
16. Apparatus according to claim 13, wherein one of the data packet characteristics is a source IP port number.
17. Apparatus according to claim 13, wherein one of the data packet characteristics is a destination IP port number.
18. Apparatus according to claim 13, wherein one of the data packet characteristics is a member of the group consisting of a source IP address and a destination IP address.
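As an added illustration (not code from the patent or from Solarflare), the following Python models the mechanism the abstract and claims describe: a per-queue authorization database on the NIC, the privileged-mode routine that programs a queue's authority when the queue is established, and the NIC-side check that fetches a packet's header, consults the database, and only retrieves and transmits the rest if the queue is authorized (claims 9, 12 and 13). The function names, the per-privilege policy and the sample addresses are assumptions.

```python
from dataclasses import dataclass, astuple

@dataclass(frozen=True)
class Characteristic:
    # The packet characteristics the claims enumerate; None is a wildcard in a rule.
    proto: "str | None" = None
    src_ip: "str | None" = None
    dst_ip: "str | None" = None
    src_port: "int | None" = None
    dst_port: "int | None" = None

    def covers(self, header):
        # Every non-wildcard field of the rule must equal the packet header's field.
        return all(r is None or r == h for r, h in zip(astuple(self), astuple(header)))

def nic_permits(db, queue_id, header):
    """db maps queue id -> permitted characteristics (claim 13); only the kernel writes it.
    A queue the kernel never programmed has no authority at all."""
    return any(rule.covers(header) for rule in db.get(queue_id, []))

def kernel_establish_queue(db, queue_id, privileged, bound_ip, bound_port):
    """Privileged-mode step: create the queue and program its authority (claim 9). Assumed
    policy: a user-level queue sends only TCP/UDP from its own bound address and port."""
    if privileged:
        db[queue_id] = [Characteristic()]  # wildcard rule: any packet
    else:
        db[queue_id] = [Characteristic("tcp", bound_ip, None, bound_port),
                        Characteristic("udp", bound_ip, None, bound_port)]
    return []  # the transmit queue, living in the sending process's address space

def nic_transmit(db, queue_id, queue, wire):
    """NIC side: fetch the header, check authority, abort the rest if denied (claim 12)."""
    header, payload = queue.pop(0)
    if not nic_permits(db, queue_id, header):
        return "dropped"
    wire.append((header, payload))  # only now is the payload retrieved and sent
    return "sent"

def demo():
    # Constructed sample: a user-level queue bound to 10.0.0.5:40000 and a privileged queue.
    db, wire = {}, []
    user_q = kernel_establish_queue(db, 1, False, "10.0.0.5", 40000)
    root_q = kernel_establish_queue(db, 2, True, "10.0.0.5", 0)
    user_q.append((Characteristic("udp", "10.0.0.5", "10.0.0.9", 40000, 53), b"own address"))
    user_q.append((Characteristic("udp", "10.0.0.7", "10.0.0.9", 40000, 53), b"other address"))
    user_q.append((Characteristic("icmp", "10.0.0.5", "10.0.0.9"), b"non-TCP/UDP protocol"))
    root_q.append((Characteristic("icmp", "10.0.0.5", "10.0.0.9"), b"non-TCP/UDP protocol"))
    results = [nic_transmit(db, 1, user_q, wire) for _ in range(3)] + [nic_transmit(db, 2, root_q, wire)]
    return results, len(wire)  # (['sent', 'dropped', 'dropped', 'sent'], 2)
```

The user-level queue can send only from the address and port the kernel bound it to, so a packet with another source address or a non-TCP/UDP protocol is refused by the NIC before its payload is even fetched, while the privileged queue's wildcard rule passes everything.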