[특허]Packet validation in virtual network interface architecture

Packet validation in virtual network interface architecture 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-015/16
출원번호	US-0612078 (2009-11-04)
등록번호	US-8380882 (2013-02-19)
발명자 / 주소	Pope, Steve L. Riddoch, David J. Yu, Ching Roberts, Derek
출원인 / 주소	Solarflare Communications, Inc.
인용정보	피인용 횟수 : 1 인용 특허 : 81

초록 ▼

Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.

대표청구항 ▼

1. A method for interfacing a computing device with a network interface device, for use with a network, comprising the steps of: a first sending process of the computing device initiating establishment of a first transmit queue;a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process,the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic;the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network;the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device on a per-transmit queue basis; andthe network interface device transmitting the first data packet onto the network only if the first determination is positive. 2. A method according to claim 1, wherein the first characteristic comprises a particular network transport protocol, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets using the particular network transport protocol. 3. A method according to claim 1, wherein the first characteristic comprises a particular source IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP port number. 4. A method according to claim 1, wherein the first characteristic comprises a particular destination IP port number, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular destination IP port number. 5. A method according to claim 1, wherein the first characteristic comprises a particular source IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular source IP address. 6. A method according to claim 1, wherein the first characteristic comprises a particular destination IP address, and wherein the step of the network interface device making a first determination comprises the step of the network interface device determining whether the first sending process is authorized to transmit data packets having the particular destination IP address. 7. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue. 8. A method according to claim 1, further comprising the step of the first sending process notifying the network interface device, without invoking any privileged mode routines, of the availability of the first data packet in the first transmit queue. 9. A method according to claim 1, wherein the first sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the first sending process initiating establishment of a first transmit queue, programming authorization rights for the first transmit queue into a database accessible to the network interface device,and wherein the step of the network interface device making a first determination comprises the step of the network interface device examining the authorization rights for the first transmit queue in the database. 10. A method according to claim 1, further comprising the steps of: a second sending process initiating establishment of a second transmit queue;a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, establishing the second transmit queue in a virtual address space of the second sending process;the second sending process enqueueing a second data packet onto the second transmit queue for transmission onto the network, the second data packet having a second characteristic;the network interface device receiving at least part of the second data packet from the second transmit queue;the network interface device making a second determination of whether the second sending process has authority to transmit data packets having the second characteristic onto the network; andthe network interface device transmitting the second data packet onto the network only if the second determination is positive. 11. A method according to claim 10, wherein the second sending process is a user level process, further comprising the step of a privileged mode process, in response to the step of the second sending process initiating establishment of a second transmit queue, programming authorization rights for the second transmit queue into the database accessible to the network interface device, and wherein the step of the network interface device making a second determination comprises the step of the network interface device examining the authorization rights for the second transmit queue in the database. 12. A method according to claim 1, wherein the step of the network interface device receiving at least part of the first data packet comprises the step of the network interface device retrieving at least part of the first data packet from the first transmit queue, further comprising the step of aborting retrieval of the first data packet if the first determination is negative. 13. A system comprising: a computing device; andnetwork interface device in communication with the computing device via a physical bus, wherein the computing device is configured such that: in response to a first sending process of the computing device initiating establishment of a first transmit queue, a privileged mode process of the computing device establishes the first transmit queue in a virtual address space of the first sending process,and in response to the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto a network, the first data packet having a first characteristic, the network interface device receives at least part of the first data packet without involvement of any privileged mode routines of the computing device;and wherein the network interface device is configured to make a first determination as to whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device on a per-transmit queue basis, and to transmit the first data packet onto the network only if the first determination is positive.

