Abstract:
A method for isolating legitimate network traffic during a denial of service attack involves receiving a plurality of packets from a network, detecting an attack from the network on a first virtual network stack, wherein the attack on the first virtual network stack comprises at least one from the group consisting of the denial of service attack and an extreme network load, if the attack is detected, forwarding a plurality of packets associated with a subsequent connection to a temporary data structure associated with a second virtual network stack, wherein the second virtual network stack is a lowest priority queue configured at connection setup time, determining whether the subsequent connection is legitimate, and forwarding at least one of the plurality of packets associated with the subsequent connection to a temporary data structure associated with the first virtual network stack if the subsequent connection is legitimate, wherein a higher priority mapping is assigned by a classifier to the subsequent connection.
Abstract:
Incoming/outgoing data packets to/from a network are processed by associated receive/send rings of a network interface. A plurality of counters, disposed in hardware, are each associated with particular receive/send rings. Each of the plurality of counters maintains a count of a number of data packets processed by an associated receive/send ring.
Abstract:
A method for dynamically changing a virtual network interface card (VNIC) binding. If the use of a hardware receive ring (HRR) is below the first threshold and the use of the software receive ring (SRR) is above the second threshold, then: binding the first VNIC to the SRR and the second VNIC to the HRR, removing the binding from the first VNIC to the HRR, removing the binding from the second VNIC to the SRR, and reprogramming a hardware classifier to send packets associated with the first VNIC to a second HRR and to send packets associated with the second VNIC to the HRR, reprogramming a software classifier to send packets associated with the first VNIC to the SRR, wherein the software classifier is associated with a soft ring (SR) and the SR is configured to obtain packets from the second HRR.
Abstract:
A method for processing a plurality of packets that includes receiving the plurality of packets from a network, analyzing each of the plurality of packets by a classifier to determine to which of a plurality of temporary data structures each of the plurality of packets is to be forwarded, forwarding each of the plurality of packets to one of the plurality of temporary data structures as determined by the classifier, forwarding a plurality of packets from the one of the plurality of temporary data structures to a virtual serialization queue associated with the one of the plurality of temporary data structures, wherein the virtual serialization queue is bound to a thread having a processing priority, and processing the plurality of packets on the virtual serialization queue using at least one processor bound to the virtual serialization queue and the processing priority.
Abstract:
A method for changing network configuration parameters that includes generating a request to change a network configuration parameter, where the request is generated by a virtual machine, sending the request to a virtual network interface card (VNIC) associated with the virtual machine, sending the request to a VNIC configuration database associated with the VNIC, determining whether the virtual machine is allowed to change the network configuration parameter, if the virtual machine is allowed to change the network configuration parameter, updating the VNIC configuration database and VNIC to reflect the change in the network configuration parameter, and notifying the virtual machine that the change in network configuration parameter is allowed, and if the virtual machine is not allowed to change the network configuration parameter, dropping the request.
Abstract:
A method for processing a packet that includes receiving the packet, where the packet comprises a header, and traversing a flow table comprising a plurality of flow table entries (FTEs), wherein, for each FTE encountered during the traversal, the method includes: obtaining a packet matching function associated with the FTE; applying the packet matching function associated with the FTE to the header to determine whether the packet matches the FTE; if the packet matches the FTE, sending the packet to one selected from the group consisting of one of a plurality of receive rings (RRs) and a first sub-flow table, where the first sub-flow table is associated with the FTE, and stopping the traversal of the flow table; and if the packet does not match the FTE, continuing the traversal of the flow table.
Abstract:
A system includes a first and a second network component, and a bridge. The bridge, which resides in a Media Access Control (MAC) layer of a host, includes a bridge component, a first virtual network interface card (VNIC) and a second VNIC, wherein the first VNIC is associated with the first network component and the second VNIC is associated with the second network component. Further, the bridge component is configured to send packets received from the first network component to the second network component and to send packets received from the second network component to the first network component.
Abstract:
A method for processing packets, where the method includes programming a hardware classifier in a network interface card (NIC) to send packets associated with a first packet destination to a non-standby hardware receive ring (HRR), programming a software ring to obtain packets from the non-standby HRR, programming the software ring to send packets for the first destination to a first software receive ring (SRR), wherein the first packet destination is associated with the first SRR, obtaining identifying information about a packet associated with a denial of service (DoS) attack, programming the hardware classifier, using the identifying information, to send the packet associated with the DoS attack to a standby HRR, and for each packet received by the hardware classifier determining to which of the standby HRR and the non-standby HRR to send the packet using the programming of the hardware classifier.
Abstract:
A method for routing packets includes receiving an outbound packet issued by a first virtual machine, wherein the first virtual machine is located on a host, determining a packet destination associated with the outbound packet, querying a routing table for a routing entry corresponding to the packet destination, wherein the routing table comprises a first routing entry referencing an external host and a second routing entry referencing a second virtual machine, wherein the second virtual machine is located on the host, if the routing entry corresponding to the packet destination is the first routing entry, passing the packet to the external host, and if the routing entry corresponding to the packet destination is the second routing entry, passing the packet to the second virtual machine.