IPC classification information

Country / type: United States (US) Patent, granted
International patent classification (IPC 7th edition):
Application number: US-0612078 (2009-11-04)
Registration number: US-8380882 (2013-02-19)
Inventors / address:
- Pope, Steve L.
- Riddoch, David J.
- Yu, Ching
- Roberts, Derek
Applicant / address:
- Solarflare Communications, Inc.
Citation information: cited by 1 patent; patents cited: 81
Abstract
Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.
Representative claims
1. A method for interfacing a computing device with a network interface device, for use with a network, comprising the steps of: a first sending process of the computing device initiating establishment of a first transmit queue; a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process; the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic; the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network; the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device on a per-transmit queue basis; and the network interface device transmitting the first data packet onto the network only if the first determination is positive.

2. A method according to claim 1, wherein the first characteristic comprises a particular network transport protocol, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets using the particular network transport protocol.

3. A method according to claim 1, wherein the first characteristic comprises a particular source IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP port number.

4. A method according to claim 1, wherein the first characteristic comprises a particular destination IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular destination IP port number.

5. A method according to claim 1, wherein the first characteristic comprises a particular source IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP address.

6. A method according to claim 1, wherein the first characteristic comprises a particular destination IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular destination IP address.

7. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue.

8. A method according to claim 1, further comprising the step of the first sending process notifying the network interface device, without invoking any privileged mode routines, of the availability of the first data packet in the first transmit queue.

9. A method according to claim 1, wherein the first sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, programming authorization rights for the first transmit queue into a database accessible to the network interface device, and wherein the step of the network interface device making a first determination comprises the step of the network interface device examining the authorization rights for the first transmit queue in the database.

10. A method according to claim 1, further comprising the steps of: a second sending process initiating establishment of a second transmit queue; a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, establishing the second transmit queue in a virtual address space of the second sending process; the second sending process enqueueing a second data packet onto the second transmit queue for transmission onto the network, the second data packet having a second characteristic; the network interface device receiving at least part of the second data packet from the second transmit queue; the network interface device making a second determination of whether the second sending process has authority to transmit data packets having the second characteristic onto the network; and the network interface device transmitting the second data packet onto the network only if the second determination is positive.

11. A method according to claim 10, wherein the second sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, programming authorization rights for the second transmit queue into the database accessible to the network interface device, and wherein the step of the network interface device making a second determination comprises the step of the network interface device examining the authorization rights for the second transmit queue in the database.

12. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue, further comprising the step of aborting retrieval of the first data packet if the first determination is negative.

13. A system comprising: a computing device; and network interface device in communication with the computing device via a physical bus, wherein the computing device is configured such that: in response to a first sending process of the computing device initiating establishment of a first transmit queue, a privileged mode process of the computing device establishes the first transmit queue in a virtual address space of the first sending process, and in response to the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto a network, the first data packet having a first characteristic, the network interface device receives at least part of the first data packet without involvement of any privileged mode routines of the computing device; and wherein the network interface device is configured to make a first determination as to whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device on a per-transmit queue basis, and to transmit the first data packet onto the network only if the first determination is positive.
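The mechanism described in the abstract and in claims 1, 9, 12 and 13, as an added example in C that is not part of the patent text and not Solarflare's driver or NIC code: a privileged routine programs per-transmit-queue rights into a NIC-side table when a queue is established, the NIC parses the characteristics (protocol, source and destination IP addresses and ports) out of each packet it pulls from a queue, and it transmits only when the queue holds a right covering those characteristics. The rule layout, the ANY wildcard, the queue and rule limits, the function names and the 10.0.0.x sample addresses are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the per-transmit-queue authorization check. Not the
 * patent's or Solarflare's code; names, limits and layouts are assumptions. */

#define MAX_QUEUES 8
#define MAX_RULES  4
#define ANY        0   /* wildcard: the field is not restricted (assumption) */
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One authorization right over the characteristics the abstract lists. */
struct auth_rule {
    uint8_t  proto;               /* IP protocol number (6 = TCP, 17 = UDP) or ANY */
    uint32_t src_ip, dst_ip;      /* host byte order, or ANY */
    uint16_t src_port, dst_port;  /* or ANY */
};

struct tx_queue {
    bool established;
    int  nrules;                  /* zero rules: the queue may transmit nothing */
    struct auth_rule rules[MAX_RULES];
};

/* Authorization database held on the NIC, indexed by transmit queue. */
static struct tx_queue nic_queues[MAX_QUEUES];

/* Privileged-mode routine: programs a queue's rights when it is established. */
int nic_program_queue_auth(int qid, const struct auth_rule *rules, int n)
{
    if (qid < 0 || qid >= MAX_QUEUES || n < 0 || n > MAX_RULES) return -1;
    nic_queues[qid].established = true;
    nic_queues[qid].nrules = n;
    if (n > 0) memcpy(nic_queues[qid].rules, rules, (size_t)n * sizeof *rules);
    return 0;
}

/* Characteristics the NIC extracts from a packet it pulls from a queue. */
struct pkt_chars { uint8_t proto; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* Parse an IPv4 packet (no link-layer header) far enough to read the
 * characteristics. Malformed input is unparseable and therefore never sent. */
bool nic_parse_ipv4(const uint8_t *pkt, size_t len, struct pkt_chars *c)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return false;
    c->proto  = pkt[9];
    c->src_ip = IPV4(pkt[12], pkt[13], pkt[14], pkt[15]);
    c->dst_ip = IPV4(pkt[16], pkt[17], pkt[18], pkt[19]);
    c->src_port = c->dst_port = 0;
    if (c->proto == 6 || c->proto == 17) {   /* TCP/UDP: ports open the L4 header */
        if (len < ihl + 4) return false;
        c->src_port = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        c->dst_port = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return true;
}

static bool rule_covers(const struct auth_rule *r, const struct pkt_chars *c)
{
    return (r->proto    == ANY || r->proto    == c->proto)
        && (r->src_ip   == ANY || r->src_ip   == c->src_ip)
        && (r->dst_ip   == ANY || r->dst_ip   == c->dst_ip)
        && (r->src_port == ANY || r->src_port == c->src_port)
        && (r->dst_port == ANY || r->dst_port == c->dst_port);
}

/* NIC transmit path: true if the packet goes onto the wire. A negative
 * determination drops it (a real NIC could also abort retrieval, claim 12). */
bool nic_transmit(int qid, const uint8_t *pkt, size_t len)
{
    struct pkt_chars c;
    if (qid < 0 || qid >= MAX_QUEUES || !nic_queues[qid].established) return false;
    if (!nic_parse_ipv4(pkt, len, &c)) return false;
    for (int i = 0; i < nic_queues[qid].nrules; i++)
        if (rule_covers(&nic_queues[qid].rules[i], &c)) return true;
    return false;
}

/* Builds a minimal IPv4 header plus the first four L4 bytes (the ports); used
 * only to construct sample traffic for the scenario below. */
size_t build_packet(uint8_t *buf, uint8_t proto, uint32_t sip, uint32_t dip,
                    uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 24);
    buf[0] = 0x45; buf[9] = proto;
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(sip >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dip >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 24;
}

/* Constructed scenario: queue 1 belongs to a user process bound to 10.0.0.5 and
 * may send UDP from that address plus TCP from it to port 443; queue 2 was
 * established with no rights. Returns a bitmask: bit i set if packet i was sent. */
unsigned scenario_decisions(void)
{
    const struct auth_rule q1_rights[] = {
        { 17, IPV4(10,0,0,5), ANY, ANY, ANY },
        {  6, IPV4(10,0,0,5), ANY, ANY, 443 },
    };
    nic_program_queue_auth(1, q1_rights, 2);
    nic_program_queue_auth(2, NULL, 0);

    uint8_t p[24]; unsigned sent = 0;
    struct { int q; uint8_t proto; uint32_t sip, dip; uint16_t sp, dp; size_t len; } t[] = {
        { 1, 17, IPV4(10,0,0,5), IPV4(10,0,0,9),  5000,  53, 24 },  /* UDP: allowed        */
        { 1,  6, IPV4(10,0,0,5), IPV4(10,0,0,9), 40000, 443, 24 },  /* TCP/443: allowed    */
        { 1,  6, IPV4(10,0,0,5), IPV4(10,0,0,9), 40000,  22, 24 },  /* TCP/22: not granted */
        { 1, 17, IPV4(10,0,0,7), IPV4(10,0,0,9),  5000,  53, 24 },  /* source IP not granted */
        { 2, 17, IPV4(10,0,0,5), IPV4(10,0,0,9),  5000,  53, 24 },  /* queue has no rights */
        { 1, 17, IPV4(10,0,0,5), IPV4(10,0,0,9),  5000,  53, 10 },  /* truncated header    */
    };
    for (unsigned i = 0; i < sizeof t / sizeof t[0]; i++) {
        build_packet(p, t[i].proto, t[i].sip, t[i].dip, t[i].sp, t[i].dp);
        bool ok = nic_transmit(t[i].q, p, t[i].len);
        printf("packet %u on queue %d: %s\n", i, t[i].q, ok ? "transmitted" : "dropped");
        if (ok) sent |= 1u << i;
    }
    return sent;   /* 0x03: only the first two packets reach the wire */
}

int main(void) { return scenario_decisions() == 0x03 ? 0 : 1; }
```

Build with `cc -Wall -o txauth txauth.c && ./txauth`; the program prints one decision per sample packet. The point the scenario makes is the one the abstract states: the user-level stack that filled queue 1 never runs a privileged routine per packet, yet it cannot emit a protocol, port or source address the kernel did not grant that queue, and a queue established without rights (queue 2) cannot transmit at all. Because ANY is encoded as 0, protocol 0 and port 0 cannot be matched literally in this model; a production design would need a separate wildcard flag.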