이 특허에 인용된 특허 (81)

Rephaeli, Shai; Waldman, Eyal Moshe; Eyal, Zvika; Margolin, Ilya, Adapter for pluggable module.
상세보기
Hudson, Charles L.; Modi, Prashant; Cripe, Daniel Nathan, Aggregation of hybrid network resources operable to support both offloaded and non-offloaded connections.
상세보기
Modi,Prashant; Biswas,Amitabha; Yip,Yiu; Sayon,Doris; Hampton,Kathryn; Khalili,Mehrdad; Teisberg,Robert R.; Cripe,Daniel N.; Hudson,Charles L., Aggregation of network resources providing offloaded connections between applications over a network.
상세보기
Teisberg, Robert R.; Cripe, Daniel N.; Hudson, Charles L., Aggregation over multiple processing nodes of network resources each providing offloaded connections between applications over a network.
상세보기
Bennett Toby D. ; Davis Donald J. ; Harris Jonathan C. ; Miller Ian D., Apparatus and method for constructing data for transmission within a reliable communication protocol by performing portions of the protocol suite concurrently.
상세보기
Chmielecki ; Jr. Stanley ; Itkowsky ; Jr. Frank A. ; Koning G. Paul ; Washbaugh Douglas M. ; Ramakrishnan Kadangode K., Apparatus and method for controlling interrupts to a host during data transfer between the host and an adapter.
상세보기
Barron,Dwight L; Hilland,Jeffrey R., Atomic operations.
상세보기
Kagan, Michael; Webman, Alon; Bukspan, Ido; Koren, Benny; Chapman, Hillel; Shachar, Ariel, Auto-negotiation by nodes on an infiniband fabric.
상세보기
Crosswy Wm. Caldwell (Spring TX) Barron Dwight L. (Houston TX) Abmayr David W. (Spring TX) Rosenblum Harvey M. (Spring TX) Burckhartt David M. (Houston TX), Automatic development of operating system boot image.
상세보기
Garcia,David J.; Hilland,Jeffrey R.; Culley,Paul R.; Barron,Dwight L.; Krause,Michael R., Binding a memory window to a queue pair.
상세보기
McMahan, Larry N.; Gostin, Gary Belgrave; Cowan, Joe P.; Krause, Michael R., Communication among partitioned devices.
상세보기
Krause Michael D, Computer file content preview window.
상세보기
Osborne Randy B., Computer network interface and network protocol with direct deposit messaging.
상세보기
Smelloy, Yossi; Eckhouse, Ronen; Frost, Eyal, Current-triggered low turn-on voltage SCR.
상세보기
Kagan, Michael; Shahar, Ariel; Crupnicoff, Diego, DMA doorbell.
상세보기
Barron,Dwight L.; Olarig,Sompong P., Data redundancy in a hot pluggable, large symmetric multi-processor system.
상세보기
Fiedler,Alan, Delay-locked loop.
상세보기
Oved, Tzah, Device, system and method of UDP communication.
상세보기
Oved, Tzah, Device, system and method of multicast communication.
상세보기
Haviv, Yaron, Device, system, and method of accessing storage.
상세보기
Oved, Tzah, Device, system, and method of publishing information to multiple subscribers.
상세보기
Cripe, Daniel N.; Kasperson, David; Hudson, Charles L., Electronic device profile migration.
상세보기
Calo Seraphin B. (Peekskill NY) Kannan Krishnamurthi (Yorktown Heights NY) Soo Suk S. (Mount Kisco NY) Burket Thomas G. (Pleasantville NY) Wiley ; Jr. John W. (Yorktown Heights NY), Electronic system for accessing graphical and textual information.
상세보기
Haviv,Yaron; Corem,Guy, Filtered application-to-application communication.
상세보기
Michael Kagan IL; Freddy Gabbay IL; Alon Webman IL; Diego Crupnicoff IL, Forwarding database cache.
상세보기
McAlpine Gary Lester ; Regnier Greg John, Hierarchical interrupt structure for event notification on multi-virtual circuit network interface controller.
상세보기
Delaney David M. (Ottawa CAX), High performance two-port transport LAN bridge.
상세보기
Fiedler, Alan, High-speed data sampler with input threshold adjustment.
상세보기
