-
Publication number: US09912665B2
Publication date: 2018-03-06
Application number: US13765579
Application date: 2013-02-12
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steve L. Pope, David J. Riddoch, Ching Yu, Derek Roberts
IPC: G06F15/16, H04L29/06, H04L12/861, H04L12/879, H04L12/863
CPC classification number: H04L63/10, H04L47/50, H04L49/90, H04L49/901, H04L49/9031, H04L49/9063
Abstract: Roughly described, a network interface device receiving data packets from a computing device for transmission onto a network, the data packets having a certain characteristic, transmits the packet only if the sending queue has authority to send packets having that characteristic. The data packet characteristics can include transport protocol number, source and destination port numbers, source and destination IP addresses, for example. Authorizations can be programmed into the NIC by a kernel routine upon establishment of the transmit queue, based on the privilege level of the process for which the queue is being established. In this way, a user process can use an untrusted user-level protocol stack to initiate data transmission onto the network, while the NIC protects the remainder of the system or network from certain kinds of compromise.
-
Publication number: US20160352687A1
Publication date: 2016-12-01
Application number: US15231564
Application date: 2016-08-08
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steve L. Pope, Derek Roberts, David J. Riddoch
IPC: H04L29/06
CPC classification number: H04L63/0263, H04L63/0236
Abstract: A logic device and method are provided for intercepting a data flow from a network source to a network destination. A data store holds a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period. A packet inspector is configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow. A packet filter is configured to when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid.
-
Publication number: US20160277447A1
Publication date: 2016-09-22
Application number: US14660812
Application date: 2015-03-17
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, David J. Riddoch, Derek Roberts
IPC: H04L29/06
CPC classification number: H04L63/20, H04L63/0227, H04L63/06, H04L63/1441
Abstract: A rule engine receives data flows. The data flows are between a network and an application. The rule engine determines data flow information and in dependence on the information performs an action with respect to said flow. A controller provides control information to the rule engine to define one or more actions. The communications between said rule engine and said controller are secure.
-
Publication number: US20140233571A1
Publication date: 2014-08-21
Application number: US14261199
Application date: 2014-04-24
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, David Riddoch, Dimitri Kitariev, Derek Roberts
IPC: H04L12/741
Abstract: Roughly described, a header processing engine for a network interface device has a header recognizer to parse the headers of a data packet stored at a buffer to identify the type and position of each header in the packet; a constructor unit; and a processor including an execution pipeline. The header recognizer is configured to, for each header: select in dependence on the header type commands stored at a command memory; and form one or more messages for the constructor unit identifying the selected commands and the position of the header in the data packet. The commands selected for the packet headers are collectively such as to, if executed by the constructor unit, cause the constructor unit to generate a data structure which operates to cause the processor to process of the packet headers without accessing the data packet at the buffer.
-
Publication number: US20210034526A1
Publication date: 2021-02-04
Application number: US16525313
Application date: 2019-07-29
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, Dmitri Kitariev, David J. Riddoch, Derek Roberts, Neil Turton
IPC: G06F12/0831, G06F12/0888, G06F13/28, G06F9/38
Abstract: A network interface device comprises a programmable interface configured to provide a device interface with at least one bus between the network interface device and a host device. The programmable interface is programmable to support a plurality of different types of a device interface.
-
Publication number: US20180288198A1
Publication date: 2018-10-04
Application number: US15939152
Application date: 2018-03-28
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, David J. Riddoch, Derek Roberts
IPC: H04L29/06, H04L12/851, G06F15/18
Abstract: A network interface device has an input. The input receives packets in accordance with a protocol and has at least one protocol header. The network interface has hardware which applies an artificial intelligence process to at least one of the protocol headers. This is used to provide an output which may, for example, indicate a risk associated with a packet.
-
Publication number: US20180124216A1
Publication date: 2018-05-03
Application number: US15341967
Application date: 2016-11-02
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, David J. Riddoch, Derek Roberts
CPC classification number: H04L69/163, G06F13/102, H04L49/30, H04L67/10, H04L69/16
Abstract: A network interface device includes an interface configured to receive data packets for a host processing device and an engine supporting a network interface device component of an application that is provided on the host processing device. In response to receiving data packets for the application, the engine is configured to cause at least some of the data packets to be available to the component of the application, to cause the data packets to be delivered to a protocol stack of the host processing device, and to receive control information associated with the data packets from the protocol stack of the host processing device. The interface is configured to output an acknowledgement message comprising the control information.
-
Publication number: US20180063197A1
Publication date: 2018-03-01
Application number: US15792481
Application date: 2017-10-24
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, David J. Riddoch, Derek Roberts
IPC: H04L29/06
CPC classification number: H04L63/20, H04L63/0227, H04L63/06, H04L63/1441
Abstract: A rule engine receives data flows. The data flows are between a network and an application. The rule engine determines data flow information and in dependence on the information performs an action with respect to said flow. A controller provides control information to the rule engine to define one or more actions. The communications between said rule engine and said controller are secure.
-
Publication number: US09426124B2
Publication date: 2016-08-23
Application number: US14248082
Application date: 2014-04-08
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steve L. Pope, Derek Roberts, David J. Riddoch
CPC classification number: H04L63/0263, H04L63/0236
Abstract: A logic device and method are provided for intercepting a data flow from a network source to a network destination. A data store holds a set of compliance rules and corresponding actions wherein at least one of the set of compliance rules is a temporary compliance rule valid for a predetermined period. A packet inspector is configured to inspect the intercepted data flow and identify from the data store a temporary compliance rule associated with the inspected data flow. A packet filter is configured to when the data flow is identified as being associated with the temporary compliance rule, carry out an action with respect to the data flow corresponding to the temporary compliance rule while the temporary compliance rule is valid.
-
Publication number: US09124539B2
Publication date: 2015-09-01
Application number: US14261199
Application date: 2014-04-24
Applicant: SOLARFLARE COMMUNICATIONS, INC.
Inventor: Steven L. Pope, David Riddoch, Dimitri Kitariev, Derek Roberts
IPC: H04L12/28, H04L12/741, H04L12/935, H04L29/06
Abstract: Roughly described, a header processing engine for a network interface device has a header recognizer to parse the headers of a data packet stored at a buffer to identify the type and position of each header in the packet; a constructor unit; and a processor including an execution pipeline. The header recognizer is configured to, for each header: select in dependence on the header type commands stored at a command memory; and form one or more messages for the constructor unit identifying the selected commands and the position of the header in the data packet. The commands selected for the packet headers are collectively such as to, if executed by the constructor unit, cause the constructor unit to generate a data structure which operates to cause the processor to process of the packet headers without accessing the data packet at the buffer.
-