Packet validation in virtual network interface architecture
IPC classification information
Country / Type
United States(US) Patent
Registered
International Patent Classification (IPC 7th edition)
G06F-015/16
H04L-029/06
H04L-012/861
H04L-012/879
H04L-012/863
Application number
US-0765579
(2013-02-12)
Registration number
US-9912665
(2018-03-06)
Inventors / Address
Pope, Steve L.
Riddoch, David J.
Yu, Ching
Roberts, Derek
Applicant / Address
Solarflare Communications, Inc.
Agent / Address
Wolf, Greenfield & Sacks, P.C.
Citation information
Times cited :
Cited patents : 88
Abstract
Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.
Representative claims
1. A method comprising: establishing, by a privileged mode process, a first virtual address space resource for a first user-level process to bypass subsequent kernel routines; programming, by the privileged mode process, first authorizations into a network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network; subsequently enqueueing a first data packet in the first virtual address space resource by the first user-level process, without involving the privileged mode process by bypassing kernel routines; and subsequently determining, by the network interface device and without involving the privileged mode process, whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so, transmitting, by the network interface device and without involving the privileged mode process, said first data packet onto the network.
2. A method according to claim 1, wherein one of the one or more particular first characteristics comprises at least one characteristic selected from: a particular network transport protocol, a particular source IP port number, a particular destination IP port number, a particular source IP address, and a particular destination IP address; and wherein determining comprises determining, by the network interface device, whether the first user-level process is authorized to transmit data packets using the particular network transport protocol, having the particular source IP port number, having the particular destination IP port number, having the particular source IP address, or having the particular destination IP address, respectively.
3. A method according to claim 1, further comprising retrieving, by the network interface device and without involving the privileged mode process, at least part of the first data packet from the first virtual address space resource.
4. A method according to claim 3, further comprising aborting, by the network interface device and without involving the privileged mode process, retrieval of the first data packet if the first data packet is determined not to have any of the one or more first particular characteristics indicated in the first authorizations.
5. A method according to claim 1, further comprising notifying, by the first user-level process, the network interface device of the availability of the first data packet in the first virtual address space resource, without invoking any privileged mode routines.
6. A method according to claim 1, wherein programming comprises programming, by the privileged mode process, authorization rights for the first virtual address space resource into a database accessible to the network interface device, in response to the establishment of the first virtual address space resource, and wherein determining comprises examining, by the network interface device, the authorization rights for the virtual address space resource in the database.
7. A method according to claim 1, further comprising: establishing, by the privileged mode process, a second virtual address space resource for a second user-level process; programming, by the privileged mode process, second authorizations into the network interface device indicating one or more second particular characteristics of data packets the second user-level process is authorized to transmit via the network interface device onto the network; subsequently enqueueing a second data packet in the second virtual address space resource by the second user-level process, without involving the privileged mode process; and subsequently determining, by the network interface device and without involving the privileged mode process, whether said second data packet has any of the one or more second particular characteristics indicated in the second authorizations, and only if so transmitting, by the network interface device and without involving the privileged mode process, said second data packet onto the network.
8. A system comprising: a data processing system comprising a first user-level level process and a privileged mode process; and a network interface device; wherein: the privileged mode process is arranged to: establish a first virtual address space resource for the first user-level process; and program first authorizations into the network interface device indicating one or more first particular characteristics of data packets the first user-level process is authorized to transmit via the network interface device onto a network; the first user-level process is arranged to subsequently enqueue a first data packet in the first virtual address space resource, without involving the privileged mode process; and the network interface device is arranged to, without involving the privileged mode process, subsequently determine whether said first data packet has any of the one or more first particular characteristics indicated in the first authorizations, and only if so transmit said first data packet onto the network without involving the privileged mode process.
9. A system according to claim 8, wherein one of the one or more particular first characteristics comprises a characteristic selected from: a particular network transport protocol, a particular source IP port number, a particular destination IP port number, a particular source IP address, and a particular destination IP address; and wherein the network interface device is further arranged to determine whether the first user-level process is authorized to transmit data packets using the particular network transport protocol, having the particular source IP port number, having the particular destination IP port number, having the particular source IP address, or having the particular destination IP address, respectively.
10. A system according to claim 8, wherein the network interface device is further arranged to retrieve at least part of the first data packet from the first virtual address space resource.
11. A system according to claim 10, wherein the network interface device is further arranged to abort retrieval of the first data packet if the first data packet is determined not to have any of the one or more first particular characteristics indicated in the first authorizations.
12. A system according to claim 8, wherein the first user-level process is further arranged to notify the network interface device of the availability of the first data packet in the first virtual address space resource, without invoking any privileged mode routines.
13. A system according to claim 8, wherein the privileged mode process is further arranged to, once it has established the first virtual address space resource, program authorization rights for the first virtual address space resource into a database accessible to the network interface device, and wherein the network interface device is further arranged to examine the authorization rights for the virtual address space resource in the database.
14. A system according to claim 8, wherein: the data processing system further comprises a second user-level level process; the privileged mode process is further arranged to: establish a second virtual address space resource for the second user-level process; and program second authorizations into the network interface device indicating one or more second particular characteristics of data packets the second user-level process is authorized to transmit via the network interface device onto the network; the second user-level process is arranged to subsequently enqueue a second data packet in the second virtual address space resource, without involving the privileged mode process; and the network interface device is further arranged to, without involving the privileged mode process, subsequently determine whether said second data packet has any of the one or more second particular characteristics indicated in the second authorizations, and only if so transmit said second data packet onto the network without involving the privileged mode process.
15. A method for interfacing a computing device with a network interface device, for use with a network, comprising: a sending process of the computing device requesting establishment of a virtual memory resource for data packet transmission; a privileged mode process, in response to the sending process requesting establishment of the virtual memory resource, establishing the virtual memory resource in a virtual address space of the sending process; programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network; the sending process adding a data packet to the virtual memory resource, without involvement of any privileged mode routines, the data packet having at least one particular characteristic; the network interface device receiving at least part of the data packet from the virtual memory resource for transmission onto the network; the network interface device making a determination of whether the sending process has authority to transmit said data packet onto the network, in dependence upon at least one of said at least one characteristics; and the network interface device transmitting the data packet onto the network only if the determination is positive.
16. A method according to claim 15: wherein programming, by the privileged mode process, first authorizations into the network interface device, comprises programming, by the privileged mode process, authorization rights for the virtual memory resource into a database accessible to the network interface device, in response to the establishment of the virtual memory resource, and wherein the network interface device makes said determination by examining the authorization rights for the virtual memory resource in the database.
17. A system comprising: a computing device comprising a privileged mode process and a sending process; a network interface device; and a network; wherein: the sending process is arranged to request establishment of a virtual memory resource for data packet transmission; the privileged mode process is arranged to, in response to the sending process requesting establishment of the virtual memory resource, establish the virtual memory resource in a virtual address space of the sending process; and program first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network; the sending process is arranged to add a data packet to the virtual memory resource, without involvement of any privileged mode routines, the data packet having at least one particular characteristic; and the network interface device is arranged to: receive at least part of the data packet from the virtual memory resource for transmission onto the network; make a determination of whether the sending process has authority to transmit said data packet onto the network, in dependence upon at least one of said at least one characteristics; and transmit the data packet onto the network only if the determination is positive.
18. A system according to claim 17, wherein: programming first authorizations into the network interface device by the privileged mode process further comprises programming, by the privileged mode process, authorization rights for the virtual memory resource into a database accessible to the network interface device, in response to the establishment of the virtual memory resource, and wherein the network interface device is arranged to make said determination by examining the authorization rights for the virtual memory resource in the database.
19. A method for interfacing a computing device with a network interface device, for use with a network, comprising: a first sending process of the computing device initiating establishment of a first transmit queue; a privileged mode process, in response to the first sending process initiating establishment of a first transmit queue, establishing the first transmit queue in a virtual address space of the first sending process; and programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network; the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto the network, without involvement of any privileged mode routines, the first data packet having a first characteristic; the network interface device receiving at least part of the first data packet from the first transmit queue for transmission onto the network; the network interface device making a first determination of whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device; and the network interface device transmitting the first data packet onto the network only if the first determination is positive.
20. A system comprising: a computing device; and a network interface device in communication with the computing device via a physical bus, wherein the computing device is configured such that: in response to a first sending process of the computing device initiating establishment of a first transmit queue, a privileged mode process of the computing device establishes the first transmit queue in a virtual address space of the first sending process; and programming, by the privileged mode process, first authorizations into the network interface device indicating one or more first particular characteristics of data packets that the sending process is authorized to transmit via the network interface device onto the network; in response to the first sending process enqueueing a first data packet onto the first transmit queue for transmission onto a network, the first data packet having a first characteristic, the network interface device receives at least part of the first data packet without involvement of any privileged mode routines of the computing device; and wherein the network interface device is configured to make a first determination as to whether the first sending process has authority to transmit data packets having the first characteristic onto the network, in dependence upon whether the first transmit queue has such authority according to authorization rights maintained on the network interface device, and to transmit the first data packet onto the network only if the first determination is positive.
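The mechanism the abstract and claims describe, as an added software model (this is illustrative code written for this page, not the patent's or Solarflare's implementation): a privileged routine establishes a transmit queue and programs the NIC's authorization database with the packet characteristics that queue may send (transport protocol, source/destination IP, source/destination port, any of which may be left as a wildcard); the user-level stack then enqueues raw IPv4 frames with no kernel involvement, and the NIC parses only the headers, consults the database for that queue, and either fetches the rest and transmits or aborts retrieval. The policy that an unprivileged queue may send only from the host's own address and its bound (protocol, port) pairs, and all class names, addresses and ports, are assumptions made for the example.

```python
"""Toy model of NIC-enforced transmit authorization (example, not Solarflare code).
A privileged routine programs the NIC with the characteristics each transmit queue
may send; the user-level stack enqueues raw IPv4 frames with no kernel call, and
the NIC parses each header and forwards only packets an authorization permits.
All addresses, ports and names below are constructed for the example."""
import socket
import struct
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17
PacketHeader = namedtuple("PacketHeader", "protocol src_ip dst_ip src_port dst_port")


@dataclass(frozen=True)
class Authorization:
    """One authorized characteristic set; a None field matches any value."""
    protocol: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def permits(self, hdr):
        pairs = ((self.protocol, hdr.protocol), (self.src_ip, hdr.src_ip),
                 (self.dst_ip, hdr.dst_ip), (self.src_port, hdr.src_port),
                 (self.dst_port, hdr.dst_port))
        return all(want is None or want == got for want, got in pairs)


def parse_header(pkt):
    """Parse the IPv4 header and, for TCP/UDP, the two port fields."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ver_ihl, proto, src, dst = fields[0], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    src_port = dst_port = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(pkt) < ihl + 4:
            raise ValueError("truncated transport header")
        src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return PacketHeader(proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), src_port, dst_port)


def build_packet(proto, src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Minimal IPv4 + TCP/UDP frame for the demo (checksums left at zero)."""
    l4 = struct.pack("!HH", src_port, dst_port) + bytes(4 if proto == IPPROTO_UDP else 16) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + l4


class NIC:
    def __init__(self):
        self.auth_db = {}    # queue id -> tuple of Authorization
        self.wire = []       # packets that reached the network
        self.dropped = []    # (queue id, reason)

    def program_authorizations(self, queue_id, auths):
        self.auth_db[queue_id] = tuple(auths)   # reachable only from privileged mode

    def transmit(self, queue_id, queue):
        """Drain one transmit queue; return how many packets were sent."""
        sent = 0
        while queue:
            pkt = queue.pop(0)
            try:
                hdr = parse_header(pkt[:60])    # fetch only the headers first
            except ValueError as exc:
                self.dropped.append((queue_id, f"unparseable: {exc}"))
                continue
            if any(a.permits(hdr) for a in self.auth_db.get(queue_id, ())):
                self.wire.append(pkt)           # fetch the rest and transmit
                sent += 1
            else:                               # abort retrieval; nothing is sent
                self.dropped.append((queue_id, f"unauthorized: {hdr}"))
        return sent


def establish_transmit_queue(nic, queue_id, host_ip, privileged, bound_ports=()):
    """Privileged-mode step: derive the queue's authorizations from its owner's
    privilege and the (protocol, port) pairs it has bound, then program the NIC."""
    if privileged:
        auths = [Authorization()]               # trusted stack: any packet
    else:                                       # untrusted stack: own IP and bound ports only
        auths = [Authorization(protocol=p, src_ip=host_ip, src_port=port) for p, port in bound_ports]
    nic.program_authorizations(queue_id, auths)
    return queue_id


def run_demo():
    nic, host = NIC(), "10.0.0.5"               # constructed host address
    q_user = establish_transmit_queue(nic, 1, host, privileged=False, bound_ports=[(IPPROTO_UDP, 5000)])
    sent_user = nic.transmit(q_user, [
        build_packet(IPPROTO_UDP, host, "10.0.0.9", 5000, 53),         # allowed
        build_packet(IPPROTO_UDP, "10.0.0.77", "10.0.0.9", 5000, 53),  # forged source IP
        build_packet(IPPROTO_UDP, host, "10.0.0.9", 5001, 53),         # port not bound
        build_packet(IPPROTO_TCP, host, "10.0.0.9", 5000, 80),         # protocol not bound
        b"\x45\x00\x00",                                               # truncated header
    ])
    q_priv = establish_transmit_queue(nic, 2, host, privileged=True)
    sent_priv = nic.transmit(q_priv, [build_packet(IPPROTO_TCP, host, "10.0.0.9", 40000, 443)])
    return sent_user, sent_priv, [reason.split(":")[0] for _, reason in nic.dropped]
```

Running `run_demo()` sends one of the five packets from the unprivileged queue and drops the rest, including the one carrying a source address the queue does not own, while the privileged queue's packet passes unconditionally. The check is entirely on the NIC side of the trust boundary: a compromised or buggy user-level stack can put anything it likes into its queue, but the only characteristics that reach the wire are those the kernel programmed at queue establishment, which is the point the abstract makes about protecting the rest of the system and network.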
Cited patents
Hudson, Charles L.; Modi, Prashant; Cripe, Daniel Nathan, Aggregation of hybrid network resources operable to support both offloaded and non-offloaded connections.
Teisberg, Robert R.; Cripe, Daniel N.; Hudson, Charles L., Aggregation over multiple processing nodes of network resources each providing offloaded connections between applications over a network.
Bennett, Toby D.; Davis, Donald J.; Harris, Jonathan C.; Miller, Ian D., Apparatus and method for constructing data for transmission within a reliable communication protocol by performing portions of the protocol suite concurrently.
Chmielecki, Jr., Stanley; Itkowsky, Jr., Frank A.; Koning, G. Paul; Washbaugh, Douglas M.; Ramakrishnan, Kadangode K., Apparatus and method for controlling interrupts to a host during data transfer between the host and an adapter.
Crosswy, Wm. Caldwell (Spring, TX); Barron, Dwight L. (Houston, TX); Abmayr, David W. (Spring, TX); Rosenblum, Harvey M. (Spring, TX); Burckhartt, David M. (Houston, TX), Automatic development of operating system boot image.
Calo, Seraphin B. (Peekskill, NY); Kannan, Krishnamurthi (Yorktown Heights, NY); Soo, Suk S. (Mount Kisco, NY); Burket, Thomas G. (Pleasantville, NY); Wiley, Jr., John W. (Yorktown Heights, NY), Electronic system for accessing graphical and textual information.
Hilland, Jeffrey R.; Chadalapaka, Mallikarjun; Krause, Michael R.; Culley, Paul R.; Garcia, David J., Method and apparatus for implementing work request lists.
Indeck, Ronald S.; Indeck, David Mark, Method and system for high performance integration, processing and searching of structured and unstructured data using coprocessors.
Sarkinen, Scott A.; Davidson, Scott A., Multi-service queuing method and apparatus that provides exhaustive arbitration, load balancing, and support for rapid port failover.
Jacobson, Van; Felderman, Bob; Cobbs, Archibald L.; Eberhard, Martin, System and method for allocating communications to processors and rescheduling processes in a multiprocessor system.
Jacobson, Van; Felderman, Bob; Cobbs, Archibald L.; Eberhard, Martin, System and method for allocating communications to processors in a multiprocessor system.
Steffens, Ricky A.; Wilkins, Tomas G.; Ashbaugh, Daniel B.; Krause, Michael D., System and method for retrieving an abstracted portion of a file without regard to the operating system of the current host computer.
Futral, William T.; Regnier, Greg J.; Amway, III, Stanley S., System for transferring I/O data between an I/O device and an application program's memory in accordance with a request directly over a virtual connection.
Gobriel, Sameh; Wang, Ren; Mann, Eric K.; Maciocco, Christian; Tai, Tsung-Yuan C., Efficient QoS support for software packet processing on general purpose servers.