Krause, Michael R.; Scott, Kimberly K.; Worley, Fred B., Highly available, monotonic increasing sequence number generation.
상세보기
Fiedler, Alan, Input threshold adjustment in a synchronous data sampling circuit.
상세보기
Chadalapaka, Mallikarjun; Barron, Dwight L.; Culley, Paul R.; Hilland, Jeffrey R.; Wendt, James G., Method and apparatus for accessing a memory.
상세보기
Dwight L. Barron ; Michael F. Angelo, Method and apparatus for cluster system operation.
상세보기
Hilland, Jeffrey R.; Chadalapaka, Mallikarjun; Krause, Michael R.; Culley, Paul R.; Garcia, David J., Method and apparatus for implementing work request lists.
상세보기
Koenen David J., Method and apparatus for maintaining cache coherency in a computer system having multiple processor buses.
상세보기
Koenen,David J., Method and apparatus for optimizing performance in a multi-processing system.
상세보기
Modi, Prashant; Biswas, Ambitabha; Hampton, Kathryn; Yip, Yiu; Barron, Dwight L.; Hilland, Jeffrey R., Method and apparatus for performing connection management with multiple stacks.
상세보기
Sarkinen, Scott A.; Sarkinen, Gregg T.; Trivedi, Hemant Vrajlal, Method and apparatus for providing multi-protocol, multi-stage, real-time frame classification.
상세보기
Krause,Michael R.; Hilland,Jeffrey R., Method and apparatus for providing notification via multiple completion queue handlers.
상세보기
Olarig, Sompong Paul; Koenen, David J.; Heng, Chai S., Method and apparatus for supporting heterogeneous memory in computer systems.
상세보기
David J. Koenen, Method and apparatus for tooless mating of liquid cooled cold plate with tapered interposer heat sink.
상세보기
Hanes,David H; Bayless,Stephen F; Krause,Michael D, Method for transferring and indexing data from old media to new media.
상세보기
Kagan, Michael; Koren, Benny; Goldenberg, Dror; Shainer, Gilad; Bloch, Gil; Shachar, Ariel; Turbovich, Ophir; Borer, Dror; Crupnicoff, Diego, Method, system and protocol that enable unrestricted user-level access to a network interface adapter.
상세보기
Koenen David J. (Houston TX), Microprocessor heat dissipation apparatus for a printed circuit board.
상세보기
Fiedler, Alan, Mixer-based phase control.
상세보기
Shachar, Ariel, Modulo remainder generator.
상세보기
Sarkinen,Scott A.; Davidson,Scott A., Multi-service queuing method and apparatus that provides exhaustive arbitration, load balancing, and support for rapid port failover.
상세보기
Kagan, Michael; Bloch, Gil; Crupnicoff, Diego A.; Schnitman, Margarita; Levenvirth, Dafna, Multiple queue pair access with a single doorbell.
상세보기
Kagan, Michael; Crupnicoff, Diego; Shainer, Gilad; Shahar, Ariel, Network adapter with shared database for message context information.
상세보기
Sharma,Viswa, Network architecture and system for delivering bi-directional xDSL based services.
상세보기
Recio,Renato J.; Cowan,Joe P.; Barron,Dwight L.; Pfister,Gregory F.; Bradley,Mark W., Partitioning in distributed computer system.
상세보기
Koenen David J. ; Jansen Kenneth A., Pivotable support and heat sink apparatus removably connectable without tools to a computer processor.
상세보기
Goldenberg, Dror; Rond, Eyal; Ben David, Tomer, Prefetching of receive queue descriptors.
상세보기
Sarkinen,Scott A.; Davidson,Scott A., Programmable multi-service queue scheduler.
상세보기
Koenen, David J., Progressive CPU sleep state duty cycle to limit peak power of multiple computers on shared power distribution unit.
상세보기
Krause, Michael R., Queue pair partitioning in distributed computer system.
상세보기
Krause, Michael R.; Worley, Fred B.; Iyer, Shankar G., Reliable datagram via independent source destination resources.
상세보기
Stoler,Gil; Crupnicoff,Diego, Round-robin arbiter with low jitter.
상세보기
