Abstract:
Techniques for efficient and secure implementation of network policies in a network interface controller (NIC) in a host computing device operating a virtualized computing environment. In some embodiments, the NIC may process and forward packets directly to their destinations, bypassing a parent partition of the host computing device. In particular, in some embodiments, the NIC may store network policy information to process and forward packets directly to a virtual machine (VM). If the NIC is unable to process a packet, then the NIC may forward the packet to the parent partition. In some embodiments, the NIC may use an encapsulation protocol to transmit address information in packet headers. In some embodiments, this address information may be communicated by the NIC to the parent partition via a secure channel. The NIC may also obtain, and decrypt, encrypted addresses from the VMs for routing packets, bypassing the parent partition.
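The abstract describes three outcomes for a received frame: delivered straight to a VM by the NIC's own policy table, punted to the parent partition when the NIC has no policy for it, or dropped. The following simulation is an added illustration written for this page, not code from the patent or any vendor. The encapsulation layout (a 4-byte virtual network id followed by 4-byte inner source and destination addresses), the policy table shape and the names Nic, PolicyEntry and build_frame are all assumptions made for the example; the address-decryption step mentioned in the abstract is not modelled.

```python
"""Simulated NIC receive path: policy lookup on the NIC, punt to the parent partition on a miss.

Frame layout is an assumption made for this example (not any real encapsulation protocol):
  outer header : 4-byte virtual network id (big-endian)
  inner header : 4-byte source address, 4-byte destination address
  payload      : remaining bytes
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

OUTER = struct.Struct("!I")
INNER = struct.Struct("!II")


def build_frame(vnet: int, src: int, dst: int, payload: bytes) -> bytes:
    """Constructed encapsulated frame as a VM or a remote host would put it on the wire."""
    return OUTER.pack(vnet) + INNER.pack(src, dst) + payload


@dataclass
class PolicyEntry:
    vm_queue: int                 # receive queue owned by the destination VM
    allowed_src: FrozenSet[int]   # inner source addresses this VM may receive from


@dataclass
class Nic:
    policy: Dict[Tuple[int, int], PolicyEntry] = field(default_factory=dict)
    vm_queues: Dict[int, List[bytes]] = field(default_factory=dict)
    parent_queue: List[bytes] = field(default_factory=list)   # slow path
    dropped: int = 0

    def program_policy(self, vnet: int, dst: int, entry: PolicyEntry) -> None:
        """Parent partition pushes a (vnet, dst) -> policy entry down to the NIC."""
        self.policy[(vnet, dst)] = entry
        self.vm_queues.setdefault(entry.vm_queue, [])

    def receive(self, frame: bytes) -> str:
        """Return where the frame went: 'vm<N>', 'parent' or 'drop'."""
        if len(frame) < OUTER.size + INNER.size:
            self.dropped += 1            # malformed: not worth the parent partition's time
            return "drop"
        (vnet,) = OUTER.unpack_from(frame, 0)
        src, dst = INNER.unpack_from(frame, OUTER.size)
        entry = self.policy.get((vnet, dst))
        if entry is None:
            # No policy on the NIC for this destination: the NIC cannot decide,
            # so the frame is punted to the parent partition.
            self.parent_queue.append(frame)
            return "parent"
        if src not in entry.allowed_src:
            self.dropped += 1            # policy says this VM may not hear from src
            return "drop"
        self.vm_queues[entry.vm_queue].append(frame)   # fast path, parent bypassed
        return f"vm{entry.vm_queue}"


def demo() -> Dict[str, int]:
    nic = Nic()
    nic.program_policy(10, 0x0A000002,
                       PolicyEntry(vm_queue=1, allowed_src=frozenset({0x0A000001})))
    results = [
        nic.receive(build_frame(10, 0x0A000001, 0x0A000002, b"allowed")),   # vm1
        nic.receive(build_frame(10, 0x0A000001, 0x0A000009, b"unknown")),   # parent
        nic.receive(build_frame(10, 0x0A000099, 0x0A000002, b"spoofed")),   # drop
        nic.receive(b"\x00\x00"),                                           # drop
    ]
    return {"vm1": results.count("vm1"), "parent": results.count("parent"),
            "drop": results.count("drop")}


if __name__ == "__main__":
    print(demo())
```

The security property to check in any real implementation of this pattern is the one the model makes explicit: the only frames that bypass the parent partition are those for which the NIC holds a policy entry that affirmatively allows the inner source; an unknown destination never becomes a silent fast-path delivery, and a malformed or disallowed frame never becomes extra load on the parent partition.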
Abstract:
Embodiments of the invention may improve the performance of multi-processor systems in processing information received via a network. For example, some embodiments may enable configuration of a system such that information received is distributed among multiple processors for efficient processing. A user may select from among multiple configuration options, each configuration option being associated with a particular mode of processing information received. By selecting a configuration option, the user may specify how information received is processed to capitalize on the system's characteristics, such as by aligning processors on the system with certain NICs. As such, the processor(s) aligned with a NIC may perform networking-related tasks associated with information received by that NIC. If initial alignment causes one or more processors to become over-burdened, processing tasks may be dynamically re-distributed to other processors.
Abstract:
Efficiently polling a DMA module to determine if the DMA copying of a packet payload to an application buffer is complete. For communication packets received from a network, a processing module may be configured to poll the DMA module at times when it is likely that the DMA copying of packet payloads is complete. Packets may be received and processed in batches. The polling of the DMA module for a packet belonging to a first batch may be deferred until the processing of a next batch. An exception may occur if a predefined amount of time elapses following the completion of the processing of the first batch before the next batch is received. In response to the predefined amount of time elapsing before the receipt of the next batch, the DMA module may be polled, i.e., prior to the next batch being processed.
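The polling rule in the abstract has two parts: a poll for batch N's completions is issued only when batch N+1 is processed, unless the gap after batch N exceeds a deadline, in which case a timer polls early. The simulation below is an added illustration for this page, not code from the patent. The DMA model (a copy completes a fixed latency after issue), the class names DmaEngine and BatchReceiver, and the times used in simulate() are assumptions constructed for the example.

```python
"""Deferred DMA completion polling.

Model (constructed for the example): a descriptor's copy finishes `latency` time units after
it is issued. The receiver polls for batch N's completions while processing batch N+1; if no
next batch arrives within `deadline` after batch N was processed, a timer polls early.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DmaEngine:
    latency: float
    in_flight: Dict[int, float] = field(default_factory=dict)   # descriptor -> issue time
    polls: int = 0

    def issue(self, desc: int, now: float) -> None:
        self.in_flight[desc] = now

    def poll(self, now: float) -> List[int]:
        """Retire and return descriptors whose copy has finished by `now`."""
        self.polls += 1
        done = [d for d, t in self.in_flight.items() if now - t >= self.latency]
        for d in done:
            del self.in_flight[d]
        return done


class BatchReceiver:
    def __init__(self, dma: DmaEngine, deadline: float, batch_cost: float = 1.0) -> None:
        self.dma = dma
        self.deadline = deadline
        self.batch_cost = batch_cost            # assumed processing time per batch
        self.poll_pending = False               # copies issued but not yet polled for
        self.last_batch_done: Optional[float] = None
        self.completed_at: Dict[int, float] = {}

    def _poll(self, now: float) -> None:
        for d in self.dma.poll(now):
            self.completed_at[d] = now
        # If some copies are still in flight, keep the timer armed so they are not stranded
        # if no further batch ever arrives.
        self.poll_pending = bool(self.dma.in_flight)
        self.last_batch_done = now

    def process_batch(self, now: float, descs: List[int]) -> None:
        if self.poll_pending:
            self._poll(now)                     # deferred poll for the previous batch
        for d in descs:
            self.dma.issue(d, now)
        self.poll_pending = True
        self.last_batch_done = now + self.batch_cost

    def tick(self, now: float) -> None:
        """Timer path: poll now if the next batch is overdue."""
        if self.poll_pending and now - self.last_batch_done >= self.deadline:
            self._poll(now)


def simulate(use_timer: bool) -> Tuple[Dict[int, float], int]:
    """Return (descriptor -> time its completion was observed, number of polls issued)."""
    dma = DmaEngine(latency=2.0)
    rx = BatchReceiver(dma, deadline=5.0)
    rx.process_batch(0.0, [1, 2])
    rx.process_batch(3.0, [3, 4])               # the poll for 1 and 2 happens here
    for t in range(4, 20):                      # quiet period, no traffic
        if use_timer:
            rx.tick(float(t))
    rx.process_batch(20.0, [5])                 # without the timer, 3 and 4 wait until here
    return dict(rx.completed_at), dma.polls


if __name__ == "__main__":
    print("with timer   :", simulate(True))
    print("without timer:", simulate(False))
```

Both runs issue the same number of polls; the difference is that without the timer path the completions for batch [3, 4] are not observed until the next batch arrives at t=20, which is the latency the deadline exists to bound.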
Abstract:
A network interface that provides improved processing of received packets in a networked computer by classifying packets as they are received. Further, both the characteristics used by the network interface to classify packets and the processing performed on those packets once classified may be programmed. The network interface contains multiple receive queues and one type of processing that may be performed is assigning packets to queues based on classification. A network stack within an operating system of the networked computer can route packets classified by the network interface to application level destinations with reduced processing. Additionally, the priority with which packets of certain classifications are processed may be used to allocate processing power to certain types of packets. As a specific example, a computer subjected to a particular type of denial of service attack sometimes called a “SYN attack” may lower the priority of processing SYN packets to reduce the effect of such an attack.
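The SYN-attack sentence in the abstract is the concrete case worth seeing end to end: packets are classified by programmable rules into one of several receive queues, and the priority given to a queue decides how much host processing a class of packets can consume. The model below is an added illustration for this page, not the patent's or any driver's code. The rule format, the weighted round-robin drain, the queue numbers and the names Classifier, Rule and simulate_syn_flood are assumptions made for the example, and all packets are constructed.

```python
"""Programmable receive classifier with per-queue weights.

Rules (first match wins) map header fields to a receive queue; the host drains the queues
with weighted round robin, so lowering a queue's weight lowers the priority of the packets
classified into it. All packet values below are constructed for the example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

TCP_SYN = 0x02
TCP_ACK = 0x10

DEFAULT_Q, ESTABLISHED_Q, SYN_Q = 0, 1, 2


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    dport: int
    flags: int = 0      # TCP flag bits, 0 for non-TCP


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    queue: int


class Classifier:
    def __init__(self, weights: Dict[int, int]):
        self.rules: List[Rule] = []
        self.weights = dict(weights)                       # packets per queue per round
        self.queues: Dict[int, Deque[Packet]] = {q: deque() for q in weights}

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def set_weight(self, queue: int, weight: int) -> None:
        self.weights[queue] = weight                       # e.g. lower SYN_Q under attack

    def classify(self, pkt: Packet) -> int:
        for rule in self.rules:                            # ordered match, like a TCAM
            if rule.match(pkt):
                self.queues[rule.queue].append(pkt)
                return rule.queue
        self.queues[DEFAULT_Q].append(pkt)
        return DEFAULT_Q

    def drain(self, budget: int) -> List[Packet]:
        """Hand up to `budget` packets to the stack, `weight` per queue per round."""
        out: List[Packet] = []
        while len(out) < budget:
            progressed = False
            for q, weight in self.weights.items():
                for _ in range(weight):
                    if self.queues[q] and len(out) < budget:
                        out.append(self.queues[q].popleft())
                        progressed = True
            if not progressed:                             # every queue empty
                break
        return out


def is_syn(p: Packet) -> bool:
    return p.proto == "tcp" and bool(p.flags & TCP_SYN) and not (p.flags & TCP_ACK)


def simulate_syn_flood(classify: bool, syn_count: int = 1000, budget: int = 30) -> Tuple[int, int]:
    """Return (established-flow packets delivered, SYN packets delivered) within one budget."""
    c = Classifier({DEFAULT_Q: 2, ESTABLISHED_Q: 8, SYN_Q: 1})
    if classify:
        c.add_rule(Rule("tcp-syn", is_syn, SYN_Q))
        c.add_rule(Rule("tcp-established", lambda p: p.proto == "tcp", ESTABLISHED_Q))
    for _ in range(syn_count):                             # the flood arrives first
        c.classify(Packet("tcp", 443, TCP_SYN))
    for _ in range(10):                                    # then ten legitimate data segments
        c.classify(Packet("tcp", 443, TCP_ACK))
    delivered = c.drain(budget)
    est = sum(1 for p in delivered if p.flags & TCP_ACK)
    return est, len(delivered) - est


if __name__ == "__main__":
    print("no classification:", simulate_syn_flood(False))
    print("SYN deprioritised :", simulate_syn_flood(True))
```

With a single FIFO queue the thousand SYNs that arrived first consume the whole budget and no established-flow packet is processed; with the SYN class on its own low-weight queue all ten data segments are delivered in the first two rounds while the flood is serviced one packet per round. The classifier only reorders work, it does not validate it: a rule keyed on flags alone will also catch legitimate SYNs, which is why the abstract frames this as lowering priority rather than dropping.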
Abstract:
A networked computer with a network interface device to which the network stack can offload a subset of the functions needed to process received data packets. The network interface device can receive a map between connections and application buffers. Upon receipt of a data packet through a connection, the network interface device may use the map to identify an application buffer and transfer the data packet to that application buffer. The network interface device may be programmed to recognize qualifications on data packets appropriate for transfer to an application buffer, such as by receiving the sequence number of the next expected packet. Because the network interface device can recognize packets for transfer to an application buffer by simple comparison of a packet header to the map, additional hardware required in the network interface device to perform the offloaded functions is lightweight.
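The "simple comparison of a packet header to the map" in the abstract is worth spelling out, because the comparison is also what keeps the offload from being abused: the NIC places a segment only if the 4-tuple is mapped, the sequence number is exactly the next expected one, and the payload fits the posted buffer. The following model is an added illustration for this page, not the patent's code. The Segment fields, the AppBuffer/MapEntry shapes and the name OffloadNic are assumptions, and the segments in demo() are constructed.

```python
"""NIC-side direct data placement keyed on a connection map.

The host stack posts, per connection, an application buffer and the sequence number of the
next expected byte. The NIC places a segment directly only when the 4-tuple is mapped, the
segment is exactly the next in-order one, and it fits; everything else goes to the host stack.
Segments below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FourTuple = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


@dataclass
class AppBuffer:
    capacity: int
    data: bytearray = field(default_factory=bytearray)


@dataclass
class MapEntry:
    buf: AppBuffer
    expected_seq: int


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


class OffloadNic:
    def __init__(self) -> None:
        self.conn_map: Dict[FourTuple, MapEntry] = {}
        self.to_stack: List[Segment] = []     # segments the NIC would not place itself

    def post_buffer(self, key: FourTuple, buf: AppBuffer, expected_seq: int) -> None:
        """Host stack programs the NIC with a buffer and the next expected sequence number."""
        self.conn_map[key] = MapEntry(buf, expected_seq)

    def receive(self, seg: Segment) -> str:
        entry = self.conn_map.get((seg.src, seg.sport, seg.dst, seg.dport))
        if entry is None:
            self.to_stack.append(seg)          # unknown connection
            return "stack"
        if seg.seq != entry.expected_seq:
            self.to_stack.append(seg)          # out of order or duplicate: stack reassembles
            return "stack"
        if len(entry.buf.data) + len(seg.payload) > entry.buf.capacity:
            self.to_stack.append(seg)          # would overrun the posted buffer
            return "stack"
        entry.buf.data += seg.payload
        entry.expected_seq = (entry.expected_seq + len(seg.payload)) & 0xFFFFFFFF
        return "direct"


def demo() -> Tuple[List[str], bytes, int]:
    """Return (verdict per segment, bytes placed in the app buffer, segments sent to the stack)."""
    nic = OffloadNic()
    key = ("10.0.0.1", 40000, "10.0.0.2", 443)
    buf = AppBuffer(capacity=16)
    nic.post_buffer(key, buf, expected_seq=1000)
    segs = [
        Segment(*key, 1000, b"hello"),        # in order            -> direct
        Segment(*key, 1010, b"!!!!!"),        # gap, 1005 missing   -> stack
        Segment(*key, 1005, b"world"),        # fills the gap       -> direct
        Segment(*key, 1000, b"hello"),        # retransmit of old   -> stack
        Segment("10.0.0.9", 1, "10.0.0.2", 443, 1010, b"junk"),   # unmapped -> stack
        Segment(*key, 1010, b"0123456789"),   # 10 + 10 > 16        -> stack
    ]
    verdicts = [nic.receive(s) for s in segs]
    return verdicts, bytes(buf.data), len(nic.to_stack)


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible. First, the capacity check is not optional: without it a mapped, in-order segment could write past the application buffer the host posted. Second, once the stack handles a segment itself (the out-of-order one here), it must re-post the updated expected sequence number, otherwise the NIC and the stack disagree about where the next in-order byte goes. The model also compares headers only; checksum and flag validation are assumed to happen elsewhere.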
Abstract:
The present invention extends to methods, systems, and computer program products for offloading virtual machine flows to physical queues. A computer system executes one or more virtual machines, and programs a physical network device with one or more rules that manage network traffic for the virtual machines. The computer system also programs the network device to manage network traffic using the rules. In particular, the network device is programmed to determine availability of one or more physical queues at the network device that are usable for processing network flows for the virtual machines. The network device is also programmed to identify network flows for the virtual machines, including identifying characteristics of each network flow. The network device is also programmed to, based on the characteristics of the network flows and based on the rules, assign one or more of the network flows to at least one of the physical queues.