-
Publication number: US20160099968A1
Publication date: 2016-04-07
Application number: US14965870
Filing date: 2015-12-10
Applicant: VMware, Inc.
Inventor: Amit CHOPRA , Uday MASUREKAR
IPC: H04L29/06
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
-
Publication number: US20180063743A1
Publication date: 2018-03-01
Application number: US15654588
Filing date: 2017-07-19
Applicant: VMware, Inc.
Inventor: Laxminarayana TUMULURU , Todd SABIN , Weiqing WU , Uday MASUREKAR , Serge MASKALIK , Sachin THAKKAR , Debashis BASAK
IPC: H04W28/02 , H04L12/801 , H04L12/911
Abstract: An approach is disclosed for steering network traffic away from congestion hot-spots to achieve better throughput and latency. In one embodiment, multiple Foo-over-UDP (FOU) tunnels, each having a distinct source port, are created between two endpoints. As a result of the distinct source ports, routers that compute hashes of packet fields in order to distribute traffic flows across network paths will compute distinct hash values for the FOU tunnels that may be associated with different paths. Probes are scheduled to measure network metrics, such as latency and liveliness, of each of the FOU tunnels. In turn, the network metrics are used to select particular FOU tunnel(s) to send traffic over so as to avoid congestion and high-latency hotspots in the network.
-
Publication number: US20210029201A1
Publication date: 2021-01-28
Application number: US16523938
Filing date: 2019-07-26
Applicant: VMware, Inc.
Inventor: Uday MASUREKAR , Sergii STEPANENKO , Todd SABIN , Gabe ROSAS
Abstract: System and computer-implemented method in a cloud architecture including a mixed network having local objects in a local network and external objects in an external network, wherein the external objects are accessed through proxy communications, uses a proxy inventory to determine whether a connection from a first computing object to a second computing object should be excluded from a proxy. The connection from the first computing object to the second computing object is performed based on the determination.
-
Publication number: US20190034297A1
Publication date: 2019-01-31
Application number: US15713714
Filing date: 2017-09-25
Applicant: VMWARE, INC.
Inventor: Narendra Kumar BASUR SHANKARAPPA , Serge MASKALIK , Uday MASUREKAR , Anand PRITAM , Aravind SRINIVASAN , Bob SHEEHAN , Abhijeet DESHPANDE , Sachin THAKKAR , Hemanth Kumar PANNEM
Abstract: One or more embodiments provide techniques for migrating virtual machines (VMs) from a private data center to a cloud data center. A hybrid cloud manager determines a scope of migration from the private data center to the cloud data center. The hybrid cloud manager groups each VM included in the scope of migration into one or more clusters. The hybrid cloud manager defines one or more migration phases. Each migration phase comprises a subset of the one or more clusters. The hybrid cloud manager generates a migration schedule based on at least the one or more migration phases. The hybrid cloud manager migrates the VMs from the private data center to the cloud data center in accordance with the migration schedule.
-
Publication number: US20190081912A1
Publication date: 2019-03-14
Application number: US15701396
Filing date: 2017-09-11
Applicant: VMware, Inc.
Inventor: Leon CUI , Siddharth EKBOTE , Todd SABIN , Weiqing WU , Uday MASUREKAR
IPC: H04L12/931 , G06F11/00 , G06F21/62 , G06F9/455
Abstract: The disclosure provides an approach for managing and diagnosing middleboxes in a cloud computing system. In one embodiment, a network operations center, that is located remote to a virtualized cloud computing system and communicates with the cloud computing system via a wide area network, controls network middleboxes in the cloud computing system through a secure routing module inside a gateway of the cloud computing system. The secure routing module is configured to receive, from an authenticated management application and via a secure communication channel, packets intended for managing network middleboxes. In turn, the secure routing module establishes secure communication channels with the target middleboxes, translates the identified packets to protocols and/or application programming interfaces (APIs) of the target middleboxes, and transmits the translated packets to the target middleboxes.
-
Publication number: US20140226820A1
Publication date: 2014-08-14
Application number: US13765618
Filing date: 2013-02-12
Applicant: VMWARE, INC.
Inventor: Amit CHOPRA , Uday MASUREKAR
IPC: H04L9/08
CPC classification number: H04L63/162 , H04L63/0272 , H04L63/0457 , H04L63/0485 , H04L63/061 , H04L63/065 , H04L63/0876 , H04L63/123
Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
-