Abstract:
A method for performing Large Receive Offload (LRO) aggregation on packets being forwarded by a VM is provided. The method segments the LRO-aggregated packet according to the Maximum Segment Size (MSS) of the TCP connection before forwarding the segmented packets to their destination. The method snoops the packets being forwarded for their MSS parameter and then uses the snooped MSS parameter to perform the Transmit Segmentation Offload (TSO) operation. The PNIC performs both the aggregation operation (LRO) and the segmentation (TSO) within its own hardware without consuming CPU cycles on the host machine. The PNIC receives the MSS parameter from the network stack as metadata that accompanies an LRO-aggregated packet.
Abstract:
The disclosure herein describes an edge device of a network for distributed policy enforcement. During operation, the edge device receives an initial packet for an outgoing traffic flow and identifies a policy triggered by the initial packet. The edge device performs a reverse lookup to identify at least one intermediate node previously traversed by the initial packet, together with the traffic parameters associated with the initial packet at that intermediate node. The edge device translates the policy based on the traffic parameters at the intermediate node and forwards the translated policy to the intermediate node, thus enabling the intermediate node to apply the policy to the traffic flow.
Abstract:
Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines, each in accordance with a respective security container, where the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. One of the virtual machines is then identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.