Pham, Duc; Nguyen, Tien Le; Zhang, Pu Paul; Lo, Mingchen, Secure network file access controller implementing access control and auditing.
상세보기
Green Michael W. ; Jensen Andrew W., Secure server utilizing separate protocol stacks.
상세보기
Leader, Yuval; Shmueli, Zvi; Ben-Nun, Boaz; Eliyahu, Yuval; Zahavi, Eitan, Self-repair of embedded memory arrays.
상세보기
Goldenberg,Dror; Bloch,Gil; Stoler,Gil; Crupnicoff,Diego; Kagan,Michael, Sharing a network interface card among multiple hosts.
상세보기
Sharma, Viswa N.; Ketchum, Breton A., Shelf management controller with hardware/software implemented dual redundant configuration.
상세보기
Harel, Alon, Spanning tree root selection in a hierarchical network.
상세보기
Scheifler, Robert W.; Gong, Li, Stack-based access control using code and executor identifiers.
상세보기
Ishijima Yoshihiro ; Krause Michael, Streams function registering.
상세보기
Kagan, Michael; Crupnicoff, Diego; Gabbay, Freddy; Rottenberg, Shimon, Synchronization of interrupts with data packets.
상세보기
Lucovsky, Jeffrey A., System and method for a process attribute based computer network filter.
상세보기
Jacobson,Van; Felderman,Bob; Cobbs,Archibald L; Eberhard,Martin, System and method for allocatiing communications to processors and rescheduling processes in a multiprocessor system.
상세보기
Jacobson,Van; Felderman,Bob; Cobbs,Archibald L; Eberhard,Martin, System and method for allocating communications to processors in a multiprocessor system.
상세보기
Jacobson,Van; Poduri,Kedar, System and method for establishing a secure connection.
상세보기
Santiago, Rodolfo A.; Sarkinen, Scott A., System and method for hierarchical policing of flows and subflows of a data stream.
상세보기
Haviv,Yaron, System and method for highly scalable high-speed content-based filtering and load balancing in interconnected fabrics.
상세보기
Buskirk, Glenn A.; Santiago, Rodolfo A., System and method for policing multiple data flows and multi-protocol data flows.
상세보기
Eberhard,Martin; Felderman,Bob; Jacobson,Van, System and method for providing communications to processes.
상세보기
Steffens, Ricky A; Wilkins, Tomas G; Ashbaugh, Daniel B; Krause, Michael D, System and method for retrieving an abstracted portion of a file without regard to the operating system of the current host computer.
상세보기
Carmeli, Haim Baruch, System and method for securing a computer communication network.
상세보기
Futral William T. ; Regnier Greg J. ; Amway ; III Stanley S., System for transferring I/O data between an I/O device and an application program's memory in accordance with a request directly over a virtual connection.
상세보기
Gonen Fink IL; Amir Harush IL, System, device and method for rapid packet filtering and processing.
상세보기
Merritt, Anne Marie; Swortwood, William H., Tunneling management messages over a channel architecture network.
상세보기
Macchiano,Angelo; Musselwhite,Dennis; Tarcza,Richard; White,W. Romney, Virtual machine operating system LAN.
상세보기
Yu Kin C. (Burlington MA), Virtual network mechanism to access well known port application programs running on a single host system.
상세보기

이 특허를 인용한 특허 (1)

Pope, Steve L.; Riddoch, David J.; Yu, Ching; Roberts, Derek, Packet validation in virtual network interface architecture.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Packet validation in virtual network interface architecture 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (81)

이 특허를 인용한 특허 (1)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Packet validation in virtual network interface architecture 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (81)

이 특허를 인용한 특허 (1)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트